From patchwork Wed Mar 19 22:27:40 2025
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 14023249
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [PATCH v3 1/5] Audit: Create audit_stamp structure Date: Wed, 19 Mar 2025 15:27:40 -0700 Message-ID: <20250319222744.17576-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20250319222744.17576-1-casey@schaufler-ca.com> References: <20250319222744.17576-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler --- kernel/audit.c | 17 +++++++++-------- kernel/audit.h | 13 +++++++++---- kernel/auditsc.c | 22 +++++++++------------- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5f5bf85bcc90..2a567f667528 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1833,11 +1833,11 @@ unsigned int audit_serial(void) } static inline void audit_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) + struct audit_stamp *stamp) { - if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { - ktime_get_coarse_real_ts64(t); - *serial = audit_serial(); + if (!ctx || !auditsc_get_stamp(ctx, stamp)) { + ktime_get_coarse_real_ts64(&stamp->ctime); + stamp->serial = audit_serial(); } } @@ -1860,8 +1860,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct timespec64 t; - unsigned int serial; + struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; 
@@ -1916,12 +1915,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &t, &serial); + audit_get_stamp(ab->ctx, &stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); + (unsigned long long)stamp.ctime.tv_sec, + stamp.ctime.tv_nsec/1000000, + stamp.serial); return ab; } diff --git a/kernel/audit.h b/kernel/audit.h index 0211cb307d30..4d6dd2588f9b 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,12 @@ struct audit_proctitle { char *value; /* the cmdline field */ }; +/* A timestamp/serial pair to identify an event */ +struct audit_stamp { + struct timespec64 ctime; /* time of syscall entry */ + unsigned int serial; /* serial number for record */ +}; + /* The per-task audit context. */ struct audit_context { int dummy; /* must be the first element */ @@ -108,10 +114,9 @@ struct audit_context { AUDIT_CTX_URING, /* in use by io_uring */ } context; enum audit_state state, current_state; - unsigned int serial; /* serial number for record */ + struct audit_stamp stamp; /* event identifier */ int major; /* syscall number */ int uring_op; /* uring operation */ - struct timespec64 ctime; /* time of syscall entry */ unsigned long argv[4]; /* syscall arguments */ long return_code;/* syscall return code */ u64 prio; @@ -263,7 +268,7 @@ extern void audit_put_tty(struct tty_struct *tty); extern unsigned int audit_serial(void); #ifdef CONFIG_AUDITSYSCALL extern int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial); + struct audit_stamp *stamp); extern void audit_put_watch(struct audit_watch *watch); extern void audit_get_watch(struct audit_watch *watch); 
@@ -304,7 +309,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx); extern struct list_head *audit_killed_trees(void); #else /* CONFIG_AUDITSYSCALL */ -#define auditsc_get_stamp(c, t, s) 0 +#define auditsc_get_stamp(c, s) 0 #define audit_put_watch(w) do { } while (0) #define audit_get_watch(w) do { } while (0) #define audit_to_watch(k, p, l, o) (-EINVAL) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9c853cde9abe..60f2c927afd7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -994,10 +994,10 @@ static void audit_reset_context(struct audit_context *ctx) */ ctx->current_state = ctx->state; - ctx->serial = 0; + ctx->stamp.serial = 0; + ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; ctx->major = 0; ctx->uring_op = 0; - ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; memset(ctx->argv, 0, sizeof(ctx->argv)); ctx->return_code = 0; ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0); @@ -1917,7 +1917,7 @@ void __audit_uring_entry(u8 op) ctx->context = AUDIT_CTX_URING; ctx->current_state = ctx->state; - ktime_get_coarse_real_ts64(&ctx->ctime); + ktime_get_coarse_real_ts64(&ctx->stamp.ctime); } /** @@ -2039,7 +2039,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, context->argv[3] = a4; context->context = AUDIT_CTX_SYSCALL; context->current_state = state; - ktime_get_coarse_real_ts64(&context->ctime); + ktime_get_coarse_real_ts64(&context->stamp.ctime); } /** 
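Review bot: in the audit_reset_context() hunk the two separate resets of `ctx->stamp.serial` and `ctx->stamp.ctime` can be one statement, `ctx->stamp = (struct audit_stamp){ };`, which also keeps any field later added to the struct from being missed on reset. Related, the new struct's field comment in audit.h, `struct timespec64 ctime; /* time of syscall entry */`, no longer describes every user: audit_get_stamp() fills it with ktime_get_coarse_real_ts64() for records that have no syscall or io_uring context, so a wording such as "time the event was stamped" would be accurate for both paths.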
@@ -2510,21 +2510,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); /** * auditsc_get_stamp - get local copies of audit_context values * @ctx: audit_context for the task - * @t: timespec64 to store time recorded in the audit_context - * @serial: serial value that is recorded in the audit_context + * @stamp: timestamp to record * * Also sets the context as auditable. */ -int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) { if (ctx->context == AUDIT_CTX_UNUSED) return 0; - if (!ctx->serial) - ctx->serial = audit_serial(); - t->tv_sec = ctx->ctime.tv_sec; - t->tv_nsec = ctx->ctime.tv_nsec; - *serial = ctx->serial; + if (!ctx->stamp.serial) + ctx->stamp.serial = audit_serial(); + *stamp = ctx->stamp; if (!ctx->prio) { ctx->prio = 1; ctx->current_state = AUDIT_STATE_RECORD; From patchwork Wed Mar 19 22:27:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 14023248 Received: from sonic309-27.consmr.mail.ne1.yahoo.com (sonic309-27.consmr.mail.ne1.yahoo.com [66.163.184.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BBDA921C18C for ; Wed, 19 Mar 2025 22:27:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.184.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742423282; cv=none; b=fAzrBvcxg/ODJBUJ0NHI5TYikwG3PchcOWFd924uoYlVnMM/K2H1F1Gyk8xciEKeuoldG5ID0TnwEezwyiqnvgnElmq0kA+PKmVAdRJ0x6zUr/OFjPiovqWpG7jLurPB1ufyo7dDQtyl+bKdNhweukZnL9VwQLw4vKYkmwIIXr8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742423282; c=relaxed/simple; bh=UNW+YvCPp0c7mxj3odVP2Cv7e9rx2hHtMfO3CmqQB8k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: 
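Review bot: the kernel-doc for auditsc_get_stamp() now reads `@stamp: timestamp to record`, but the parameter is an output: the function copies the context's stamp into it (`*stamp = ctx->stamp;`) after assigning a serial if none exists, and the summary line still says "get local copies of audit_context values". Document it as "where to store a copy of the context's stamp" so the stated direction matches the code.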
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v3 2/5] LSM: security_lsmblob_to_secctx module selection
Date: Wed, 19 Mar 2025 15:27:41 -0700
Message-ID: <20250319222744.17576-3-casey@schaufler-ca.com>
In-Reply-To: <20250319222744.17576-1-casey@schaufler-ca.com>
References: <20250319222744.17576-1-casey@schaufler-ca.com>

Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used.

security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook.
Signed-off-by: Casey Schaufler --- include/linux/security.h | 6 ++++-- kernel/audit.c | 4 ++-- kernel/auditsc.c | 8 +++++--- net/netlabel/netlabel_user.c | 3 ++- security/security.c | 13 +++++++++++-- 5 files changed, 24 insertions(+), 10 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 980b6c207cad..540894695c4b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -566,7 +566,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsm_context *cp); -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp); +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, + int lsmid); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsm_context *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1543,7 +1544,8 @@ static inline int security_secid_to_secctx(u32 secid, struct lsm_context *cp) } static inline int security_lsmprop_to_secctx(struct lsm_prop *prop, - struct lsm_context *cp) + struct lsm_context *cp, + int lsmid) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index 2a567f667528..6bbadb605ca3 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1473,7 +1473,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, case AUDIT_SIGNAL_INFO: if (lsmprop_is_set(&audit_sig_lsm)) { err = security_lsmprop_to_secctx(&audit_sig_lsm, - &lsmctx); + &lsmctx, LSM_ID_UNDEF); if (err < 0) return err; } @@ -2188,7 +2188,7 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmprop_is_set(&prop)) return 0; - error = security_lsmprop_to_secctx(&prop, &ctx); + error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 60f2c927afd7..dc3f7e9666f2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx) < 0) { + if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1395,7 +1395,8 @@ static void show_special(struct audit_context *context, int *call_panic) struct lsm_context lsmctx; if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx) < 0) { + &lsmctx, + LSM_ID_UNDEF) < 0) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", lsmctx.context); @@ -1560,7 +1561,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmprop_is_set(&n->oprop)) { struct lsm_context ctx; - if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) { + if (security_lsmprop_to_secctx(&n->oprop, &ctx, + LSM_ID_UNDEF) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 0d04d23aafe7..6d6545297ee3 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx) > 0) { + security_lsmprop_to_secctx(&audit_info->prop, &ctx, + LSM_ID_UNDEF) > 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/security.c b/security/security.c index 143561ebc3e8..55f9c7ad3f89 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel); * security_secid_to_secctx() - Convert a secid to a secctx * @secid: secid * @cp: the LSM context + * @lsmid: which security module to report * * Convert secid to security context. If @cp is NULL the length of the * result will be returned, but no data will be returned. This 
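Review bot: the `@lsmid: which security module to report` line is being added to the kernel-doc of security_secid_to_secctx(), whose prototype this patch does not change (the commit message says it "is unchanged" and the security.h hunk shows its declaration untouched), while security_lsmprop_to_secctx(), which actually gains the parameter in the next hunk, gets no @lsmid entry. Move the line into the security_lsmprop_to_secctx() comment block; as written, kernel-doc will report an excess parameter on one function and an undocumented one on the other.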
@@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx); * * Return: Return length of data on success, error on failure. */ -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp) +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, + int lsmid) { - return call_int_hook(lsmprop_to_secctx, prop, cp); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, lsmprop_to_secctx) { + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) + continue; + return scall->hl->hook.lsmprop_to_secctx(prop, cp); + } + return LSM_RET_DEFAULT(lsmprop_to_secctx); } EXPORT_SYMBOL(security_lsmprop_to_secctx); From patchwork Wed Mar 19 22:27:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 14023251 Received: from sonic307-16.consmr.mail.ne1.yahoo.com (sonic307-16.consmr.mail.ne1.yahoo.com [66.163.190.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A52BB21CFF7 for ; Wed, 19 Mar 2025 22:28:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.190.39 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742423287; cv=none; b=ZHhCPyUSEpxCz48ktq22CVvc5XnjIpnvZofz02Euh2bBHcY8vmz4XtA0F87n3ecFrdcTVbXtApUBrY38xpV+It3Kv/W6By/Xu5J+5v6RrCKttxUb/s1LDHzgFG38hrjRk9xfqBAFlfK0dunLiRPGeVrBLdf0XBOdxpTjWhvWK1A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742423287; c=relaxed/simple; bh=QYm7mXZ/JhLkdMLR0Zx3COpzmegytyB4GsVm6ToHNeE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fgJ4JZ9dVq8VUuPnvfUJUY25f2iRUxxmc8UaFtg9VD8IqNANasMfCdr4uryGC18dwES/u89pKqsX/c57t9F5WyfmU78Oicw1L3yex576VIIvUBfL1zlwT3DZq4tRtXSPwk7NTLzqzkU02lXLL57CRUGzTJr2yXbsE+1PozgeO04= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; 
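Review bot: the new loop tests `lsmid != 0` while the commit message and every caller converted in this patch (audit.c, auditsc.c, netlabel_user.c) spell the wildcard as `LSM_ID_UNDEF`; write the check as `if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)` so it does not silently depend on the constant's numeric value. The subject line and the first sentence of the commit message name security_lsmblob_to_secctx(), but the function this patch changes is security_lsmprop_to_secctx(); the message should use the current name. Finally, the "Return:" line directly above the function still says only "length of data on success, error on failure"; one sentence on what a caller gets when a specific lsmid is requested and no active module with that id provides the hook (the loop falls through to `LSM_RET_DEFAULT(lsmprop_to_secctx)`) would spare callers a trip to the hook table.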
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v3 3/5] Audit: Add record for multiple task security contexts
Date: Wed, 19 Mar 2025 15:27:42 -0700
Message-ID: <20250319222744.17576-4-casey@schaufler-ca.com>
In-Reply-To: <20250319222744.17576-1-casey@schaufler-ca.com>
References: <20250319222744.17576-1-casey@schaufler-ca.com>

Replace the single skb pointer in an audit_buffer with a list of skb pointers. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time create auxiliary records (none are currently defined) as have been added to the list. Functions are created to manage the skb list in the audit_buffer.

Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS (1423) record is:

    type=MAC_TASK_CONTEXTS[1423] msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_

When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record the "subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context.

Suggested-by: Paul Moore
Signed-off-by: Casey Schaufler --- include/linux/audit.h | 6 ++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 171 ++++++++++++++++++++++++++++++------- security/apparmor/lsm.c | 3 + security/selinux/hooks.c | 3 + security/smack/smack_lsm.c | 3 + 6 files changed, 158 insertions(+), 29 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 0050ef288ab3..b493ca5976cf 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -37,6 +37,7 @@ struct audit_watch; struct audit_tree; struct sk_buff; struct kern_ipc_perm; +struct lsm_id; struct audit_krule { u32 pflags; @@ -210,6 +211,8 @@ extern u32 audit_enabled; extern int audit_signal_info(int sig, struct task_struct *t); +extern void audit_lsm_secctx(const struct lsm_id *lsmid); + #else /* CONFIG_AUDIT */ static inline __printf(4, 5) void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, @@ -269,6 +272,9 @@ static inline int audit_signal_info(int sig, struct task_struct *t) return 0; } +static inline void audit_lsm_secctx(const struct lsm_id *lsmid) +{ } + #endif /* CONFIG_AUDIT */ #ifdef CONFIG_AUDIT_COMPAT_GENERIC diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index d9a069b4a775..5ebb5d80363d 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -146,6 +146,7 @@ #define AUDIT_IPE_ACCESS 1420 /* IPE denial or grant */ #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ +#define AUDIT_MAC_TASK_CONTEXTS 1423 /* Multiple LSM task contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 6bbadb605ca3..7ec3919ae925 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include 
@@ -81,6 +82,11 @@ static u32 audit_failure = AUDIT_FAIL_PRINTK; /* private audit network namespace index */ static unsigned int audit_net_id; +/* Number of modules that provide a security context. + List of lsms that provide a security context */ +static u32 audit_secctx_cnt = 0; +static const struct lsm_id *audit_lsms[MAX_LSM_COUNT]; + /** * struct audit_net - audit private network namespace data * @sk: communication socket @@ -195,8 +201,10 @@ static struct audit_ctl_mutex { * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ + struct sk_buff *skb; /* the skb for audit_log functions */ + struct sk_buff_head skb_list; /* formatted skbs, ready to send */ struct audit_context *ctx; /* NULL or associated context */ + struct audit_stamp stamp; /* audit stamp for these records */ gfp_t gfp_mask; }; @@ -278,6 +286,18 @@ static pid_t auditd_pid_vnr(void) return pid; } +/** + * audit_lsm_secctx - Identify a security module as providing a secctx. + * @lsmid - LSM identity + * + * Description: + * Increments the count of the security modules providing a secctx. + */ +void audit_lsm_secctx(const struct lsm_id *lsmid) +{ + audit_lsms[audit_secctx_cnt++] = lsmid; +} + /** * audit_get_sk - Return the audit socket for the given network namespace * @net: the destination network namespace @@ -1776,10 +1796,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set); static void audit_buffer_free(struct audit_buffer *ab) { + struct sk_buff *skb; + if (!ab) return; - kfree_skb(ab->skb); + while ((skb = skb_dequeue(&ab->skb_list))) + kfree_skb(skb); kmem_cache_free(audit_buffer_cache, ab); } 
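Review bot: style in the audit_secctx_cnt/audit_lsms hunk: `static u32 audit_secctx_cnt = 0;` explicitly zero-initialises a static (checkpatch warns about this; drop the `= 0`), and the two-line comment above it should use the kernel block-comment form, a leading `/*` line with ` * ` continuation lines, rather than a bare second line.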
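Review bot: audit_lsm_secctx() stores into audit_lsms[audit_secctx_cnt++] with nothing in the hunk bounding audit_secctx_cnt against the MAX_LSM_COUNT size of the array; an `if (WARN_ON(audit_secctx_cnt >= MAX_LSM_COUNT)) return;` at the top keeps the invariant visible where the write happens. All three callers added in this patch are __init functions, so the function (and its declaration in audit.h) can be marked __init and discarded after boot. The kernel-doc parameter line is written `@lsmid - LSM identity`; the form is `@lsmid: LSM identity`.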
@@ -1795,6 +1818,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx, ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask); if (!ab->skb) goto err; + + skb_queue_head_init(&ab->skb_list); + skb_queue_tail(&ab->skb_list, ab->skb); + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) goto err; @@ -1860,7 +1887,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1915,14 +1941,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); return ab; } 
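Review bot: in audit_buffer_alloc() the new skb_queue_head_init(&ab->skb_list) runs only after nlmsg_new() has succeeded, but the `if (!ab->skb) goto err;` immediately above it jumps to the error path with the list head still uninitialised. audit_buffer_free(), as changed in this patch, now releases the buffer with `while ((skb = skb_dequeue(&ab->skb_list)))`, so if the err label frees through audit_buffer_free() (it did before this patch) an allocation failure walks an uninitialised list head. Initialise the queue right after the kmem_cache_alloc() and before the first nlmsg_new(), or make the error path free the cache object directly.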
@@ -2178,25 +2204,104 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +/** + * audit_buffer_aux_new - Add an aux record buffer to the skb list + * @ab: audit_buffer + * @type: message type + * + * Aux records are allocated and added to the skb list of + * the "main" record. The ab->skb is reset to point to the + * aux record on its creation. When the aux record in complete + * ab->skb has to be reset to point to the "main" record. + * This allows the audit_log_ functions to be ignorant of + * which kind of record it is logging to. It also avoids adding + * special data for aux records. + * + * On success ab->skb will point to the new aux record. + * Returns 0 on success, -ENOMEM should allocation fail. + */ +static int audit_buffer_aux_new(struct audit_buffer *ab, int type) +{ + WARN_ON(ab->skb != skb_peek(&ab->skb_list)); + + ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask); + if (!ab->skb) + goto err; + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) + goto err; + skb_queue_tail(&ab->skb_list, ab->skb); + + audit_log_format(ab, "audit(%llu.%03lu:%u): ", + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); + + return 0; + +err: + kfree_skb(ab->skb); + ab->skb = skb_peek(&ab->skb_list); + return -ENOMEM; +} + +/** + * audit_buffer_aux_end - Switch back to the "main" record from an aux record + * @ab: audit_buffer + * + * Restores the "main" audit record to ab->skb. 
+ */ +static void audit_buffer_aux_end(struct audit_buffer *ab) +{ + ab->skb = skb_peek(&ab->skb_list); +} + int audit_log_task_context(struct audit_buffer *ab) { struct lsm_prop prop; struct lsm_context ctx; + bool space = false; int error; + int i; security_current_getlsmprop_subj(&prop); if (!lsmprop_is_set(&prop)) return 0; - error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); - if (error < 0) { - if (error != -EINVAL) - goto error_path; + if (audit_secctx_cnt < 2) { + error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); + if (error < 0) { + if (error != -EINVAL) + goto error_path; + return 0; + } + audit_log_format(ab, " subj=%s", ctx.context); + security_release_secctx(&ctx); return 0; } - - audit_log_format(ab, " subj=%s", ctx.context); - security_release_secctx(&ctx); + /* Multiple LSMs provide contexts. Include an aux record. */ + audit_log_format(ab, " subj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < audit_secctx_cnt; i++) { + error = security_lsmprop_to_secctx(&prop, &ctx, + audit_lsms[i]->id); + if (error < 0) { + if (error == -EOPNOTSUPP) + continue; + audit_log_format(ab, "%ssubj_%s=?", space ? " " : "", + audit_lsms[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_task_context"); + } else { + audit_log_format(ab, "%ssubj_%s=%s", space ? " " : "", + audit_lsms[i]->name, ctx.context); + security_release_secctx(&ctx); + } + space = true; + } + audit_buffer_aux_end(ab); return 0; error_path: 
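Review bot: in the multi-LSM loop of audit_log_task_context() a conversion failure other than -EINVAL or -EOPNOTSUPP logs `subj_<lsm>=?` and calls audit_panic(), but execution continues to `audit_buffer_aux_end(ab); return 0;`, so the caller is told the subject was logged successfully, while the single-LSM branch returns `error` via error_path for the same failure. Remember the first such error and return it after audit_buffer_aux_end() so both branches report failure the same way. Two smaller points in the same hunk: the audit_buffer_aux_new() kernel-doc reads "When the aux record in complete" (is complete), and the prefix it writes is "audit(%llu.%03lu:%u): " with a trailing colon, whereas the commit message example shows `msg=audit(1600880931.832:113) subj_apparmor=...` without one; the example should match the code.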
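Review bot: in the __audit_log_end()/audit_log_end() split in the next hunk, the rate-limited branch leaks every skb. audit_log_end() now dequeues each skb from ab->skb_list before calling __audit_log_end(skb), and when audit_rate_check() fails that function only calls audit_log_lost("rate limit exceeded") and returns, so the skb is neither queued nor freed; before this patch it stayed on ab->skb and audit_buffer_free() released it. Add kfree_skb(skb) to the else branch. Separately, the rate check is now made once per skb rather than once per event, so the main record can be sent while its MAC_TASK_CONTEXTS record is dropped, leaving "subj=?" with nothing to resolve it; calling audit_rate_check() once in audit_log_end() and then sending or dropping the whole list keeps an event consistent.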
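Review bot: the apparmor_init()/selinux_init()/smack_init() hunks at the end of this patch make participation in MAC_TASK_CONTEXTS opt-in per module: a security module that can produce a secctx but does not call audit_lsm_secctx() is silently left out of the record and does not count toward audit_secctx_cnt, so with one registered and one unregistered context-providing module the `audit_secctx_cnt < 2` branch still emits a single subj= value chosen by the LSM_ID_UNDEF lookup. Either derive the list from the modules that implement the secctx hooks in the LSM core, or at least document in audit_lsm_secctx() that every LSM providing a secctx must call it.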
@@ -2412,26 +2517,14 @@ int audit_signal_info(int sig, struct task_struct *t) } /** - * audit_log_end - end one audit record - * @ab: the audit_buffer - * - * We can not do a netlink send inside an irq context because it blocks (last - * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a - * queue and a kthread is scheduled to remove them from the queue outside the - * irq context. May be called in any context. + * __audit_log_end - enqueue one audit record + * @skb: the buffer to send */ -void audit_log_end(struct audit_buffer *ab) +static void __audit_log_end(struct sk_buff *skb) { - struct sk_buff *skb; struct nlmsghdr *nlh; - if (!ab) - return; - if (audit_rate_check()) { - skb = ab->skb; - ab->skb = NULL; - /* setup the netlink header, see the comments in * kauditd_send_multicast_skb() for length quirks */ nlh = nlmsg_hdr(skb); @@ -2442,6 +2535,26 @@ void audit_log_end(struct audit_buffer *ab) wake_up_interruptible(&kauditd_wait); } else audit_log_lost("rate limit exceeded"); +} + +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * We can not do a netlink send inside an irq context because it blocks (last + * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a + * queue and a kthread is scheduled to remove them from the queue outside the + * irq context. May be called in any context. + */ +void audit_log_end(struct audit_buffer *ab) +{ + struct sk_buff *skb; + + if (!ab) + return; + + while ((skb = skb_dequeue(&ab->skb_list))) + __audit_log_end(skb); audit_buffer_free(ab); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 9b6c2f157f83..50242210670a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -2250,6 +2250,9 @@ static int __init apparmor_init(void) security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), &apparmor_lsmid); + /* Inform the audit system that secctx is used */ + audit_lsm_secctx(&apparmor_lsmid); + /* Report that AppArmor successfully initialized */ apparmor_initialized = 1; if (aa_g_profile_mode == APPARMOR_COMPLAIN) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7b867dfec88b..0772e9dc0414 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7456,6 +7456,9 @@ static __init int selinux_init(void) /* Set the security state for the initial task. */ cred_init_security(); + /* Inform the audit system that secctx is used */ + audit_lsm_secctx(&selinux_lsmid); + default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); if (!default_noexec) pr_notice("SELinux: virtual memory is executable by default\n"); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 239773cdcdcf..214989d2146b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5290,6 +5290,9 @@ static __init int smack_init(void) /* initialize the smack_known_list */ init_smack_known_list(); + /* Inform the audit system that secctx is used */ + audit_lsm_secctx(&smack_lsmid); + return 0; }

From patchwork Wed Mar 19 22:27:43 2025
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 14023250
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v3 4/5] Audit: multiple subject lsm values for netlabel
Date: Wed, 19 Mar 2025 15:27:43 -0700
Message-ID: <20250319222744.17576-5-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20250319222744.17576-1-casey@schaufler-ca.com>
References: <20250319222744.17576-1-casey@schaufler-ca.com>
Precedence: bulk
X-Mailing-List: linux-security-module@vger.kernel.org
MIME-Version: 1.0

Refactor audit_log_task_context(), creating a new audit_log_subj_ctx(). This is used in netlabel auditing to provide multiple subject security contexts as necessary.

Signed-off-by: Casey Schaufler --- include/linux/audit.h | 7 +++++++ kernel/audit.c | 28 +++++++++++++++++++++------- net/netlabel/netlabel_user.c | 9 +-------- 3 files changed, 29 insertions(+), 15 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index b493ca5976cf..3402e3ca43c6 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -38,6 +38,7 @@ struct audit_tree; struct sk_buff; struct kern_ipc_perm; struct lsm_id; +struct lsm_prop; struct audit_krule { u32 pflags; @@ -186,6 +187,7 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab);
@@ -248,6 +250,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline int audit_log_subj_ctx(struct audit_buffer *ab, + struct lsm_prop *prop) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/kernel/audit.c b/kernel/audit.c index 7ec3919ae925..8ce453f6dc7d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2255,20 +2255,25 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) ab->skb = skb_peek(&ab->skb_list); } -int audit_log_task_context(struct audit_buffer *ab) +/** + * audit_log_subj_ctx - Add LSM subject information + * @ab: audit_buffer + * @prop: LSM subject properties. + * + * Add a subj= field and, if necessary, a AUDIT_MAC_TASK_CONTEXTS record. + */ +int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop) { - struct lsm_prop prop; struct lsm_context ctx; bool space = false; int error; int i; - security_current_getlsmprop_subj(&prop); - if (!lsmprop_is_set(&prop)) + if (!lsmprop_is_set(prop)) return 0; if (audit_secctx_cnt < 2) { - error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); + error = security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; @@ -2285,7 +2290,7 @@ int audit_log_task_context(struct audit_buffer *ab) goto error_path; for (i = 0; i < audit_secctx_cnt; i++) { - error = security_lsmprop_to_secctx(&prop, &ctx, + error = security_lsmprop_to_secctx(prop, &ctx, audit_lsms[i]->id); if (error < 0) { if (error == -EOPNOTSUPP) 
@@ -2305,9 +2310,18 @@ int audit_log_task_context(struct audit_buffer *ab) return 0; error_path: - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subj_ctx"); return error; } +EXPORT_SYMBOL(audit_log_subj_ctx); + +int audit_log_task_context(struct audit_buffer *ab) +{ + struct lsm_prop prop; + + security_current_getlsmprop_subj(&prop); + return audit_log_subj_ctx(ab, &prop); +} EXPORT_SYMBOL(audit_log_task_context); void audit_log_d_path_exe(struct audit_buffer *ab, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 6d6545297ee3..0da652844dd6 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - struct lsm_context ctx; if (audit_enabled == AUDIT_OFF) return NULL; 
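Review bot: the audit_log_subj_ctx() kernel-doc says "a AUDIT_MAC_TASK_CONTEXTS record"; "an". EXPORT_SYMBOL(audit_log_subj_ctx) is added although the only new caller is net/netlabel/netlabel_user.c, which is built-in code; unless a modular user is planned the export is unnecessary (audit_log_task_context() keeps its existing export, so current modules lose nothing).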
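Review bot: in the netlbl_audit_start_common() hunk that follows, the replaced code logged subj= only when security_lsmprop_to_secctx() returned > 0 and ignored every error, whereas audit_log_subj_ctx() treats any conversion error other than -EINVAL as fatal and calls audit_panic() through its error_path, and audit_panic() honours the audit_failure setting. A netlabel audit miss that used to be silent can therefore panic the kernel on an AUDIT_FAIL_PANIC system. If that is intended, say so in the commit message; otherwise netlabel needs a variant that skips the subject on error.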
@@ -96,13 +95,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_log_format(audit_buf, "netlabel: auid=%u ses=%u", from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - - if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx, - LSM_ID_UNDEF) > 0) { - audit_log_format(audit_buf, " subj=%s", ctx.context); - security_release_secctx(&ctx); - } + audit_log_subj_ctx(audit_buf, &audit_info->prop); return audit_buf; }

From patchwork Wed Mar 19 22:27:44 2025
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 14023261
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v3 5/5] Audit: Add record for multiple object contexts
Date: Wed, 19 Mar 2025 15:27:44 -0700
Message-ID: <20250319222744.17576-6-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20250319222744.17576-1-casey@schaufler-ca.com>
References: <20250319222744.17576-1-casey@schaufler-ca.com>
Precedence: bulk
X-Mailing-List: linux-security-module@vger.kernel.org
MIME-Version: 1.0

Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS (1424) record is:

type=MAC_OBJ_CONTEXTS[1424] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0

When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record the "obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.

Signed-off-by: Casey Schaufler --- include/linux/audit.h | 6 +++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 51 +++++++++++++++++++++++++++++++++++++- kernel/auditsc.c | 45 ++++++++------------------------- 4 files changed, 68 insertions(+), 35 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h index 3402e3ca43c6..8fdfa2721273 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -188,6 +188,7 @@ extern void audit_log_path_denied(int type, extern void audit_log_lost(const char *message); extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop); +extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); @@ -255,6 +256,11 @@ static inline int audit_log_subj_ctx(struct audit_buffer *ab, { return 0; } +static inline int audit_log_obj_ctx(struct audit_buffer *ab, + struct lsm_prop *prop) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 5ebb5d80363d..8ca58144bcc6 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -147,6 +147,7 @@ #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ #define AUDIT_MAC_TASK_CONTEXTS 1423 /* Multiple LSM task contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1424 /* Multiple LSM objext contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 8ce453f6dc7d..69db0ee09a3f 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1133,7 +1133,6 @@ static int is_audit_feature_set(int i) return af.features & AUDIT_FEATURE_TO_MASK(i); } - static int audit_get_feature(struct sk_buff *skb) { u32 seq; 
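Review bot: the uapi comment on AUDIT_MAC_OBJ_CONTEXTS reads "Multiple LSM objext contexts"; "object". The blank-line removal between is_audit_feature_set() and audit_get_feature() in kernel/audit.c is unrelated whitespace churn and should be dropped from this patch.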
@@ -2324,6 +2323,56 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop) +{ + int i; + int rc; + int error = 0; + char *space = ""; + struct lsm_context context; + + if (audit_secctx_cnt < 2) { + error = security_lsmprop_to_secctx(prop, &context, + LSM_ID_UNDEF); + if (error < 0) { + if (error != -EINVAL) + goto error_path; + return error; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + return 0; + } + audit_log_format(ab, " obj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < audit_secctx_cnt; i++) { + rc = security_lsmprop_to_secctx(prop, &context, + audit_lsms[i]->id); + if (rc < 0) { + audit_log_format(ab, "%sobj_%s=?", space, + audit_lsms[i]->name); + if (rc != -EINVAL) + audit_panic("error in audit_log_obj_ctx"); + error = rc; + } else { + audit_log_format(ab, "%sobj_%s=%s", space, + audit_lsms[i]->name, context.context); + security_release_secctx(&context); + } + space = " "; + } + + audit_buffer_aux_end(ab); + return error; + +error_path: + audit_panic("error in audit_log_obj_ctx"); + return error; +} + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/auditsc.c b/kernel/auditsc.c index dc3f7e9666f2..e39d7be20c29 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1098,7 +1098,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *comm) { struct audit_buffer *ab; - struct lsm_context ctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 
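Review bot: audit_log_obj_ctx() differs from audit_log_subj_ctx() in two ways that look unintentional. Its per-LSM loop has no `if (rc == -EOPNOTSUPP) continue;`, so a registered module that cannot supply an object context logs `obj_<lsm>=?` and then trips audit_panic() because rc != -EINVAL, where the subject path silently skips that module. And in the `audit_secctx_cnt < 2` branch an -EINVAL result is returned as an error (`return error;`) while the subject function returns 0 for the same condition; that preserves what the object-side callers did before, so if it is deliberate a comment saying so would help. The function is also missing the kernel-doc block its subject counterpart has.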
@@ -1108,15 +1107,9 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmprop_is_set(prop) && audit_log_obj_ctx(ab, prop)) + rc = 1; + audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1392,16 +1385,8 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (lsmprop_is_set(&context->ipc.oprop)) { - struct lsm_context lsmctx; - - if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx, - LSM_ID_UNDEF) < 0) { + if (audit_log_obj_ctx(ab, &context->ipc.oprop)) *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } } if (context->ipc.has_perm) { audit_log_end(ab); @@ -1558,18 +1543,9 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (lsmprop_is_set(&n->oprop)) { - struct lsm_context ctx; - - if (security_lsmprop_to_secctx(&n->oprop, &ctx, - LSM_ID_UNDEF) < 0) { - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmprop_is_set(&n->oprop) && + audit_log_obj_ctx(ab, &n->oprop)) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { 
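Review bot: audit_log_pid_context() previously emitted " obj=(none)" when the conversion failed and set rc = 1; with `if (lsmprop_is_set(prop) && audit_log_obj_ctx(ab, prop)) rc = 1;` the OBJ_PID record carries no obj= field at all in that case (and on -EINVAL audit_log_obj_ctx() returns the error without logging anything), so userspace that keys on the (none) marker silently loses it. Either keep emitting obj=(none) on failure or call out the record-format change in the commit message; the show_special() and audit_log_name() hunks keep their old call_panic behaviour and are fine.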
@@ -1780,15 +1756,16 @@ static void audit_log_exit(void) axs->target_sessionid[i], &axs->target_ref[i], axs->target_comm[i])) - call_panic = 1; + call_panic = 1; } if (context->target_pid && audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - &context->target_ref, context->target_comm)) - call_panic = 1; + &context->target_ref, + context->target_comm)) + call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
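Review bot: the audit_log_exit() hunk only re-indents existing lines (`call_panic = 1;` and the continuation of the audit_log_pid_context() argument list) with no functional change; that is unrelated whitespace churn and belongs in a separate cleanup, if anywhere.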
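The record formats described in the 3/5 and 5/5 commit messages (MAC_TASK_CONTEXTS with subj_<lsm>= fields and "subj=?" elsewhere in the event, MAC_OBJ_CONTEXTS with obj_<lsm>= fields and "obj=?"), consumed from the log side as an added example; this is not code from the patch series or from the audit userspace. It groups raw records by their audit(ts:serial) event key and replaces the subj=? / obj=? placeholders with the per-LSM values from the auxiliary records, flagging a placeholder that no auxiliary record explains. The sample log lines are constructed for the example, and the type=UNKNOWN[1424] form assumes an audit userspace that does not yet know the new type names.

```python
"""Resolve subj=? / obj=? placeholders in multi-LSM audit events.

Added example, not part of the patch series: it consumes the record
formats described in the MAC_TASK_CONTEXTS (1423) and MAC_OBJ_CONTEXTS
(1424) commit messages. The sample log below is constructed for the
example; its field values are illustrative.
"""
import re
from collections import defaultdict

# Record type numbers from include/uapi/linux/audit.h in the series.
AUDIT_MAC_TASK_CONTEXTS = 1423
AUDIT_MAC_OBJ_CONTEXTS = 1424
AUX_TYPES = {AUDIT_MAC_TASK_CONTEXTS: "MAC_TASK_CONTEXTS",
             AUDIT_MAC_OBJ_CONTEXTS: "MAC_OBJ_CONTEXTS"}
AUX_NAMES = {name: num for num, name in AUX_TYPES.items()}

# Accepts "type=NAME", "type=NAME[1423]" (the commit message form) and
# "type=UNKNOWN[1423]" (assumed output of an audit userspace that predates
# the new types). The ':' after the serial is optional because the
# MAC_TASK_CONTEXTS example omits it while audit_buffer_aux_new() emits it.
_RECORD_RE = re.compile(
    r"^type=(?P<name>[A-Z_]+)(?:\[(?P<num>\d+)\])?\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?\s*(?P<body>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into type, event key (ts, serial) and fields."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    name = m.group("name")
    num = int(m.group("num")) if m.group("num") else AUX_NAMES.get(name)
    if name == "UNKNOWN" and num in AUX_TYPES:
        name = AUX_TYPES[num]          # normalise a numeric-only type
    return {"type": name, "type_num": num,
            "event": (m.group("ts"), int(m.group("serial"))),
            "fields": dict(_FIELD_RE.findall(m.group("body")))}


def group_events(lines):
    """Group records by their audit(ts:serial) key, preserving order."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["event"]].append(rec)
    return events


def _per_lsm(rec, prefix):
    """subj_apparmor=unconfined -> {"apparmor": "unconfined"}."""
    return {k[len(prefix):]: v for k, v in rec["fields"].items()
            if k.startswith(prefix)}


def resolve_contexts(records):
    """Attach per-LSM subject/object contexts to the non-aux records of one event.

    A record whose subj (obj) field is '?' gets subj_by_lsm (obj_by_lsm)
    from the event's MAC_TASK_CONTEXTS (MAC_OBJ_CONTEXTS) record. A '?'
    that no aux record explains (for example because the aux record was
    dropped) is listed in 'unresolved' so a consumer can flag the event.
    """
    subj_ctx, obj_ctx = {}, {}
    for rec in records:
        if rec["type"] == "MAC_TASK_CONTEXTS":
            subj_ctx.update(_per_lsm(rec, "subj_"))
        elif rec["type"] == "MAC_OBJ_CONTEXTS":
            obj_ctx.update(_per_lsm(rec, "obj_"))
    out = []
    for rec in records:
        if rec["type"] in AUX_NAMES:
            continue
        r = dict(rec, subj_by_lsm=None, obj_by_lsm=None, unresolved=[])
        for field, ctx in (("subj", subj_ctx), ("obj", obj_ctx)):
            if rec["fields"].get(field) == "?":
                if ctx:
                    r[field + "_by_lsm"] = dict(ctx)
                else:
                    r["unresolved"].append(field)
        out.append(r)
    return out


# Constructed sample: event 113 carries both aux records (obj_apparmor=?
# shows a module that could not produce an object context); event 115 has
# subj=? but its MAC_TASK_CONTEXTS record never arrived.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600880931.832:113): arch=c000003e syscall=257 success=yes exit=3 pid=4242 auid=1000 uid=1000 subj=? key="watch-etc"
type=PATH msg=audit(1600880931.832:113): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 obj=? nametype=NORMAL
type=MAC_TASK_CONTEXTS[1423] msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_
type=UNKNOWN[1424] msg=audit(1600880931.832:113): obj_apparmor=? obj_smack=_
type=SYSCALL msg=audit(1600880950.500:115): arch=c000003e syscall=2 success=yes exit=4 pid=4244 auid=1000 uid=1000 subj=? key=(null)
"""


def resolve_log(text):
    """Return {event_key: resolved records} for a whole log."""
    return {key: resolve_contexts(recs)
            for key, recs in group_events(text.splitlines()).items()}


if __name__ == "__main__":
    for key, recs in resolve_log(SAMPLE_LOG).items():
        for r in recs:
            print(key, r["type"], r["subj_by_lsm"], r["obj_by_lsm"],
                  r["unresolved"])
```

An event whose "subj=?" record arrives without its MAC_TASK_CONTEXTS record is exactly what a per-skb rate-limit drop in audit_log_end() would produce, which is why the resolver reports it rather than silently leaving the field empty.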