1:41 p.m.
Kernel audit component
This patch is against David Woodhouse's last update of his audit-2.6 git
tree, plus a patch submitted by Amy Griffis on 2006-01-17 that adds
support for strings in audit rules. This patch can be found here:
https://www.redhat.com/archives/linux-audit/2006-January/msg00064.html
Let me highlight and explain a few key points:
I've added another function similar to audit_comparator():
audit_str_comparator(). This function takes a left string, an operator,
and a right string and returns true or false based on the comparison.
NULL is considered absolute zero, such that any valid string is greater
than NULL. Additionally, two NULL strings are considered equal. These
assumptions are made such that ugly NULL pointer dereferences are easily
avoided.
Please double check my memory management. I need to kmalloc() space to
memcpy() the string from the netlink message into a kernel rule
structure. Obviously, this needs to be cleaned up properly upon rule
destruction, which I think I'm doing properly.
I also split the function audit_log_task_context() into two parts. The
first part allocates the memory necessary and returns the a context
(aka, label) as a string pointer--this new function is called
audit_get_task_label(). In turn, audit_log_task_context() simply calls
audit_get_task_label() and inserts that string into the audit record.
And audit_get_task_label() is called just before the filter code such
that it has a label to potentially filter upon. Again, proper kfree()'s
are required as audit_get_task_label() does the memory allocation and
the consumer must free.
Note that this code actually only provides enough functionality to
filter on _task_ labels. I'm looking for input or acknowledgment from
the SELinux guys (cc'd) on the validity of the approach herein.
Additionally, I'm open to suggestions on how I might similarly collect
object and user labels for the same filtering mechanism (if required).
I hope to easily extend this patch to handle those as well, though I
wanted to put this much forth immediately to incorporate suggestions.
Comments appreciated...
:-Dustin
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -140,6 +140,11 @@
#define AUDIT_PERS 10
#define AUDIT_ARCH 11
#define AUDIT_MSGTYPE 12
+#define AUDIT_SE_USER 13 /* security label user */
+#define AUDIT_SE_ROLE 14 /* security label role */
+#define AUDIT_SE_TYPE 15 /* security label type */
+#define AUDIT_SE_CAT 16 /* security label category */
+#define AUDIT_SE_SENS 17 /* security label sensitivity */
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/audit.c b/kernel/audit.c
diff --git a/kernel/audit.h b/kernel/audit.h
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -56,6 +56,7 @@ struct audit_field {
u32 type;
u32 val;
u32 op;
+ char *buf;
};
struct audit_krule {
@@ -78,6 +79,7 @@ struct audit_entry {
extern int audit_pid;
extern int audit_comparator(const u32 left, const u32 op, const u32 right);
+extern int audit_str_comparator(const char *left, const u32 op, const char *right);
extern void audit_send_reply(int pid, int seq, int type,
int done, int multi,
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -160,15 +160,14 @@ static struct audit_entry *audit_data_to
{
int err = 0;
struct audit_entry *entry;
- void *bufp;
/* size_t remain = datasz - sizeof(struct audit_rule_data); */
int i;
+ int offset = 0;
entry = audit_to_entry_common((struct audit_rule *)data);
if (IS_ERR(entry))
goto exit_nofree;
- bufp = data->buf;
entry->rule.vers_ops = 2;
for (i = 0; i < data->field_count; i++) {
struct audit_field *f = &entry->rule.fields[i];
@@ -180,10 +179,26 @@ static struct audit_entry *audit_data_to
f->op = data->fieldflags[i] & AUDIT_OPERATORS;
f->type = data->fields[i];
+ f->val = data->values[i];
switch(f->type) {
/* call type-specific conversion routines here */
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_CAT:
+ case AUDIT_SE_SENS:
+ f->buf = kmalloc(f->val + 1, GFP_KERNEL);
+ if (!f->buf) {
+ err = -ENOMEM;
+ goto exit_free;
+ }
+ memcpy(f->buf, data->buf + offset, f->val);
+ f->buf[f->val] = 0;
+ offset += f->val;
+ break;
default:
- f->val = data->values[i];
+ f->buf = NULL;
+ break;
}
}
@@ -326,7 +341,13 @@ static inline int audit_add_rule(struct
static inline void audit_free_rule(struct rcu_head *head)
{
+ int i;
struct audit_entry *e = container_of(head, struct audit_entry, rcu);
+ for (i=0; i<e->rule.field_count; i++) {
+ struct audit_field *f = &e->rule.fields[i];
+ if (f->buf)
+ kfree(f->buf);
+ }
kfree(e);
}
@@ -521,6 +542,39 @@ int audit_comparator(const u32 left, con
}
}
+int audit_str_comparator(const char *left, const u32 op, const char *right)
+{
+ u32 i = 0;
+
+ if ( (left == NULL) || (right == NULL) ) {
+ /* first handle cases where left or right are NULL */
+ if ( (left == NULL) && (right == NULL) )
+ i = 0;
+ else if ( (left == NULL) && (right != NULL) )
+ i = -1;
+ else if ( (left != NULL) && (right == NULL))
+ i = 1;
+ } else
+ /* ok, not NULL, so compare strings */
+ i = strcmp(left, right);
+
+ switch(op) {
+ case AUDIT_EQUAL:
+ return (i == 0);
+ case AUDIT_NOT_EQUAL:
+ return (i != 0);
+ case AUDIT_LESS_THAN:
+ return (i < 0);
+ case AUDIT_LESS_THAN_OR_EQUAL:
+ return (i <= 0);
+ case AUDIT_GREATER_THAN:
+ return (i > 0);
+ case AUDIT_GREATER_THAN_OR_EQUAL:
+ return (i >= 0);
+ default:
+ return -EINVAL;
+ }
+}
static int audit_filter_user_rules(struct netlink_skb_parms *cb,
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -157,15 +157,23 @@ struct audit_context {
#endif
};
+static char *audit_get_task_label(void);
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
* otherwise. */
static int audit_filter_rules(struct task_struct *tsk,
struct audit_krule *rule,
struct audit_context *ctx,
- enum audit_state *state)
+ enum audit_state *state,
+ char *label)
{
int i, j;
+ char *user, *role, *type, *cat, *sens;
+ user = strsep(&label, ":");
+ role = strsep(&label, ":");
+ type = strsep(&label, ":");
+ cat = strsep(&label, ":");
+ sens = strsep(&label, ":");
for (i = 0; i < rule->field_count; i++) {
struct audit_field *f = &rule->fields[i];
@@ -206,6 +214,21 @@ static int audit_filter_rules(struct tas
if (ctx)
result = audit_comparator(ctx->arch, f->op, f->val);
break;
+ case AUDIT_SE_USER:
+ result = audit_str_comparator(user, f->op, f->buf);
+ break;
+ case AUDIT_SE_ROLE:
+ result = audit_str_comparator(role, f->op, f->buf);
+ break;
+ case AUDIT_SE_TYPE:
+ result = audit_str_comparator(type, f->op, f->buf);
+ break;
+ case AUDIT_SE_CAT:
+ result = audit_str_comparator(cat, f->op, f->buf);
+ break;
+ case AUDIT_SE_SENS:
+ result = audit_str_comparator(sens, f->op, f->buf);
+ break;
case AUDIT_EXIT:
if (ctx && ctx->return_valid)
@@ -283,15 +306,18 @@ static enum audit_state audit_filter_tas
{
struct audit_entry *e;
enum audit_state state;
+ char *label = audit_get_task_label();
rcu_read_lock();
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
- if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
+ if (audit_filter_rules(tsk, &e->rule, NULL, &state, label)) {
rcu_read_unlock();
return state;
}
}
rcu_read_unlock();
+ if (label)
+ kfree(label);
return AUDIT_BUILD_CONTEXT;
}
@@ -306,6 +332,7 @@ static enum audit_state audit_filter_sys
{
struct audit_entry *e;
enum audit_state state;
+ char *label = audit_get_task_label();
if (audit_pid && tsk->tgid == audit_pid)
return AUDIT_DISABLED;
@@ -317,13 +344,15 @@ static enum audit_state audit_filter_sys
list_for_each_entry_rcu(e, list, list) {
if ((e->rule.mask[word] & bit) == bit
- && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+ && audit_filter_rules(tsk, &e->rule, ctx, &state, label)) {
rcu_read_unlock();
return state;
}
}
}
rcu_read_unlock();
+ if (label)
+ kfree(label);
return AUDIT_BUILD_CONTEXT;
}
@@ -503,32 +532,44 @@ static inline void audit_free_context(st
static void audit_log_task_context(struct audit_buffer *ab)
{
- char *ctx = NULL;
+ char *label = audit_get_task_label();
+
+ if (label == NULL)
+ audit_panic("error in audit_log_task_context");
+ else {
+ audit_log_format(ab, " subj=%s", label);
+ kfree(label);
+ }
+ return;
+}
+
+static char *audit_get_task_label(void)
+{
+ char *label = NULL;
ssize_t len = 0;
len = security_getprocattr(current, "current", NULL, 0);
if (len < 0) {
if (len != -EINVAL)
goto error_path;
- return;
+ return NULL;
}
- ctx = kmalloc(len, GFP_KERNEL);
- if (!ctx)
+ label = kmalloc(len, GFP_KERNEL);
+ if (!label)
goto error_path;
- len = security_getprocattr(current, "current", ctx, len);
+ len = security_getprocattr(current, "current", label, len);
if (len < 0 )
goto error_path;
- audit_log_format(ab, " subj=%s", ctx);
- return;
+ return label;
error_path:
- if (ctx)
- kfree(ctx);
- audit_panic("error in audit_log_task_context");
- return;
+ if (label)
+ kfree(label);
+ audit_panic("error in audit_get_task_label");
+ return NULL;
}
static void audit_log_task_info(struct audit_buffer *ab)
12:08 a.m.
I've reworked this patch based on the work that Darrel Goedel has recently
submitted in which he has implemented an SELinux interface for the Audit
subsystem to call to match security context label components. This follows
the advice of Stephen Smalley, and Darrel based his interface at least in
part on work that James Morris had started.
These patches are against Al Viro's latest git tree plus the following two
patches:
1. Minor cleanup patch of audit_comparator(); no real dependency here, but might
cause some patch fuzz:
https://www.redhat.com/archives/linux-audit/2006-February/msg00102.html
2. Darrel's SELinux audit api patch:
https://www.redhat.com/archives/linux-audit/2006-February/msg00101.html
The audit system needs to store (and eventually free) pointers to
Darrel's new selinux_audit_rule structure. I implemented this as a
struct selinux_audit_rule *se_rule in kernel/audit.h:audit_field. I
considered making this a void *ext (something more generic), which would
have the advantage of being extensible if something like this ever came
up again, where an audit rule field interfaces with some other kernel
system. Of course, it would need to be cast properly when referenced.
Please speak up if you have strong feelings here.
Amy: In audit_data_to_entry(), you're using an effectively temporary
char *path. I, too, needed a temporary string pointer, so I declared
char *str and replaced your couple of instances of path with str. Let
me know if this is ok by you. I couldn't very well call my temp string
"path". And it didn't make much sense to me to declare another throwaway
pointer. There's a little code duplication with the audit_unpack_string too.
Darrel: I realize now that your selinux_audit_rule structure duplicates a
little data that it doesn't need to, such as au_op and au_field. I could
very easily pass those to you when I call selinux_audit_rule_match. I think
that would be a little cleaner. Just a suggestion.
Steve Grubb mentioned that there's a chance we might get this into the test
kernel by EOB Friday... That would be great. Of course, I've built and
tested the basic functionality and it seems to filter messages in/out
appropriately. I'll submit an updated userspace patch tomorrow.
One last point... This patch only covers matching on process context.
As Darrel and I have discussed, we'll move onto the other contexts once
this methodology is acceptable.
Thanks for your review.
:-Dustin
diff --git a/kernel/audit.h b/kernel/audit.h
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -59,9 +59,10 @@ struct audit_watch {
};
struct audit_field {
- u32 type;
- u32 val;
- u32 op;
+ u32 type;
+ u32 val;
+ u32 op;
+ struct selinux_audit_rule *se_rule;
};
struct audit_krule {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -25,6 +25,7 @@
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/netlink.h>
+#include <linux/selinux.h>
#include "audit.h"
/* There are three lists of rules -- one to search at task creation
@@ -50,6 +51,12 @@ static inline void audit_free_watch(stru
static inline void audit_free_rule(struct audit_entry *e)
{
+ int i;
+ for (i=0; i<e->rule.field_count; i++) {
+ struct audit_field *f = &e->rule.fields[i];
+ if (f->se_rule)
+ selinux_audit_rule_free(f->se_rule);
+ }
kfree(e->rule.fields);
kfree(e);
}
@@ -228,7 +235,7 @@ static struct audit_entry *audit_data_to
void *bufp;
size_t remain = datasz - sizeof(struct audit_rule_data);
int i;
- char *path;
+ char *str;
entry = audit_to_entry_common((struct audit_rule *)data);
if (IS_ERR(entry))
@@ -247,16 +254,33 @@ static struct audit_entry *audit_data_to
f->op = data->fieldflags[i] & AUDIT_OPERATORS;
f->type = data->fields[i];
f->val = data->values[i];
+ f->se_rule = NULL;
switch(f->type) {
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_SEN:
+ case AUDIT_SE_CLR:
+ str = audit_unpack_string(&bufp, &remain, f->val);
+ if (IS_ERR(str))
+ goto exit_free;
+ entry->rule.buflen += f->val;
+
+ err = selinux_audit_rule_init(f->type, f->op, str, &f->se_rule);
+ if (err) {
+ kfree(str);
+ goto exit_free;
+ }
+ break;
case AUDIT_WATCH:
- path = audit_unpack_string(&bufp, &remain, f->val);
- if (IS_ERR(path))
+ str = audit_unpack_string(&bufp, &remain, f->val);
+ if (IS_ERR(str))
goto exit_free;
entry->rule.buflen += f->val;
- err = audit_to_watch(path, &entry->rule, i);
+ err = audit_to_watch(str, &entry->rule, i);
if (err) {
- kfree(path);
+ kfree(str);
goto exit_free;
}
break;
@@ -644,6 +668,9 @@ int audit_comparator(const u32 left, con
case AUDIT_GREATER_THAN_OR_EQUAL:
return (left >= right);
}
+ /* should NEVER get here */
+ BUG();
+ return 0;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -58,6 +58,7 @@
#include <linux/security.h>
#include <linux/list.h>
#include <linux/tty.h>
+#include <linux/selinux.h>
#include "audit.h"
@@ -165,7 +166,8 @@ struct audit_context {
static int audit_filter_rules(struct task_struct *tsk,
struct audit_krule *rule,
struct audit_context *ctx,
- enum audit_state *state)
+ enum audit_state *state,
+ u32 sid)
{
int i, j;
@@ -258,6 +260,13 @@ static int audit_filter_rules(struct tas
if (ctx)
result = audit_comparator(ctx->loginuid, f->op, f->val);
break;
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_SEN:
+ case AUDIT_SE_CLR:
+ result = selinux_audit_rule_match(sid, f->se_rule);
+ break;
case AUDIT_ARG0:
case AUDIT_ARG1:
case AUDIT_ARG2:
@@ -286,10 +295,13 @@ static enum audit_state audit_filter_tas
{
struct audit_entry *e;
enum audit_state state;
+ u32 sid;
+
+ selinux_task_ctxid(tsk, &sid);
rcu_read_lock();
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
- if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
+ if (audit_filter_rules(tsk, &e->rule, NULL, &state, sid)) {
rcu_read_unlock();
return state;
}
@@ -309,6 +321,9 @@ static enum audit_state audit_filter_sys
{
struct audit_entry *e;
enum audit_state state;
+ u32 sid;
+
+ selinux_task_ctxid(tsk, &sid);
if (audit_pid && tsk->tgid == audit_pid)
return AUDIT_DISABLED;
@@ -320,7 +335,8 @@ static enum audit_state audit_filter_sys
list_for_each_entry_rcu(e, list, list) {
if ((e->rule.mask[word] & bit) == bit
- && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+ && audit_filter_rules(tsk, &e->rule,
+ ctx, &state, sid)) {
rcu_read_unlock();
return state;
}
10:49 a.m.
Dustin Kirkland wrote:
Darrel: I realize now that your selinux_audit_rule structure duplicates a
little data that it doesn't need to, such as au_op and au_field. I could
very easily pass those to you when I call selinux_audit_rule_match. I think
that would be a little cleaner. Just a suggestion.
Sure - I can't remember what I did earlier that made me want my own copy.
I have a few othre changes to make. I'll include that change.
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -59,9 +59,10 @@ struct audit_watch {
};
struct audit_field {
- u32 type;
- u32 val;
- u32 op;
+ u32 type;
+ u32 val;
+ u32 op;
+ struct selinux_audit_rule *se_rule;
};
struct audit_krule {
This will require that <linux/selinux.h> be included before "audit.h".
Maybe just include selinux.h from this file to get the structure
declaration.
@@ -58,6 +58,7 @@
#include <linux/security.h>
#include <linux/list.h>
#include <linux/tty.h>
+#include <linux/selinux.h>
#include "audit.h"
@@ -165,7 +166,8 @@ struct audit_context {
static int audit_filter_rules(struct task_struct *tsk,
struct audit_krule *rule,
struct audit_context *ctx,
- enum audit_state *state)
+ enum audit_state *state,
+ u32 sid)
{
int i, j;
The sid can be obtained from tsk within this function to avoid modifying the
callers to get the sid and pass it in.
@@ -258,6 +260,13 @@ static int audit_filter_rules(struct tas
if (ctx)
result = audit_comparator(ctx->loginuid, f->op, f->val);
break;
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_SEN:
+ case AUDIT_SE_CLR:
+ result = selinux_audit_rule_match(sid, f->se_rule);
+ break;
case AUDIT_ARG0:
case AUDIT_ARG1:
case AUDIT_ARG2:
What about the error (result < 0) cases here? For this to error, something
pretty bad has happened (a sid couldn't be mapped or an atomic memory allocation
failed). That being said, do we want to go all out and audit_panic?
@@ -286,10 +295,13 @@ static enum audit_state audit_filter_tas
{
struct audit_entry *e;
enum audit_state state;
+ u32 sid;
+
+ selinux_task_ctxid(tsk, &sid);
rcu_read_lock();
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
- if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
+ if (audit_filter_rules(tsk, &e->rule, NULL, &state, sid)) {
rcu_read_unlock();
return state;
}
@@ -309,6 +321,9 @@ static enum audit_state audit_filter_sys
{
struct audit_entry *e;
enum audit_state state;
+ u32 sid;
+
+ selinux_task_ctxid(tsk, &sid);
if (audit_pid && tsk->tgid == audit_pid)
return AUDIT_DISABLED;
@@ -320,7 +335,8 @@ static enum audit_state audit_filter_sys
list_for_each_entry_rcu(e, list, list) {
if ((e->rule.mask[word] & bit) == bit
- && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+ && audit_filter_rules(tsk, &e->rule,
+ ctx, &state, sid)) {
rcu_read_unlock();
return state;
}
These are the changes that can go away if audit_filter_rules gets the sid.
--
Darrel
11:43 a.m.
On Fri, Feb 17, 2006 at 12:08:11AM -0600, Dustin Kirkland wrote:
Amy: In audit_data_to_entry(), you're using an effectively
temporary
char *path. I, too, needed a temporary string pointer, so I declared
char *str and replaced your couple of instances of path with str. Let
me know if this is ok by you. I couldn't very well call my temp string
"path". And it didn't make much sense to me to declare another throwaway
pointer.
Looks fine.
There's a little code duplication with the audit_unpack_string
too.
In order to eliminate that, we'd need something that ties the
AUDIT_SE_* and AUDIT_WATCH fields together as string fields. Given
that it's only four lines and only duplicated once, it might not be
worth it at this point. But if it's an indication we would want
userspace to provide, then we need to add it now.
One last point... This patch only covers matching on process
context.
You'll also need to add helpers for the new AUDIT_SE_* fields to be
used for rule listing and rule comparison.
Regards,
Amy
6883
days inactive
6898
days old
linux-audit@lists.linux-audit.osci.io
3 comments
3 participants
participants (3)
-
Amy Griffis -
Darrel Goeddel -
Dustin Kirkland