Re: [PATCH] support for context based audit filtering

Here is an update of this patch incorporating some of the feedback (not all yet - just some bug fixes). This is most important feature is that it is rebased to the latest audit-current git tree (with some more help from Amy - thanks again). -- Darrel diff --git a/kernel/audit.h b/kernel/audit.h index bc53920..051ac2a 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -54,9 +54,11 @@ enum audit_state { /* Rule lists */ struct audit_field { - u32 type; - u32 val; - u32 op; + u32 type; + u32 val; + u32 op; + char *se_str; + struct selinux_audit_rule *se_rule; }; struct audit_krule { diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 45f3001..b115f51 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -23,6 +23,7 @@ #include <linux/audit.h> #include <linux/kthread.h> #include <linux/netlink.h> +#include <linux/selinux.h> #include "audit.h" /* There are three lists of rules -- one to search at task creation @@ -42,6 +43,13 @@ struct list_head audit_filter_list[AUDIT static inline void audit_free_rule(struct audit_entry *e) { + int i; + if (e->rule.fields) + for (i = 0; i < e->rule.field_count; i++) { + struct audit_field *f = &e->rule.fields[i]; + kfree(f->se_str); + selinux_audit_rule_free(f->se_rule); + } kfree(e->rule.fields); kfree(e); } @@ -54,7 +62,7 @@ static inline void audit_free_rule_rcu(s /* Unpack a filter field's string representation from user-space * buffer. */ -static __attribute__((unused)) char *audit_unpack_string(void **bufp, size_t *remain, size_t len) +static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) { char *str; @@ -150,15 +158,20 @@ static struct audit_entry *audit_rule_to for (i = 0; i < rule->field_count; i++) { struct audit_field *f = &entry->rule.fields[i]; - if (rule->fields[i] & AUDIT_UNUSED_BITS) { - err = -EINVAL; - goto exit_free; - } - f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); f->val = rule->values[i]; + if (f->type & AUDIT_UNUSED_BITS || + f->type == AUDIT_SE_USER || + f->type == AUDIT_SE_ROLE || + f->type == AUDIT_SE_TYPE || + f->type == AUDIT_SE_SEN || + f->type == AUDIT_SE_CLR) { + err = -EINVAL; + goto exit_free; + } + entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; /* Support for legacy operators where @@ -188,8 +201,9 @@ static struct audit_entry *audit_data_to int err = 0; struct audit_entry *entry; void *bufp; - /* size_t remain = datasz - sizeof(struct audit_rule_data); */ + size_t remain = datasz - sizeof(struct audit_rule_data); int i; + char *str; entry = audit_to_entry_common((struct audit_rule *)data); if (IS_ERR(entry)) @@ -207,10 +221,34 @@ static struct audit_entry *audit_data_to f->op = data->fieldflags[i] & AUDIT_OPERATORS; f->type = data->fields[i]; + f->val = data->values[i]; + f->se_str = NULL; + f->se_rule = NULL; switch(f->type) { - /* call type-specific conversion routines here */ - default: - f->val = data->values[i]; + case AUDIT_SE_USER: + case AUDIT_SE_ROLE: + case AUDIT_SE_TYPE: + case AUDIT_SE_SEN: + case AUDIT_SE_CLR: + str = audit_unpack_string(&bufp, &remain, f->val); + if (IS_ERR(str)) + goto exit_free; + entry->rule.buflen += f->val; + + err = selinux_audit_rule_init(f->type, f->op, str, + &f->se_rule); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (err == -EINVAL) { + printk(KERN_WARNING "selinux audit rule for item %s is invalid\n", str); + err = 0; + } + if (err) { + kfree(str); + goto exit_free; + } else + f->se_str = str; + break; } } @@ -286,7 +324,14 @@ static struct audit_rule_data *audit_kru data->fields[i] = f->type; data->fieldflags[i] = f->op; switch(f->type) { - /* call type-specific conversion routines here */ + case AUDIT_SE_USER: + case AUDIT_SE_ROLE: + case AUDIT_SE_TYPE: + case AUDIT_SE_SEN: + case AUDIT_SE_CLR: + data->buflen += data->values[i] = + audit_pack_string(&bufp, f->se_str); + break; default: data->values[i] = f->val; } @@ -314,7 +359,14 @@ static int audit_compare_rule(struct aud return 1; switch(a->fields[i].type) { - /* call type-specific comparison routines here */ + case AUDIT_SE_USER: + case AUDIT_SE_ROLE: + case AUDIT_SE_TYPE: + case AUDIT_SE_SEN: + case AUDIT_SE_CLR: + if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) + return 1; + break; default: if (a->fields[i].val != b->fields[i].val) return 1; @@ -649,3 +701,139 @@ unlock_and_return: rcu_read_unlock(); return result; } + +/* Check to see if the rule contains any selinux fields. Returns 1 if there + are selinux fields specified in the rule, 0 otherwise. */ +static inline int audit_rule_has_selinux(struct audit_krule *rule) +{ + int i; + + for (i = 0; i < rule->field_count; i++) { + struct audit_field *f = &rule->fields[i]; + switch (f->type) { + case AUDIT_SE_USER: + case AUDIT_SE_ROLE: + case AUDIT_SE_TYPE: + case AUDIT_SE_SEN: + case AUDIT_SE_CLR: + return 1; + } + } + + return 0; +} + +/* Make a copy of src in dest. This will be a deep copy with the exception + of the watch - that pointer is carried over. The selinux specific fields + will be updated in the copy. The point is to be able to replace the src + rule with the dest rule in the list, then free the dest rule. */ +static inline int selinux_audit_rule_update_helper(struct audit_krule *dest, + struct audit_krule *src) +{ + int i, err = 0; + + dest->vers_ops = src->vers_ops; + dest->flags = src->flags; + dest->listnr = src->listnr; + dest->action = src->action; + for (i = 0; i < AUDIT_BITMASK_SIZE; i++) + dest->mask[i] = src->mask[i]; + dest->buflen = src->buflen; + dest->field_count = src->field_count; + + /* deep copy this information, updating the se_rule fields, because + the originals will all be freed when the old rule is freed. */ + dest->fields = kzalloc(sizeof(struct audit_field) * dest->field_count, + GFP_ATOMIC); + if (!dest->fields) + return -ENOMEM; + memcpy(dest->fields, src->fields, + sizeof(struct audit_field) * dest->field_count); + for (i = 0; i < dest->field_count; i++) { + struct audit_field *df = &dest->fields[i]; + struct audit_field *sf = &src->fields[i]; + switch (df->type) { + case AUDIT_SE_USER: + case AUDIT_SE_ROLE: + case AUDIT_SE_TYPE: + case AUDIT_SE_SEN: + case AUDIT_SE_CLR: + /* our own copy of se_str */ + df->se_str = kstrdup(sf->se_str, GFP_ATOMIC); + if (!df->se_str) + return -ENOMEM; + /* our own (refreshed) copy of se_rule */ + err = selinux_audit_rule_init(df->type, df->op, + df->se_str, &df->se_rule); + /* Keep currently invalid fields around in case they + become valid after a policy reload. */ + if (err == -EINVAL) { + printk(KERN_WARNING "selinux audit rule for item %s is invalid\n", df->se_str); + err = 0; + } + if (err) + return err; + } + } + + return 0; +} + +/* This function will re-initialize the se_rule field of all applicable rules. + It will traverse the filter lists serarching for rules that contain selinux + specific filter fields. When such a rule is found, it is copied, the + selinux field is re-initialized, and the old rule is replaced with the + updated rule. */ +static int selinux_audit_rule_update(void) +{ + struct audit_entry *entry, *nentry; + int i, err = 0, tmperr; + + /* audit_netlink_mutex synchronizes the writers */ + mutex_lock(&audit_netlink_mutex); + + for (i = 0; i < AUDIT_NR_FILTERS; i++) { + list_for_each_entry(entry, &audit_filter_list[i], list) { + if (!audit_rule_has_selinux(&entry->rule)) + continue; + + nentry = kmalloc(sizeof(*entry), GFP_ATOMIC); + if (!nentry) { + /* save the first error encountered for the + return value */ + if (!err) + err = -ENOMEM; + audit_panic("error updating selinux filters"); + continue; + } + + tmperr = selinux_audit_rule_update_helper(&nentry->rule, + &entry->rule); + if (tmperr) { + /* save the first error encountered for the + return value */ + if (!err) + err = tmperr; + audit_free_rule(nentry); + audit_panic("error updating selinux filters"); + continue; + } + list_replace_rcu(&entry->list, &nentry->list); + call_rcu(&entry->rcu, audit_free_rule_rcu); + } + } + + mutex_unlock(&audit_netlink_mutex); + + return err; +} + +/* Register the callback with selinux. This callback will be invoked when a + new policy is loaded. */ +static int __init register_selinux_update_callback(void) +{ + selinux_audit_set_callback(&selinux_audit_rule_update); + return 0; +} +__initcall(register_selinux_update_callback); + diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 0d1bda1..05a2dc1 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -58,6 +58,7 @@ #include <linux/security.h> #include <linux/list.h> #include <linux/tty.h> +#include <linux/selinux.h> #include "audit.h" @@ -174,6 +175,9 @@ static int audit_filter_rules(struct tas enum audit_state *state) { int i, j; + u32 sid; + + selinux_task_ctxid(tsk, &sid); for (i = 0; i < rule->field_count; i++) { struct audit_field *f = &rule->fields[i]; @@ -263,6 +267,22 @@ static int audit_filter_rules(struct tas if (ctx) result = audit_comparator(ctx->loginuid, f->op, f->val); break; + case AUDIT_SE_USER: + case AUDIT_SE_ROLE: + case AUDIT_SE_TYPE: + case AUDIT_SE_SEN: + case AUDIT_SE_CLR: + /* NOTE: this may return negative values indicating + a temporary error. We simply treat this as a + match for now to avoid losing information that + may be wanted. An error message will also be + logged upon error */ + if (f->se_rule) + result = selinux_audit_rule_match(sid, f->type, + f->op, + f->se_rule, + ctx); + break; case AUDIT_ARG0: case AUDIT_ARG1: case AUDIT_ARG2: