12:04 p.m.
On 8/9/2021 7:02 AM, Steve Grubb wrote:
On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
> This patch supplies userspace support for the MAC_TASK_CONTEXTS
> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
> security module (LSM) stacking effort.
>
> I have posted as an RFC because, well, I'd like comments.
In general, this looks good. Typically, the return code of functions in the
parser are unique for debugging (passing --debug to ausearch) per record
type. IOW, you can start at 1 instead of 62 since the output identifes the
record type and return code.
There is the general issue of what ausearch --format csv & --format text
outputs, though.
I would really appreciate some guidance regarding what you'd like
to see for those cases. I can take a wild guess and suggest something,
but it would probably speed everything up if I don't go into the
process blind.
-Steve
> The additional context values are added to the existing lists.
> The existing search methods work on these lists, so that's about
> all it takes.
>
> ---
> lib/libaudit.h | 8 ++++
> lib/msg_typetab.h | 2 +
> src/ausearch-parse.c | 101
> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
> insertions(+)
>
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index ed75892..9bc3aa9 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -311,6 +311,14 @@ extern "C" {
> #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry
*/
> #endif
>
> +#ifndef AUDIT_MAC_TASK_CONTEXTS
> +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */
> +#endif
> +
> +#ifndef AUDIT_MAC_OBJ_CONTEXTS
> +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */
> +#endif
> +
> #ifndef AUDIT_ANOM_LINK
> #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
> #endif
> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
> index dba2f7b..e6df28b 100644
> --- a/lib/msg_typetab.h
> +++ b/lib/msg_typetab.h
> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,
"MAC_UNLBL_STCADD"
> ) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL"
> ) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD"
> ) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL"
> ) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" )
> +_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" )
> _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
> _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
> _S(AUDIT_ANOM_LINK, "ANOM_LINK" )
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 9ee4a4f..286829e 100644
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
> search_items *s); static int parse_tty(const lnode *n, search_items *s);
> static int parse_pkt(const lnode *n, search_items *s);
> static int parse_kernel(lnode *n, search_items *s);
> +static int parse_task_contexts(lnode *n, search_items *s);
> +static int parse_obj_contexts(lnode *n, search_items *s);
>
>
> static int audit_avc_init(search_items *s)
> @@ -184,6 +186,12 @@ int extract_search_items(llist *l)
> case AUDIT_TTY:
> ret = parse_tty(n, s);
> break;
> + case AUDIT_MAC_TASK_CONTEXTS:
> + ret = parse_task_contexts(n, s);
> + break;
> + case AUDIT_MAC_OBJ_CONTEXTS:
> + ret = parse_obj_contexts(n, s);
> + break;
> default:
> if (event_debug)
> fprintf(stderr,
> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
> return 0;
> }
>
> +static int parse_task_context(lnode *n, search_items *s, char *c, int l)
> +{
> + char *str, *term;
> + anode an;
> +
> + str = strstr(n->message, c);
> + if (str == NULL)
> + return 64;
> +
> + str += l;
> + term = strchr(str, '"');
> + if (term == NULL)
> + return 62;
> + *term = 0;
> + if (audit_avc_init(s) != 0)
> + return 63;
> +
> + anode_init(&an);
> + an.scontext = strdup(str);
> + alist_append(s->avc, &an);
> + *term = '"';
> +
> + return 0;
> +}
> +
> +// parse multiple security module contexts
> +// subj_<lsm>...
> +static int parse_task_contexts(lnode *n, search_items *s)
> +{
> + int rc, final = 64;
> +
> + if (!event_subject)
> + return 0;
> +
> + rc = parse_task_context(n, s, "subj_selinux=\"", 14);
> + if (rc == 62 || rc == 63)
> + return rc;
> + if (rc == 0)
> + final = 0;
> +
> + rc = parse_task_context(n, s, "subj_smack=\"", 12);
> + if (rc == 62 || rc == 63)
> + return rc;
> + if (rc == 0)
> + final = 0;
> +
> + rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
> + if (rc == 62 || rc == 63)
> + return rc;
> + if (rc == 0)
> + final = 0;
> +
> + return final;
> +}
> +
> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
> +{
> + char *str, *term;
> + anode an;
> +
> + str = strstr(n->message, c);
> + if (str != NULL) {
> + str += l;
> + term = strchr(str, '"');
> + if (term)
> + *term = 0;
> + if (audit_avc_init(s) != 0)
> + return 2;
> + anode_init(&an);
> + an.tcontext = strdup(str);
> + alist_append(s->avc, &an);
> + if (term)
> + *term = '"';
> + }
> +
> + return 0;
> +}
> +
> +// parse multiple object security module contexts
> +// obj_<lsm>...
> +static int parse_obj_contexts(lnode *n, search_items *s)
> +{
> + // obj context
> + if (!event_object)
> + return 0;
> +
> + if (parse_obj_context(n, s, "obj_selinux=\"", 12))
> + return 2;
> + if (parse_obj_context(n, s, "obj_smack=\"", 10))
> + return 2;
> +
> + return 0;
> +}