On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
This patch supplies userspace support for the MAC_TASK_CONTEXTS
and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
security module (LSM) stacking effort.
I have posted as an RFC because, well, I'd like comments.
In general, this looks good. Typically, the return codes of the parser functions are unique per record type, for debugging (when passing --debug to ausearch). IOW, you can start at 1 instead of 62, since the output identifies both the record type and the return code.
There is the general issue of what ausearch --format csv & --format text
outputs, though.
-Steve
The additional context values are added to the existing lists.
The existing search methods work on these lists, so that's about
all it takes.
---
lib/libaudit.h | 8 ++++
lib/msg_typetab.h | 2 +
src/ausearch-parse.c | 101
+++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
insertions(+)
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ed75892..9bc3aa9 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -311,6 +311,14 @@ extern "C" {
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry
*/
#endif
+#ifndef AUDIT_MAC_TASK_CONTEXTS
+#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */
+#endif
+
+#ifndef AUDIT_MAC_OBJ_CONTEXTS
+#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */
+#endif
+
#ifndef AUDIT_ANOM_LINK
#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
#endif
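Review bot: The comments on the two new defines misspell "Multiple"; they should read `/* Multiple task contexts */` and `/* Multiple object contexts */`. The values 1420 and 1421 are hard-coded under #ifndef guards, and since the description says these record types are still only proposed on the kernel side, the numbers should be confirmed against the final kernel UAPI values before merging, otherwise a build against an older kernel header would classify these records under the wrong type.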
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index dba2f7b..e6df28b 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD"
) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL"
) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD"
) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL"
) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" )
+_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" )
_S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
_S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
_S(AUDIT_ANOM_LINK, "ANOM_LINK" )
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 9ee4a4f..286829e 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
search_items *s);
static int parse_tty(const lnode *n, search_items *s);
static int parse_pkt(const lnode *n, search_items *s);
static int parse_kernel(lnode *n, search_items *s);
+static int parse_task_contexts(lnode *n, search_items *s);
+static int parse_obj_contexts(lnode *n, search_items *s);
static int audit_avc_init(search_items *s)
@@ -184,6 +186,12 @@ int extract_search_items(llist *l)
case AUDIT_TTY:
ret = parse_tty(n, s);
break;
+ case AUDIT_MAC_TASK_CONTEXTS:
+ ret = parse_task_contexts(n, s);
+ break;
+ case AUDIT_MAC_OBJ_CONTEXTS:
+ ret = parse_obj_contexts(n, s);
+ break;
default:
if (event_debug)
fprintf(stderr,
@@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
return 0;
}
+static int parse_task_context(lnode *n, search_items *s, char *c, int l)
+{
+ char *str, *term;
+ anode an;
+
+ str = strstr(n->message, c);
+ if (str == NULL)
+ return 64;
+
+ str += l;
+ term = strchr(str, '"');
+ if (term == NULL)
+ return 62;
+ *term = 0;
+ if (audit_avc_init(s) != 0)
+ return 63;
+
+ anode_init(&an);
+ an.scontext = strdup(str);
+ alist_append(s->avc, &an);
+ *term = '"';
+
+ return 0;
+}
+
+// parse multiple security module contexts
+// subj_<lsm>...
+static int parse_task_contexts(lnode *n, search_items *s)
+{
+ int rc, final = 64;
+
+ if (!event_subject)
+ return 0;
+
+ rc = parse_task_context(n, s, "subj_selinux=\"", 14);
+ if (rc == 62 || rc == 63)
+ return rc;
+ if (rc == 0)
+ final = 0;
+
+ rc = parse_task_context(n, s, "subj_smack=\"", 12);
+ if (rc == 62 || rc == 63)
+ return rc;
+ if (rc == 0)
+ final = 0;
+
+ rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
+ if (rc == 62 || rc == 63)
+ return rc;
+ if (rc == 0)
+ final = 0;
+
+ return final;
+}
+
+static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
+{
+ char *str, *term;
+ anode an;
+
+ str = strstr(n->message, c);
+ if (str != NULL) {
+ str += l;
+ term = strchr(str, '"');
+ if (term)
+ *term = 0;
+ if (audit_avc_init(s) != 0)
+ return 2;
+ anode_init(&an);
+ an.tcontext = strdup(str);
+ alist_append(s->avc, &an);
+ if (term)
+ *term = '"';
+ }
+
+ return 0;
+}
+
+// parse multiple object security module contexts
+// obj_<lsm>...
+static int parse_obj_contexts(lnode *n, search_items *s)
+{
+ // obj context
+ if (!event_object)
+ return 0;
+
+ if (parse_obj_context(n, s, "obj_selinux=\"", 12))
+ return 2;
+ if (parse_obj_context(n, s, "obj_smack=\"", 10))
+ return 2;
+
+ return 0;
+}
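Review bot: The hand-counted prefix lengths passed by parse_obj_contexts are both one short — `"obj_selinux=\""` is 13 characters and `"obj_smack=\""` is 11, but 12 and 10 are passed — so `str += l` lands on the opening quote, strchr() finds it immediately and every object context is recorded as an empty string. Dropping the length argument and using `str += strlen(c);` in both parse_task_context and parse_obj_context removes this class of error (the subj_* lengths happen to be correct). Separately, both helpers write the NUL terminator into n->message before calling audit_avc_init() and return without restoring the quote when it fails, leaving the message truncated for any later parser; call audit_avc_init() before `*term = 0`. parse_obj_context also tolerates a missing closing quote (copying the rest of the message) where parse_task_context returns 62, and neither checks the strdup() result before appending; the two helpers should agree on both.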