From: Steve Grubb <sgrubb@redhat.com>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
Date: Mon, 09 Aug 2021 10:02:05 -0400	[thread overview]
Message-ID: <5738084.lOV4Wx5bFT@x2> (raw)
In-Reply-To: <407c1b04-f6ca-327d-0227-77f97c3f6f2c@schaufler-ca.com>

On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
> This patch supplies userspace support for the MAC_TASK_CONTEXTS
> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
> security module (LSM) stacking effort.
> 
> I have posted as an RFC because, well, I'd like comments.

In general, this looks good. Typically, the return code of each function in the 
parser is unique per record type, for debugging (passing --debug to ausearch). 
IOW, you can start at 1 instead of 62, since the output identifies the 
record type and return code.

There is the general issue of what ausearch  --format csv & --format text 
outputs, though.

-Steve
 
> The additional context values are added to the existing lists.
> The existing search methods work on these lists, so that's about
> all it takes.
> 
> ---
>  lib/libaudit.h       |   8 ++++
>  lib/msg_typetab.h    |   2 +
>  src/ausearch-parse.c | 101
> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
> insertions(+)
> 
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index ed75892..9bc3aa9 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -311,6 +311,14 @@ extern "C" {
>  #define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry 
*/
>  #endif
> 
> +#ifndef AUDIT_MAC_TASK_CONTEXTS
> +#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multilple task contexts */
> +#endif
> +
> +#ifndef AUDIT_MAC_OBJ_CONTEXTS
> +#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multilple object contexts */
> +#endif
> +
>  #ifndef AUDIT_ANOM_LINK
>  #define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
>  #endif
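Review bot: The comments on the two new defines misspell "Multiple" as "Multilple"; since these lines are copied into the public header that ships with libaudit, they are worth fixing before merge, e.g. `#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multiple task contexts */` and `#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multiple object contexts */`. The surrounding entries document the record's purpose in the same short form, so no further wording is needed.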
> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
> index dba2f7b..e6df28b 100644
> --- a/lib/msg_typetab.h
> +++ b/lib/msg_typetab.h
> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"
>              ) _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"    
>          ) _S(AUDIT_MAC_CALIPSO_ADD,            "MAC_CALIPSO_ADD"         
>      ) _S(AUDIT_MAC_CALIPSO_DEL,            "MAC_CALIPSO_DEL"             
>  ) +_S(AUDIT_MAC_TASK_CONTEXTS,          "MAC_TASK_CONTEXTS"             )
> +_S(AUDIT_MAC_OBJ_CONTEXTS,           "MAC_OBJ_CONTEXTS"              )
> _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
> _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
> _S(AUDIT_ANOM_LINK,                  "ANOM_LINK"                     )
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 9ee4a4f..286829e 100644
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
> search_items *s); static int parse_tty(const lnode *n, search_items *s);
>  static int parse_pkt(const lnode *n, search_items *s);
>  static int parse_kernel(lnode *n, search_items *s);
> +static int parse_task_contexts(lnode *n, search_items *s);
> +static int parse_obj_contexts(lnode *n, search_items *s);
> 
> 
>  static int audit_avc_init(search_items *s)
> @@ -184,6 +186,12 @@ int extract_search_items(llist *l)
>  			case AUDIT_TTY:
>  				ret = parse_tty(n, s);
>  				break;
> +			case AUDIT_MAC_TASK_CONTEXTS:
> +				ret = parse_task_contexts(n, s);
> +				break;
> +			case AUDIT_MAC_OBJ_CONTEXTS:
> +				ret = parse_obj_contexts(n, s);
> +				break;
>  			default:
>  				if (event_debug)
>  					fprintf(stderr,
> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
>  	return 0;
>  }
> 
> +static int parse_task_context(lnode *n, search_items *s, char *c, int l)
> +{
> +	char *str, *term;
> +	anode an;
> +
> +	str = strstr(n->message, c);
> +	if (str == NULL)
> +		return 64;
> +
> +	str += l;
> +	term = strchr(str, '"');
> +	if (term == NULL)
> +		return 62;
> +	*term = 0;
> +	if (audit_avc_init(s) != 0)
> +		return 63;
> +
> +	anode_init(&an);
> +	an.scontext = strdup(str);
> +	alist_append(s->avc, &an);
> +	*term = '"';
> +
> +	return 0;
> +}
> +
> +// parse multiple security module contexts
> +// subj_<lsm>...
> +static int parse_task_contexts(lnode *n, search_items *s)
> +{
> +	int rc, final = 64;
> +
> +	if (!event_subject)
> +		return 0;
> +
> +	rc = parse_task_context(n, s, "subj_selinux=\"", 14);
> +	if (rc == 62 || rc == 63)
> +		return rc;
> +	if (rc == 0)
> +		final = 0;
> +
> +	rc = parse_task_context(n, s, "subj_smack=\"", 12);
> +	if (rc == 62 || rc == 63)
> +		return rc;
> +	if (rc == 0)
> +		final = 0;
> +
> +	rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
> +	if (rc == 62 || rc == 63)
> +		return rc;
> +	if (rc == 0)
> +		final = 0;
> +
> +	return final;
> +}
> +
> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
> +{
> +	char *str, *term;
> +	anode an;
> +
> +	str = strstr(n->message, c);
> +	if (str != NULL) {
> +		str += l;
> +		term = strchr(str, '"');
> +		if (term)
> +			*term = 0;
> +		if (audit_avc_init(s) != 0)
> +			return 2;
> +		anode_init(&an);
> +		an.tcontext = strdup(str);
> +		alist_append(s->avc, &an);
> +		if (term)
> +			*term = '"';
> +	}
> +
> +	return 0;
> +}
> +
> +// parse multiple object security module contexts
> +// obj_<lsm>...
> +static int parse_obj_contexts(lnode *n, search_items *s)
> +{
> +	// obj context
> +	if (!event_object)
> +		return 0;
> +
> +	if (parse_obj_context(n, s, "obj_selinux=\"", 12))
> +		return 2;
> +	if (parse_obj_context(n, s, "obj_smack=\"", 10))
> +		return 2;
> +
> +	return 0;
> +}
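Review bot: The length arguments in parse_obj_contexts are off by one: `"obj_selinux=\""` is 13 characters and `"obj_smack=\""` is 11, but 12 and 10 are passed, so `str += l` in parse_obj_context lands on the opening quote, `strchr` finds that same quote, and the stored tcontext is always an empty string; the minimal fix is `if (parse_obj_context(n, s, "obj_selinux=\"", 13))` and `if (parse_obj_context(n, s, "obj_smack=\"", 11))`. The task-side lengths (14, 12, 15) happen to be right, which shows how error-prone the hand-counted offsets are; dropping the `l` parameter from both helpers and using `str += strlen(c);` (with `c` declared `const char *`) removes that class of mistake at the cost of a few one-token edits. Separately, parse_task_context returns 62 when the closing quote is missing while parse_obj_context silently copies the rest of the message into the context; the two helpers should agree on that case, and checking the `strdup` result before `alist_append` would avoid appending a node whose context is NULL on allocation failure.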




--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

