[PATCH] integrity: audit update

[PATCH] integrity: audit update

[Mimi Zohar]

- Force audit result to be either 0 or 1.
- make template names const
- Add new stand-alone message type: AUDIT_INTEGRITY_RULE

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939a..4fa2810 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
  * 1500 - 1599 kernel LSPP events
  * 1600 - 1699 kernel crypto events
  * 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
  * 2000 is for otherwise unclassified kernel audit messages (legacy)
  * 2001 - 2099 unused (kernel)
  * 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
 #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
 #define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
 #define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
 
 #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
 
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a2..165eb53 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
 
 struct ima_template_entry {
 	u8 digest[IMA_DIGEST_SIZE];	/* sha1 or md5 measurement hash */
-	char *template_name;
+	const char *template_name;
 	int template_len;
 	struct ima_template_data template;
 };
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a148a25..3cd58b6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
 #include <linux/module.h>
 
 #include "ima.h"
-static char *IMA_TEMPLATE_NAME = "ima";
+static const char *IMA_TEMPLATE_NAME = "ima";
 
 /*
  * ima_store_template - store ima template measurements
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 8a0f1e2..1e082bb 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
 static int __init ima_audit_setup(char *str)
 {
 	unsigned long audit;
-	int rc;
-	char *op;
+	int rc, result = 0;
+	char *op = "ima_audit";
+	char *cause;
 
 	rc = strict_strtoul(str, 0, &audit);
 	if (rc || audit > 1)
-		printk(KERN_INFO "ima: invalid ima_audit value\n");
+		result = 1;
 	else
 		ima_audit = audit;
-	op = ima_audit ? "ima_audit_enabled" : "ima_audit_not_enabled";
-	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+	cause = ima_audit ? "enabled" : "not_enabled";
+	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+			    op, cause, result, 0);
 	return 1;
 }
 __setup("ima_audit=", ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 		return;
 
 	ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
-	audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u",
+	audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u",
 			 current->pid, current->cred->uid,
-			 audit_get_loginuid(current));
+			 audit_get_loginuid(current),
+			 audit_get_sessionid(current));
 	audit_log_task_context(ab);
 	switch (audit_msgno) {
 	case AUDIT_INTEGRITY_DATA:
 	case AUDIT_INTEGRITY_METADATA:
 	case AUDIT_INTEGRITY_PCR:
+	case AUDIT_INTEGRITY_STATUS:
 		audit_log_format(ab, " op=%s cause=%s", op, cause);
 		break;
 	case AUDIT_INTEGRITY_HASH:
 		audit_log_format(ab, " op=%s hash=%s", op, cause);
 		break;
-	case AUDIT_INTEGRITY_STATUS:
 	default:
 		audit_log_format(ab, " op=%s", op);
 	}
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 	if (inode)
 		audit_log_format(ab, " dev=%s ino=%lu",
 				 inode->i_sb->s_id, inode->i_ino);
-	audit_log_format(ab, " res=%d", result);
+	audit_log_format(ab, " res=%d", !result ? 0 : 1);
 	audit_log_end(ab);
 }
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 573780c..ffbe259 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	ima_putc(m, &namelen, sizeof namelen);
 
 	/* 4th:  template name */
-	ima_putc(m, e->template_name, namelen);
+	ima_putc(m, (void *)e->template_name, namelen);
 
 	/* 5th:  template specific data */
 	ima_template_show(m, (struct ima_template_data *)&e->template,
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index cf227db..0b0bb8c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -20,7 +20,7 @@
 #include "ima.h"
 
 /* name for boot aggregate entry */
-static char *boot_aggregate_name = "boot_aggregate";
+static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
 
 /* Add the boot aggregate to the IMA measurement list and extend
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 23810e0..b5291ad 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -12,7 +12,6 @@
  */
 #include <linux/module.h>
 #include <linux/list.h>
-#include <linux/audit.h>
 #include <linux/security.h>
 #include <linux/magic.h>
 #include <linux/parser.h>
@@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 	char *p;
 	int result = 0;
 
-	ab = audit_log_start(current->audit_context, GFP_KERNEL,
-			     AUDIT_INTEGRITY_STATUS);
+	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
 
 	entry->action = -1;
 	while ((p = strsep(&rule, " \n")) != NULL) {
@@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 						   AUDIT_SUBJ_TYPE);
 			break;
 		case Opt_err:
-			printk(KERN_INFO "%s: unknown token: %s\n",
-			       __FUNCTION__, p);
+			audit_log_format(ab, "UNKNOWN=%s ", p);
 			break;
 		}
 	}
 	if (entry->action == UNKNOWN)
 		result = -EINVAL;
 
-	audit_log_format(ab, "res=%d", result);
+	audit_log_format(ab, "res=%d", !result ? 0 : 1);
 	audit_log_end(ab);
 	return result;
 }
@@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
  */
 int ima_parse_add_rule(char *rule)
 {
-	const char *op = "add_rule";
+	const char *op = "update_policy";
 	struct ima_measure_rule_entry *entry;
 	int result = 0;
 	int audit_info = 0;
@@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule)
 		mutex_lock(&ima_measure_mutex);
 		list_add_tail(&entry->list, &measure_policy_rules);
 		mutex_unlock(&ima_measure_mutex);
-	} else
+	} else {
 		kfree(entry);
+		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
+				    NULL, op, "invalid policy", result,
+				    audit_info);
+	}
 	return result;
 }
 
-- 
1.5.6.6

Re: [PATCH] integrity: audit update

[Steve Grubb]

On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote:
> - Force audit result to be either 0 or 1.
> - make template names const
> - Add new stand-alone message type: AUDIT_INTEGRITY_RULE

OK, I think this patch fixes the problems from 2/8. Were you going to combine 
them for a new 2/8 or just apply this one as 9/9? IOW, should we ack this 
patch or the final one?

Thanks,
-Steve

Re: [PATCH] integrity: audit update

[Mimi Zohar]

On Tue, 2009-02-10 at 17:00 -0500, Steve Grubb wrote:
> On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote:
> > - Force audit result to be either 0 or 1.
> > - make template names const
> > - Add new stand-alone message type: AUDIT_INTEGRITY_RULE
> 
> OK, I think this patch fixes the problems from 2/8. Were you going to combine 
> them for a new 2/8 or just apply this one as 9/9? IOW, should we ack this 
> patch or the final one?
> 
> Thanks,
> -Steve

As the current patches have already been upstreamed, I'll re-post this
patch on lkml.  You can either ack this one, or the one posted on lkml.

Thanks!

Mimi

Re: [PATCH] integrity: audit update

[Steve Grubb]

On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote:
> - Force audit result to be either 0 or 1.
> - make template names const
> - Add new stand-alone message type: AUDIT_INTEGRITY_RULE
>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

Acked-by: Steve Grubb <sgrubb@redhat.com>

> ---
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 930939a..4fa2810 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -36,7 +36,8 @@
>   * 1500 - 1599 kernel LSPP events
>   * 1600 - 1699 kernel crypto events
>   * 1700 - 1799 kernel anomaly records
> - * 1800 - 1999 future kernel use (maybe integrity labels and related
> events) + * 1800 - 1899 kernel integrity events
> + * 1900 - 1999 future kernel use
>   * 2000 is for otherwise unclassified kernel audit messages (legacy)
>   * 2001 - 2099 unused (kernel)
>   * 2100 - 2199 user space anomaly records
> @@ -130,6 +131,7 @@
>  #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
>  #define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
>  #define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
> +#define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
>
>  #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index e3c16a2..165eb53 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -47,7 +47,7 @@ struct ima_template_data {
>
>  struct ima_template_entry {
>  	u8 digest[IMA_DIGEST_SIZE];	/* sha1 or md5 measurement hash */
> -	char *template_name;
> +	const char *template_name;
>  	int template_len;
>  	struct ima_template_data template;
>  };
> diff --git a/security/integrity/ima/ima_api.c
> b/security/integrity/ima/ima_api.c index a148a25..3cd58b6 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -15,7 +15,7 @@
>  #include <linux/module.h>
>
>  #include "ima.h"
> -static char *IMA_TEMPLATE_NAME = "ima";
> +static const char *IMA_TEMPLATE_NAME = "ima";
>
>  /*
>   * ima_store_template - store ima template measurements
> diff --git a/security/integrity/ima/ima_audit.c
> b/security/integrity/ima/ima_audit.c index 8a0f1e2..1e082bb 100644
> --- a/security/integrity/ima/ima_audit.c
> +++ b/security/integrity/ima/ima_audit.c
> @@ -22,16 +22,18 @@ static int ima_audit;
>  static int __init ima_audit_setup(char *str)
>  {
>  	unsigned long audit;
> -	int rc;
> -	char *op;
> +	int rc, result = 0;
> +	char *op = "ima_audit";
> +	char *cause;
>
>  	rc = strict_strtoul(str, 0, &audit);
>  	if (rc || audit > 1)
> -		printk(KERN_INFO "ima: invalid ima_audit value\n");
> +		result = 1;
>  	else
>  		ima_audit = audit;
> -	op = ima_audit ? "ima_audit_enabled" : "ima_audit_not_enabled";
> -	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
> +	cause = ima_audit ? "enabled" : "not_enabled";
> +	integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
> +			    op, cause, result, 0);
>  	return 1;
>  }
>  __setup("ima_audit=", ima_audit_setup);
> @@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode
> *inode, return;
>
>  	ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
> -	audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u",
> +	audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u",
>  			 current->pid, current->cred->uid,
> -			 audit_get_loginuid(current));
> +			 audit_get_loginuid(current),
> +			 audit_get_sessionid(current));
>  	audit_log_task_context(ab);
>  	switch (audit_msgno) {
>  	case AUDIT_INTEGRITY_DATA:
>  	case AUDIT_INTEGRITY_METADATA:
>  	case AUDIT_INTEGRITY_PCR:
> +	case AUDIT_INTEGRITY_STATUS:
>  		audit_log_format(ab, " op=%s cause=%s", op, cause);
>  		break;
>  	case AUDIT_INTEGRITY_HASH:
>  		audit_log_format(ab, " op=%s hash=%s", op, cause);
>  		break;
> -	case AUDIT_INTEGRITY_STATUS:
>  	default:
>  		audit_log_format(ab, " op=%s", op);
>  	}
> @@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode
> *inode, if (inode)
>  		audit_log_format(ab, " dev=%s ino=%lu",
>  				 inode->i_sb->s_id, inode->i_ino);
> -	audit_log_format(ab, " res=%d", result);
> +	audit_log_format(ab, " res=%d", !result ? 0 : 1);
>  	audit_log_end(ab);
>  }
> diff --git a/security/integrity/ima/ima_fs.c
> b/security/integrity/ima/ima_fs.c index 573780c..ffbe259 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m,
> void *v) ima_putc(m, &namelen, sizeof namelen);
>
>  	/* 4th:  template name */
> -	ima_putc(m, e->template_name, namelen);
> +	ima_putc(m, (void *)e->template_name, namelen);
>
>  	/* 5th:  template specific data */
>  	ima_template_show(m, (struct ima_template_data *)&e->template,
> diff --git a/security/integrity/ima/ima_init.c
> b/security/integrity/ima/ima_init.c index cf227db..0b0bb8c 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -20,7 +20,7 @@
>  #include "ima.h"
>
>  /* name for boot aggregate entry */
> -static char *boot_aggregate_name = "boot_aggregate";
> +static const char *boot_aggregate_name = "boot_aggregate";
>  int ima_used_chip;
>
>  /* Add the boot aggregate to the IMA measurement list and extend
> diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c index 23810e0..b5291ad 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -12,7 +12,6 @@
>   */
>  #include <linux/module.h>
>  #include <linux/list.h>
> -#include <linux/audit.h>
>  #include <linux/security.h>
>  #include <linux/magic.h>
>  #include <linux/parser.h>
> @@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct
> ima_measure_rule_entry *entry) char *p;
>  	int result = 0;
>
> -	ab = audit_log_start(current->audit_context, GFP_KERNEL,
> -			     AUDIT_INTEGRITY_STATUS);
> +	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
>
>  	entry->action = -1;
>  	while ((p = strsep(&rule, " \n")) != NULL) {
> @@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct
> ima_measure_rule_entry *entry) AUDIT_SUBJ_TYPE);
>  			break;
>  		case Opt_err:
> -			printk(KERN_INFO "%s: unknown token: %s\n",
> -			       __FUNCTION__, p);
> +			audit_log_format(ab, "UNKNOWN=%s ", p);
>  			break;
>  		}
>  	}
>  	if (entry->action == UNKNOWN)
>  		result = -EINVAL;
>
> -	audit_log_format(ab, "res=%d", result);
> +	audit_log_format(ab, "res=%d", !result ? 0 : 1);
>  	audit_log_end(ab);
>  	return result;
>  }
> @@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct
> ima_measure_rule_entry *entry) */
>  int ima_parse_add_rule(char *rule)
>  {
> -	const char *op = "add_rule";
> +	const char *op = "update_policy";
>  	struct ima_measure_rule_entry *entry;
>  	int result = 0;
>  	int audit_info = 0;
> @@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule)
>  		mutex_lock(&ima_measure_mutex);
>  		list_add_tail(&entry->list, &measure_policy_rules);
>  		mutex_unlock(&ima_measure_mutex);
> -	} else
> +	} else {
>  		kfree(entry);
> +		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
> +				    NULL, op, "invalid policy", result,
> +				    audit_info);
> +	}
>  	return result;
>  }