[RFC] Obtaining PATH entry without audit userland

[RFC] Obtaining PATH entry without audit userland

[Yuichi Nakamura]

Hi.

When debugging SELinux policy, PATH audit entry is useful.
In current audit, 
context->dummy should be 0 to obtain PATH entry, 
but it is set 1 if no audit rules are registered, 
so some audit rule should be registered to obtain PATH entry.

To register audit rule, we need audit userland.
However, in embedded devices 
we want as little userland as possible,
because hardware resource is constrained and cross-compiling is tiresome.

We want PATH entry to debug SELinux policy,
we do not want to port audit userland for this purpose,
so we want to do it in kernel.

Following is simple patch to obtain PATH entry without audit userland.
Does this sound reasonable??

Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
---
 init/Kconfig     |   10 ++++++++++
 kernel/audit.h   |    7 +++++++
 kernel/auditsc.c |    9 ++++++++-
 3 files changed, 25 insertions(+), 1 deletion(-)
diff -purN -X linux-2.6.22.1/Documentation/dontdiff linux-2.6.22.1.old/kernel/audit.h linux-2.6.22.1/kernel/audit.h
--- linux-2.6.22.1.old/kernel/audit.h	2007-12-19 10:00:19.000000000 +0900
+++ linux-2.6.22.1/kernel/audit.h	2008-01-09 09:04:28.000000000 +0900
@@ -143,6 +143,13 @@ static inline int audit_signal_info(int 
 extern enum audit_state audit_filter_inodes(struct task_struct *,
 					    struct audit_context *);
 extern void audit_set_auditable(struct audit_context *);
+
+#ifdef CONFIG_AUDIT_PATH
+#define DEFAULT_AUDIT_PATH_ENTRY 1
+#else
+#define DEFAULT_AUDIT_PATH_ENTRY 0
+#endif
+
 #else
 #define audit_signal_info(s,t) AUDIT_DISABLED
 #define audit_filter_inodes(t,c) AUDIT_DISABLED
diff -purN -X linux-2.6.22.1/Documentation/dontdiff linux-2.6.22.1.old/kernel/auditsc.c linux-2.6.22.1/kernel/auditsc.c
--- linux-2.6.22.1.old/kernel/auditsc.c	2007-12-19 10:00:19.000000000 +0900
+++ linux-2.6.22.1/kernel/auditsc.c	2008-01-09 08:57:44.000000000 +0900
@@ -227,6 +227,8 @@ struct audit_context {
 #endif
 };
 
+int audit_path_entry = DEFAULT_AUDIT_PATH_ENTRY;
+
 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
 static inline int open_arg(int flags, int mask)
 {
@@ -1198,7 +1200,12 @@ void audit_syscall_entry(int arch, int m
 	context->argv[3]    = a4;
 
 	state = context->state;
-	context->dummy = !audit_n_rules;
+
+	if (audit_path_entry)
+		context->dummy = 0;
+	else
+		context->dummy = !audit_n_rules;
+
 	if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
 	if (likely(state == AUDIT_DISABLED))
--- linux-2.6.22.1.old/init/Kconfig	2008-01-08 13:49:30.000000000 +0900
+++ linux-2.6.22.1/init/Kconfig	2007-12-19 11:50:17.000000000 +0900
@@ -245,6 +245,16 @@ config AUDITSYSCALL
 	  such as SELinux.  To use audit's filesystem watch feature, please
 	  ensure that INOTIFY is configured.
 
+config AUDIT_PATH
+	bool "Audit always PATH entry"
+	depends on AUDITSYSCALL
+	default n
+	help
+	  By default, PATH entry is not audited unless
+          you register some audit rule.
+	  With this option, PATH entry is always audited.
+	  This is useful in debugging SELinux policy without audit userland. 
+
 config IKCONFIG
 	tristate "Kernel .config support"
 	---help---


-- 
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/

Re: [RFC] Obtaining PATH entry without audit userland

[Steve Grubb]

On Thursday 10 January 2008 03:42:38 Yuichi Nakamura wrote:
> Hi.
>
> When debugging SELinux policy, PATH audit entry is useful.
> In current audit,
> context->dummy should be 0 to obtain PATH entry,
> but it is set 1 if no audit rules are registered,
> so some audit rule should be registered to obtain PATH entry.
>
> To register audit rule, we need audit userland.
> However, in embedded devices
> we want as little userland as possible,
> because hardware resource is constrained and cross-compiling is tiresome.
>
> We want PATH entry to debug SELinux policy,
> we do not want to port audit userland for this purpose,
> so we want to do it in kernel.
>
> Following is simple patch to obtain PATH entry without audit userland.
> Does this sound reasonable??

I was under the impression that Al Viro has already sent a patch allowing for 
PATH in all AVC messages. Al?


> Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
> ---
>  init/Kconfig     |   10 ++++++++++
>  kernel/audit.h   |    7 +++++++
>  kernel/auditsc.c |    9 ++++++++-
>  3 files changed, 25 insertions(+), 1 deletion(-)
> diff -purN -X linux-2.6.22.1/Documentation/dontdiff
> linux-2.6.22.1.old/kernel/audit.h linux-2.6.22.1/kernel/audit.h ---
> linux-2.6.22.1.old/kernel/audit.h	2007-12-19 10:00:19.000000000 +0900 +++
> linux-2.6.22.1/kernel/audit.h	2008-01-09 09:04:28.000000000 +0900 @@ -143,6
> +143,13 @@ static inline int audit_signal_info(int
>  extern enum audit_state audit_filter_inodes(struct task_struct *,
>  					    struct audit_context *);
>  extern void audit_set_auditable(struct audit_context *);
> +
> +#ifdef CONFIG_AUDIT_PATH
> +#define DEFAULT_AUDIT_PATH_ENTRY 1
> +#else
> +#define DEFAULT_AUDIT_PATH_ENTRY 0
> +#endif
> +
>  #else
>  #define audit_signal_info(s,t) AUDIT_DISABLED
>  #define audit_filter_inodes(t,c) AUDIT_DISABLED
> diff -purN -X linux-2.6.22.1/Documentation/dontdiff
> linux-2.6.22.1.old/kernel/auditsc.c linux-2.6.22.1/kernel/auditsc.c ---
> linux-2.6.22.1.old/kernel/auditsc.c	2007-12-19 10:00:19.000000000 +0900 +++
> linux-2.6.22.1/kernel/auditsc.c	2008-01-09 08:57:44.000000000 +0900 @@
> -227,6 +227,8 @@ struct audit_context {
>  #endif
>  };
>
> +int audit_path_entry = DEFAULT_AUDIT_PATH_ENTRY;
> +
>  #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
>  static inline int open_arg(int flags, int mask)
>  {
> @@ -1198,7 +1200,12 @@ void audit_syscall_entry(int arch, int m
>  	context->argv[3]    = a4;
>
>  	state = context->state;
> -	context->dummy = !audit_n_rules;
> +
> +	if (audit_path_entry)
> +		context->dummy = 0;
> +	else
> +		context->dummy = !audit_n_rules;
> +
>  	if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state ==
> AUDIT_BUILD_CONTEXT)) state = audit_filter_syscall(tsk, context,
> &audit_filter_list[AUDIT_FILTER_ENTRY]); if (likely(state ==
> AUDIT_DISABLED))
> --- linux-2.6.22.1.old/init/Kconfig	2008-01-08 13:49:30.000000000 +0900
> +++ linux-2.6.22.1/init/Kconfig	2007-12-19 11:50:17.000000000 +0900
> @@ -245,6 +245,16 @@ config AUDITSYSCALL
>  	  such as SELinux.  To use audit's filesystem watch feature, please
>  	  ensure that INOTIFY is configured.
>
> +config AUDIT_PATH
> +	bool "Audit always PATH entry"
> +	depends on AUDITSYSCALL
> +	default n
> +	help
> +	  By default, PATH entry is not audited unless
> +          you register some audit rule.
> +	  With this option, PATH entry is always audited.
> +	  This is useful in debugging SELinux policy without audit userland.
> +
>  config IKCONFIG
>  	tristate "Kernel .config support"
>  	---help---

Re: [RFC] Obtaining PATH entry without audit userland

[Alexander Viro]

On Thu, Jan 10, 2008 at 10:19:50AM -0500, Steve Grubb wrote:
> I was under the impression that Al Viro has already sent a patch allowing for 
> PATH in all AVC messages. Al?

In the mainline for quite a while...

Re: [RFC] Obtaining PATH entry without audit userland

[Steve Grubb]

On Thursday 10 January 2008 10:32:37 Alexander Viro wrote:
> On Thu, Jan 10, 2008 at 10:19:50AM -0500, Steve Grubb wrote:
> > I was under the impression that Al Viro has already sent a patch allowing
> > for PATH in all AVC messages. Al?
>
> In the mainline for quite a while...

That's what I thought.

Yuichi, what kernel are you testing against that is having the problem? Is 
there a simple test case that shows the problem so we can check the kernel to 
make sure its working properly?

Thanks,
-Steve

Re: [RFC] Obtaining PATH entry without audit userland

[Stephen Smalley]

On Thu, 2008-01-10 at 10:40 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 10:32:37 Alexander Viro wrote:
> > On Thu, Jan 10, 2008 at 10:19:50AM -0500, Steve Grubb wrote:
> > > I was under the impression that Al Viro has already sent a patch allowing
> > > for PATH in all AVC messages. Al?
> >
> > In the mainline for quite a while...
> 
> That's what I thought.
> 
> Yuichi, what kernel are you testing against that is having the problem? Is 
> there a simple test case that shows the problem so we can check the kernel to 
> make sure its working properly?

SELinux can still only audit a pathname (vs. just the component name)
when it has the (vfsmount, dentry) pair available in the LSM hook, which
often isn't the case still.  So we still depend on audit pathname
collection to give us more information than just the component name on
many permission checks.

-- 
Stephen Smalley
National Security Agency

Re: [RFC] Obtaining PATH entry without audit userland

[Yuichi Nakamura]

On Thu, 10 Jan 2008 10:40:18 -0500
Steve Grubb  wrote:
> On Thursday 10 January 2008 10:32:37 Alexander Viro wrote:
> > On Thu, Jan 10, 2008 at 10:19:50AM -0500, Steve Grubb wrote:
> > > I was under the impression that Al Viro has already sent a patch allowing
> > > for PATH in all AVC messages. Al?
> >
> > In the mainline for quite a while...
> 
> That's what I thought.
> 
> Yuichi, what kernel are you testing against that is having the problem? Is 
> there a simple test case that shows the problem so we can check the kernel to 
> make sure its working properly?
I am using 2.6.22.1 and 2.6.24.rc1, and enabling syscall audit.

One example of AVC message in 2.6.24.rc1 is below.
#Type is broken for testing, do not warry about that :)
audit(946684824.060:5): avc:  denied  { read } for  pid=796 comm="httpd" name="index.html" dev=sda1 ino=61906 
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:etc_shadow_t tclass=file
audit(946684824.060:5): arch=2a syscall=5 per=800000 success=yes exit=5 a0=48d490 a1=0 a2=1b6 a3=1b6 items=1 
ppid=795 pid=796 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="httpd" 
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)

File name appears as name="index.html".

By applying my patch or registering some audit rule, 
following will appear.

audit(946684824.060:5):  cwd="/"
audit(946684824.060:5): item=0 name="/var/www/htdocs/index.html" inode=61906 dev=08:01 mode=0100644 
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_shadow_t

Here, fullpath "/var/www/htdocs/index.html" is reported.

Regards,
-- 
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/

Re: [RFC] Obtaining PATH entry without audit userland

[Steve Grubb]

On Thursday 10 January 2008 19:27:18 Yuichi Nakamura wrote:
> One example of AVC message in 2.6.24.rc1 is below.
> #Type is broken for testing, do not warry about that :)
> audit(946684824.060:5): avc:  denied  { read } for  pid=796 comm="httpd"
> name="index.html" dev=sda1 ino=61906 scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:etc_shadow_t tclass=file audit(946684824.060:5):
> arch=2a syscall=5 per=800000 success=yes exit=5 a0=48d490 a1=0 a2=1b6
> a3=1b6 items=1 ppid=795 pid=796 auid=4294967295 uid=99 gid=99 euid=99
> suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)
>
> File name appears as name="index.html".

How can we recreate the problem so that we can see what is going on?

Thanks,
-Steve

Re: [RFC] Obtaining PATH entry without audit userland

[Yuichi Nakamura]

On Thu, 10 Jan 2008 19:32:04 -0500
Steve Grubb  wrote:
> On Thursday 10 January 2008 19:27:18 Yuichi Nakamura wrote:
> > One example of AVC message in 2.6.24.rc1 is below.
> > #Type is broken for testing, do not warry about that :)
> > audit(946684824.060:5): avc: denied { read } for pid=796 comm="httpd"
> > name="index.html" dev=sda1 ino=61906 scontext=system_u:system_r:httpd_t
> > tcontext=system_u:object_r:etc_shadow_t tclass=file audit(946684824.060:5):
> > arch=2a syscall=5 per=800000 success=yes exit=5 a0=48d490 a1=0 a2=1b6
> > a3=1b6 items=1 ppid=795 pid=796 auid=4294967295 uid=99 gid=99 euid=99
> > suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="httpd"
> > exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)
> How can we recreate the problem so that we can see what is going on?

Here is how to recreate on Fedora 8 PC.

(1) Check /etc/audit/audit.rules, and make sure no rules are registered.
If registered, remove them and reboot.

(2) Break security context to generate AVC message, and generate AVC.
# chcon -t shadow_t /etc/httpd/conf/httpd.conf
# /etc/init.d/httpd start

(3) It should fail, and following AVC message appears
--
# ausearch -m AVC
time->Fri Jan 11 09:58:55 2008
type=SYSCALL msg=audit(1200013135.944:60): arch=40000003 syscall=5 success=no exit=-13 a0=b999c158 a1=8000 a2=1b6 a3=8000 items=0 ppid=2586 pid=2587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1200013135.944:60): avc:  denied  { read } for  pid=2587 comm="httpd" name="httpd.conf" dev=dm-0 ino=1109270 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
---

"name" is httpd.conf.

(4) Register dummy audit rule and generate AVC message again.
---
# auditctl -a exit,always -S chdir -F obj_type=dummy_t
# /etc/init.d/httpd start
# ausearch -m AVC 
time->Fri Jan 11 10:03:46 2008
type=PATH msg=audit(1200013426.905:65): item=0 name="/etc/httpd/conf/httpd.conf" inode=1109270 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=CWD msg=audit(1200013426.905:65):  cwd="/root"
type=SYSCALL msg=audit(1200013426.905:65): arch=40000003 syscall=5 success=no exit=-13 a0=b913f158 a1=8000 a2=1b6 a3=8000 items=1 ppid=2612 pid=2613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1200013426.905:65): avc:  denied  { read } for  pid=2613 comm="httpd" name="httpd.conf" dev=dm-0 ino=1109270 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
---

In type=PATH, full path name "/etc/httpd/conf/httpd.conf"  appeared.

Regards,
-- 
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/

Re: [RFC] Obtaining PATH entry without audit userland

[Stephen Smalley]

On Thu, 2008-01-10 at 19:32 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 19:27:18 Yuichi Nakamura wrote:
> > One example of AVC message in 2.6.24.rc1 is below.
> > #Type is broken for testing, do not warry about that :)
> > audit(946684824.060:5): avc:  denied  { read } for  pid=796 comm="httpd"
> > name="index.html" dev=sda1 ino=61906 scontext=system_u:system_r:httpd_t
> > tcontext=system_u:object_r:etc_shadow_t tclass=file audit(946684824.060:5):
> > arch=2a syscall=5 per=800000 success=yes exit=5 a0=48d490 a1=0 a2=1b6
> > a3=1b6 items=1 ppid=795 pid=796 auid=4294967295 uid=99 gid=99 euid=99
> > suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="httpd"
> > exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)
> >
> > File name appears as name="index.html".
> 
> How can we recreate the problem so that we can see what is going on?

Just trigger a denial on open(2) without any audit rules configured.
Then, audit system doesn't collect pathname info due to the
"optimization" to not collect information without syscall filters, and
SELinux doesn't get the vfsmount (reliably) in selinux_inode_permission,
so it cannot generate a path either.

-- 
Stephen Smalley
National Security Agency