From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C0A33C433F5 for ; Wed, 24 Nov 2021 02:10:18 +0000 (UTC) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-190-K_ImZd4dOI2M7wx0yMEvtA-1; Tue, 23 Nov 2021 21:10:14 -0500 X-MC-Unique: K_ImZd4dOI2M7wx0yMEvtA-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E963183DD23; Wed, 24 Nov 2021 02:10:10 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D338E60CC4; Wed, 24 Nov 2021 02:10:10 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 92FA14BB7C; Wed, 24 Nov 2021 02:10:10 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 1AO2A9eC013863 for ; Tue, 23 Nov 2021 21:10:09 -0500 Received: by smtp.corp.redhat.com (Postfix) id 8BFD340D1B9E; Wed, 24 Nov 2021 02:10:09 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 86DE040D1B98 for ; Wed, 24 Nov 2021 02:10:09 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6B0B88011A5 for ; Wed, 24 Nov 2021 02:10:09 +0000 (UTC) Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-230-g6la3kWbNnWV4xyAJIYhCg-1; Tue, 23 Nov 2021 21:10:07 -0500 X-MC-Unique: g6la3kWbNnWV4xyAJIYhCg-1 X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1637719806; bh=Di5hPUPZpGsAZ5Odpf8+egZj+tkXjdTZJAf9Or35Eix=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=GTK1uSmRFXzCBcXy6takztcysJ24s+sYsC/PTbSwBlgQZTFCyjsUew39GYJQV7RL9y7Fhb6/oorMUP3gaIPBqaYU34gByDPT0sL7CnsYgueOWaE+pv5f0fbIUs6Q8YsH55IqKbLgStnB6shpSkK1ctVIc8rPQ2ZcL62QOrrq37yO6a9rSgq8mLkzgKyilLdlxkt3WsvTuc+U1VBtVD+hu8jjPVAISedVUepBxlVDSxMxlIm4fCyU9QtVv6sajgTKOh88yEUlgt86dz70Rur25Ame4NyufriIFACeCfIFEhk7y1ngb3ueyRFwQHdv3jtEn+31jytc/xOpwJaJ3sYozA== X-YMail-OSG: IW5yBxYVM1niQT5IRqng8nMPZPMjYAEQxmu9KjcobD6tB0YhZoDevZ6WvwBSSr2 zQJwpBPuG.Tcl01nx3qdP0z7rqzODzXoZu38Sj2vDKPss1YXqv6IoOLv5_E.8PYk2fe_jWMO077p tHMYDRdR4wugnkV3pmVWhfJiW0re_4Q0FX0buYIVtrHeevnE3EZuoL61pkDI.g_aP_q58vZmDPnL nv59BGPWvoCmt_2ewh_YOGnbFnKYYu8h8qQa8H0Y5oSc5.G5ka8BxkHhP5vo.IpduZSajwNY4fxV 0ToiTEkCGRzWf_wQpZ9J9mSU670eaf9oXFEczCe2Vl0zAUfio.uoM1FDx_DzQltBkIimosltiMpS ix5eFDN54xEEAssmc57uLi6r1EiziG7Oeg7cbE.OpHkVj.k.tFy48Vtg5cRlJDKv8moNuEchNnDi zgoic2wTNOmy_H_zDeGbVoqBwdS3B8z_28VJrcXQ39LGCy76tJIoaKPYh3e5Y4quySZ3R3kiNvor RZwCJ7JGMi1jQgCZnnPH3f8.c3AQ01IiNhJUYGCUVZQtJ1pMudVoJPTer6iin_vMechpWXn17PVL fTgbLE6whMsAoxBNkOkNjh682Ou2qgFYNbqTXhkVgBV7myXJemS_uxMyJaJWgbGUGwBGAEACcT8C iBdzMHYMX5C4YYpqAziodMAQIZ_JZJP7c8QFL94AMyjUhcBxssBGCeYaZFdf5d3CXU_E9HTY5mxA zS_ZOQZCm0or2qaeEf8uH.m9PFpoHhWTki5WdTzBDkFvvwJYwDxXhs3om8HqsKX5ldCbkeLolCfX u05u8CIA1tPgiEsPmoY3d1e.shDt2FzWf7s5nw4uj_reRGoW5NcuyaMJERMwEE6OEr.EtV2ZsWjt IyJEjXBqYPbQ_4PB3e3BwJfv.IP570amP.QhCV8hVVRE0E9eNEFGxNYaMMTC6b_zvSFKXMF21UK8 HD9eHS1JWL6dYdJo6qhHBo4pDA.VtIVyIREtaQZ0Z5d25_..TCN6NjOHcudXc0F6Cv.5GYQi_.9v GqAPCO7438udz_QS.7lCCjswCgLk6RDDGbc3UB6VH3Myn6ex_zFHbpGtyrxeM3VPvNu0lOEn0H.N SnggRsojF4meJ3TPAa5DcWIKLFZ6LZcU4OqDKHbSjwKqrCUI3tMVi6.GqxZUjmoMM7p4rKyxjgt. PEhcccIYGGXAAhvPz5QsZfY3rJVU47j.pkgo3SoqYCN23lZwU4R6j568ZccIS_jgVjUJrk_TXdX6 kGqJIuDbEKAxxMOZcFfSTQ3b0RsCNxgXPFIG7H0p4FIoNmnD.fJRnkSp5RjPTXbl2XVjYPQAMfuR qKB4.ux6.YNmvW1OSDtKNzk_CHQuYRbt0GQ3c4HPOQwipnZUMBIwe4ukmplDMBmldXeTxiRpoVrw yiT6eP8lHptwfmCXum2SLHKgXMB7JPe6mq2CsIX0Q8RcNdlCoIj78FUnREk1J4P3oqhoBrJI5cRl mGf_t4mH_IO.uGhT_jTnKfYRPLD5DR7msQnWkELPfWBwvgkPe4rueqkaYGkRU3Qfx9tnTzvaXdlP Y3E3d0QOZnh1sbX9C6t_83fkKmY2Rsc.RHnRWwpjNqH2xcL0j41Y56IvbYOC5.tB_rRMao03jigf .pMgowAyr6hTV9a7q3DB54sYobhBL1IAu9DqFRS5pOhEDG78VV.GCTpKapbBzqznFgPtcfoD3seN EFLKiae.PglmuZV7DIaTv8DCRQLB_ognUaAzN0DGyYd_07gzn8v1rEYBQKaHX9kuiHjvG85_0WaT 5U959oP0pfTbolac4UBCPx9Tp3Gj9viJyJ7s22UKUFRHYoX0Fs9P6ZEoERxlmMnfHHsIdOoWAD4l chJZU79bIzI0ivX9gE8pK5MjKC73auAOqVcPwQmqu7j9V8Ei1lJyApTRSLyGh0LG.Q7VGO6wXN3_ _XjXdHztaHDcCg0WhWAnRoWvs_BPTVLM_Gev_Lbs8EIeOCopFnByJpKlRw5TptMpZZvdPbhguHyP 9A3_myRcBEuawkuyqUreHmYp8g0dR2NpkzYrib8fvUCN_WJ9nEfK5E3UvTF23z6zdpKdhsLGP8jh b_xPW8k7GLdlalb8hNTNOoLCihHhPGM6F6lGw_iWNOiT8FpaSl04_Xauu0ZphYOA1iQGvf6OysCd oMs.Id.GHqhsakCcqf5DZfKs45212ZMijlDlJewOdIpwgWNVm9_pgzEsuexHgA8VpgsKXzf_JxLX YFgEXOndXTzQ4CfKd3h3D5QRxmeuewVX.6jHH7h6dWDvWR2FdfLDFzLj6t4YUxoeazRkFSn6i4kS Wmd2g26vC4AwVEBFQpQ-- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 24 Nov 2021 02:10:06 +0000 Received: by kubenode512.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID fa97930e4df2168aeebf019ebc923940; Wed, 24 Nov 2021 02:10:03 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Subject: [PATCH v30 24/28] Audit: Add framework for auxiliary records Date: Tue, 23 Nov 2021 17:43:28 -0800 Message-Id: <20211124014332.36128-25-casey@schaufler-ca.com> In-Reply-To: <20211124014332.36128-1-casey@schaufler-ca.com> References: <20211124014332.36128-1-casey@schaufler-ca.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 X-loop: linux-audit@redhat.com Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, sds@tycho.nsa.gov X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Add a list for auxiliary record data to the audit_buffer structure. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time create auxiliary records (none are currently defined) as have been added to the list. Signed-off-by: Casey Schaufler --- kernel/audit.c | 85 ++++++++++++++++++++++++++++++++++++++++++------ kernel/audit.h | 1 + kernel/auditsc.c | 2 ++ 3 files changed, 78 insertions(+), 10 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 069cd4c81a61..2b22498d3532 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -191,15 +191,25 @@ static struct audit_ctl_mutex { * should be at least that large. */ #define AUDIT_BUFSIZ 1024 +/* The audit_context_entry contains data required to create an + * auxiliary record. + */ +struct audit_context_entry { + struct list_head list; + int type; /* Audit record type */ +}; + /* The audit_buffer is used when formatting an audit record. The caller * locks briefly to get the record off the freelist or to allocate the * buffer, and locks briefly to send the buffer to the netlink layer or * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ - struct audit_context *ctx; /* NULL or associated context */ - gfp_t gfp_mask; + struct sk_buff *skb; /* formatted skb ready to send */ + struct audit_context *ctx; /* NULL or associated context */ + struct list_head aux_records; /* aux record data */ + struct audit_stamp stamp; /* event stamp */ + gfp_t gfp_mask; }; struct audit_reply { @@ -1753,6 +1763,7 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx, ab->ctx = ctx; ab->gfp_mask = gfp_mask; + INIT_LIST_HEAD(&ab->aux_records); return ab; @@ -1813,7 +1824,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1866,14 +1876,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); return ab; } @@ -2363,7 +2373,7 @@ int audit_signal_info(int sig, struct task_struct *t) } /** - * audit_log_end - end one audit record + * __audit_log_end - end one audit record * @ab: the audit_buffer * * We can not do a netlink send inside an irq context because it blocks (last @@ -2371,7 +2381,7 @@ int audit_signal_info(int sig, struct task_struct *t) * queue and a kthread is scheduled to remove them from the queue outside the * irq context. May be called in any context. */ -void audit_log_end(struct audit_buffer *ab) +void __audit_log_end(struct audit_buffer *ab) { struct sk_buff *skb; struct nlmsghdr *nlh; @@ -2393,6 +2403,61 @@ void audit_log_end(struct audit_buffer *ab) wake_up_interruptible(&kauditd_wait); } else audit_log_lost("rate limit exceeded"); +} + +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * Let __audit_log_end() handle the message while the buffer housekeeping + * is done here. + * If there are other records that have been deferred for the event + * create them here. + */ +void audit_log_end(struct audit_buffer *ab) +{ + struct audit_context_entry *entry; + struct audit_context mcontext; + struct audit_context *mctx; + struct audit_buffer *mab; + struct list_head *l; + struct list_head *n; + + if (!ab) + return; + + __audit_log_end(ab); + + if (list_empty(&ab->aux_records)) { + audit_buffer_free(ab); + return; + } + + if (ab->ctx == NULL) { + mcontext.context = AUDIT_CTX_AUXRECORD; + mcontext.stamp = ab->stamp; + mctx = &mcontext; + } else + mctx = ab->ctx; + + list_for_each_safe(l, n, &ab->aux_records) { + entry = list_entry(l, struct audit_context_entry, list); + mab = audit_log_start(mctx, ab->gfp_mask, entry->type); + if (!mab) { + audit_panic("alloc error in audit_log_end"); + continue; + } + switch (entry->type) { + /* Don't know of any quite yet. */ + default: + audit_panic("Unknown type in audit_log_end"); + break; + } + __audit_log_end(mab); + audit_buffer_free(mab); + list_del(&entry->list); + kfree(entry); + } audit_buffer_free(ab); } diff --git a/kernel/audit.h b/kernel/audit.h index 56560846f3b0..f87da8e0a5a4 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -112,6 +112,7 @@ struct audit_context { AUDIT_CTX_UNUSED, /* audit_context is currently unused */ AUDIT_CTX_SYSCALL, /* in use by syscall */ AUDIT_CTX_URING, /* in use by io_uring */ + AUDIT_CTX_AUXRECORD, /* in use for auxiliary records */ } context; enum audit_state state, current_state; struct audit_stamp stamp; /* event identifier */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e6868d072648..c128f7e73e89 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1681,6 +1681,8 @@ static void audit_log_exit(void) case AUDIT_CTX_URING: audit_log_uring(context); break; + case AUDIT_CTX_AUXRECORD: + break; default: BUG(); break; -- 2.31.1 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit