[RFC 1/1] NetLabel: add audit support for configuration changes

[RFC 1/1] NetLabel: add audit support for configuration changes

[paul.moore]

[-- Attachment #1: netlabel-audit --]
[-- Type: text/plain, Size: 12060 bytes --]

This patch is a first attempt at adding auditing support to NetLabel, based on
a conversation with Steve Grubb on irc last Friday (9/22).  I wanted to send
this out to the audit mailing list first to get some feedback on such things
as message types and message formats.  Once I have collected your feedback I
plan on posting the next version of the patch to both the netdev and audit
mailing lists for inclusion in 2.6.19.

So please, if you have comments/concerns/etc. please share them now so this
does not get help up later - thank you.
---
 include/linux/audit.h              |    6 ++
 net/netlabel/netlabel_cipso_v4.c   |   37 +++++++++---
 net/netlabel/netlabel_domainhash.c |   36 +++++++++++-
 net/netlabel/netlabel_unlabeled.c  |   28 +++++++--
 net/netlabel/netlabel_user.c       |  110 +++++++++++++++++++++++++++++++++++++
 net/netlabel/netlabel_user.h       |    6 ++
 6 files changed, 208 insertions(+), 15 deletions(-)

Index: net-2.6/include/linux/audit.h
===================================================================
--- net-2.6.orig/include/linux/audit.h
+++ net-2.6/include/linux/audit.h
@@ -95,6 +95,12 @@
 #define AUDIT_MAC_POLICY_LOAD	1403	/* Policy file load */
 #define AUDIT_MAC_STATUS	1404	/* Changed enforcing,permissive,off */
 #define AUDIT_MAC_CONFIG_CHANGE	1405	/* Changes to booleans */
+#define AUDIT_MAC_UNLBL_ACCEPT	1406	/* NetLabel: allow unlabeled traffic */
+#define AUDIT_MAC_UNLBL_DENY	1407	/* NetLabel: deny unlabeled traffic */
+#define AUDIT_MAC_CIPSOV4_ADD	1408	/* NetLabel: add CIPSOv4 DOI entry */
+#define AUDIT_MAC_CIPSOV4_DEL	1409	/* NetLabel: del CIPSOv4 DOI entry */
+#define AUDIT_MAC_MAP_ADD	1410	/* NetLabel: add LSM domain mapping */
+#define AUDIT_MAC_MAP_DEL	1411	/* NetLabel: del LSM domain mapping */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
Index: net-2.6/net/netlabel/netlabel_cipso_v4.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_cipso_v4.c
+++ net-2.6/net/netlabel/netlabel_cipso_v4.c
@@ -32,6 +32,7 @@
 #include <linux/socket.h>
 #include <linux/string.h>
 #include <linux/skbuff.h>
+#include <linux/audit.h>
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
@@ -162,8 +163,7 @@ static int netlbl_cipsov4_add_std(struct
 	int nla_a_rem;
 	int nla_b_rem;
 
-	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
-	    !info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
+	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
 	    !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
 		return -EINVAL;
 
@@ -344,8 +344,7 @@ static int netlbl_cipsov4_add_pass(struc
 	int ret_val;
 	struct cipso_v4_doi *doi_def = NULL;
 
-	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
-	    !info->attrs[NLBL_CIPSOV4_A_TAGLST])
+	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
 		return -EINVAL;
 
 	doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
@@ -381,21 +380,34 @@ static int netlbl_cipsov4_add(struct sk_
 
 {
 	int ret_val = -EINVAL;
-	u32 map_type;
+	u32 type;
+	u32 doi;
+	const char *type_str = "(unknown)";
+	struct audit_buffer *audit_buf;
 
-	if (!info->attrs[NLBL_CIPSOV4_A_MTYPE])
+	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
+	    !info->attrs[NLBL_CIPSOV4_A_MTYPE])
 		return -EINVAL;
 
-	map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
-	switch (map_type) {
+	type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
+	switch (type) {
 	case CIPSO_V4_MAP_STD:
+		type_str = "std";
 		ret_val = netlbl_cipsov4_add_std(info);
 		break;
 	case CIPSO_V4_MAP_PASS:
+		type_str = "pass";
 		ret_val = netlbl_cipsov4_add_pass(info);
 		break;
 	}
 
+	if (ret_val == 0) {
+		doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
+		audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD);
+		audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
+		audit_log_end(audit_buf);
+	}
+
 	return ret_val;
 }
 
@@ -653,13 +665,20 @@ static int netlbl_cipsov4_listall(struct
 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
 {
 	int ret_val = -EINVAL;
-	u32 doi;
+	u32 doi = 0;
+	struct audit_buffer *audit_buf;
 
 	if (info->attrs[NLBL_CIPSOV4_A_DOI]) {
 		doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
 		ret_val = cipso_v4_doi_remove(doi, netlbl_cipsov4_doi_free);
 	}
 
+	if (ret_val == 0) {
+		audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL);
+		audit_log_format(audit_buf, " doi=%u", doi);
+		audit_log_end(audit_buf);
+	}
+
 	return ret_val;
 }
 
Index: net-2.6/net/netlabel/netlabel_domainhash.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_domainhash.c
+++ net-2.6/net/netlabel/netlabel_domainhash.c
@@ -35,12 +35,14 @@
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <linux/string.h>
+#include <linux/audit.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <asm/bug.h>
 
 #include "netlabel_mgmt.h"
 #include "netlabel_domainhash.h"
+#include "netlabel_user.h"
 
 struct netlbl_domhsh_tbl {
 	struct list_head *tbl;
@@ -197,6 +199,8 @@ int netlbl_domhsh_add(struct netlbl_dom_
 {
 	int ret_val;
 	u32 bkt;
+	struct audit_buffer *audit_buf;
+	char *audit_domain;
 
 	switch (entry->type) {
 	case NETLBL_NLTYPE_UNLABELED:
@@ -236,6 +240,25 @@ int netlbl_domhsh_add(struct netlbl_dom_
 		spin_unlock(&netlbl_domhsh_def_lock);
 	} else
 		ret_val = -EINVAL;
+	if (ret_val == 0) {
+		if (entry->domain != NULL)
+			audit_domain = entry->domain;
+		else
+			audit_domain = "(default)";
+		audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD);
+		audit_log_format(audit_buf, " domain=%s", audit_domain);
+		switch (entry->type) {
+		case NETLBL_NLTYPE_UNLABELED:
+			audit_log_format(audit_buf, " protocol=unlbl");
+			break;
+		case NETLBL_NLTYPE_CIPSOV4:
+			audit_log_format(audit_buf,
+					 " protocol=cipsov4 doi=%u",
+					 entry->type_def.cipsov4->doi);
+			break;
+		}
+		audit_log_end(audit_buf);
+	}
 	rcu_read_unlock();
 
 	if (ret_val != 0) {
@@ -280,6 +303,8 @@ int netlbl_domhsh_remove(const char *dom
 {
 	int ret_val = -ENOENT;
 	struct netlbl_dom_map *entry;
+	struct audit_buffer *audit_buf;
+	char *audit_domain;
 
 	rcu_read_lock();
 	if (domain != NULL)
@@ -316,8 +341,17 @@ int netlbl_domhsh_remove(const char *dom
 			ret_val = -ENOENT;
 		spin_unlock(&netlbl_domhsh_def_lock);
 	}
-	if (ret_val == 0)
+	if (ret_val == 0) {
+		if (entry->domain != NULL)
+			audit_domain = entry->domain;
+		else
+			audit_domain = "(default)";
+		audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL);
+		audit_log_format(audit_buf, " domain=%s", audit_domain);
+		audit_log_end(audit_buf);
+
 		call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
+	}
 
 remove_return:
 	rcu_read_unlock();
Index: net-2.6/net/netlabel/netlabel_unlabeled.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_unlabeled.c
+++ net-2.6/net/netlabel/netlabel_unlabeled.c
@@ -64,6 +64,25 @@ static struct nla_policy netlbl_unlabel_
 };
 
 /*
+ * Helper Functions
+ */
+
+/**
+ * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
+ * @value: desired value
+ *
+ * Description:
+ * Set the value of the unlabeled accept flag to @value.
+ *
+ */
+static void netlbl_unlabel_acceptflg_set(u8 value)
+{
+	atomic_set(&netlabel_unlabel_accept_flg, value);
+	netlbl_audit_nomsg((value ?
+			    AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY));
+}
+
+/*
  * NetLabel Command Handlers
  */
 
@@ -79,18 +98,17 @@ static struct nla_policy netlbl_unlabel_
  */
 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
 {
-	int ret_val = -EINVAL;
 	u8 value;
 
 	if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
 		value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
 		if (value == 1 || value == 0) {
-			atomic_set(&netlabel_unlabel_accept_flg, value);
-			ret_val = 0;
+			netlbl_unlabel_acceptflg_set(value);
+			return 0;
 		}
 	}
 
-	return ret_val;
+	return -EINVAL;
 }
 
 /**
@@ -238,7 +256,7 @@ int netlbl_unlabel_defconf(void)
 	if (ret_val != 0)
 		return ret_val;
 
-	atomic_set(&netlabel_unlabel_accept_flg, 1);
+	netlbl_unlabel_acceptflg_set(1);
 
 	return 0;
 }
Index: net-2.6/net/netlabel/netlabel_user.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_user.c
+++ net-2.6/net/netlabel/netlabel_user.c
@@ -32,6 +32,8 @@
 #include <linux/types.h>
 #include <linux/list.h>
 #include <linux/socket.h>
+#include <linux/audit.h>
+#include <linux/tty.h>
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
@@ -74,3 +76,111 @@ int netlbl_netlink_init(void)
 
 	return 0;
 }
+
+/*
+ * NetLabel Audit Functions
+ */
+
+/**
+ * netlbl_audit_start_common - Start an audit message
+ * @type: audit message type
+ *
+ * Description:
+ * Start an audit message using the type specified in @type and fill the audit
+ * message with some fields common to all NetLabel audit messages.  Returns
+ * a pointer to the audit buffer on success, NULL on failure.
+ *
+ */
+struct audit_buffer *netlbl_audit_start_common(int type)
+{
+	struct audit_context *audit_ctx = current->audit_context;
+	struct audit_buffer *audit_buf;
+	uid_t audit_loginuid;
+	const char *audit_tty;
+	char audit_comm[sizeof(current->comm)];
+	struct vm_area_struct *vma;
+
+	audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
+	if (audit_buf == NULL)
+		return NULL;
+
+	switch (type) {
+	case AUDIT_MAC_UNLBL_ACCEPT:
+		audit_log_format(audit_buf,
+				 "netlabel: module=unlbl action=accept");
+		break;
+	case AUDIT_MAC_UNLBL_DENY:
+		audit_log_format(audit_buf,
+				 "netlabel: module=unlbl action=deny");
+		break;
+	case AUDIT_MAC_CIPSOV4_ADD:
+		audit_log_format(audit_buf,
+				 "netlabel: module=cipsov4 action=add");
+		break;
+	case AUDIT_MAC_CIPSOV4_DEL:
+		audit_log_format(audit_buf,
+				 "netlabel: module=cipsov4 action=del");
+		break;
+	case AUDIT_MAC_MAP_ADD:
+		audit_log_format(audit_buf,
+				 "netlabel: module=map action=add");
+		break;
+	case AUDIT_MAC_MAP_DEL:
+		audit_log_format(audit_buf,
+				 "netlabel: module=map action=del");
+		break;
+	}
+
+	audit_loginuid = audit_get_loginuid(audit_ctx);
+	if (current->signal &&
+	    current->signal->tty &&
+	    current->signal->tty->name)
+		audit_tty = current->signal->tty->name;
+	else
+		audit_tty = "(none)";
+	get_task_comm(audit_comm, current);
+
+	audit_log_format(audit_buf,
+			 " auid=%u uid=%u euid=%u tty=%s pid=%d",
+			 audit_loginuid,
+			 current->uid,
+			 current->euid,
+			 audit_tty,
+			 current->pid);
+	audit_log_format(audit_buf, " comm=");
+	audit_log_untrustedstring(audit_buf, audit_comm);
+	if (current->mm) {
+		down_read(&current->mm->mmap_sem);
+		vma = current->mm->mmap;
+		while (vma) {
+			if ((vma->vm_flags & VM_EXECUTABLE) &&
+			    vma->vm_file) {
+				audit_log_d_path(audit_buf,
+						 " exe=",
+						 vma->vm_file->f_dentry,
+						 vma->vm_file->f_vfsmnt);
+				break;
+			}
+			vma = vma->vm_next;
+		}
+		up_read(&current->mm->mmap_sem);
+	}
+
+	return audit_buf;
+}
+
+/**
+ * netlbl_audit_nomsg - Send an audit message without additional text
+ * @type: audit message type
+ *
+ * Description:
+ * Send an audit message with only the common NetLabel audit fields.
+ *
+ */
+void netlbl_audit_nomsg(int type)
+{
+	struct audit_buffer *audit_buf;
+
+	audit_buf = netlbl_audit_start_common(type);
+	audit_log_end(audit_buf);
+}
Index: net-2.6/net/netlabel/netlabel_user.h
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_user.h
+++ net-2.6/net/netlabel/netlabel_user.h
@@ -34,6 +34,7 @@
 #include <linux/types.h>
 #include <linux/skbuff.h>
 #include <linux/capability.h>
+#include <linux/audit.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
 #include <net/netlabel.h>
@@ -75,4 +76,9 @@ static inline void *netlbl_netlink_hdr_p
 
 int netlbl_netlink_init(void);
 
+/* NetLabel Audit Functions */
+
+struct audit_buffer *netlbl_audit_start_common(int type);
+void netlbl_audit_nomsg(int type);
+
 #endif

--
paul moore
linux security @ hp

Re: [RFC 1/1] NetLabel: add audit support for configuration changes

[Linda Knippers]

paul.moore@hp.com wrote:
> This patch is a first attempt at adding auditing support to NetLabel, based on
> a conversation with Steve Grubb on irc last Friday (9/22).  I wanted to send
> this out to the audit mailing list first to get some feedback on such things
> as message types and message formats.  Once I have collected your feedback I
> plan on posting the next version of the patch to both the netdev and audit
> mailing lists for inclusion in 2.6.19.
> 
> So please, if you have comments/concerns/etc. please share them now so this
> does not get help up later - thank you.

It might be helpful if you also mailed out some examples of the audit records
generated by this code.

Thanks,

-- ljk

Re: [RFC 1/1] NetLabel: add audit support for configuration changes

[Paul Moore]

On Tuesday 26 September 2006 5:46 pm, Linda Knippers wrote:
> paul.moore@hp.com wrote:
> > This patch is a first attempt at adding auditing support to NetLabel,
> > based on a conversation with Steve Grubb on irc last Friday (9/22).  I
> > wanted to send this out to the audit mailing list first to get some
> > feedback on such things as message types and message formats.  Once I
> > have collected your feedback I plan on posting the next version of the
> > patch to both the netdev and audit mailing lists for inclusion in 2.6.19.
> >
> > So please, if you have comments/concerns/etc. please share them now so
> > this does not get help up later - thank you.
>
> It might be helpful if you also mailed out some examples of the audit
> records generated by this code.

Sheesh, isn't that what the code is for :)

Anyway, here are all of the audit messages along with some actions that will 
cause them to be triggered.  I tried to model the message format off a 
combination of SELinux AVC and syscall messages.  Bear in mind that the 
message type appears as unknown because the audit daemon does not yet know 
about the new message types.  Once again, comments are welcome.

 # netlabelctl unlbl accept on

type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl 
action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl"

 (there is also an audit message for "unlbl accept off" which changes
  "action=accept" to "action=deny")

 # netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0 categories:0=0

type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=1 type=std

 # netlabelctl cipsov4 add pass doi:1 tags:1

type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=2 type=pass

 # netlabelctl cipsov4 del doi:2

type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=2

 # netlabelctl map add domain:foo_t protocol:cipsov4,1

type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1

 # netlabelctl map add domain:bar_t protocol:unlbl

type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl

 # netlabelctl map del domain:bar_t

type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map 
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=bar_t

 (when operating on the default mapping the "domain=<domain string>" is
  replaced with "domain=(default)")

-- 
paul moore
linux security @ hp

Re: [RFC 1/1] NetLabel: add audit support for configuration changes

[Linda Knippers]

Thanks for sending the audit records.

>  # netlabelctl unlbl accept on
> 
> type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl 
> action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  
> exe="/usr/local/sbin/netlabelctl"
> 
>  (there is also an audit message for "unlbl accept off" which changes
>   "action=accept" to "action=deny")

One nit-picky comment is that once the user-space tools know about the
message type and insert "MAC_UNLBL_ACCEPT" as the type, the module=
and action= fields will be somewhat redundant.  I think the same is
true for the other types of audit records.  You could omit the switch
statement in netlbl_audit_start_common() and shorten the audit records
if we rely on the audit record type to provide that module/action information.

-- ljk

Re: [RFC 1/1] NetLabel: add audit support for configuration changes

[Paul Moore]

Linda Knippers wrote:
> Thanks for sending the audit records.
>
>> # netlabelctl unlbl accept on
>>
>>type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl 
>>action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  
>>exe="/usr/local/sbin/netlabelctl"
>>
>> (there is also an audit message for "unlbl accept off" which changes
>>  "action=accept" to "action=deny")
>  
> One nit-picky comment is that once the user-space tools know about the
> message type and insert "MAC_UNLBL_ACCEPT" as the type, the module=
> and action= fields will be somewhat redundant.  I think the same is
> true for the other types of audit records.  You could omit the switch
> statement in netlbl_audit_start_common() and shorten the audit records
> if we rely on the audit record type to provide that module/action information.

I've received similar comments from others as well, I plan on dropping
those two fields in the next release of the patch.  Speaking on which, I
should have the next release out later today, I'm just waiting on some
feedback to see if it meets all of the LSPP certification requirements.

-- 
paul moore
linux security @ hp