From: Steve Grubb
To: "linux-audit@redhat.com", Casey Schaufler
Subject: Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
Date: Mon, 09 Aug 2021 10:02:05 -0400
Message-ID: <5738084.lOV4Wx5bFT@x2>
Organization: Red Hat
In-Reply-To: <407c1b04-f6ca-327d-0227-77f97c3f6f2c@schaufler-ca.com>
References: <407c1b04-f6ca-327d-0227-77f97c3f6f2c.ref@schaufler-ca.com> <407c1b04-f6ca-327d-0227-77f97c3f6f2c@schaufler-ca.com>
List-Id: Linux Audit Discussion

On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
> This patch supplies userspace support for the MAC_TASK_CONTEXTS
> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
> security module (LSM) stacking effort.
>
> I have posted as an RFC because, well, I'd like comments.

In general, this looks good. Typically, the return codes of functions in
the parser are unique for debugging (passing --debug to ausearch) per
record type. IOW, you can start at 1 instead of 62 since the output
identifies the record type and return code.

There is the general issue of what ausearch --format csv & --format text
outputs, though.

-Steve

> The additional context values are added to the existing lists.
> The existing search methods work on these lists, so that's about
> all it takes.
> > --- > lib/libaudit.h | 8 ++++ > lib/msg_typetab.h | 2 + > src/ausearch-parse.c | 101 > +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111 > insertions(+) > > diff --git a/lib/libaudit.h b/lib/libaudit.h > index ed75892..9bc3aa9 100644 > --- a/lib/libaudit.h > +++ b/lib/libaudit.h > @@ -311,6 +311,14 @@ extern "C" { > #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ > #endif > > +#ifndef AUDIT_MAC_TASK_CONTEXTS > +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */ > +#endif > + > +#ifndef AUDIT_MAC_OBJ_CONTEXTS > +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */ > +#endif > + > #ifndef AUDIT_ANOM_LINK > #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ > #endif > diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h > index dba2f7b..e6df28b 100644 > --- a/lib/msg_typetab.h > +++ b/lib/msg_typetab.h > @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" > ) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" > ) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD" > ) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL" > ) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" ) > +_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" ) > _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" ) > _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" ) > _S(AUDIT_ANOM_LINK, "ANOM_LINK" ) > diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c > index 9ee4a4f..286829e 100644 > --- a/src/ausearch-parse.c > +++ b/src/ausearch-parse.c > @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, > search_items *s); static int parse_tty(const lnode *n, search_items *s); > static int parse_pkt(const lnode *n, search_items *s); > static int parse_kernel(lnode *n, search_items *s); > +static int parse_task_contexts(lnode *n, search_items *s); > +static int parse_obj_contexts(lnode *n, search_items *s); > > > static int audit_avc_init(search_items *s) 
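Review bot: the comments on the two new defines in lib/libaudit.h misspell "Multiple" as "Multilple" (`/* Multilple task contexts */` and `/* Multilple object contexts */`); since this header is installed for other programs to include, fix the spelling before it lands, i.e. `/* Multiple task contexts */` and `/* Multiple object contexts */`. The guards and numbering (1420, 1421) follow the surrounding MAC_* entries, and the msg_typetab.h additions line up with them, so nothing else in these three hunks needs changing.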
> @@ -184,6 +186,12 @@ int extract_search_items(llist *l) > case AUDIT_TTY: > ret = parse_tty(n, s); > break; > + case AUDIT_MAC_TASK_CONTEXTS: > + ret = parse_task_contexts(n, s); > + break; > + case AUDIT_MAC_OBJ_CONTEXTS: > + ret = parse_obj_contexts(n, s); > + break; > default: > if (event_debug) > fprintf(stderr, 
> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s) > return 0; > } > > +static int parse_task_context(lnode *n, search_items *s, char *c, int l) > +{ > + char *str, *term; > + anode an; > + > + str = strstr(n->message, c); > + if (str == NULL) > + return 64; > + > + str += l; > + term = strchr(str, '"'); > + if (term == NULL) > + return 62; > + *term = 0; > + if (audit_avc_init(s) != 0) > + return 63; > + > + anode_init(&an); > + an.scontext = strdup(str); > + alist_append(s->avc, &an); > + *term = '"'; > + > + return 0; > +} > + > +// parse multiple security module contexts > +// subj_... > +static int parse_task_contexts(lnode *n, search_items *s) > +{ > + int rc, final = 64; > + > + if (!event_subject) > + return 0; > + > + rc = parse_task_context(n, s, "subj_selinux=\"", 14); > + if (rc == 62 || rc == 63) > + return rc; > + if (rc == 0) > + final = 0; > + > + rc = parse_task_context(n, s, "subj_smack=\"", 12); > + if (rc == 62 || rc == 63) > + return rc; > + if (rc == 0) > + final = 0; > + > + rc = parse_task_context(n, s, "subj_apparmor=\"", 15); > + if (rc == 62 || rc == 63) > + return rc; > + if (rc == 0) > + final = 0; > + > + return final; > +} > + > +static int parse_obj_context(lnode *n, search_items *s, char *c, int l) > +{ > + char *str, *term; > + anode an; > + > + str = strstr(n->message, c); > + if (str != NULL) { > + str += l; > + term = strchr(str, '"'); > + if (term) > + *term = 0; > + if (audit_avc_init(s) != 0) > + return 2; > + anode_init(&an); > + an.tcontext = strdup(str); > + alist_append(s->avc, &an); > + if (term) > + *term = '"'; > + } > + > + return 0; > +} > + > +// parse multiple object security module contexts > +// obj_... 
> +static int parse_obj_contexts(lnode *n, search_items *s) > +{ > + // obj context > + if (!event_object) > + return 0; > + > + if (parse_obj_context(n, s, "obj_selinux=\"", 12)) > + return 2; > + if (parse_obj_context(n, s, "obj_smack=\"", 10)) > + return 2; > + > + return 0; > +} -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
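Review bot: the hard-coded offsets passed from parse_obj_contexts() are off by one: `obj_selinux="` is 13 bytes and `obj_smack="` is 11, but the calls pass 12 and 10, so after `str += l` the pointer sits on the opening quote, strchr() finds that quote at once, and an.tcontext ends up as strdup("") for every object record. The subj_ values (14, 12, 15) happen to be right, but hand-counting is what produced the bug; drop the length parameter and use strlen(c) inside parse_task_context() and parse_obj_context() so the offset cannot drift from the literal. Two smaller points in the same hunk: parse_task_context() writes `*term = 0` before calling audit_avc_init() and then returns 63 without restoring the quote, so a failed init leaves n->message truncated (call audit_avc_init() before the NUL write, or restore `*term = '"'` on that path); and parse_obj_context() treats a missing closing quote differently from parse_task_context(), copying from the key to the end of the message instead of failing as the task variant does with 62, so the two helpers should agree on one behaviour. Since only string literals are passed, `char *c` can also be `const char *c`.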
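The following is an added example, not code from Casey's patch or from audit-userspace. It does the one job the patch's parse_task_context() and parse_obj_context() helpers do, pulling a quoted LSM context such as obj_selinux="..." out of an audit record line, but derives the skip length from the key with strlen() instead of a hand-counted integer, and refuses a value with no closing quote rather than copying to the end of the message. The two sample records are constructed for this example; only the field names (obj_selinux, obj_smack) follow the patch. Running it side by side with the patch's literal offsets 12 and 10 shows the empty string those offsets produce.

```c
/*
 * Added example (not code from the patch or from audit-userspace): extract a
 * quoted LSM context field from an audit record, with the skip derived from
 * the key itself. Sample records are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a well-formed MAC_OBJ_CONTEXTS record. */
static const char sample_record[] =
    "type=MAC_OBJ_CONTEXTS msg=audit(1628091157.182:1234): "
    "obj_selinux=\"system_u:object_r:etc_t:s0\" obj_smack=\"_\"";

/* Constructed sample: the same record cut off before the closing quote. */
static const char truncated_record[] =
    "type=MAC_OBJ_CONTEXTS msg=audit(1628091157.182:1235): "
    "obj_selinux=\"system_u:object_r:etc_t:s0";

/*
 * Copy the value that follows `key` in `record`, skipping `skip` bytes past
 * the start of the match. Returns a malloc'd string the caller frees, or NULL
 * when the key is absent, the skip overruns the record, or no closing quote
 * follows. `skip` is a parameter only so the example can reproduce the
 * patch's literal offsets; extract_context() below passes strlen(key).
 */
static char *extract_context_skip(const char *record, const char *key,
                                  size_t skip)
{
    const char *start = strstr(record, key);
    if (start == NULL)
        return NULL;
    if (strlen(start) < skip)
        return NULL;
    start += skip;
    const char *end = strchr(start, '"');
    if (end == NULL)            /* unterminated value: refuse, do not copy to EOL */
        return NULL;
    size_t len = (size_t)(end - start);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* The skip is the key's own length, so it cannot drift from the literal. */
static char *extract_context(const char *record, const char *key)
{
    return extract_context_skip(record, key, strlen(key));
}

/*
 * Extract with an explicit skip and compare against `expected`; a NULL
 * `expected` means extraction must fail. Frees the copy. Returns 1 on match.
 */
static int context_equals(const char *record, const char *key, size_t skip,
                          const char *expected)
{
    char *got = extract_context_skip(record, key, skip);
    int ok;
    if (got == NULL || expected == NULL)
        ok = (got == NULL && expected == NULL);
    else
        ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    const char *keys[] = { "obj_selinux=\"", "obj_smack=\"" };
    size_t patch_offsets[] = { 12, 10 };   /* literals from parse_obj_contexts() */

    for (size_t i = 0; i < 2; i++) {
        char *by_literal = extract_context_skip(sample_record, keys[i], patch_offsets[i]);
        char *by_strlen  = extract_context(sample_record, keys[i]);
        printf("%-14s strlen=%zu literal=%zu -> literal:\"%s\" strlen:\"%s\"\n",
               keys[i], strlen(keys[i]), patch_offsets[i],
               by_literal ? by_literal : "(null)",
               by_strlen ? by_strlen : "(null)");
        free(by_literal);
        free(by_strlen);
    }
    printf("truncated record -> %s\n",
           extract_context(truncated_record, "obj_selinux=\"") ? "value" : "rejected");
    return 0;
}
```

The only behavioural differences from the patch's helpers are the strlen()-derived skip and the rejection of an unterminated value; the record is never modified in place, so there is no temporary NUL to restore on an error path.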