From: Casey Schaufler
Subject: Re: [PATCH 2.6.26 #repost] Smack: Integrate with Audit
Date: Sat, 19 Apr 2008 15:19:13 -0700 (PDT)
Message-ID: <858638.48039.qm@web36605.mail.mud.yahoo.com>
In-Reply-To: <20080417161032.GA24882@ubuntu>
Reply-To: casey@schaufler-ca.com
To: "Ahmed S. Darwish", James Morris, Casey Schaufler
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-audit@redhat.com, Al Viro
List-Id: linux-audit@redhat.com

--- "Ahmed S. Darwish" wrote:

> Hi James/all,
>
> On Thu, Apr 17, 2008 at 11:05:57AM +0000, James Morris wrote:
> >
> > Please review the following security patches for 2.6.26, which have
> > been undergoing testing in the "next" tree and affect multiple LSMs.
> >
>
> As a clarification, those new changes were added to the security tree
> to modularly integrate Smack with Audit. The final step is the patch
> reposted below, which sets up the new Audit hooks for Smack.
>
> The main concern against the patch below was the reuse of SELinux Audit
> fields. For such reuse, Stephen asked for an explicit ACK from the
> Audit devs. I've CCed Steve and Al as a kind request for the ACK.
>
> Patch is re-based and re-tested over James's security/for-linus
> branch.
>
> Thanks all.
>=20 > --> >=20 > Setup the new Audit hooks for Smack. SELinux Audit rule fields=20 > are recycled to avoid `auditd' userspace modifications. > Currently only equality testing is supported on labels acting=20 > as a subject (AUDIT_SUBJ_USER) or as an object (AUDIT_OBJ_USER). >=20 > Signed-off-by: Ahmed S. Darwish Acked-by: Casey Schaufler Had to test it before acking. It's running fine for me. > --- >=20 > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 904bdc0..70e4abc 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > =20 > #include "smack.h" > =20 > @@ -752,6 +753,18 @@ static int smack_inode_listsecurity(struct inode *= inode, > char *buffer, > return -EINVAL; > } > =20 > +/** > + * smack_inode_getsecid - Extract inode's security id > + * @inode: inode to extract the info from > + * @secid: where result will be saved > + */ > +static void smack_inode_getsecid(const struct inode *inode, u32 *secid= ) > +{ > + struct inode_smack *isp =3D inode->i_security; > + > + *secid =3D smack_to_secid(isp->smk_inode); > +} > + > /* > * File Hooks > */ > @@ -1805,6 +1818,18 @@ static int smack_ipc_permission(struct kern_ipc_= perm > *ipp, short flag) > return smk_curacc(isp, may); > } > =20 > +/** > + * smack_ipc_getsecid - Extract smack security id > + * @ipcp: the object permissions > + * @secid: where result will be saved > + */ > +static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) > +{ > + char *smack =3D ipp->security; > + > + *secid =3D smack_to_secid(smack); > +} > + > /* module stacking operations */ > =20 > /** 
> @@ -2382,6 +2407,124 @@ static int smack_key_permission(key_ref_t key_r= ef, > #endif /* CONFIG_KEYS */ > =20 > /* > + * Smack Audit hooks > + * > + * Audit requires a unique representation of each Smack specific > + * rule. This unique representation is used to distinguish the > + * object to be audited from remaining kernel objects and also > + * works as a glue between the audit hooks. > + * > + * Since repository entries are added but never deleted, we'll use > + * the smack_known label address related to the given audit rule as > + * the needed unique representation. This also better fits the smack > + * model where nearly everything is a label. > + */ > +#ifdef CONFIG_AUDIT > + > +/** > + * smack_audit_rule_init - Initialize a smack audit rule > + * @field: audit rule fields given from user-space (audit.h) > + * @op: required testing operator (=3D, !=3D, >, <, ...) > + * @rulestr: smack label to be audited > + * @vrule: pointer to save our own audit rule representation > + * > + * Prepare to audit cases where (@field @op @rulestr) is true. > + * The label to be audited is created if necessay. > + */ > +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, voi= d > **vrule) > +{ > + char **rule =3D (char **)vrule; > + *rule =3D NULL; > + > + if (field !=3D AUDIT_SUBJ_USER && field !=3D AUDIT_OBJ_USER) > + return -EINVAL; > + > + if (op !=3D AUDIT_EQUAL && op !=3D AUDIT_NOT_EQUAL) > + return -EINVAL; > + > + *rule =3D smk_import(rulestr, 0); > + > + return 0; > +} > + > +/** > + * smack_audit_rule_known - Distinguish Smack audit rules > + * @krule: rule of interest, in Audit kernel representation format > + * > + * This is used to filter Smack rules from remaining Audit ones. > + * If it's proved that this rule belongs to us, the > + * audit_rule_match hook will be called to do the final judgement. 
> + */ > +static int smack_audit_rule_known(struct audit_krule *krule) > +{ > + struct audit_field *f; > + int i; > + > + for (i =3D 0; i < krule->field_count; i++) { > + f =3D &krule->fields[i]; > + > + if (f->type =3D=3D AUDIT_SUBJ_USER || f->type =3D=3D AUDIT_OBJ_USER) > + return 1; > + } > + > + return 0; > +} > + > +/** > + * smack_audit_rule_match - Audit given object ? > + * @secid: security id for identifying the object to test > + * @field: audit rule flags given from user-space > + * @op: required testing operator > + * @vrule: smack internal rule presentation > + * @actx: audit context associated with the check > + * > + * The core Audit hook. It's used to take the decision of > + * whether to audit or not to audit a given object. > + */ > +static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *= vrule, > + struct audit_context *actx) > +{ > + char *smack; > + char *rule =3D vrule; > + > + if (!rule) { > + audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, > + "Smack: missing rule\n"); > + return -ENOENT; > + } > + > + if (field !=3D AUDIT_SUBJ_USER && field !=3D AUDIT_OBJ_USER) > + return 0; > + > + smack =3D smack_from_secid(secid); > + > + /* > + * No need to do string comparisons. If a match occurs, > + * both pointers will point to the same smack_known > + * label. > + */ > + if (op =3D=3D AUDIT_EQUAL) > + return (rule =3D=3D smack); > + if (op =3D=3D AUDIT_NOT_EQUAL) > + return (rule !=3D smack); > + > + return 0; > +} > + > +/** > + * smack_audit_rule_free - free smack rule representation > + * @vrule: rule to be freed. > + * > + * No memory was allocated. > + */ > +static void smack_audit_rule_free(void *vrule) > +{ > + /* No-op */ > +} > + > +#endif /* CONFIG_AUDIT */ > + > +/* > * smack_secid_to_secctx - return the smack label for a secid > * @secid: incoming integer > * @secdata: destination 
> @@ -2467,6 +2610,7 @@ struct security_operations smack_ops =3D { > .inode_getsecurity =3D smack_inode_getsecurity, > .inode_setsecurity =3D smack_inode_setsecurity, > .inode_listsecurity =3D smack_inode_listsecurity, > + .inode_getsecid =3D smack_inode_getsecid, > =20 > .file_permission =3D smack_file_permission, > .file_alloc_security =3D smack_file_alloc_security, > @@ -2497,6 +2641,7 @@ struct security_operations smack_ops =3D { > .task_to_inode =3D smack_task_to_inode, > =20 > .ipc_permission =3D smack_ipc_permission, > + .ipc_getsecid =3D smack_ipc_getsecid, > =20 > .msg_msg_alloc_security =3D smack_msg_msg_alloc_security, > .msg_msg_free_security =3D smack_msg_msg_free_security, > @@ -2541,12 +2686,22 @@ struct security_operations smack_ops =3D { > .sk_free_security =3D smack_sk_free_security, > .sock_graft =3D smack_sock_graft, > .inet_conn_request =3D smack_inet_conn_request, > + > /* key management security hooks */ > #ifdef CONFIG_KEYS > .key_alloc =3D smack_key_alloc, > .key_free =3D smack_key_free, > .key_permission =3D smack_key_permission, > #endif /* CONFIG_KEYS */ > + > + /* Audit hooks */ > +#ifdef CONFIG_AUDIT > + .audit_rule_init =3D smack_audit_rule_init, > + .audit_rule_known =3D smack_audit_rule_known, > + .audit_rule_match =3D smack_audit_rule_match, > + .audit_rule_free =3D smack_audit_rule_free, > +#endif /* CONFIG_AUDIT */ > + > .secid_to_secctx =3D smack_secid_to_secctx, > .secctx_to_secid =3D smack_secctx_to_secid, > .release_secctx =3D smack_release_secctx, >=20 > --=20 >=20 > "Better to light a candle, than curse the darkness" >=20 > Ahmed S. Darwish > Homepage: http://darwish.07.googlepages.com > Blog: http://darwish-07.blogspot.com >=20 >=20 >=20 Casey Schaufler casey@schaufler-ca.com
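Review bot: In the smack_ipc_getsecid() hunk (@@ -1805), the kernel-doc header documents `@ipcp` but the parameter in the signature is `ipp`, so kernel-doc will flag an undescribed parameter; change the comment line to `@ipp: the object permissions` (or rename the parameter) so the two agree.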
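Review bot: In the audit-hooks hunk (@@ -2382), smack_audit_rule_init() stores the result of `*rule = smk_import(rulestr, 0);` and returns 0 without checking it; smk_import() returns NULL when it cannot import the label, so a rule string Smack rejects is still installed as an audit rule and the failure only surfaces later, when smack_audit_rule_match() hits its `if (!rule)` branch and logs "Smack: missing rule" with -ENOENT on every match attempt. Reject it at rule-load time instead, e.g. `if (*rule == NULL) return -ENOMEM;` (or -EINVAL, matching the other early returns). Two smaller points in the same hunk: the match path logs under AUDIT_SELINUX_ERR, which is another recycled SELinux identifier the changelog's "SELinux Audit rule fields are recycled" sentence should name explicitly, since it changes what userspace sees in the audit stream; and "necessay" in the smack_audit_rule_init() comment should read "necessary".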
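Review bot: In the last smack_ops hunk (@@ -2541), the `+` blank line inserted before the `/* key management security hooks */` comment is an unrelated whitespace change in a block the patch does not otherwise touch; drop it so the hunk only contains the new `/* Audit hooks */` section.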