Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus
From: Paul Moore @ 2015-10-19 22:29 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Paul Osmialowski, linux-security-module, linux-audit, selinux
In-Reply-To: <5617D58C.2070402@tycho.nsa.gov>

On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
> On 10/07/2015 07:08 PM, Paul Moore wrote:
> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
> > index ef63d65..1cb87b3 100644
> > --- a/ipc/kdbus/connection.c
> > +++ b/ipc/kdbus/connection.c
> > @@ -108,6 +109,14 @@ static struct kdbus_conn *kdbus_conn_new(struct
> > kdbus_ep *ep,> 
> >   	if (!owner && (creds || pids || seclabel))
> >   	
> >   		return ERR_PTR(-EPERM);
> > 
> > +	ret = security_kdbus_conn_new(get_cred(file->f_cred),
> 
> You only need to use get_cred() if saving a reference; otherwise, you'll
> leak one here.

Yes, that was a typo on my part, thanks.

> Also, do we want file->f_cred here or ep->bus->node.creds (the latter is
> what is used by their own checks; the former is typically the same as
> current cred IIUC).  For that matter, what about ep->node.creds vs ep->bus-
> node.creds vs. ep->bus->domain->node.creds?  Can they differ?  Do we care?

We don't want file->f_cred, per our previous discussions.  I was working on 
this patchset in small chunks and while I added credential storing in the 
nodes, I forgot to update the hooks before I hit send, my apologies.

My current thinking is to pass both the endpoint and bus credentials, as I 
believe they can differ.  Both the bus and the endpoint inherit their security 
labels from their creator and while I don't have any specifics, I think it is 
reasonable to imagine those two processes having different security labels.  
Assuming we pass both credentials down to the LSM, I'm currently thinking of 
the following SELinux access controls for this hook:

  allow <current> bus_t:kdbus { connect };
  allow <current> ep_t:kdbus { use privileged activator monitor policy };

... besides the additional label, I added the kdbus:use permission and dropped 
the kdbus:owner permission.  Considering that the endpoint label, ep_t, in the 
examples above, could be different from the current process, it seemed 
reasonable to want to control that interaction and I felt the fd:use 
permission was the closest existing control so I reused the permission name.  
I decided to drop the "owner" permission as it really wasn't the useful for 
anything anymore, it simply indicates that the current task is the DAC owner 
of the endpoint.

> > @@ -1435,12 +1444,12 @@ bool kdbus_conn_policy_own_name(struct kdbus_conn
> > *conn,> 
> >   			return false;
> >   	
> >   	}
> > 
> > -	if (conn->owner)
> > -		return true;
> > +	if (!conn->owner &&
> > +	    kdbus_policy_query(&conn->ep->bus->policy_db, conn_creds, name,
> > +			       hash) < KDBUS_POLICY_OWN)
> > +		return false;
> > 
> > -	res = kdbus_policy_query(&conn->ep->bus->policy_db, conn_creds,
> > -				 name, hash);
> > -	return res >= KDBUS_POLICY_OWN;
> > +	return (security_kdbus_own_name(conn_creds, name) == 0);
> 
> Similar question here.  conn_creds is the credentials of the creator of
> the connection, typically the client/sender, right?
> conn->ep->bus->node.creds are the credentials of the bus owner, so don't
> we want to ask "Can I own this name on this bus?".

Yes, I think so.

>From a SELinux point of view I imagine we would want access controls along the 
lines of the following:

  allow current name_t:kdbus { own_name };
  allow current bus_t:kdbus { own_name };

... do we want to use different permissions?  I doubt it would matter much 
either way.

> Note that their policy checks are based on conn->ep->policy_db, i.e. the
> policy associated with the endpoint, and conn->owner is only true if the
> connection creator has the same uid as the bus.

I don't think this is significant for us.

> > @@ -1465,14 +1474,13 @@ bool kdbus_conn_policy_talk(struct kdbus_conn
> > *conn,> 
> >   					 to, KDBUS_POLICY_TALK))
> >   		
> >   		return false;
> > 
> > -	if (conn->owner)
> > -		return true;
> > -	if (uid_eq(conn_creds->euid, to->cred->uid))
> > -		return true;
> > +	if (!conn->owner && !uid_eq(conn_creds->euid, to->cred->uid) &&
> > +	    !kdbus_conn_policy_query_all(conn, conn_creds,
> > +					 &conn->ep->bus->policy_db, to,
> > +					 KDBUS_POLICY_TALK))
> > +		return false;
> > 
> > -	return kdbus_conn_policy_query_all(conn, conn_creds,
> > -					   &conn->ep->bus->policy_db, to,
> > -					   KDBUS_POLICY_TALK);
> > +	return (security_kdbus_conn_talk(conn_creds, to->cred) == 0);
> 
> Here at least we have a notion of client and peer.  But we still aren't
> considering conn->ep or conn->ep->bus, whereas they are querying both
> policy dbs for their decision.  The parallel would be checking access to
> the labels of both I suppose, unless we institute a control up front
> over the relationship between the label of the endpoint and the label of
> the bus.

While accidental, as I forgot to update this patch as mentioned previously, I 
think the differences between kdbus DAC and kdbus MAC is okay.  At this point 
we've already authorized the individual nodes to connect to the bus and now we 
are authorizing them to talk to each other; at this control point, it is the 
interaction between the two nodes that we care about, I don't think we care 
about what bus they use, do we?

> > @@ -1491,19 +1499,19 @@ bool kdbus_conn_policy_see_name_unlocked(struct
> > kdbus_conn *conn,> 
> >   					 const struct cred *conn_creds,
> >   					 const char *name)
> >   
> >   {
> > 
> > -	int res;
> > +	if (!conn_creds)
> > +		conn_creds = conn->cred;
> > 
> >   	/*
> >   	
> >   	 * By default, all names are visible on a bus. SEE policies can only be
> >   	 * installed on custom endpoints, where by default no name is visible.
> >   	 */
> > 
> > -	if (!conn->ep->user)
> > -		return true;
> > +	if (conn->ep->user &&
> > +	    kdbus_policy_query_unlocked(&conn->ep->policy_db, conn_creds, name,
> > +					kdbus_strhash(name)) < KDBUS_POLICY_SEE)
> > +		return false;
> > 
> > -	res = kdbus_policy_query_unlocked(&conn->ep->policy_db,
> > -					  conn_creds ? : conn->cred,
> > -					  name, kdbus_strhash(name));
> > -	return res >= KDBUS_POLICY_SEE;
> > +	return (security_kdbus_conn_see_name(conn_creds, name) == 0);
> 
> Here they only define policy based on endpoints, not bus.  Not sure what
> we want, but we need at least one of their creds.  Same for the rest.

Once again, I'm not sure we care about the underlying bus at this point, do 
we?  We've already authorized both the service and the client to connect to 
the bus, now I think all we care about is can the client see the service name.  
Do we really care about the label of the bus here?

> > @@ -1530,10 +1541,13 @@ static bool kdbus_conn_policy_see(struct
> > kdbus_conn *conn,> 
> >   	 * peers from each other, unless you see at least _one_ name of the
> >   	 * peer.
> >   	 */
> > 
> > -	return !conn->ep->user ||
> > -	       kdbus_conn_policy_query_all(conn, conn_creds,
> > -					   &conn->ep->policy_db, whom,
> > -					   KDBUS_POLICY_SEE);
> > +	if (conn->ep->user &&
> > +	    !kdbus_conn_policy_query_all(conn, conn_creds,
> > +					 &conn->ep->policy_db, whom,
> > +					 KDBUS_POLICY_SEE))
> > +		return false;
> > +
> > +	return (security_kdbus_conn_see(conn_creds, whom->cred) == 0);
> > 
> >   }

Very similar to the kdbus_conn_talk hook above, the credentials above still 
look reasonable to me.

> > @@ -1567,18 +1584,22 @@ bool kdbus_conn_policy_see_notification(struct
> > kdbus_conn *conn,> 
> >   	case KDBUS_ITEM_NAME_ADD:
> >   	case KDBUS_ITEM_NAME_REMOVE:
> > 
> >   	case KDBUS_ITEM_NAME_CHANGE:
> > -		return kdbus_conn_policy_see_name(conn, conn_creds,
> > -					msg->items[0].name_change.name);
> > +		if (!kdbus_conn_policy_see_name(conn, conn_creds,
> > +						msg->items[0].name_change.name))
> > +			return false;
> > 
> >   	case KDBUS_ITEM_ID_ADD:
> > 
> >   	case KDBUS_ITEM_ID_REMOVE:
> > -		return true;
> > +		/* fall through for the LSM check */
> > +		break;
> > 
> >   	default:
> >   		WARN(1, "Invalid type for notification broadcast: %llu\n",
> >   		
> >   		     (unsigned long long)msg->items[0].type);
> >   		
> >   		return false;
> >   	
> >   	}
> > 
> > +
> > +	return (security_kdbus_conn_see_notification(conn_creds) == 0);
> > 
> >   }

This also seems okay.

> > diff --git a/ipc/kdbus/fs.c b/ipc/kdbus/fs.c
> > index 68818a8..4e84e89 100644
> > --- a/ipc/kdbus/fs.c
> > +++ b/ipc/kdbus/fs.c
> > @@ -200,6 +202,10 @@ static struct inode *fs_inode_get(struct super_block
> > *sb,> 
> >   	if (!(inode->i_state & I_NEW))
> >   	
> >   		return inode;
> > 
> > +	ret = security_kdbus_init_inode(inode, node->creds);
> > +	if (ret)
> > +		return ERR_PTR(ret);
> 
> Need to put the inode.

Thanks.  It looks like I need to make a call to iget_failed() before 
returning.

-- 
paul moore
security @ redhat

^ permalink raw reply

* how costly is flush = sync vs incremental?
From: Bond Masuda @ 2015-10-19 18:57 UTC (permalink / raw)
  To: linux-audit

i'm trying to figure out how costly it is to set flush=sync vs
incremental in auditd.conf. In theory, it would seem like it is more
expensive, but by how much? At what level of paranoia about not losing
audit logs does it make sense to use flush=sync or is it not much more
costly and one might as well use that setting?

Thoughts?

^ permalink raw reply

* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Richard Guy Briggs @ 2015-10-19 16:10 UTC (permalink / raw)
  To: Scott Matheina; +Cc: Paul Moore, linux-audit, trivial, linux-kernel
In-Reply-To: <5623DBF5.8020500@matheina.com>

On 15/10/18, Scott Matheina wrote:
> On 10/14/2015 04:54 PM, Paul Moore wrote:
> > On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
> >> Signed-off-by: Scott Matheina <scott@matheina.com>
> >> ---
> >>  kernel/auditfilter.c | 17 ++++++++++-------
> >>  1 file changed, 10 insertions(+), 7 deletions(-)
> > Sorry for the delay in reviewing this, comments inline ...
> >
> >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> >> index 7714d93..774f9ad 100644
> >> --- a/kernel/auditfilter.c
> >> +++ b/kernel/auditfilter.c
> >> @@ -39,13 +39,13 @@
> >>   * Locking model:
> >>   *
> >>   * audit_filter_mutex:
> >> - * 		Synchronizes writes and blocking reads of audit's filterlist
> >> - * 		data.  Rcu is used to traverse the filterlist and access
> >> - * 		contents of structs audit_entry, audit_watch and opaque
> >> - * 		LSM rules during filtering.  If modified, these structures
> >> - * 		must be copied and replace their counterparts in the filterlist.
> >> - * 		An audit_parent struct is not accessed during filtering, so may
> >> - * 		be written directly provided audit_filter_mutex is held.
> >> + *		Synchronizes writes and blocking reads of audit's filterlist
> >> + *		data.  Rcu is used to traverse the filterlist and access
> >> + *		contents of structs audit_entry, audit_watch and opaque
> >> + *		LSM rules during filtering.  If modified, these structures
> >> + *		must be copied and replace their counterparts in the filterlist.
> >> + *		An audit_parent struct is not accessed during filtering, so may
> >> + *		be written directly provided audit_filter_mutex is held.
> >>   */
> > Okay, that's fine.
> >
> >>  /* Audit filter lists, defined in <linux/audit.h> */
> >> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
> >>  {
> >>  	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
> >>  	audit_free_rule(e);
> >> +
> >>  }
> > Why?
> 
> I was following the error messages in checkpatch.pl, but the warning
> went away after adding this line. No problem with the code. 

That sounds like a bug in checkpatch.pl, since that blank line should be
tween the declaration and the function call.

> >>  /* Initialize an audit filterlist entry. */
> >> @@ -176,9 +177,11 @@ static __u32 *classes[AUDIT_SYSCALL_CLASSES];
> >>  int __init audit_register_class(int class, unsigned *list)
> >>  {
> >>  	__u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
> >> +
> >>  	if (!p)
> >>  		return -ENOMEM;
> > Okay.
> >
> >>  	while (*list != ~0U) {
> >> +
> >>  		unsigned n = *list++;
> >>  		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
> >>  			kfree(p);
> > Why?
> 
> This is the same as above. Just going through the checkpatch.pl
> script, and looking for warnings to fix. 

Again, another manifestation of that bug?  That blank line should be
after the declaration and before the if statement.

> As you might have guessed, this is one of my first patches. I wasn't
> sure if a patch like this would even get reviewed, and responded to.
> I'm subscribed to the linux-kernel mail group, and seeing what is
> acceptable. 
> 
> Thanks for the review. I don't plan on making a habit of submitting
> such incredibly trivial patches, but you have to start somewhere, and
> I thought it'd be hard to screw up by fixing a couple of trivial style
> errors.  

Well, I agree, you have to start somewhere...  Too bad you hit a bug in
checkpatch.pl!

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Scott Matheina @ 2015-10-18 17:50 UTC (permalink / raw)
  To: Paul Moore; +Cc: eparis, linux-audit, linux-kernel, trivial
In-Reply-To: <10476084.rIoW7K08e6@sifl>



On 10/14/2015 04:54 PM, Paul Moore wrote:
> On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
>> Signed-off-by: Scott Matheina <scott@matheina.com>
>> ---
>>  kernel/auditfilter.c | 17 ++++++++++-------
>>  1 file changed, 10 insertions(+), 7 deletions(-)
> Sorry for the delay in reviewing this, comments inline ...
>
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index 7714d93..774f9ad 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -39,13 +39,13 @@
>>   * Locking model:
>>   *
>>   * audit_filter_mutex:
>> - * 		Synchronizes writes and blocking reads of audit's filterlist
>> - * 		data.  Rcu is used to traverse the filterlist and access
>> - * 		contents of structs audit_entry, audit_watch and opaque
>> - * 		LSM rules during filtering.  If modified, these structures
>> - * 		must be copied and replace their counterparts in the filterlist.
>> - * 		An audit_parent struct is not accessed during filtering, so may
>> - * 		be written directly provided audit_filter_mutex is held.
>> + *		Synchronizes writes and blocking reads of audit's filterlist
>> + *		data.  Rcu is used to traverse the filterlist and access
>> + *		contents of structs audit_entry, audit_watch and opaque
>> + *		LSM rules during filtering.  If modified, these structures
>> + *		must be copied and replace their counterparts in the filterlist.
>> + *		An audit_parent struct is not accessed during filtering, so may
>> + *		be written directly provided audit_filter_mutex is held.
>>   */
> Okay, that's fine.
>
>>  /* Audit filter lists, defined in <linux/audit.h> */
>> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
>>  {
>>  	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
>>  	audit_free_rule(e);
>> +
>>  }
> Why?

I was following the error messages in checkpatch.pl, but the warning went away after adding this line. No problem
with the code. 

>>  /* Initialize an audit filterlist entry. */
>> @@ -176,9 +177,11 @@ static __u32 *classes[AUDIT_SYSCALL_CLASSES];
>>  int __init audit_register_class(int class, unsigned *list)
>>  {
>>  	__u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
>> +
>>  	if (!p)
>>  		return -ENOMEM;
> Okay.
>
>>  	while (*list != ~0U) {
>> +
>>  		unsigned n = *list++;
>>  		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
>>  			kfree(p);
> Why?

This is the same as above. Just going through the checkpatch.pl script, and looking for warnings to fix. 

As you might have guessed, this is one of my first patches. I wasn't sure if a patch like this would even get
reviewed, and responded to. I'm subscribed to the linux-kernel mail group, and seeing what is acceptable. 

Thanks for the review. I don't plan on making a habit of submitting such incredibly trivial patches, but you 
have to start somewhere, and I thought it'd be hard to screw up by fixing a couple of trivial style errors.  

^ permalink raw reply

* [PATHC] Use more rpm macros in audit.spec
From: Łukasz Stelmach @ 2015-10-16 14:12 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1.1: Type: text/plain, Size: 365 bytes --]

Hi,

We are preparing spec for audit in Tizen. Please find attached a small
patch that changes a few hardcoded paths to rpm macros. I havn't changed
"/sbin" to %{_sbindir} nor "/%{_lib}", however, I'd like to ask do you
still want to keep files in "/sbin" and "/lib"?

Kind regards,
-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics

[-- Attachment #1.1.2: user-more-rpm-macros-in-audit-spec.patch --]
[-- Type: text/x-diff, Size: 4135 bytes --]

Index: audit.spec
===================================================================
--- audit.spec	(wersja 1128)
+++ audit.spec	(kopia robocza)
@@ -152,8 +152,8 @@
 mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
 
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
-touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
-touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
+touch -r ./audit.spec $RPM_BUILD_ROOT%{_sysconfdir}/libaudit.conf
+touch -r ./audit.spec $RPM_BUILD_ROOT%{_mandir}/man5/libaudit.conf.5.gz
 
 %check
 make check
@@ -165,8 +165,8 @@
 
 %post
 # Copy default rules into place on new installation
-if [ ! -e /etc/audit/audit.rules ] ; then
-	cp /etc/audit/rules.d/audit.rules /etc/audit/audit.rules
+if [ ! -e %{_sysconfdir}/audit/audit.rules ] ; then
+	cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
 fi
 %if %{WITH_SYSTEMD}
 %systemd_post auditd.service
@@ -195,7 +195,7 @@
 %defattr(-,root,root,-)
 /%{_lib}/libaudit.so.1*
 /%{_lib}/libauparse.*
-%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/libaudit.conf
 %{_mandir}/man5/libaudit.conf.5.gz
 
 %files libs-devel
@@ -265,30 +265,30 @@
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
 %else
-%attr(755,root,root) /etc/rc.d/init.d/auditd
-%config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
+%attr(755,root,root) %{_sysconfdir}/rc.d/init.d/auditd
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/sysconfig/auditd
 %endif
 %attr(750,root,root) %dir %{_var}/log/audit
-%attr(750,root,root) %dir /etc/audit
-%attr(750,root,root) %dir /etc/audit/rules.d
-%attr(750,root,root) %dir /etc/audisp
-%attr(750,root,root) %dir /etc/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
-%config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
-%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
-%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
-%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
-%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
+%attr(750,root,root) %dir %{_sysconfdir}/audit
+%attr(750,root,root) %dir %{_sysconfdir}/audit/rules.d
+%attr(750,root,root) %dir %{_sysconfdir}/audisp
+%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
+%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audispd.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/syslog.conf
 
 %files -n audispd-plugins
 %defattr(-,root,root,-)
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
 %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
-%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
-%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/zos-remote.conf
 %attr(750,root,root) /sbin/audispd-zos-remote
-%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf
-%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-remote.conf
 %attr(750,root,root) /sbin/audisp-remote
 %attr(700,root,root) %dir %{_var}/spool/audit
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 472 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply

* Re: [PATCH 2/2] Fixed Trivial Warnings in file:  Deleted Spaces prior to tabs, and added lines. modified:   kernel/auditfilter.c
From: Paul Moore @ 2015-10-14 21:54 UTC (permalink / raw)
  To: Scott Matheina; +Cc: eparis, linux-audit, linux-kernel, trivial
In-Reply-To: <1444528675-13184-1-git-send-email-scott@matheina.com>

On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
> Signed-off-by: Scott Matheina <scott@matheina.com>
> ---
>  kernel/auditfilter.c | 17 ++++++++++-------
>  1 file changed, 10 insertions(+), 7 deletions(-)

Sorry for the delay in reviewing this, comments inline ...

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 7714d93..774f9ad 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -39,13 +39,13 @@
>   * Locking model:
>   *
>   * audit_filter_mutex:
> - * 		Synchronizes writes and blocking reads of audit's filterlist
> - * 		data.  Rcu is used to traverse the filterlist and access
> - * 		contents of structs audit_entry, audit_watch and opaque
> - * 		LSM rules during filtering.  If modified, these structures
> - * 		must be copied and replace their counterparts in the filterlist.
> - * 		An audit_parent struct is not accessed during filtering, so may
> - * 		be written directly provided audit_filter_mutex is held.
> + *		Synchronizes writes and blocking reads of audit's filterlist
> + *		data.  Rcu is used to traverse the filterlist and access
> + *		contents of structs audit_entry, audit_watch and opaque
> + *		LSM rules during filtering.  If modified, these structures
> + *		must be copied and replace their counterparts in the filterlist.
> + *		An audit_parent struct is not accessed during filtering, so may
> + *		be written directly provided audit_filter_mutex is held.
>   */

Okay, that's fine.

>  /* Audit filter lists, defined in <linux/audit.h> */
> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
>  {
>  	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
>  	audit_free_rule(e);
> +
>  }

Why?

>  /* Initialize an audit filterlist entry. */
> @@ -176,9 +177,11 @@ static __u32 *classes[AUDIT_SYSCALL_CLASSES];
>  int __init audit_register_class(int class, unsigned *list)
>  {
>  	__u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
> +
>  	if (!p)
>  		return -ENOMEM;

Okay.

>  	while (*list != ~0U) {
> +
>  		unsigned n = *list++;
>  		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
>  			kfree(p);

Why?

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: where can I find documentation on audit log formats?
From: Steve Grubb @ 2015-10-14  0:49 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <561D8B3C.4050404@jlbond.com>

On Tuesday, October 13, 2015 03:52:44 PM Bond Masuda wrote:
> I'm writing a tool to put audit logs into a database. I can guess at the
> format based on samples of logs I'm seeing, but I would feel better if I
> could find documentation that shows all the different types of audit log
> messages and what is in those messages.

Unfortunately, there is no reference that captures everything. I do have an 
ausearch test suite that can aid in collating events so that you have one of 
everything:

http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz

In it, run ./gather-logs as root. You might also find the aucoverage program 
helpful in determining what's missing.

-Steve

^ permalink raw reply

* where can I find documentation on audit log formats?
From: Bond Masuda @ 2015-10-13 22:52 UTC (permalink / raw)
  To: linux-audit

I'm writing a tool to put audit logs into a database. I can guess at the
format based on samples of logs I'm seeing, but I would feel better if I
could find documentation that shows all the different types of audit log
messages and what is in those messages.

Thanks
Bond

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Steve Grubb @ 2015-10-13 20:03 UTC (permalink / raw)
  To: linux-audit; +Cc: linux-security-module
In-Reply-To: <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>

> No, it's the default audit.rules (-D, -b320).   No actual rules loaded.
> Let me add some instrumentation and figure out what's going on.  auditd
> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
> during startup (at least on our systems).

Tony,

We have bz 1227379
https://bugzilla.redhat.com/show_bug.cgi?id=1227379

There is a patch attached to disable systemd's propensity to turn on the audit 
system. Are people complaining and opening bugs in your distribution? If so, 
that might add more ammunition to get that fixed.


On Tuesday, October 13, 2015 03:19:20 PM Paul Moore wrote:
> > I'm of the opinion that nothing should get output (through the audit
> > system) if audit_enabled == 0.  What you advocate calls for more than 2
> > possible states for audit_enabled or logging the information through
> > another mechanism than audit.
> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy);

The rules for CC are that any access decision must be auditable and selective. 
That means that we need to be able to choose if we want to audit success, 
and/or failure, and/or nothing.

The inability to turn off SE Linux AVCs in the audit logs is why the exclude 
filter was created. Seccomp could be the same way.

-Steve

> if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals.  To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Tony Jones @ 2015-10-13 19:46 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-security-module, linux-audit
In-Reply-To: <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>

On 10/13/2015 12:19 PM, Paul Moore wrote:

>> No, it's the default audit.rules (-D, -b320).   No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on.  auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
> 
> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far.  I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.

I'll debug what's going on (easy) on the test system and report back.  I'm curious
too.  Have a bad cold today so I'm moving slower than normal.

> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy); if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals.  To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).

Yes, if audit is enabled, you should totally be able to use it. Rest sounds good also.

thanks!

Tony

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Paul Moore @ 2015-10-13 19:19 UTC (permalink / raw)
  To: Tony Jones; +Cc: linux-security-module, linux-audit
In-Reply-To: <561D3D03.30300@suse.de>

On Tue, Oct 13, 2015 at 1:18 PM, Tony Jones <tonyj@suse.de> wrote:
> On 10/13/2015 09:11 AM, Paul Moore wrote:
>> On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook <keescook@chromium.org> wrote:
>>> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones <tonyj@suse.de> wrote:
>>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>>> index b2abc99..8f70f3f 100644
>>>> --- a/include/linux/audit.h
>>>> +++ b/include/linux/audit.h
>>>> @@ -113,6 +113,12 @@ struct filename;
>>>>
>>>>  extern void audit_log_session_info(struct audit_buffer *ab);
>>>>
>>>> +#ifdef CONFIG_AUDIT
>>>> +extern u32 audit_enabled;
>>>> +#else
>>>> +#define audit_enabled 0
>>>> +#endif
>>>> +
>>>>  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
>>>>  #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
>>>>  #else
>>>> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
>>>>  static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>>>>  {
>>>>         /* Force a record to be reported if a signal was delivered. */
>>>> -       if (signr || unlikely(!audit_dummy_context()))
>>>
>>> What is dummy_context part of this actually do? I don't think reports
>>> should be made when signr == 0.
>>
>> The idea behind audit_dummy_context() is to skip auditing when there
>> are no audit rules configured, it's a performance tweak.  My guess is
>> that Tony's system loads some audit configuration at boot which
>> enables audit (the kernel starts with audit_enabled=0 ...) and loads a
>> few syscall filter rules which are enough to make
>> audit_dummy_context() return false.  Can you confirm that Tony?
>
> No, it's the default audit.rules (-D, -b320).   No actual rules loaded.
> Let me add some instrumentation and figure out what's going on.  auditd
> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
> during startup (at least on our systems).

Yes, if systemd is involved it enables audit; we've had some
discussions with the systemd folks about fixing that, but they haven't
gone very far.  I'm still a little curious as to why
audit_dummy_context() is false in this case, but I haven't looked at
how systemd/auditctl start/config the system too closely.

>> As for logging seccomp actions when signr == 0, I personally think
>> that still might be useful as the normal behavior has been altered; I
>> tend to think any action != ALLOW is worth logging.  However, I'm open
>> to discussion on this if others feel strongly.
>>
>>>> +       if (audit_enabled && (signr || unlikely(!audit_dummy_context())))
>>>>                 __audit_seccomp(syscall, signr, code);
>>>>  }
>
> I'm of the opinion that nothing should get output (through the audit system) if
> audit_enabled == 0.  What you advocate calls for more than 2 possible states for
> audit_enabled or logging the information through another mechanism than audit.

I don't really care if it is audit or not (although we will need to
output something via audit if it is enabled to keep the CC crowd
happy); if you feel strongly that it isn't audit, we can just make it
a printk, that would work well with Kees' goals.  To me the important
point here is that we send a message when seccomp alters the behavior
of the syscall (action != ALLOW).

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Tony Jones @ 2015-10-13 17:18 UTC (permalink / raw)
  To: Paul Moore, Kees Cook; +Cc: linux-security-module, linux-audit
In-Reply-To: <CAHC9VhSVOe53Mp64_kG7NeGEPsXei2EfGJUg4GtYqvyoX8oKxg@mail.gmail.com>

On 10/13/2015 09:11 AM, Paul Moore wrote:
> On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones <tonyj@suse.de> wrote:
>>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>>> From: Tony Jones <tonyj@suse.de>
>>> Date: Sat, 10 Oct 2015 19:30:49 -0700
>>> Subject: [PATCH] Don't log seccomp messages when audit is disabled
>>>
>>> Don't log seccomp messages when audit is disabled.
>>
>> This is intentional since violation of a seccomp policy ought to
>> indicate a misbehaving program, and we want these to always be
>> presented to the system log, regardless of audit being enabled. (I'd
>> like to even produce system log entries when there is no CONFIG_AUDIT
>> too, but that's for the future.)
> 
> I agree.  As I mentioned earlier these AUDIT_SECCOMP records are very handy.
> 
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index b2abc99..8f70f3f 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -113,6 +113,12 @@ struct filename;
>>>
>>>  extern void audit_log_session_info(struct audit_buffer *ab);
>>>
>>> +#ifdef CONFIG_AUDIT
>>> +extern u32 audit_enabled;
>>> +#else
>>> +#define audit_enabled 0
>>> +#endif
>>> +
>>>  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
>>>  #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
>>>  #else
>>> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
>>>  static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>>>  {
>>>         /* Force a record to be reported if a signal was delivered. */
>>> -       if (signr || unlikely(!audit_dummy_context()))
>>
>> What is dummy_context part of this actually do? I don't think reports
>> should be made when signr == 0.
> 
> The idea behind audit_dummy_context() is to skip auditing when there
> are no audit rules configured, it's a performance tweak.  My guess is
> that Tony's system loads some audit configuration at boot which
> enables audit (the kernel starts with audit_enabled=0 ...) and loads a
> few syscall filter rules which are enough to make
> audit_dummy_context() return false.  Can you confirm that Tony?

No, it's the default audit.rules (-D, -b320).   No actual rules loaded. 
Let me add some instrumentation and figure out what's going on.  auditd
is masked (via systemd) but systemd-journal seems to set audit_enabled=1 
during startup (at least on our systems).

> As for logging seccomp actions when signr == 0, I personally think
> that still might be useful as the normal behavior has been altered; I
> tend to think any action != ALLOW is worth logging.  However, I'm open
> to discussion on this if others feel strongly.
> 
>>> +       if (audit_enabled && (signr || unlikely(!audit_dummy_context())))
>>>                 __audit_seccomp(syscall, signr, code);
>>>  }

I'm of the opinion that nothing should get output (through the audit system) if 
audit_enabled == 0.  What you advocate calls for more than 2 possible states for 
audit_enabled or logging the information through another mechanism than audit.

Tony

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Paul Moore @ 2015-10-13 16:11 UTC (permalink / raw)
  To: Kees Cook; +Cc: linux-security-module, linux-audit
In-Reply-To: <CAGXu5jKogSW-Qo+CabVHgZ7tx-1WE=MAJd+Khu5M2AMxwTS_vA@mail.gmail.com>

On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones <tonyj@suse.de> wrote:
>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>> From: Tony Jones <tonyj@suse.de>
>> Date: Sat, 10 Oct 2015 19:30:49 -0700
>> Subject: [PATCH] Don't log seccomp messages when audit is disabled
>>
>> Don't log seccomp messages when audit is disabled.
>
> This is intentional since violation of a seccomp policy ought to
> indicate a misbehaving program, and we want these to always be
> presented to the system log, regardless of audit being enabled. (I'd
> like to even produce system log entries when there is no CONFIG_AUDIT
> too, but that's for the future.)

I agree.  As I mentioned earlier these AUDIT_SECCOMP records are very handy.

>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index b2abc99..8f70f3f 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -113,6 +113,12 @@ struct filename;
>>
>>  extern void audit_log_session_info(struct audit_buffer *ab);
>>
>> +#ifdef CONFIG_AUDIT
>> +extern u32 audit_enabled;
>> +#else
>> +#define audit_enabled 0
>> +#endif
>> +
>>  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
>>  #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
>>  #else
>> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
>>  static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>>  {
>>         /* Force a record to be reported if a signal was delivered. */
>> -       if (signr || unlikely(!audit_dummy_context()))
>
> What is dummy_context part of this actually do? I don't think reports
> should be made when signr == 0.

The idea behind audit_dummy_context() is to skip auditing when there
are no audit rules configured, it's a performance tweak.  My guess is
that Tony's system loads some audit configuration at boot which
enables audit (the kernel starts with audit_enabled=0 ...) and loads a
few syscall filter rules which are enough to make
audit_dummy_context() return false.  Can you confirm that Tony?

As for logging seccomp actions when signr == 0, I personally think
that still might be useful as the normal behavior has been altered; I
tend to think any action != ALLOW is worth logging.  However, I'm open
to discussion on this if others feel strongly.

>> +       if (audit_enabled && (signr || unlikely(!audit_dummy_context())))
>>                 __audit_seccomp(syscall, signr, code);
>>  }

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Kees Cook @ 2015-10-12 20:45 UTC (permalink / raw)
  To: Tony Jones; +Cc: linux-security-module, linux-audit
In-Reply-To: <561BF39B.5050209@suse.de>

On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones <tonyj@suse.de> wrote:
> On 10/12/2015 08:40 AM, Paul Moore wrote:
>> My apologies for the resend, I had the wrong email for Kees.

(I keep asking for that alias, but no luck...)

>> On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote:
>>> On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
>>>> Hi.
>>>>
>>>> What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
>>>> Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
>>>> auditd is running) there is a lot of messages dumped to the klog. The fix
>>>> to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
>>>> patch, I'm just not sure if seccomp is somehow special?
>>>
>>> I'm adding Kees to this since he looks after the seccomp kernel bits these
>>> days.  While there isn't anything special about seccomp from an audit
>>> perspective, the seccomp audit record can be a really nice thing as it is
>>> the only indication you may get that seccomp has stepped in and done
>>> "something" other than allow the syscall to progress normally.
>
> The issue is that (without auditd running) the messages are output to klog regardless
> of whether audit_enabled is 0 or 1.  As I said, other occurrences of this such as with
> login events has been corrected (c2412d91c). Attached patch does same for seccomp.
>
>>> I would be a little more concerned that you are seeing a flood of seccomp
>>> messages from Opera, that is something that most likely warrants some closer
>>> inspection.  Are all the records the same/similar?  Can you paste some into
>>> email?
>
> Here is the logged messages per invocation of opera.  the use of the sandbox may well
> be the result of a local suse config/packaging decision but I'm not sure that's relevant.
>
> 2015-10-10T19:35:23.237882-07:00 nohostname kernel: [  152.100348] audit: type=1326 audit(1444530923.236:356): auid=1000 uid=1000 gid=100 ses=1 pid=2048 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7ff926d94ab7 code=0x50000
> 2015-10-10T19:35:23.242867-07:00 nohostname kernel: [  152.105690] audit: type=1326 audit(1444530923.241:357): auid=1000 uid=1000 gid=100 ses=1 pid=2087 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff928325444 code=0x50000
> 2015-10-10T19:35:23.242873-07:00 nohostname kernel: [  152.105938] audit: type=1326 audit(1444530923.241:358): auid=1000 uid=1000 gid=100 ses=1 pid=2089 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff928325444 code=0x50000
> 2015-10-10T19:35:23.243890-07:00 nohostname kernel: [  152.106845] audit: type=1326 audit(1444530923.242:359): auid=1000 uid=1000 gid=100 ses=1 pid=2048 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff926d6daa1 code=0x30000
> 2015-10-10T19:35:23.275872-07:00 nohostname kernel: [  152.138819] audit: type=1326 audit(1444530923.273:360): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7f92e4bd7ab7 code=0x50000
> 2015-10-10T19:35:23.275885-07:00 nohostname kernel: [  152.138937] audit: type=1326 audit(1444530923.274:361): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7f92e4bd7ab7 code=0x50000
> 2015-10-10T19:35:23.280867-07:00 nohostname kernel: [  152.143147] audit: type=1326 audit(1444530923.279:362): auid=1000 uid=1000 gid=100 ses=1 pid=2096 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f92e6168444 code=0x50000
> 2015-10-10T19:35:23.282055-07:00 nohostname kernel: [  152.144762] audit: type=1326 audit(1444530923.280:363): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f92eb5f8587 code=0x50000
> 2015-10-10T19:35:23.282062-07:00 nohostname kernel: [  152.144890] audit: type=1326 audit(1444530923.280:364): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f92e4b2ac8c code=0x50000
> 2015-10-10T19:35:23.282063-07:00 nohostname kernel: [  152.144988] audit: type=1326 audit(1444530923.280:365): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f92e4b2ad70 code=0x50000
>
>
> thanks
>
> tony
>
>
> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
> From: Tony Jones <tonyj@suse.de>
> Date: Sat, 10 Oct 2015 19:30:49 -0700
> Subject: [PATCH] Don't log seccomp messages when audit is disabled
>
> Don't log seccomp messages when audit is disabled.

This is intentional since violation of a seccomp policy ought to
indicate a misbehaving program, and we want these to always be
presented to the system log, regardless of audit being enabled. (I'd
like to even produce system log entries when there is no CONFIG_AUDIT
too, but that's for the future.)

> Currently, each time the opera browser is executed 10 records similar to the
> following are output to klog (when !audit_enabled).
>
> 2015-10-10T19:35:23.237882-07:00 nohostname kernel: [  152.100348] audit: type=1326 audit(1444530923.236:356): auid=1000 uid=1000 gid=100 ses=1 pid=2048 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7ff926d94ab7 code=0x50000

However, these are all sig=0, which would indicate a skipped syscall,
which I wouldn't expect to get reported at all.

>
> Signed-off-by: Tony Jones <tonyj@suse.de>
> ---
>  include/linux/audit.h | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index b2abc99..8f70f3f 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -113,6 +113,12 @@ struct filename;
>
>  extern void audit_log_session_info(struct audit_buffer *ab);
>
> +#ifdef CONFIG_AUDIT
> +extern u32 audit_enabled;
> +#else
> +#define audit_enabled 0
> +#endif
> +
>  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
>  #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
>  #else
> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
>  static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>  {
>         /* Force a record to be reported if a signal was delivered. */
> -       if (signr || unlikely(!audit_dummy_context()))

What is dummy_context part of this actually do? I don't think reports
should be made when signr == 0.

-Kees

> +       if (audit_enabled && (signr || unlikely(!audit_dummy_context())))
>                 __audit_seccomp(syscall, signr, code);
>  }
>
> @@ -498,7 +504,6 @@ extern int audit_rule_change(int type, __u32 portid, int seq,
>                                 void *data, size_t datasz);
>  extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
>
> -extern u32 audit_enabled;
>  #else /* CONFIG_AUDIT */
>  static inline __printf(4, 5)
>  void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
> @@ -544,7 +549,6 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
>  static inline void audit_log_task_info(struct audit_buffer *ab,
>                                        struct task_struct *tsk)
>  { }
> -#define audit_enabled 0
>  #endif /* CONFIG_AUDIT */
>  static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
>  {
> --
> 2.1.4
>
>
>



-- 
Kees Cook
Chrome OS Security

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Tony Jones @ 2015-10-12 17:53 UTC (permalink / raw)
  To: Paul Moore, keescook; +Cc: linux-security-module, linux-audit
In-Reply-To: <4636418.ofTBd0bpCf@sifl>

On 10/12/2015 08:40 AM, Paul Moore wrote:
> My apologies for the resend, I had the wrong email for Kees.
> 
> On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote:
>> On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
>>> Hi.
>>>
>>> What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
>>> Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
>>> auditd is running) there is a lot of messages dumped to the klog. The fix
>>> to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
>>> patch, I'm just not sure if seccomp is somehow special?
>>
>> I'm adding Kees to this since he looks after the seccomp kernel bits these
>> days.  While there isn't anything special about seccomp from an audit
>> perspective, the seccomp audit record can be a really nice thing as it is
>> the only indication you may get that seccomp has stepped in and done
>> "something" other than allow the syscall to progress normally.

The issue is that (without auditd running) the messages are output to klog regardless 
of whether audit_enabled is 0 or 1.  As I said, other occurrences of this such as with
login events has been corrected (c2412d91c). Attached patch does same for seccomp.

>> I would be a little more concerned that you are seeing a flood of seccomp
>> messages from Opera, that is something that most likely warrants some closer
>> inspection.  Are all the records the same/similar?  Can you paste some into
>> email?

Here is the logged messages per invocation of opera.  the use of the sandbox may well
be the result of a local suse config/packaging decision but I'm not sure that's relevant.

2015-10-10T19:35:23.237882-07:00 nohostname kernel: [  152.100348] audit: type=1326 audit(1444530923.236:356): auid=1000 uid=1000 gid=100 ses=1 pid=2048 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7ff926d94ab7 code=0x50000
2015-10-10T19:35:23.242867-07:00 nohostname kernel: [  152.105690] audit: type=1326 audit(1444530923.241:357): auid=1000 uid=1000 gid=100 ses=1 pid=2087 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff928325444 code=0x50000
2015-10-10T19:35:23.242873-07:00 nohostname kernel: [  152.105938] audit: type=1326 audit(1444530923.241:358): auid=1000 uid=1000 gid=100 ses=1 pid=2089 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff928325444 code=0x50000
2015-10-10T19:35:23.243890-07:00 nohostname kernel: [  152.106845] audit: type=1326 audit(1444530923.242:359): auid=1000 uid=1000 gid=100 ses=1 pid=2048 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff926d6daa1 code=0x30000
2015-10-10T19:35:23.275872-07:00 nohostname kernel: [  152.138819] audit: type=1326 audit(1444530923.273:360): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7f92e4bd7ab7 code=0x50000
2015-10-10T19:35:23.275885-07:00 nohostname kernel: [  152.138937] audit: type=1326 audit(1444530923.274:361): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7f92e4bd7ab7 code=0x50000
2015-10-10T19:35:23.280867-07:00 nohostname kernel: [  152.143147] audit: type=1326 audit(1444530923.279:362): auid=1000 uid=1000 gid=100 ses=1 pid=2096 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f92e6168444 code=0x50000
2015-10-10T19:35:23.282055-07:00 nohostname kernel: [  152.144762] audit: type=1326 audit(1444530923.280:363): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f92eb5f8587 code=0x50000
2015-10-10T19:35:23.282062-07:00 nohostname kernel: [  152.144890] audit: type=1326 audit(1444530923.280:364): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f92e4b2ac8c code=0x50000
2015-10-10T19:35:23.282063-07:00 nohostname kernel: [  152.144988] audit: type=1326 audit(1444530923.280:365): auid=1000 uid=1000 gid=100 ses=1 pid=2093 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f92e4b2ad70 code=0x50000


thanks

tony


>From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
From: Tony Jones <tonyj@suse.de>
Date: Sat, 10 Oct 2015 19:30:49 -0700
Subject: [PATCH] Don't log seccomp messages when audit is disabled

Don't log seccomp messages when audit is disabled.   

Currently, each time the opera browser is executed 10 records similar to the 
following are output to klog (when !audit_enabled).

2015-10-10T19:35:23.237882-07:00 nohostname kernel: [  152.100348] audit: type=1326 audit(1444530923.236:356): auid=1000 uid=1000 gid=100 ses=1 pid=2048 comm="opera" exe="/usr/lib64/opera/opera" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7ff926d94ab7 code=0x50000

Signed-off-by: Tony Jones <tonyj@suse.de>
---
 include/linux/audit.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index b2abc99..8f70f3f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -113,6 +113,12 @@ struct filename;
 
 extern void audit_log_session_info(struct audit_buffer *ab);
 
+#ifdef CONFIG_AUDIT
+extern u32 audit_enabled;
+#else
+#define audit_enabled 0
+#endif
+
 #ifdef CONFIG_AUDIT_COMPAT_GENERIC
 #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
 #else
@@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
 static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 {
 	/* Force a record to be reported if a signal was delivered. */
-	if (signr || unlikely(!audit_dummy_context()))
+	if (audit_enabled && (signr || unlikely(!audit_dummy_context())))
 		__audit_seccomp(syscall, signr, code);
 }
 
@@ -498,7 +504,6 @@ extern int audit_rule_change(int type, __u32 portid, int seq,
 				void *data, size_t datasz);
 extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
 
-extern u32 audit_enabled;
 #else /* CONFIG_AUDIT */
 static inline __printf(4, 5)
 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
@@ -544,7 +549,6 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab,
 				       struct task_struct *tsk)
 { }
-#define audit_enabled 0
 #endif /* CONFIG_AUDIT */
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
-- 
2.1.4

^ permalink raw reply related

* Re: seccomp and audit_enabled
From: Paul Moore @ 2015-10-12 15:40 UTC (permalink / raw)
  To: Tony Jones, keescook; +Cc: linux-security-module, linux-audit
In-Reply-To: <9092019.92r82W6k9o@sifl>

My apologies for the resend, I had the wrong email for Kees.

On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote:
> On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> > Hi.
> > 
> > What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
> > Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> > auditd is running) there is a lot of messages dumped to the klog. The fix
> > to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
> > patch, I'm just not sure if seccomp is somehow special?
> 
> I'm adding Kees to this since he looks after the seccomp kernel bits these
> days.  While there isn't anything special about seccomp from an audit
> perspective, the seccomp audit record can be a really nice thing as it is
> the only indication you may get that seccomp has stepped in and done
> "something" other than allow the syscall to progress normally.
> 
> I would be a little more concerned that you are seeing a flood of seccomp
> messages from Opera, that is something that most likely warrants some closer
> inspection.  Are all the records the same/similar?  Can you paste some into
> email?

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: seccomp and audit_enabled
From: Paul Moore @ 2015-10-12 15:29 UTC (permalink / raw)
  To: Tony Jones, Kees Cook; +Cc: linux-security-module, linux-audit
In-Reply-To: <56188AE9.4030306@suse.de>

On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> Hi.
> 
> What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?  
> Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> auditd is running) there is a lot of messages dumped to the klog. The fix
> to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
> patch, I'm just not sure if seccomp is somehow special?

I'm adding Kees to this since he looks after the seccomp kernel bits these 
days.  While there isn't anything special about seccomp from an audit 
perspective, the seccomp audit record can be a really nice thing as it is the 
only indication you may get that seccomp has stepped in and done "something" 
other than allow the syscall to progress normally.

I would be a little more concerned that you are seeing a flood of seccomp 
messages from Opera, that is something that most likely warrants some closer 
inspection.  Are all the records the same/similar?  Can you paste some into 
email?

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* [PATCH 2/2] Fixed Trivial Warnings in file:  Deleted Spaces prior to tabs, and added lines. modified:   kernel/auditfilter.c
From: Scott Matheina @ 2015-10-11  1:57 UTC (permalink / raw)
  To: paul, eparis, linux-audit, linux-kernel; +Cc: trivial, Scott Matheina

Signed-off-by: Scott Matheina <scott@matheina.com>
---
 kernel/auditfilter.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7714d93..774f9ad 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -39,13 +39,13 @@
  * Locking model:
  *
  * audit_filter_mutex:
- * 		Synchronizes writes and blocking reads of audit's filterlist
- * 		data.  Rcu is used to traverse the filterlist and access
- * 		contents of structs audit_entry, audit_watch and opaque
- * 		LSM rules during filtering.  If modified, these structures
- * 		must be copied and replace their counterparts in the filterlist.
- * 		An audit_parent struct is not accessed during filtering, so may
- * 		be written directly provided audit_filter_mutex is held.
+ *		Synchronizes writes and blocking reads of audit's filterlist
+ *		data.  Rcu is used to traverse the filterlist and access
+ *		contents of structs audit_entry, audit_watch and opaque
+ *		LSM rules during filtering.  If modified, these structures
+ *		must be copied and replace their counterparts in the filterlist.
+ *		An audit_parent struct is not accessed during filtering, so may
+ *		be written directly provided audit_filter_mutex is held.
  */
 
 /* Audit filter lists, defined in <linux/audit.h> */
@@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
 {
 	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
 	audit_free_rule(e);
+
 }
 
 /* Initialize an audit filterlist entry. */
@@ -176,9 +177,11 @@ static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 int __init audit_register_class(int class, unsigned *list)
 {
 	__u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
+
 	if (!p)
 		return -ENOMEM;
 	while (*list != ~0U) {
+
 		unsigned n = *list++;
 		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 			kfree(p);
-- 
1.9.1

^ permalink raw reply related

* seccomp and audit_enabled
From: Tony Jones @ 2015-10-10  3:50 UTC (permalink / raw)
  To: linux-audit

Hi.

What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?   Opera browser makes use of a sandbox and if audit_enabled == 0 (and no auditd is running) there is a lot of messages dumped to the klog. The fix to __audit_seccomp() is trivial, similar to c2412d91c and I can send a patch, I'm just not sure if seccomp is somehow special?

Thanks

Tony

^ permalink raw reply

* Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls
From: Paul Moore @ 2015-10-09 20:29 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Paul Osmialowski, linux-security-module, linux-audit, selinux
In-Reply-To: <561820CD.4050401@tycho.nsa.gov>

On Friday, October 09, 2015 04:17:17 PM Stephen Smalley wrote:
> On 10/09/2015 11:39 AM, Paul Moore wrote:
> > On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
> >> On 10/07/2015 07:08 PM, Paul Moore wrote:
> >>> +static int selinux_kdbus_init_inode(struct inode *inode,
> >>> +				    const struct cred *creds)
> >>> +{
> >>> +	struct inode_security_struct *isec = inode->i_security;
> >>> +	u32 sid = cred_sid(creds);
> >>> +
> >>> +	/* XXX - this is very simple, e.g. no transitions, no special object
> >>> +	 *       class, etc. since this inode is basically an IPC socket ...
> >>> +	 *       however, is this too simple?  do we want transitions?  if 
we
> >>> +	 *       do, we should do the transition in kdbus_node_init() and 
not
> >>> +	 *       here so that endpoint is labeled correctly and not just 
this
> >>> +	 *       inode */
> >>> +
> >>> +	isec->inode = inode;
> >>> +	isec->task_sid = sid;
> >>> +	isec->sid = sid;
> >>> +	isec->sclass = SECCLASS_FILE;
> >>> +	isec->initialized = 1;
> >> 
> >> These are used for files exposed in the filesystem namespace, unlike
> >> sockets (sockfs can't be mounted by userspace, and the socket objects
> >> themselves have their own class, so there is no ambiguity).  Currently
> >> the only such files that are labeled with the same SID as the associated
> >> task are /proc files.  So if we label the kdbusfs files with the same
> >> SID, then you can't allow read/write to kdbusfs nodes owned by another
> >> task without also exposing its /proc/pid files in the same manner.
> >> Doubt we want that.  Probably should compute a transition from the task
> >> SID and the kdbusfs SID.
> > 
> > Okay, that was one of my main concerns; your suggestion makes sense to me.
> > 
> > I'm also thinking that is we do a file transition using the task label and
> > the kdbusfs superblock label we should limit it to just the inode label
> > and not the kdbus endpoint as I suggested in the comment above (the bit
> > about kdbus_node_init()), yes?
> 
> Yes, it only needs to be done for the inode, not the endpoint.
> Analogy with sockets:  Can I write to the socket file (kdbus file) bound
> to the socket (endpoint)?  Can I connectto/sendto the socket (endpoint)?

Yep.

I'll make these changes and work to get another draft out next week.

-- 
paul moore
security @ redhat

^ permalink raw reply

* Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls
From: Stephen Smalley @ 2015-10-09 20:17 UTC (permalink / raw)
  To: Paul Moore; +Cc: Paul Osmialowski, linux-security-module, linux-audit, selinux
In-Reply-To: <4505777.oeeaHvkZzq@sifl>

On 10/09/2015 11:39 AM, Paul Moore wrote:
> On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
>> On 10/07/2015 07:08 PM, Paul Moore wrote:
>>> +static int selinux_kdbus_init_inode(struct inode *inode,
>>> +				    const struct cred *creds)
>>> +{
>>> +	struct inode_security_struct *isec = inode->i_security;
>>> +	u32 sid = cred_sid(creds);
>>> +
>>> +	/* XXX - this is very simple, e.g. no transitions, no special object
>>> +	 *       class, etc. since this inode is basically an IPC socket ...
>>> +	 *       however, is this too simple?  do we want transitions?  if we
>>> +	 *       do, we should do the transition in kdbus_node_init() and not
>>> +	 *       here so that endpoint is labeled correctly and not just this
>>> +	 *       inode */
>>> +
>>> +	isec->inode = inode;
>>> +	isec->task_sid = sid;
>>> +	isec->sid = sid;
>>> +	isec->sclass = SECCLASS_FILE;
>>> +	isec->initialized = 1;
>>
>> These are used for files exposed in the filesystem namespace, unlike
>> sockets (sockfs can't be mounted by userspace, and the socket objects
>> themselves have their own class, so there is no ambiguity).  Currently
>> the only such files that are labeled with the same SID as the associated
>> task are /proc files.  So if we label the kdbusfs files with the same
>> SID, then you can't allow read/write to kdbusfs nodes owned by another
>> task without also exposing its /proc/pid files in the same manner.
>> Doubt we want that.  Probably should compute a transition from the task
>> SID and the kdbusfs SID.
>
> Okay, that was one of my main concerns; your suggestion makes sense to me.
>
> I'm also thinking that is we do a file transition using the task label and the
> kdbusfs superblock label we should limit it to just the inode label and not
> the kdbus endpoint as I suggested in the comment above (the bit about
> kdbus_node_init()), yes?

Yes, it only needs to be done for the inode, not the endpoint.
Analogy with sockets:  Can I write to the socket file (kdbus file) bound 
to the socket (endpoint)?  Can I connectto/sendto the socket (endpoint)?

^ permalink raw reply

* Re: [RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names
From: Stephen Smalley @ 2015-10-09 16:40 UTC (permalink / raw)
  To: Steve Grubb, linux-audit; +Cc: Paul Osmialowski, linux-security-module, selinux
In-Reply-To: <1800266.KI1jez7jKq@x2>

On 10/09/2015 12:25 PM, Steve Grubb wrote:
> On Friday, October 09, 2015 10:57:44 AM Stephen Smalley wrote:
>> On 10/07/2015 07:08 PM, Paul Moore wrote:
>>> The kdbus service names will be recorded using 'service', similar to
>>> the existing dbus audit records.
>>>
>>> Signed-off-by: Paul Moore <pmoore@redhat.com>
>>>
>>> ---
>>> ChangeLog:
>>> - v3
>>>
>>>    * Ported to the 4.3-rc4 based kdbus tree
>>>
>>> - v2
>>>
>>>    * Initial draft
>>>
>>> ---
>>>
>>>    include/linux/lsm_audit.h |    2 ++
>>>    security/lsm_audit.c      |    4 ++++
>>>    2 files changed, 6 insertions(+)
>>>
>>> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
>>> index ffb9c9d..d6a656f 100644
>>> --- a/include/linux/lsm_audit.h
>>> +++ b/include/linux/lsm_audit.h
>>> @@ -59,6 +59,7 @@ struct common_audit_data {
>>>
>>>    #define LSM_AUDIT_DATA_INODE	9
>>>    #define LSM_AUDIT_DATA_DENTRY	10
>>>    #define LSM_AUDIT_DATA_IOCTL_OP	11
>>>
>>> +#define LSM_AUDIT_DATA_KDBUS	12
>>>
>>>    	union 	{
>>>    	
>>>    		struct path path;
>>>    		struct dentry *dentry;
>>>
>>> @@ -75,6 +76,7 @@ struct common_audit_data {
>>>
>>>    #endif
>>>
>>>    		char *kmod_name;
>>>    		struct lsm_ioctlop_audit *op;
>>>
>>> +		const char *kdbus_name;
>>>
>>>    	} u;
>>>    	/* this union contains LSM specific data */
>>>    	union {
>>>
>>> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
>>> index cccbf30..0a3dc1b 100644
>>> --- a/security/lsm_audit.c
>>> +++ b/security/lsm_audit.c
>>> @@ -397,6 +397,10 @@ static void dump_common_audit_data(struct
>>> audit_buffer *ab,>
>>>    		audit_log_format(ab, " kmod=");
>>>    		audit_log_untrustedstring(ab, a->u.kmod_name);
>>>    		break;
>>>
>>> +	case LSM_AUDIT_DATA_KDBUS:
>>> +		audit_log_format(ab, " service=");
>>
>> Not a major issue to me, but just wondering if this needs to be further
>> qualified to indicate it is a kdbus service.  service= is rather generic.
>
>>From the audit perspective, its fine as service. Too many names that mean the
> same thing causes string lookup tables to get big. Service is what dbus is
> currently using. So, it makes sense to re-use the field name. If the selinux
> tooling wants to know an AVC originated from kdbus activity, then maybe
> another name=value should be added.

Ok, never mind then - just leave it as is.

^ permalink raw reply

* Re: [RFC PATCH v3 4/5] selinux: introduce kdbus names into the policy
From: Stephen Smalley @ 2015-10-09 16:38 UTC (permalink / raw)
  To: Paul Moore, linux-security-module, linux-audit, selinux; +Cc: Paul Osmialowski
In-Reply-To: <20151007230842.7823.70790.stgit@localhost>

On 10/07/2015 07:08 PM, Paul Moore wrote:
> SELinux treats kdbus service names as objects and therefore needs a
> mechanism to map service names to security labels.  This patch adds
> support for loading kdbus name/label matches with the security policy.
>
> The patch supports service name prefix matching to lessen the burden
> on the policy developers and reduce the size of the resulting policy.
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
>
> ---
> ChangeLog:
> - v3
>   * Ported to the 4.3-rc4 based kdbus tree, v2 hacks removed
> - v2
>   * Porting needed to work with ioctl xperms
> - v1
>   * Initial draft
> ---
>   security/selinux/include/security.h |    5 ++
>   security/selinux/ss/policydb.c      |   88 +++++++++++++++++++++++++++++------
>   security/selinux/ss/policydb.h      |    3 +
>   security/selinux/ss/services.c      |   38 +++++++++++++++
>   4 files changed, 116 insertions(+), 18 deletions(-)
>

> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 992a315..9be2e6d 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2111,7 +2116,7 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
>   	int i, j, rc;
>   	u32 nel, len;
>   	__le32 buf[3];
> -	struct ocontext *l, *c;
> +	struct ocontext *l, *l2, *c;
>   	u32 nodebuf[8];
>
>   	for (i = 0; i < info->ocon_num; i++) {
> @@ -2130,6 +2135,7 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
>   				l->next = c;
>   			else
>   				p->ocontexts[i] = c;
> +			l2 = l;
>   			l = c;
>
>   			switch (i) {
> @@ -2219,6 +2225,43 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
>   					goto out;
>   				break;
>   			}
> +			case OCON_KDBUS: {
> +				struct ocontext *iter, *last;
> +				u32 len2;
> +
> +				rc = next_entry(buf, fp, sizeof(u32));
> +				if (rc)
> +					goto out;
> +				len = le32_to_cpu(buf[0]);
> +				rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
> +				if (rc)
> +					goto out;
> +				rc = context_read_and_validate(&c->context[0], p, fp);
> +				if (rc) {
> +					kfree(c->u.name);
> +					goto out;
> +				}
> +
> +				/* sort by ->u.name length, longest first */
> +				last = NULL;
> +				iter = p->ocontexts[OCON_KDBUS];
> +				while (iter != c) {
> +					len2 = strlen(iter->u.name);
> +					if (len > len2) {
> +						if (l2)
> +							l2->next = NULL;
> +						c->next = iter;
> +						if (last == NULL)
> +							p->ocontexts[i] = c;
> +						else
> +							last->next = c;
> +						break;
> +					}
> +					last = iter;
> +					iter = iter->next;
> +				}
> +				break;

This seems complicated compared to genfs_read() due to the fact that 
ocontext_read() pre-inserts node into the list.  Maybe we should change 
ocontext_read() to defer insertion until after the switch statement, and 
then we don't have to un-link and re-link these entries?

> +			}
>   			}
>   		}
>   	}
> @@ -3147,6 +3190,19 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info,
>   				if (rc)
>   					return rc;
>   				break;
> +			case OCON_KDBUS:
> +				len = strlen(c->u.name);
> +				buf[0] = cpu_to_le32(len);
> +				rc = put_entry(buf, sizeof(u32), 1, fp);
> +				if (rc)
> +					return rc;
> +				rc = put_entry(c->u.name, len, 1, fp);
> +				if (rc)
> +					return rc;
> +				rc = context_write(p, &c->context[0], fp);
> +				if (rc)
> +					return rc;
> +				break;
>   			}
>   		}
>   	}
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index 725d594..ee9c120 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -222,7 +222,8 @@ struct genfs {
>   #define OCON_NODE  4	/* nodes */
>   #define OCON_FSUSE 5	/* fs_use */
>   #define OCON_NODE6 6	/* IPv6 nodes */
> -#define OCON_NUM   7
> +#define OCON_KDBUS 7	/* kdbus names */
> +#define OCON_NUM   8
>
>   /* The policy database */
>   struct policydb {
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index b7df12b..ada2d28 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -2536,6 +2536,44 @@ int security_genfs_sid(const char *fstype,
>   }
>
>   /**
> + * security_kdbus_sid - Obtain a SID for a kdbus name
> + * @name: kdbus name
> + * @sid: SID for the kdbus name
> + *
> + * Obtain a SID for the given kdbus service name.  Returns zero on success,
> + * negative values on error.
> + */
> +int security_kdbus_sid(const char *name, u32 *sid)
> +{
> +	int rc = 0;
> +	struct ocontext *c;
> +
> +	read_lock(&policy_rwlock);
> +
> +	c = policydb.ocontexts[OCON_KDBUS];
> +	while (c) {
> +		if (strncmp(c->u.name, name, strlen(c->u.name)) == 0)
> +			break;
> +		c = c->next;
> +	}
> +
> +	if (c) {
> +		if (!c->sid[0]) {
> +			rc = sidtab_context_to_sid(&sidtab,
> +						   &c->context[0], &c->sid[0]);
> +			if (rc)
> +				goto out;
> +		}
> +		*sid = c->sid[0];
> +	} else
> +		*sid = SECINITSID_UNLABELED;
> +
> +out:
> +	read_unlock(&policy_rwlock);
> +	return rc;
> +}
> +
> +/**
>    * security_fs_use - Determine how to handle labeling for a filesystem.
>    * @sb: superblock in question
>    */
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>

^ permalink raw reply

* Re: [RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names
From: Steve Grubb @ 2015-10-09 16:25 UTC (permalink / raw)
  To: linux-audit; +Cc: Paul Osmialowski, linux-security-module, selinux
In-Reply-To: <5617D5E8.3000305@tycho.nsa.gov>

On Friday, October 09, 2015 10:57:44 AM Stephen Smalley wrote:
> On 10/07/2015 07:08 PM, Paul Moore wrote:
> > The kdbus service names will be recorded using 'service', similar to
> > the existing dbus audit records.
> > 
> > Signed-off-by: Paul Moore <pmoore@redhat.com>
> > 
> > ---
> > ChangeLog:
> > - v3
> > 
> >   * Ported to the 4.3-rc4 based kdbus tree
> > 
> > - v2
> > 
> >   * Initial draft
> > 
> > ---
> > 
> >   include/linux/lsm_audit.h |    2 ++
> >   security/lsm_audit.c      |    4 ++++
> >   2 files changed, 6 insertions(+)
> > 
> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index ffb9c9d..d6a656f 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -59,6 +59,7 @@ struct common_audit_data {
> > 
> >   #define LSM_AUDIT_DATA_INODE	9
> >   #define LSM_AUDIT_DATA_DENTRY	10
> >   #define LSM_AUDIT_DATA_IOCTL_OP	11
> > 
> > +#define LSM_AUDIT_DATA_KDBUS	12
> > 
> >   	union 	{
> >   	
> >   		struct path path;
> >   		struct dentry *dentry;
> > 
> > @@ -75,6 +76,7 @@ struct common_audit_data {
> > 
> >   #endif
> >   
> >   		char *kmod_name;
> >   		struct lsm_ioctlop_audit *op;
> > 
> > +		const char *kdbus_name;
> > 
> >   	} u;
> >   	/* this union contains LSM specific data */
> >   	union {
> > 
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..0a3dc1b 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -397,6 +397,10 @@ static void dump_common_audit_data(struct
> > audit_buffer *ab,> 
> >   		audit_log_format(ab, " kmod=");
> >   		audit_log_untrustedstring(ab, a->u.kmod_name);
> >   		break;
> > 
> > +	case LSM_AUDIT_DATA_KDBUS:
> > +		audit_log_format(ab, " service=");
> 
> Not a major issue to me, but just wondering if this needs to be further
> qualified to indicate it is a kdbus service.  service= is rather generic.

>From the audit perspective, its fine as service. Too many names that mean the 
same thing causes string lookup tables to get big. Service is what dbus is 
currently using. So, it makes sense to re-use the field name. If the selinux 
tooling wants to know an AVC originated from kdbus activity, then maybe 
another name=value should be added.

-Steve
 
> > +		audit_log_untrustedstring(ab, a->u.kdbus_name);
> > +		break;
> > 
> >   	} /* switch (a->type) */
> >   
> >   }
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> > Selinux-request@tycho.nsa.gov.
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls
From: Paul Moore @ 2015-10-09 15:39 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Paul Osmialowski, linux-security-module, linux-audit, selinux
In-Reply-To: <5617D7D6.1090608@tycho.nsa.gov>

On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
> On 10/07/2015 07:08 PM, Paul Moore wrote:
> > +static int selinux_kdbus_init_inode(struct inode *inode,
> > +				    const struct cred *creds)
> > +{
> > +	struct inode_security_struct *isec = inode->i_security;
> > +	u32 sid = cred_sid(creds);
> > +
> > +	/* XXX - this is very simple, e.g. no transitions, no special object
> > +	 *       class, etc. since this inode is basically an IPC socket ...
> > +	 *       however, is this too simple?  do we want transitions?  if we
> > +	 *       do, we should do the transition in kdbus_node_init() and not
> > +	 *       here so that endpoint is labeled correctly and not just this
> > +	 *       inode */
> > +
> > +	isec->inode = inode;
> > +	isec->task_sid = sid;
> > +	isec->sid = sid;
> > +	isec->sclass = SECCLASS_FILE;
> > +	isec->initialized = 1;
> 
> These are used for files exposed in the filesystem namespace, unlike
> sockets (sockfs can't be mounted by userspace, and the socket objects
> themselves have their own class, so there is no ambiguity).  Currently
> the only such files that are labeled with the same SID as the associated
> task are /proc files.  So if we label the kdbusfs files with the same
> SID, then you can't allow read/write to kdbusfs nodes owned by another
> task without also exposing its /proc/pid files in the same manner.
> Doubt we want that.  Probably should compute a transition from the task
> SID and the kdbusfs SID.

Okay, that was one of my main concerns; your suggestion makes sense to me.

I'm also thinking that is we do a file transition using the task label and the 
kdbusfs superblock label we should limit it to just the inode label and not 
the kdbus endpoint as I suggested in the comment above (the bit about 
kdbus_node_init()), yes?

-- 
paul moore
security @ redhat

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox