From: Jasjiv Singh <jasjivsingh@linux.microsoft.com>
To: wufan@kernel.org
Cc: audit@vger.kernel.org, corbet@lwn.net, eparis@redhat.com,
jasjivsingh@linux.microsoft.com, jmorris@namei.org,
linux-audit@redhat.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, paul@paul-moore.com
Subject: [PATCH v2] ipe: add errno field to IPE policy load auditing
Date: Thu, 27 Feb 2025 14:46:17 -0800 [thread overview]
Message-ID: <1740696377-3986-1-git-send-email-jasjivsingh@linux.microsoft.com> (raw)
In-Reply-To: <CAKtyLkFg2+8ciy4DM=g+vcTVvuRPNL2SHbN+m9ObErxtYXZYPw@mail.gmail.com>
Thanks for reviewing it. Here's the example generated from real logs:
AUDIT_IPE_POLICY_LOAD(1422):
audit: AUDIT1422 policy_name="Test_Policy" policy_version=0.0.1
policy_digest =sha256:84EFBA8FA71E62AE0A537FAB962F8A2BD1053964C4
299DCA92BFFF4DB82E86D3 auid=1000 ses=3 lsm=ipe res=1 errno=0
The above record shows a new policy has been successfully loaded into
the kernel with the policy name, version, and hash with the errno=0.
AUDIT_IPE_POLICY_LOAD(1422) with error:
audit: AUDIT1422 policy_name=? policy_version=? policy_digest=?
auid=1000 ses=3 lsm=ipe res=0 errno=-74
The above record shows a policy load failure due to an invalid policy.
I have updated the failure cases in new_policy() and update_policy(),
which covers each case as well.
Signed-off-by: Jasjiv Singh <jasjivsingh@linux.microsoft.com>
---
Documentation/admin-guide/LSM/ipe.rst | 2 ++
security/ipe/audit.c | 10 ++++------
security/ipe/fs.c | 17 ++++++++++++-----
security/ipe/policy.c | 4 +---
security/ipe/policy_fs.c | 24 +++++++++++++++++++-----
5 files changed, 38 insertions(+), 19 deletions(-)
diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
index 2143165f48c9..5dbf54471fab 100644
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -453,6 +453,8 @@ Field descriptions:
| errno | integer | No | The result of the policy error as follows: |
| | | | |
| | | | + 0: no error |
+| | | | + -EPERM: Insufficient permission |
+| | | | + -EEXIST: Same name policy already deployed |
| | | | + -EBADMSG: policy is invalid |
| | | | + -ENOMEM: out of memory (OOM) |
| | | | + -ERANGE: policy version number overflow |
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index f810f7004498..8df307bb2bab 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -21,7 +21,7 @@
#define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
"policy_digest=" IPE_AUDIT_HASH_ALG ":"
-#define AUDIT_POLICY_LOAD_NULL_FMT "policy_name=? policy_version=? "\
+#define AUDIT_POLICY_LOAD_FAIL_FMT "policy_name=? policy_version=? "\
"policy_digest=?"
#define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\
"old_active_pol_version=%hu.%hu.%hu "\
@@ -255,9 +255,8 @@ void ipe_audit_policy_activation(const struct ipe_policy *const op,
*/
void ipe_audit_policy_load(const struct ipe_policy *const p)
{
- int res = 0;
- int err = 0;
struct audit_buffer *ab;
+ int err = 0;
ab = audit_log_start(audit_context(), GFP_KERNEL,
AUDIT_IPE_POLICY_LOAD);
@@ -266,15 +265,14 @@ void ipe_audit_policy_load(const struct ipe_policy *const p)
if (!IS_ERR(p)) {
audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p);
- res = 1;
} else {
- audit_log_format(ab, AUDIT_POLICY_LOAD_NULL_FMT);
+ audit_log_format(ab, AUDIT_POLICY_LOAD_FAIL_FMT);
err = PTR_ERR(p);
}
audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=%d errno=%d",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), res, err);
+ audit_get_sessionid(current), !err, err);
audit_log_end(ab);
}
diff --git a/security/ipe/fs.c b/security/ipe/fs.c
index 5b6d19fb844a..40805b13ee2c 100644
--- a/security/ipe/fs.c
+++ b/security/ipe/fs.c
@@ -141,12 +141,16 @@ static ssize_t new_policy(struct file *f, const char __user *data,
char *copy = NULL;
int rc = 0;
- if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
- return -EPERM;
+ if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) {
+ rc = -EPERM;
+ goto out;
+ }
copy = memdup_user_nul(data, len);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
+ if (IS_ERR(copy)) {
+ rc = PTR_ERR(copy);
+ goto out;
+ }
p = ipe_new_policy(NULL, 0, copy, len);
if (IS_ERR(p)) {
@@ -161,8 +165,11 @@ static ssize_t new_policy(struct file *f, const char __user *data,
ipe_audit_policy_load(p);
out:
- if (rc < 0)
+ if (rc < 0) {
ipe_free_policy(p);
+ p = ERR_PTR(rc);
+ ipe_audit_policy_load(p);
+ }
kfree(copy);
return (rc < 0) ? rc : len;
}
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index 0f616e9fbe61..b628f696e32b 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -202,9 +202,7 @@ struct ipe_policy *ipe_new_policy(const char *text, size_t textlen,
return new;
err:
ipe_free_policy(new);
- new = ERR_PTR(rc);
- ipe_audit_policy_load(new);
- return new;
+ return ERR_PTR(rc);
}
/**
diff --git a/security/ipe/policy_fs.c b/security/ipe/policy_fs.c
index 3bcd8cbd09df..74f4e7288331 100644
--- a/security/ipe/policy_fs.c
+++ b/security/ipe/policy_fs.c
@@ -12,6 +12,7 @@
#include "policy.h"
#include "eval.h"
#include "fs.h"
+#include "audit.h"
#define MAX_VERSION_SIZE ARRAY_SIZE("65535.65535.65535")
@@ -288,25 +289,38 @@ static ssize_t getactive(struct file *f, char __user *data,
static ssize_t update_policy(struct file *f, const char __user *data,
size_t len, loff_t *offset)
{
+ const struct ipe_policy *p = NULL;
struct inode *root = NULL;
char *copy = NULL;
int rc = 0;
- if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
- return -EPERM;
+ if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) {
+ rc = -EPERM;
+ goto out;
+ }
copy = memdup_user(data, len);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
+ if (IS_ERR(copy)) {
+ rc = PTR_ERR(copy);
+ goto out;
+ }
root = d_inode(f->f_path.dentry->d_parent);
inode_lock(root);
rc = ipe_update_policy(root, NULL, 0, copy, len);
+ if (rc < 0) {
+ inode_unlock(root);
+ goto out;
+ }
inode_unlock(root);
+out:
kfree(copy);
- if (rc)
+ if (rc) {
+ p = ERR_PTR(rc);
+ ipe_audit_policy_load(p);
return rc;
+ }
return len;
}
--
2.34.1
next prev parent reply other threads:[~2025-02-27 22:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-14 21:41 [RFC PATCH] ipe: add errno field to IPE policy load auditing Jasjiv Singh
2025-02-19 21:49 ` Fan Wu
2025-02-27 22:46 ` Jasjiv Singh [this message]
2025-02-27 23:41 ` [PATCH v2] " Fan Wu
2025-02-28 23:11 ` [PATCH v3] " Jasjiv Singh
2025-03-03 22:11 ` Fan Wu
2025-03-05 0:04 ` Jasjiv Singh
2025-03-05 18:13 ` Jasjiv Singh
2025-03-05 21:23 ` Fan Wu
2025-03-05 23:27 ` Jasjiv Singh
2025-03-06 0:08 ` Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1740696377-3986-1-git-send-email-jasjivsingh@linux.microsoft.com \
--to=jasjivsingh@linux.microsoft.com \
--cc=audit@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=wufan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).