From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com, paul@paul-moore.com,
linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
mic@digikod.net
Subject: [PATCH 04/13] Audit: maintain an lsmblob in audit_context
Date: Sun, 25 Aug 2024 12:00:39 -0700 [thread overview]
Message-ID: <20240825190048.13289-5-casey@schaufler-ca.com> (raw)
In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com>
Replace the secid value stored in struct audit_context with a struct
lsmblob. Change the code that uses this value to accommodate the
change. security_audit_rule_match() expects a lsmblob, so existing
scaffolding can be removed. A call to security_secid_to_secctx()
is changed to security_lsmblob_to_secctx(). The call to
security_ipc_getsecid() is scaffolded.
A new function lsmblob_is_set() is introduced to identify whether
an lsmblob contains a non-zero value.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 13 +++++++++++++
kernel/audit.h | 3 ++-
kernel/auditsc.c | 19 ++++++++-----------
3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 457fafc32fb0..a0b23b6e8734 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
return kernel_load_data_str[id];
}
+/**
+ * lsmblob_is_set - report if there is a value in the lsmblob
+ * @blob: Pointer to the exported LSM data
+ *
+ * Returns true if there is a value set, false otherwise
+ */
+static inline bool lsmblob_is_set(struct lsmblob *blob)
+{
+ const struct lsmblob empty = {};
+
+ return !!memcmp(blob, &empty, sizeof(*blob));
+}
+
#ifdef CONFIG_SECURITY
int call_blocking_lsm_notifier(enum lsm_event event, void *data);
diff --git a/kernel/audit.h b/kernel/audit.h
index a60d2840559e..b1f2de4d4f1e 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -11,6 +11,7 @@
#include <linux/fs.h>
#include <linux/audit.h>
+#include <linux/security.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>
#include <linux/tty.h>
@@ -160,7 +161,7 @@ struct audit_context {
kuid_t uid;
kgid_t gid;
umode_t mode;
- u32 osid;
+ struct lsmblob oblob;
int has_perm;
uid_t perm_uid;
gid_t perm_gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 23adb15cae43..84f6e9356b8f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- /* scaffolding */
- blob.scaffold.secid = ctx->ipc.osid;
- if (security_audit_rule_match(&blob,
+ if (security_audit_rule_match(&ctx->ipc.oblob,
f->type, f->op,
f->lsm_rule))
++result;
@@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_format(ab, " a%d=%lx", i,
context->socketcall.args[i]);
break; }
- case AUDIT_IPC: {
- u32 osid = context->ipc.osid;
-
+ case AUDIT_IPC:
audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
from_kuid(&init_user_ns, context->ipc.uid),
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
- if (osid) {
+ if (lsmblob_is_set(&context->ipc.oblob)) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", osid);
+ if (security_lsmblob_to_secctx(&context->ipc.oblob,
+ &ctx, &len)) {
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
@@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic)
context->ipc.perm_gid,
context->ipc.perm_mode);
}
- break; }
+ break;
case AUDIT_MQ_OPEN:
audit_log_format(ab,
"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
@@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
context->ipc.gid = ipcp->gid;
context->ipc.mode = ipcp->mode;
context->ipc.has_perm = 0;
- security_ipc_getsecid(ipcp, &context->ipc.osid);
+ /* scaffolding */
+ security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
context->type = AUDIT_IPC;
}
--
2.41.0
next prev parent reply other threads:[~2024-08-25 19:02 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240825190048.13289-1-casey.ref@schaufler-ca.com>
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
2024-08-25 19:00 ` [PATCH 01/13] LSM: Add the lsmblob data structure Casey Schaufler
2024-08-26 13:34 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2024-08-26 19:31 ` kernel test robot
2024-08-25 19:00 ` [PATCH 03/13] LSM: Add lsmblob_to_secctx hook Casey Schaufler
2024-08-26 17:43 ` Georgia Garcia
2024-08-26 18:45 ` Casey Schaufler
2024-08-27 14:45 ` Georgia Garcia
2024-08-25 19:00 ` Casey Schaufler [this message]
2024-08-27 15:01 ` [PATCH 04/13] Audit: maintain an lsmblob in audit_context Georgia Garcia
2024-08-27 15:08 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2024-08-27 12:23 ` Stephen Smalley
2024-08-25 19:00 ` [PATCH 06/13] Audit: Update shutdown LSM data Casey Schaufler
2024-08-25 19:00 ` [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2024-08-26 21:24 ` kernel test robot
2024-08-25 19:00 ` [PATCH 08/13] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2024-08-25 19:00 ` [PATCH 09/13] Audit: use an lsmblob in audit_names Casey Schaufler
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
2024-08-27 5:00 ` kernel test robot
2024-08-25 19:00 ` [PATCH 11/13] Audit: Change context data from secid to lsmblob Casey Schaufler
2024-08-25 19:00 ` [PATCH 12/13] Netlabel: Use lsmblob for audit data Casey Schaufler
2024-08-25 19:00 ` [PATCH 13/13] LSM: Remove lsmblob scaffolding Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240825190048.13289-5-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox