From: Mr Dash Four <mr.dash.four@googlemail.com>
To: netfilter-devel@vger.kernel.org
Cc: Thomas Graf <tgraf@redhat.com>, Patrick McHardy <kaber@trash.net>,
Eric Paris <eparis@parisplace.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Al Viro <viro@ZenIV.linux.org.uk>,
Linux-audit <linux-audit@redhat.com>
Subject: [PATCH 4th revision] Add SELinux context support to AUDIT target
Date: Sat, 18 Jun 2011 13:08:05 +0100 [thread overview]
Message-ID: <4DFC9525.2080402@googlemail.com> (raw)
In-Reply-To: <4DF9C085.3040306@googlemail.com>
In this revision the conversion of secid to SELinux context and adding it to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a separate helper function - audit_log_secctx - which does both the conversion and logging of SELinux context, thus also preventing internal secid number being leaked to userspace. If conversion is not successful an error is raised.
With the introduction of this helper function the work done in xt_AUDIT.c is much more simplified. It also opens the possibility of this helper function being used by other modules (including auditd itself), if desired. With this addition, typical (raw auditd) output after applying the patch would be:
type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0
Signed-off-by: Mr Dash Four <mr.dash.four@googlemail.com>
---
include/linux/audit.h | 7 +++++++
kernel/audit.c | 29 +++++++++++++++++++++++++++++
net/netfilter/xt_AUDIT.c | 5 +++++
3 files changed, 41 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d339eb..3e47019 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -613,6 +613,12 @@ extern void audit_log_d_path(struct audit_buffer *ab,
extern void audit_log_key(struct audit_buffer *ab,
char *key);
extern void audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+#define audit_log_secctx(b,s) do { ; } while (0)
+#endif
+
extern int audit_update_lsm_rules(void);
/* Private API (for audit.c only) */
@@ -635,6 +641,7 @@ extern int audit_enabled;
#define audit_log_untrustedstring(a,s) do { ; } while (0)
#define audit_log_d_path(b, p, d) do { ; } while (0)
#define audit_log_key(b, k) do { ; } while (0)
+#define audit_log_secctx(b,s) do { ; } while (0)
#define audit_enabled 0
#endif
#endif
diff --git a/kernel/audit.c b/kernel/audit.c
index 9395003..4e0685e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -55,6 +55,9 @@
#include <net/sock.h>
#include <net/netlink.h>
#include <linux/skbuff.h>
+#ifdef CONFIG_SECURITY
+#include <linux/security.h>
+#endif
#include <linux/netlink.h>
#include <linux/freezer.h>
#include <linux/tty.h>
@@ -1502,6 +1505,32 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
}
}
+#ifdef CONFIG_SECURITY
+/**
+ * audit_log_secctx - Converts and logs SELinux context
+ * @ab: audit_buffer
+ * @secid: security number
+ *
+ * This is a helper function that calls security_secid_to_secctx to convert secid to secctx
+ * and then adds the (converted) SELinux context to the audit log
+ * by calling audit_log_format, thus also preventing leak of internal secid to userspace.
+ * If secid cannot be converted audit_panic is called.
+ */
+void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{
+ u32 len;
+ char *secctx;
+
+ if (security_secid_to_secctx(secid, &secctx, &len)) {
+ audit_panic("Cannot convert secid to context");
+ } else {
+ audit_log_format(ab, " obj=%s", secctx);
+ security_release_secctx(secctx, len);
+ }
+}
+EXPORT_SYMBOL(audit_log_secctx);
+#endif
+
EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 363a99e..4bca15a 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -163,6 +163,11 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
break;
}
+#ifdef CONFIG_NETWORK_SECMARK
+ if (skb->secmark)
+ audit_log_secctx(ab, skb->secmark);
+#endif
+
audit_log_end(ab);
errout:
--
1.7.3.4
next prev parent reply other threads:[~2011-06-18 12:08 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-20 1:09 [PATCH] Add SELinux context support to AUDIT target Mr Dash Four
2011-05-26 16:49 ` Pablo Neira Ayuso
2011-05-26 17:03 ` Mr Dash Four
2011-05-26 17:44 ` Pablo Neira Ayuso
2011-06-04 15:12 ` [PATCH 2nd revision] " Mr Dash Four
2011-06-05 23:06 ` Pablo Neira Ayuso
2011-06-06 12:02 ` Mr Dash Four
2011-06-06 23:20 ` Pablo Neira Ayuso
2011-06-07 8:18 ` Mr Dash Four
2011-06-07 9:12 ` Pablo Neira Ayuso
2011-06-07 10:32 ` [PATCH 3rd " Mr Dash Four
2011-06-08 14:49 ` Steve Grubb
2011-06-08 16:12 ` Mr Dash Four
2011-06-08 17:14 ` Steve Grubb
2011-06-08 18:04 ` Mr Dash Four
2011-06-08 18:13 ` Casey Schaufler
2011-06-08 18:33 ` Eric Paris
2011-06-08 19:00 ` Mr Dash Four
2011-06-08 19:08 ` Eric Paris
2011-06-08 19:14 ` Mr Dash Four
2011-06-08 19:28 ` Steve Grubb
2011-06-08 19:39 ` Eric Paris
2011-06-09 12:28 ` Patrick McHardy
2011-06-09 12:52 ` Eric Paris
2011-06-09 12:56 ` Patrick McHardy
2011-06-09 14:08 ` Mr Dash Four
2011-06-09 15:06 ` Eric Paris
2011-06-09 15:16 ` Mr Dash Four
2011-06-16 8:36 ` Mr Dash Four
2011-06-18 12:08 ` Mr Dash Four [this message]
2011-06-20 12:20 ` [PATCH 4th " Steve Grubb
2011-06-20 14:21 ` Mr Dash Four
2011-06-20 14:27 ` Eric Paris
2011-06-30 11:35 ` Patrick McHardy
2011-06-08 18:36 ` [PATCH 3rd " Steve Grubb
2011-06-08 18:45 ` Mr Dash Four
2011-06-06 12:14 ` [PATCH 2nd " Steve Grubb
2011-06-06 12:25 ` Mr Dash Four
2011-06-06 12:30 ` Steve Grubb
2011-06-06 12:42 ` Mr Dash Four
2011-06-06 12:53 ` Steve Grubb
2011-06-06 13:10 ` Mr Dash Four
2011-06-06 23:22 ` Pablo Neira Ayuso
2011-06-07 0:59 ` Steve Grubb
2011-06-07 1:23 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DFC9525.2080402@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=eparis@parisplace.org \
--cc=kaber@trash.net \
--cc=linux-audit@redhat.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=tgraf@redhat.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).