[PATCH 1/1] NetLabel: add audit support for configuration changes

Paul Moore paul.moore at hp.com
Fri Sep 29 18:09:19 UTC 2006 

Steve Grubb wrote:
> On Thursday 28 September 2006 14:03, paul.moore at hp.com wrote:
>>@@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_
>>
>> {
>> 	int ret_val = -EINVAL;
>>-	u32 map_type;
>>+	u32 type;
>>+	u32 doi;
>>+	const char *type_str = "(unknown)";
>>+	struct audit_buffer *audit_buf;
>>
>>-	if (!info->attrs[NLBL_CIPSOV4_A_MTYPE])
>>+	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
>>+	    !info->attrs[NLBL_CIPSOV4_A_MTYPE])
>> 		return -EINVAL;
>>
>>-	map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
>>-	switch (map_type) {
>>+	type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
>>+	switch (type) {
>> 	case CIPSO_V4_MAP_STD:
>>+		type_str = "std";
>> 		ret_val = netlbl_cipsov4_add_std(info);
>> 		break;
>> 	case CIPSO_V4_MAP_PASS:
>>+		type_str = "pass";
>> 		ret_val = netlbl_cipsov4_add_pass(info);
>> 		break;
>> 	}
>>
>>+	if (ret_val == 0) {
>>+		doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
>>+		audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
>>+						      NETLINK_CB(skb).sid);
>>+		audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
> 
> 
> type field is already taken for another purpose, it needs to be renamed.

If we can't have duplicate field names I would propose prefixing both
these fields (and doing similar things with the other NetLabel specific
fields) with a "cipso_" making them "cipso_doi" and "cipso_type".

If this isn't acceptable please suggest names which you feel are
appropriate.

>>+/**
>>+ * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
>>+ * @value: desired value
>>+ * @audit_secid: the LSM secid to use in the audit message
>>+ *
>>+ * Description:
>>+ * Set the value of the unlabeled accept flag to @value.
>>+ *
>>+ */
>>+static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
>>+{
>>+	atomic_set(&netlabel_unlabel_accept_flg, value);
>>+	netlbl_audit_nomsg((value ?
>>+			    AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
>>+			   audit_secid);
> 
> Looking at how this is being used, I think only 1 message type should be used. 
> There are places in the audit system where we set a flag to 1 or 0, but only 
> have 1 message type. We record the old and new value. So, you'd need to pass 
> that to the logger.

With that in mind I would probably change the message type to
AUDIT_MAC_UNLBL_ALLOW and use a "unlbl_accept" field; is that okay?  If
not please suggest something you would find acceptable.

>>+/**
>>+ * netlbl_audit_start_common - Start an audit message
>>+ * @type: audit message type
>>+ * @secid: LSM context ID
>>+ *
>>+ * Description:
>>+ * Start an audit message using the type specified in @type and fill the
>>audit + * message with some fields common to all NetLabel audit messages. 
>>Returns + * a pointer to the audit buffer on success, NULL on failure.
>>+ *
>>+ */
>>+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
>>+{
> 
> Generally, logging functions are moved into auditsc.c where the context and 
> other functions are defined.

How about leaving this for a future revision?  I'd like this first
attempt to be relatively self contained.  James Morris has made other
comments along the same lines.

>>+	audit_log_format(audit_buf,
>>+			 "netlabel: auid=%u uid=%u tty=%s pid=%d",
>>+			 audit_loginuid,
>>+			 current->uid,
>>+			 audit_tty,
>>+			 current->pid);
> 
> 
> Why are you logging all this? When we add audit rules, all that we log is the 
> auid, and subj. If we need to log all this, we should probably have a helper 
> function that gets called by other config change loggers.

If I drop the uid, tty, and pid fields will this be acceptable?

>>+	audit_log_format(audit_buf, " comm=");
>>+	audit_log_untrustedstring(audit_buf, audit_comm);
>>+	if (current->mm) {
>>+		down_read(&current->mm->mmap_sem);
>>+		vma = current->mm->mmap;
>>+		while (vma) {
>>+			if ((vma->vm_flags & VM_EXECUTABLE) &&
>>+			    vma->vm_file) {
>>+				audit_log_d_path(audit_buf,
>>+						 " exe=",
>>+						 vma->vm_file->f_dentry,
>>+						 vma->vm_file->f_vfsmnt);
>>+				break;
>>+			}
>>+			vma = vma->vm_next;
>>+		}
>>+		up_read(&current->mm->mmap_sem);
>>+	}
>>+
> 
> 
> If this function was moved inside auditsc.c you could use a function there 
> that does this. But the question remains why all this data?

In the ideal world would you prefer this to be removed?

-- 
paul moore
linux security @ hp

More information about the Linux-audit mailing list