[PATCH][RFC] V1 Remove SELinux dependencies from linux-audit via LSM

Stephen Smalley sds at tycho.nsa.gov
Fri Aug 3 13:09:03 UTC 2007 

On Thu, 2007-08-02 at 20:33 -0700, Casey Schaufler wrote:
> From: Casey Schaufler <casey at schaufler-ca.com>
> 
> This patch removes SELinux specific code from the kernel auditing
> system, replacing it with LSM hook invocations that perform the
> functions appropriate to those behaviors.

(patch was whitespace damaged)

> The LSM interface is extended to provide interfaces for a module
> to add audit filters. Interfaces are added to get secids from
> inodes and ipcs.
> 
> The audit code is revised to call these hooks instead of the SELinux
> functions. This requires some structure definitions to change header
> files.
> 
> The SELinux code is changed to export the old interfaces as LSM hooks
> instead of doing so directly. The SELinux specific audit filter code
> has been moved into the SELinux module.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> 
> ---

Missing diffstat -p1 output.

> I hope for some suggestions regarding how appropriate the header file
> changes I've made are. My confidence level in them is fairly low. Also,
> in my haste to get some feedback the testing has been limited. There
> are three projects (SELinux, audit, and LSM) whose code I've changed,
> and I expect there may be differences of opinion about what's right,
> what's wrong, and how to go about reconciling the differences. I see
> this as the start.
> 
> Thank you.
> 

> diff -uprN -X linux-2.6.22-base/Documentation/dontdiff
> linux-2.6.22-base/include/linux/security.h
> linux-2.6.22-audit/include/linux/security.h
> --- linux-2.6.22-base/include/linux/security.h	2007-07-08 16:32:17.000000000
> -0700
> +++ linux-2.6.22-audit/include/linux/security.h	2007-08-01 20:14:18.000000000
> -0700
> @@ -35,6 +35,8 @@
>  #include <net/flow.h>
>  
>  struct ctl_table;
> +struct audit_krule;
> +struct selinux_audit_rule;

selinux_audit_rule in LSM interface?
 
>  /*
>   * These functions are in security/capability.c and are used
> @@ -1328,6 +1330,16 @@ struct security_operations {
>   	int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t
> size);
>  	int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
>  	void (*release_secctx)(char *secdata, u32 seclen);
> +	void (*inode_getsecid) (const struct inode *inode, u32 *secid);
> +	void (*ipc_getsecid) (struct kern_ipc_perm *p, u32 *secid);
> +	int (*audit_rule_supplied) (struct audit_krule *rule);
> +	int (*audit_rule_match) (u32 sid, u32 field, u32 op,
> +                          	 struct selinux_audit_rule *rule,

Ditto.

> +                      	         struct audit_context *actx);
> +	int (*audit_rule_init) (u32 field, u32 op, char *rulestr,
> +                                struct selinux_audit_rule **rule);
> +	void (*audit_rule_free) (struct selinux_audit_rule *rule);
> +
>  
>  #ifdef CONFIG_SECURITY_NETWORK
>  	int (*unix_stream_connect) (struct socket * sock,

> diff -uprN -X linux-2.6.22-base/Documentation/dontdiff
> linux-2.6.22-base/kernel/audit.c linux-2.6.22-audit/kernel/audit.c
> --- linux-2.6.22-base/kernel/audit.c	2007-07-08 16:32:17.000000000 -0700
> +++ linux-2.6.22-audit/kernel/audit.c	2007-08-01 12:16:36.000000000 -0700
> @@ -252,7 +252,7 @@ static int audit_set_rate_limit(int limi
>  	if (sid) {
>  		char *ctx = NULL;
>  		u32 len;
> -		if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
> +		if ((rc = security_secid_to_secctx(sid, &ctx, &len)) == 0) {
>  			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
>  				"audit_rate_limit=%d old=%d by auid=%u"
>  				" subj=%s res=%d",

If you do that, then you also need to use security_secctx_release() to
free ctx rather than direct kfree.

Also, the sid passed to this (and other functions) came from
NETLINK_CB(skb).sid, which was set by netlink_sendmsg() with a direct
call to selinux_get_task_sid.  So if you convert these calls to using
LSM hooks w/o changing netlink to do likewise, you could end up with a
mismatch (sid provided by selinux, defaulting to 0 when selinux
disabled; secid_to_secctx hook provided by your module).

> diff -uprN -X linux-2.6.22-base/Documentation/dontdiff
> linux-2.6.22-base/kernel/auditfilter.c linux-2.6.22-audit/kernel/auditfilter.c
> --- linux-2.6.22-base/kernel/auditfilter.c	2007-07-08 16:32:17.000000000 -0700
> +++ linux-2.6.22-audit/kernel/auditfilter.c	2007-08-01 20:22:36.000000000 -0700
> @@ -29,6 +29,7 @@
>  #include <linux/sched.h>
>  #include <linux/inotify.h>
>  #include <linux/selinux.h>
> +#include <linux/security.h>

Shouldn't you be removing #include <linux/selinux.h> from all of the
audit code?  That will help you catch all lingering references to
selinux-specific references as well.

> @@ -1210,7 +1211,8 @@ static inline int audit_add_rule(struct 
>  	struct audit_entry *e;
>  	struct audit_field *inode_f = entry->rule.inode_f;
>  	struct audit_watch *watch = entry->rule.watch;
> -	struct nameidata *ndp, *ndw;
> +	struct nameidata *ndp = NULL;
> +	struct nameidata *ndw = NULL;

Not related to your changes, and seems to already be present in git (but
without splitting into two lines).

> diff -uprN -X linux-2.6.22-base/Documentation/dontdiff
> linux-2.6.22-base/security/selinux/hooks.c
> linux-2.6.22-audit/security/selinux/hooks.c
> --- linux-2.6.22-base/security/selinux/hooks.c	2007-07-08 16:32:17.000000000
> -0700
> +++ linux-2.6.22-audit/security/selinux/hooks.c	2007-08-01 21:42:32.000000000
> -0700
> @@ -4838,6 +4862,12 @@ static struct security_operations selinu
>  
>  	.secid_to_secctx =		selinux_secid_to_secctx,
>  	.release_secctx =		selinux_release_secctx,
> +	.inode_getsecid =		selinux_get_inode_sid,
> +	.ipc_getsecid = 		selinux_get_ipc_sid,
> +	.audit_rule_supplied = 		selinux_audit_rule_supplied,
> +	.audit_rule_match = 		selinux_audit_rule_match,
> +	.audit_rule_init = 		selinux_audit_rule_init,
> +	.audit_rule_free = 		selinux_audit_rule_free,

So I'd then expect you to also remove the function prototypes from
include/linux/selinux.h unless there is some other caller, and move the
functions from selinux/exports.c to selinux/hooks.c and make them
static.  And drop the selinux_enabled check from them, as the hook
function will only be registered if SELinux is enabled.

-- 
Stephen Smalley
National Security Agency

More information about the Linux-audit mailing list