[PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS

Casey Schaufler casey at schaufler-ca.com
Wed Aug 4 23:32:37 UTC 2021


This patch supplies userspace support for the MAC_TASK_CONTEXTS
and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
security module (LSM) stacking effort.

I have posted as an RFC because, well, I'd like comments.

The additional context values are appended to the existing subject/object
context lists, so the existing search methods operate on them unchanged;
that's about all it takes.


---
 lib/libaudit.h       |   8 ++++
 lib/msg_typetab.h    |   2 +
 src/ausearch-parse.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+)

diff --git a/lib/libaudit.h b/lib/libaudit.h
index ed75892..9bc3aa9 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -311,6 +311,14 @@ extern "C" {
 #define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry */
 #endif
 
+#ifndef AUDIT_MAC_TASK_CONTEXTS
+#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multilple task contexts */
+#endif
+
+#ifndef AUDIT_MAC_OBJ_CONTEXTS
+#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multilple object contexts */
+#endif
+
 #ifndef AUDIT_ANOM_LINK
 #define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
 #endif
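Review bot: Both new comments misspell "Multiple" as "Multilple"; they should read `/* Multiple task contexts */` and `/* Multiple object contexts */`. Since the description says these record types are still proposed, the fallback values 1420 and 1421 inside the `#ifndef` guards will silently win whenever the build's kernel headers predate the final assignment, and ausearch would then mislabel records if the kernel ends up using different numbers. A short comment on the guards noting that these values must track what the kernel ultimately assigns would make that dependency visible to whoever cuts the release.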
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index dba2f7b..e6df28b 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"              )
 _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"              )
 _S(AUDIT_MAC_CALIPSO_ADD,            "MAC_CALIPSO_ADD"               )
 _S(AUDIT_MAC_CALIPSO_DEL,            "MAC_CALIPSO_DEL"               )
+_S(AUDIT_MAC_TASK_CONTEXTS,          "MAC_TASK_CONTEXTS"             )
+_S(AUDIT_MAC_OBJ_CONTEXTS,           "MAC_OBJ_CONTEXTS"              )
 _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
 _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
 _S(AUDIT_ANOM_LINK,                  "ANOM_LINK"                     )
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 9ee4a4f..286829e 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, search_items *s);
 static int parse_tty(const lnode *n, search_items *s);
 static int parse_pkt(const lnode *n, search_items *s);
 static int parse_kernel(lnode *n, search_items *s);
+static int parse_task_contexts(lnode *n, search_items *s);
+static int parse_obj_contexts(lnode *n, search_items *s);
 
 
 static int audit_avc_init(search_items *s)
@@ -184,6 +186,12 @@ int extract_search_items(llist *l)
 			case AUDIT_TTY:
 				ret = parse_tty(n, s);
 				break;
+			case AUDIT_MAC_TASK_CONTEXTS:
+				ret = parse_task_contexts(n, s);
+				break;
+			case AUDIT_MAC_OBJ_CONTEXTS:
+				ret = parse_obj_contexts(n, s);
+				break;
 			default:
 				if (event_debug)
 					fprintf(stderr,
@@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
 	return 0;
 }
 
+static int parse_task_context(lnode *n, search_items *s, char *c, int l)
+{
+	char *str, *term;
+	anode an;
+
+	str = strstr(n->message, c);
+	if (str == NULL)
+		return 64;
+
+	str += l;
+	term = strchr(str, '"');
+	if (term == NULL)
+		return 62;
+	*term = 0;
+	if (audit_avc_init(s) != 0)
+		return 63;
+
+	anode_init(&an);
+	an.scontext = strdup(str);
+	alist_append(s->avc, &an);
+	*term = '"';
+
+	return 0;
+}
+
+// parse multiple security module contexts
+// subj_<lsm>...
+static int parse_task_contexts(lnode *n, search_items *s)
+{
+	int rc, final = 64;
+
+	if (!event_subject)
+		return 0;
+
+	rc = parse_task_context(n, s, "subj_selinux=\"", 14);
+	if (rc == 62 || rc == 63)
+		return rc;
+	if (rc == 0)
+		final = 0;
+
+	rc = parse_task_context(n, s, "subj_smack=\"", 12);
+	if (rc == 62 || rc == 63)
+		return rc;
+	if (rc == 0)
+		final = 0;
+
+	rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
+	if (rc == 62 || rc == 63)
+		return rc;
+	if (rc == 0)
+		final = 0;
+
+	return final;
+}
+
+static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
+{
+	char *str, *term;
+	anode an;
+
+	str = strstr(n->message, c);
+	if (str != NULL) {
+		str += l;
+		term = strchr(str, '"');
+		if (term)
+			*term = 0;
+		if (audit_avc_init(s) != 0)
+			return 2;
+		anode_init(&an);
+		an.tcontext = strdup(str);
+		alist_append(s->avc, &an);
+		if (term)
+			*term = '"';
+	}
+
+	return 0;
+}
+
+// parse multiple object security module contexts
+// obj_<lsm>...
+static int parse_obj_contexts(lnode *n, search_items *s)
+{
+	// obj context
+	if (!event_object)
+		return 0;
+
+	if (parse_obj_context(n, s, "obj_selinux=\"", 12))
+		return 2;
+	if (parse_obj_context(n, s, "obj_smack=\"", 10))
+		return 2;
+
+	return 0;
+}





