[PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
Casey Schaufler
casey at schaufler-ca.com
Mon Aug 9 17:04:17 UTC 2021
On 8/9/2021 7:02 AM, Steve Grubb wrote:
> On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
>> This patch supplies userspace support for the MAC_TASK_CONTEXTS
>> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
>> security module (LSM) stacking effort.
>>
>> I have posted as an RFC because, well, I'd like comments.
> In general, this looks good. Typically, the return code of functions in the
> parser are unique for debugging (passing --debug to ausearch) per record
> type. IOW, you can start at 1 instead of 62 since the output identifes the
> record type and return code.
>
> There is the general issue of what ausearch --format csv & --format text
> outputs, though.
I would really appreciate some guidance regarding what you'd like
to see for those cases. I can take a wild guess and suggest something,
but it would probably speed everything up if I don't go into the
process blind.
>
> -Steve
>
>> The additional context values are added to the existing lists.
>> The existing search methods work on these lists, so that's about
>> all it takes.
>>
>> ---
>> lib/libaudit.h | 8 ++++
>> lib/msg_typetab.h | 2 +
>> src/ausearch-parse.c | 101
>> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
>> insertions(+)
>>
>> diff --git a/lib/libaudit.h b/lib/libaudit.h
>> index ed75892..9bc3aa9 100644
>> --- a/lib/libaudit.h
>> +++ b/lib/libaudit.h
>> @@ -311,6 +311,14 @@ extern "C" {
>> #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry
> */
>> #endif
>>
>> +#ifndef AUDIT_MAC_TASK_CONTEXTS
>> +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */
>> +#endif
>> +
>> +#ifndef AUDIT_MAC_OBJ_CONTEXTS
>> +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */
>> +#endif
>> +
>> #ifndef AUDIT_ANOM_LINK
>> #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
>> #endif
>> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
>> index dba2f7b..e6df28b 100644
>> --- a/lib/msg_typetab.h
>> +++ b/lib/msg_typetab.h
>> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD"
>> ) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL"
>> ) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD"
>> ) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL"
>> ) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" )
>> +_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" )
>> _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
>> _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
>> _S(AUDIT_ANOM_LINK, "ANOM_LINK" )
>> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
>> index 9ee4a4f..286829e 100644
>> --- a/src/ausearch-parse.c
>> +++ b/src/ausearch-parse.c
>> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
>> search_items *s); static int parse_tty(const lnode *n, search_items *s);
>> static int parse_pkt(const lnode *n, search_items *s);
>> static int parse_kernel(lnode *n, search_items *s);
>> +static int parse_task_contexts(lnode *n, search_items *s);
>> +static int parse_obj_contexts(lnode *n, search_items *s);
>>
>>
>> static int audit_avc_init(search_items *s)
>> @@ -184,6 +186,12 @@ int extract_search_items(llist *l)
>> case AUDIT_TTY:
>> ret = parse_tty(n, s);
>> break;
>> + case AUDIT_MAC_TASK_CONTEXTS:
>> + ret = parse_task_contexts(n, s);
>> + break;
>> + case AUDIT_MAC_OBJ_CONTEXTS:
>> + ret = parse_obj_contexts(n, s);
>> + break;
>> default:
>> if (event_debug)
>> fprintf(stderr,
>> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
>> return 0;
>> }
>>
>> +static int parse_task_context(lnode *n, search_items *s, char *c, int l)
>> +{
>> + char *str, *term;
>> + anode an;
>> +
>> + str = strstr(n->message, c);
>> + if (str == NULL)
>> + return 64;
>> +
>> + str += l;
>> + term = strchr(str, '"');
>> + if (term == NULL)
>> + return 62;
>> + *term = 0;
>> + if (audit_avc_init(s) != 0)
>> + return 63;
>> +
>> + anode_init(&an);
>> + an.scontext = strdup(str);
>> + alist_append(s->avc, &an);
>> + *term = '"';
>> +
>> + return 0;
>> +}
>> +
>> +// parse multiple security module contexts
>> +// subj_<lsm>...
>> +static int parse_task_contexts(lnode *n, search_items *s)
>> +{
>> + int rc, final = 64;
>> +
>> + if (!event_subject)
>> + return 0;
>> +
>> + rc = parse_task_context(n, s, "subj_selinux=\"", 14);
>> + if (rc == 62 || rc == 63)
>> + return rc;
>> + if (rc == 0)
>> + final = 0;
>> +
>> + rc = parse_task_context(n, s, "subj_smack=\"", 12);
>> + if (rc == 62 || rc == 63)
>> + return rc;
>> + if (rc == 0)
>> + final = 0;
>> +
>> + rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
>> + if (rc == 62 || rc == 63)
>> + return rc;
>> + if (rc == 0)
>> + final = 0;
>> +
>> + return final;
>> +}
>> +
>> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
>> +{
>> + char *str, *term;
>> + anode an;
>> +
>> + str = strstr(n->message, c);
>> + if (str != NULL) {
>> + str += l;
>> + term = strchr(str, '"');
>> + if (term)
>> + *term = 0;
>> + if (audit_avc_init(s) != 0)
>> + return 2;
>> + anode_init(&an);
>> + an.tcontext = strdup(str);
>> + alist_append(s->avc, &an);
>> + if (term)
>> + *term = '"';
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +// parse multiple object security module contexts
>> +// obj_<lsm>...
>> +static int parse_obj_contexts(lnode *n, search_items *s)
>> +{
>> + // obj context
>> + if (!event_object)
>> + return 0;
>> +
>> + if (parse_obj_context(n, s, "obj_selinux=\"", 12))
>> + return 2;
>> + if (parse_obj_context(n, s, "obj_smack=\"", 10))
>> + return 2;
>> +
>> + return 0;
>> +}
>
>
>
More information about the Linux-audit
mailing list