[PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS

Casey Schaufler casey at schaufler-ca.com
Mon Aug 9 17:04:17 UTC 2021 

On 8/9/2021 7:02 AM, Steve Grubb wrote:
> On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
>> This patch supplies userspace support for the MAC_TASK_CONTEXTS
>> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
>> security module (LSM) stacking effort.
>>
>> I have posted as an RFC because, well, I'd like comments.
> In general, this looks good. Typically, the return code of functions in the 
> parser are unique for debugging (passing  --debug to ausearch) per record 
> type. IOW, you can start at 1 instead of 62 since the output identifes the 
> record type and return code.
>
> There is the general issue of what ausearch  --format csv & --format text 
> outputs, though.

I would really appreciate some guidance regarding what you'd like
to see for those cases. I can take a wild guess and suggest something,
but it would probably speed everything up if I don't go into the
process blind.

>
> -Steve
>  
>> The additional context values are added to the existing lists.
>> The existing search methods work on these lists, so that's about
>> all it takes.
>>
>> ---
>>  lib/libaudit.h       |   8 ++++
>>  lib/msg_typetab.h    |   2 +
>>  src/ausearch-parse.c | 101
>> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
>> insertions(+)
>>
>> diff --git a/lib/libaudit.h b/lib/libaudit.h
>> index ed75892..9bc3aa9 100644
>> --- a/lib/libaudit.h
>> +++ b/lib/libaudit.h
>> @@ -311,6 +311,14 @@ extern "C" {
>>  #define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry 
> */
>>  #endif
>>
>> +#ifndef AUDIT_MAC_TASK_CONTEXTS
>> +#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multilple task contexts */
>> +#endif
>> +
>> +#ifndef AUDIT_MAC_OBJ_CONTEXTS
>> +#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multilple object contexts */
>> +#endif
>> +
>>  #ifndef AUDIT_ANOM_LINK
>>  #define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
>>  #endif
>> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
>> index dba2f7b..e6df28b 100644
>> --- a/lib/msg_typetab.h
>> +++ b/lib/msg_typetab.h
>> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"
>>              ) _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"    
>>          ) _S(AUDIT_MAC_CALIPSO_ADD,            "MAC_CALIPSO_ADD"         
>>      ) _S(AUDIT_MAC_CALIPSO_DEL,            "MAC_CALIPSO_DEL"             
>>  ) +_S(AUDIT_MAC_TASK_CONTEXTS,          "MAC_TASK_CONTEXTS"             )
>> +_S(AUDIT_MAC_OBJ_CONTEXTS,           "MAC_OBJ_CONTEXTS"              )
>> _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
>> _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
>> _S(AUDIT_ANOM_LINK,                  "ANOM_LINK"                     )
>> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
>> index 9ee4a4f..286829e 100644
>> --- a/src/ausearch-parse.c
>> +++ b/src/ausearch-parse.c
>> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
>> search_items *s); static int parse_tty(const lnode *n, search_items *s);
>>  static int parse_pkt(const lnode *n, search_items *s);
>>  static int parse_kernel(lnode *n, search_items *s);
>> +static int parse_task_contexts(lnode *n, search_items *s);
>> +static int parse_obj_contexts(lnode *n, search_items *s);
>>
>>
>>  static int audit_avc_init(search_items *s)
>> @@ -184,6 +186,12 @@ int extract_search_items(llist *l)
>>  			case AUDIT_TTY:
>>  				ret = parse_tty(n, s);
>>  				break;
>> +			case AUDIT_MAC_TASK_CONTEXTS:
>> +				ret = parse_task_contexts(n, s);
>> +				break;
>> +			case AUDIT_MAC_OBJ_CONTEXTS:
>> +				ret = parse_obj_contexts(n, s);
>> +				break;
>>  			default:
>>  				if (event_debug)
>>  					fprintf(stderr,
>> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
>>  	return 0;
>>  }
>>
>> +static int parse_task_context(lnode *n, search_items *s, char *c, int l)
>> +{
>> +	char *str, *term;
>> +	anode an;
>> +
>> +	str = strstr(n->message, c);
>> +	if (str == NULL)
>> +		return 64;
>> +
>> +	str += l;
>> +	term = strchr(str, '"');
>> +	if (term == NULL)
>> +		return 62;
>> +	*term = 0;
>> +	if (audit_avc_init(s) != 0)
>> +		return 63;
>> +
>> +	anode_init(&an);
>> +	an.scontext = strdup(str);
>> +	alist_append(s->avc, &an);
>> +	*term = '"';
>> +
>> +	return 0;
>> +}
>> +
>> +// parse multiple security module contexts
>> +// subj_<lsm>...
>> +static int parse_task_contexts(lnode *n, search_items *s)
>> +{
>> +	int rc, final = 64;
>> +
>> +	if (!event_subject)
>> +		return 0;
>> +
>> +	rc = parse_task_context(n, s, "subj_selinux=\"", 14);
>> +	if (rc == 62 || rc == 63)
>> +		return rc;
>> +	if (rc == 0)
>> +		final = 0;
>> +
>> +	rc = parse_task_context(n, s, "subj_smack=\"", 12);
>> +	if (rc == 62 || rc == 63)
>> +		return rc;
>> +	if (rc == 0)
>> +		final = 0;
>> +
>> +	rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
>> +	if (rc == 62 || rc == 63)
>> +		return rc;
>> +	if (rc == 0)
>> +		final = 0;
>> +
>> +	return final;
>> +}
>> +
>> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
>> +{
>> +	char *str, *term;
>> +	anode an;
>> +
>> +	str = strstr(n->message, c);
>> +	if (str != NULL) {
>> +		str += l;
>> +		term = strchr(str, '"');
>> +		if (term)
>> +			*term = 0;
>> +		if (audit_avc_init(s) != 0)
>> +			return 2;
>> +		anode_init(&an);
>> +		an.tcontext = strdup(str);
>> +		alist_append(s->avc, &an);
>> +		if (term)
>> +			*term = '"';
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +// parse multiple object security module contexts
>> +// obj_<lsm>...
>> +static int parse_obj_contexts(lnode *n, search_items *s)
>> +{
>> +	// obj context
>> +	if (!event_object)
>> +		return 0;
>> +
>> +	if (parse_obj_context(n, s, "obj_selinux=\"", 12))
>> +		return 2;
>> +	if (parse_obj_context(n, s, "obj_smack=\"", 10))
>> +		return 2;
>> +
>> +	return 0;
>> +}
>
>
>

More information about the Linux-audit mailing list