[PATCH 1/1] Smack:- Fix the issue of wrong info printed in ptrace error logs

Vishal Goel vishal.goel at samsung.com
Tue Feb 1 07:54:53 UTC 2022


>>> Currently tracer process info is printed in object field in
>>> smack error log for ptrace check which is wrong.
>>> Object process should print the tracee process info.
>>> Tracee info is not printed in the smack error logs.
>>> So it is not possible to debug the ptrace smack issues.
>>>
>>> Now changes have been made to print both tracer and tracee
>>> process info in smack error logs for ptrace scenarios.
>>>
>>> Old logs:-
>>> [  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=9397 comm="tst_pt" opid=9397 ocomm="tst_pt"
>>> [  520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=12685 comm="tst_pt_me" opid=12563 ocomm="bash"
>>> [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=1778 comm="tst_bprm" opid=1776 ocomm="tst_bprm"
>>>
>>> New logs:-
>>> [  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=5189 tracer-comm="tst_pt" pid=5189 comm="tst_pt" tracee-pid=962 tracee-comm="test_tracee"
>>> [  520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6161 tracer-comm="bash" pid=6310 comm="tst_pt_me" tracee-pid=6310 tracee-comm="tst_pt_me"
>>> [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6435 tracer-comm="tst_bprm" pid=6436 comm="tst_bprm" tracee-pid=6436 tracee-comm="tst_bprm"
>>>
>>> Signed-off-by: Vishal Goel <vishal.goel at samsung.com>
>>
>> Does anyone from the audit side object to my taking this
>> in the Smack tree?
 
> The audit subsystem already has the "opid" and "ocomm" fields for
> reporting on the object task info and this is even available in
> dump_common_audit_data() via LSM_AUDIT_DATA_TASK; is there a reason
> that can't be used instead?

That info is not sufficient for debugging smack issues in ptrace calls.
Tracee information is not printed in the logs. For example, in the log below:
[  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=9397 comm="tst_pt" opid=9397 ocomm="tst_pt"

there is no information about the tracee process.
So to debug such ptrace issues, both tracer and tracee information are needed.
That's why I added a new type to print both pieces of info specifically for ptrace scenarios.


Thanks & Regards
Vishal Goel
 
--------- Original Message ---------
Sender : Paul Moore <paul at paul-moore.com>
Date : 2022-01-29 03:00 (GMT+9)
Title : Re: [PATCH 1/1] Smack:- Fix the issue of wrong info printed in ptrace error logs
 
On Fri, Jan 28, 2022 at 11:25 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 12/20/2021 2:13 AM, Vishal Goel wrote:
> > Currently tracer process info is printed in object field in
> > smack error log for ptrace check which is wrong.
> > Object process should print the tracee process info.
> > Tracee info is not printed in the smack error logs.
> > So it is not possible to debug the ptrace smack issues.
> >
> > Now changes have been made to print both tracer and tracee
> > process info in smack error logs for ptrace scenarios.
> >
> > Old logs:-
> > [  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=9397 comm="tst_pt" opid=9397 ocomm="tst_pt"
> > [  520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=12685 comm="tst_pt_me" opid=12563 ocomm="bash"
> > [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=1778 comm="tst_bprm" opid=1776 ocomm="tst_bprm"
> >
> > New logs:-
> > [  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=5189 tracer-comm="tst_pt" pid=5189 comm="tst_pt" tracee-pid=962 tracee-comm="test_tracee"
> > [  520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6161 tracer-comm="bash" pid=6310 comm="tst_pt_me" tracee-pid=6310 tracee-comm="tst_pt_me"
> > [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6435 tracer-comm="tst_bprm" pid=6436 comm="tst_bprm" tracee-pid=6436 tracee-comm="tst_bprm"
> >
> > Signed-off-by: Vishal Goel <vishal.goel at samsung.com>
>
> Does anyone from the audit side object to my taking this
> in the Smack tree?
 
The audit subsystem already has the "opid" and "ocomm" fields for
reporting on the object task info and this is even available in
dump_common_audit_data() via LSM_AUDIT_DATA_TASK; is there a reason
that can't be used instead?
 
-- 
paul-moore.com
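An added example, not from the thread, the kernel tree or any participant's patch: a small Python parser for the record lines quoted above. It splits the key=value fields (handling the double-quoted comm values and the empty `requested=`), then resolves tracer and tracee from the proposed tracer-*/tracee-* fields; for old-format records it can only report pid/opid and flags the case where both name the same task, which is what the old smack_ptrace_access_check line shows. The function names are my own and the record constants are constructed from the logs quoted in the thread.

```python
"""Parse Smack LSM audit denial records and recover tracer/tracee identities.

Added example for this thread; not code from the kernel tree or from any
participant. Record strings are constructed from the lines quoted above.
"""
import re
from typing import Dict, List, Optional

# Constructed samples: the same smack_ptrace_access_check denial in the old
# format (pid/comm + opid/ocomm) and in the proposed format (tracer-*/tracee-*),
# plus a proposed-format smack_ptrace_traceme denial.
OLD_ACCESS_CHECK = (
    '[  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK '
    'fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" '
    'object="Tracee_lbl" requested= pid=9397 comm="tst_pt" opid=9397 ocomm="tst_pt"'
)
NEW_ACCESS_CHECK = (
    '[  378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK '
    'fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" '
    'object="Tracee_lbl" requested= tracer-pid=5189 tracer-comm="tst_pt" '
    'pid=5189 comm="tst_pt" tracee-pid=962 tracee-comm="test_tracee"'
)
NEW_TRACEME = (
    '[  520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK '
    'fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" '
    'object="Tracee_lbl" requested= tracer-pid=6161 tracer-comm="bash" '
    'pid=6310 comm="tst_pt_me" tracee-pid=6310 tracee-comm="tst_pt_me"'
)

# Smack hook names seen in the thread's ptrace-related denials.
PTRACE_FNS = {"smack_ptrace_access_check", "smack_ptrace_traceme",
              "smack_bprm_set_creds"}

# key=value pairs: values are either "double-quoted" (may contain spaces) or
# bare tokens, and may be empty (these records carry an empty `requested=`).
_FIELD_RE = re.compile(
    r'(?P<key>[A-Za-z_][\w-]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Return the key=value fields of one printk-style audit line as a dict."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        value = m.group("quoted")
        if value is None:
            value = m.group("bare")
        fields[m.group("key")] = value
    return fields


def describe_ptrace_denial(line: str) -> Optional[dict]:
    """Summarise a Smack ptrace-related denial, or return None for anything else.

    Proposed format: tracer and tracee come from the explicit fields.
    Old format: only the current task (pid/comm) and the "object" task
    (opid/ocomm) exist; `same_task` flags records where both are the same
    process, i.e. the record names no second party at all.
    """
    f = parse_audit_record(line)
    if f.get("lsm") != "SMACK" or f.get("fn") not in PTRACE_FNS:
        return None
    summary = {
        "fn": f["fn"],
        "subject_label": f.get("subject"),
        "object_label": f.get("object"),
        "current": (int(f["pid"]), f.get("comm")),
    }
    if "tracer-pid" in f and "tracee-pid" in f:
        summary["tracer"] = (int(f["tracer-pid"]), f.get("tracer-comm"))
        summary["tracee"] = (int(f["tracee-pid"]), f.get("tracee-comm"))
        summary["tracee_known"] = True
    else:
        summary["object_task"] = ((int(f["opid"]), f.get("ocomm"))
                                  if "opid" in f else None)
        summary["same_task"] = f.get("opid") == f.get("pid")
        summary["tracee_known"] = False
    return summary


def unresolvable_denials(lines: List[str]) -> List[dict]:
    """Return the Smack ptrace denials in `lines` whose tracee cannot be identified."""
    out = []
    for line in lines:
        d = describe_ptrace_denial(line)
        if d is not None and not d["tracee_known"]:
            out.append(d)
    return out


if __name__ == "__main__":
    for rec in (OLD_ACCESS_CHECK, NEW_ACCESS_CHECK, NEW_TRACEME):
        print(describe_ptrace_denial(rec))
    print("unresolvable:", len(unresolvable_denials(
        [OLD_ACCESS_CHECK, NEW_ACCESS_CHECK, NEW_TRACEME])))
```

The parser is deliberately field-driven rather than positional, so records with different field orders (the proposed format puts pid/comm between the tracer-* and tracee-* pairs) parse the same way; anything without both tracer-pid and tracee-pid falls back to the pid/opid pair and is reported as unresolvable.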
 




