[PATCH v2] TaskTracker : Simplified thread information tracker.

Casey Schaufler casey at schaufler-ca.com
Mon Aug 7 17:25:23 UTC 2023


On 8/7/2023 7:24 AM, Tetsuo Handa wrote:
> On 2023/08/07 7:01, Steve Grubb wrote:
>> This is where the problem begins. We like to have normalized audit records. 
>> Meaning that a type of event defines the fields it contains. In this case 
>> subject would be a process label. and there is already a precedent for what 
>> fields belong in a syscall record.
> What is the definition of "a process label"? SELinux / Smack / AppArmor are using
> security_secid_to_secctx() hook for providing string data for the subj= field.
> I don't think that they are restricting characters that can be included.
> Then, what is wrong with returning subset of ASCII printable characters from
> tt_secid_to_secctx() ?

I would say that a "process label" is the information about the process used
in an access control decision. I agree with Steve that putting the process
history in the subj= field is the wrong approach. I also agree that a separate
record is the way to go.

>
> static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> 	return security_sid_to_context(secid,
> 				       secdata, seclen);
> }
>
> static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> 	struct smack_known *skp = smack_from_secid(secid);
>
> 	if (secdata)
> 		*secdata = skp->smk_known;
> 	*seclen = strlen(skp->smk_known);
> 	return 0;
> }
>
> int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> 	/* TODO: cache secctx and ref count so we don't have to recreate */
> 	struct aa_label *label = aa_secid_to_label(secid);
> 	int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
> 	int len;
>
> 	AA_BUG(!seclen);
>
> 	if (!label)
> 		return -EINVAL;
>
> 	if (apparmor_display_secid_mode)
> 		flags |= FLAG_SHOW_MODE;
>
> 	if (secdata)
> 		len = aa_label_asxprint(secdata, root_ns, label,
> 					flags, GFP_ATOMIC);
> 	else
> 		len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
>
> 	if (len < 0)
> 		return -ENOMEM;
>
> 	*seclen = len;
>
> 	return 0;
> }
>
>> What I would suggest is to make a separate record: AUDIT_PROC_TREE that 
>> describes process tree from the one killed up to the last known parent. This 
>> way you can define your own format and SYSCALL can stay as everyone expects it 
>> to look. In the EXECVE audit record, there is a precedent of using argv[0]=xx 
>> argv[1]=xx argv[2]=yy and so on. If you want to make these generally 
>> parsable without special knowledge of the record format, I'd suggest 
>> something like it.
> Yes, https://lkml.kernel.org/r/201501202220.DJJ34834.OLJOHFMQOFtSVF@I-love.SAKURA.ne.jp
> used AUDIT_PROCHISTORY instead of LSM hooks, but that thread died there.
>

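As an added illustration of the normalized-record approach discussed in this thread (example code, not from the thread or the kernel): a small Python parser for audit key=value records that collects indexed name[n]= fields into lists, so a separate record carrying the process history parses the same way EXECVE's indexed arguments do while subj= in SYSCALL stays a plain label. The sample lines are constructed, and the PROC_TREE record layout (pid[n]=, comm[n]=) is a hypothetical shape, not a format anyone in the thread specified.

```python
import re
# Constructed sample records, not real auditd output. The EXECVE line uses the indexed-key
# shape described in the thread (argv[2] is hex-encoded the way auditd emits "untrusted"
# strings containing a space); PROC_TREE is a hypothetical layout for the proposed record.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1691420723.123:45): syscall=59 success=yes exit=0 '
    'subj=system_u:system_r:init_t:s0 pid=1234 ppid=1000 comm="bash"',
    'type=EXECVE msg=audit(1691420723.123:45): argc=3 argv[0]="ls" argv[1]="-l" argv[2]=2F746D702F612062',
    'type=PROC_TREE msg=audit(1691420723.123:45): depth=3 pid[0]=1234 comm[0]="bash" '
    'pid[1]=1000 comm[1]="sshd" pid[2]=1 comm[2]="systemd"',
]

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?')
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)(?:\[(?P<idx>\d+)\])?=(?:"(?P<quoted>[^"]*)"|(?P<raw>\S*))')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
UNTRUSTED = {"comm", "exe", "cwd", "name", "proctitle", "argv"}  # may arrive hex-encoded

def decode_value(key, quoted, raw):
    if quoted is not None:
        return quoted
    if key in UNTRUSTED and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    """One record -> dict; name[n]= fields are collected into a list under 'name'."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    for f in FIELD_RE.finditer(line, m.end()):
        value = decode_value(f["key"], f["quoted"], f["raw"])
        if f["idx"] is None:
            rec[f["key"]] = value
        else:
            lst = rec.setdefault(f["key"], [])
            lst.extend([None] * (int(f["idx"]) + 1 - len(lst)))
            lst[int(f["idx"])] = value
    return rec

def group_events(lines):
    """Records sharing one msg=audit(...:serial) form one event, keyed by record type."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events

def process_chain(event):
    """Child-first (pid, comm) pairs from the PROC_TREE record; SYSCALL subj= stays a plain label."""
    tree = event.get("PROC_TREE")
    return [(int(p), c) for p, c in zip(tree["pid"], tree["comm"])] if tree else []
```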