
netfilter: add SELinux context support to AUDIT target

In this revision the conversion of secid to SELinux context and adding it
to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
separate helper function - audit_log_secctx - which does both the conversion
and logging of SELinux context, thus also preventing the internal secid number from
being leaked to userspace. If the conversion is not successful, an error is raised.

With the introduction of this helper function the work done in xt_AUDIT.c is
much more simplified. It also opens the possibility of this helper function
being used by other modules (including auditd itself), if desired. With this
addition, typical (raw auditd) output after applying the patch would be:

type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0

Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Mr Dash Four <mr.dash.four@googlemail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

Mr Dash Four and committed by
Patrick McHardy
131ad62d 15b4d93f

+41
+7
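--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -613,6 +613,12 @@
 extern void audit_log_key(struct audit_buffer *ab,
 char *key);
 extern void audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+#define audit_log_secctx(b,s) do { ; } while (0)
+#endif
+
 extern int audit_update_lsm_rules(void);
 
 /* Private API (for audit.c only) */
@@ -635,6 +641,7 @@
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b, p, d) do { ; } while (0)
 #define audit_log_key(b, k) do { ; } while (0)
+#define audit_log_secctx(b,s) do { ; } while (0)
 #define audit_enabled 0
 #endif
 #endif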
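Review bot: The new prototype for audit_log_secctx (new line 617) carries no description of what happens on a conversion failure, while the definition in kernel/audit.c documents that an unconvertible secid ends in audit_panic(); a caller reading only this header cannot see that. Suggest a one-line comment above the declaration: `/* Appends " obj=<context>" for @secid; a secid the LSM cannot resolve is reported through audit_panic(), so pass only secids expected to resolve (the netfilter caller skips a zero secmark for this reason). */`. The two stub macros (new lines 619 and 638) discard both arguments, which matches the other stubs in this header, but it does mean a caller whose only use of a secid variable is this call may get an unused-variable warning in those configurations.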
+29
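--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -55,6 +55,9 @@
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <linux/skbuff.h>
+#ifdef CONFIG_SECURITY
+#include <linux/security.h>
+#endif
 #include <linux/netlink.h>
 #include <linux/freezer.h>
 #include <linux/tty.h>
@@ -1501,6 +1504,32 @@
 audit_log_end(ab);
 }
 }
+
+#ifdef CONFIG_SECURITY
+/**
+ * audit_log_secctx - Converts and logs SELinux context
+ * @ab: audit_buffer
+ * @secid: security number
+ *
+ * This is a helper function that calls security_secid_to_secctx to convert
+ * secid to secctx and then adds the (converted) SELinux context to the audit
+ * log by calling audit_log_format, thus also preventing leak of internal secid
+ * to userspace. If secid cannot be converted audit_panic is called.
+ */
+void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{
+u32 len;
+char *secctx;
+
+if (security_secid_to_secctx(secid, &secctx, &len)) {
+audit_panic("Cannot convert secid to context");
+} else {
+audit_log_format(ab, " obj=%s", secctx);
+security_release_secctx(secctx, len);
+}
+}
+EXPORT_SYMBOL(audit_log_secctx);
+#endif
 
 EXPORT_SYMBOL(audit_log_start);
 EXPORT_SYMBOL(audit_log_end);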
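Review bot: audit_log_secctx (new lines 1521-1522) escalates a failed security_secid_to_secctx() to audit_panic(), and since this helper is now invoked per packet from xt_AUDIT.c, a single secmark the active LSM cannot resolve goes to the audit failure handler, which under the panic failure mode can halt the system. That mirrors how other audit helpers treat LSM conversion errors, but the kerneldoc should say so explicitly so callers know to pass only secids they expect to resolve (the xt_AUDIT.c caller already skips a zero secmark); suggest adding to the kerneldoc: ` * Callers must pass a secid the active LSM can resolve: a conversion failure is reported through audit_panic(), whose effect depends on the configured audit failure mode.` The `#ifdef CONFIG_SECURITY` around the new include at line 58 looks redundant, since linux/security.h, if I read it right, already provides stubs when CONFIG_SECURITY is off; it is harmless given the function itself is guarded the same way.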
+5
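--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -163,6 +163,11 @@
 break;
 }
 
+#ifdef CONFIG_NETWORK_SECMARK
+if (skb->secmark)
+audit_log_secctx(ab, skb->secmark);
+#endif
+
 audit_log_end(ab);
 
 errout: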