The Linux audit system includes LSM based security "context" information in its events. Historically, only one LSM that uses security contexts can be active on a system. One of the few obstacles to allowing multiple LSM support is the inability to report more than one security context in an audit event. This patchset provides a mechanism to provide supplemental records containing more than one security context for subjects and objects.
The mechanism for reporting multiple security contexts inspired considerable discussion. It would have been possible to add multiple contexts to existing records using sophisticated formatting. This would have significant backward compatibility issues, and require additional parsing in user space code. Adding new records for an event that contain the contexts is more in keeping with the way audit events have been constructed in the past. Only audit events associated with system calls have required multiple records prior to this. A mechanism has been added allowing any event to be composed of multiple records. This should make it easier to add information to existing audit events without breaking backward compatibility.

v6:
  Rebase on Linus' tree.
  Drop the alignment change patch.
  Finish changes from review.

v5:
  Comment on the LSM_ID_UNDEF behavior in security_secid_to_secctx().
  Change some names to better reflect their purpose.
  Move alignment changes into a separate patch.

v4:
  Use LSM_ID_UNDEF when checking for valid LSM IDs in security_lsmprop_to_secctx().
  Fix the object record to include only those for LSMs that use them.
  Squash the two patches dealing with subject contexts.
  Base the patches on Paul Moore's LSM initialization patchset.
  https://lore.kernel.org/all/20250409185019.238841-31-p...@paul-moore.com/

v3:
  Rework how security modules identify that they provide security contexts to the audit system.
  Maintain a list within the audit system of the security modules that provide security contexts.
  Revert the separate counts of subject and object contexts.

v2:
  Maintain separate counts for LSMs using subject contexts and object contexts. AppArmor uses the former but not the latter.
  Correct error handling in object record creation.
https://github.com/cschaufler/lsm-stacking#audit-6.17-rc1

Casey Schaufler (4):
  Audit: Create audit_stamp structure
  LSM: security_lsmblob_to_secctx module selection
  Audit: Add record for multiple task security contexts
  Audit: Add record for multiple object contexts

 include/linux/audit.h        |  23 +++
 include/linux/security.h     |   6 +-
 include/uapi/linux/audit.h   |   2 +
 kernel/audit.c               | 275 ++++++++++++++++++++++++++++++-----
 kernel/audit.h               |  13 +-
 kernel/auditsc.c             |  58 ++------
 net/netlabel/netlabel_user.c |   8 +-
 security/apparmor/lsm.c      |   3 +
 security/security.c          |  18 ++-
 security/selinux/hooks.c     |   5 +
 security/smack/smack_lsm.c   |   5 +
 11 files changed, 321 insertions(+), 95 deletions(-)

-- 
2.50.1
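As an added illustration (not code from this patchset), the Python below sketches how a user-space consumer would assemble a multi-record event by its audit serial number and read one subject context per LSM from a supplemental record, while still accepting the single subj= of a legacy SYSCALL record. The record type name MAC_TASK_CONTEXTS, the subj_lsm=/subj= field layout, the subj=? placeholder and the sample log are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log; MAC_TASK_CONTEXTS and the subj_lsm=/subj= layout
# are assumed for this example, not taken from the patchset. Serial 12345
# is one event of two records (SYSCALL holds subj=?); 12346 is legacy.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:12345): arch=c000003e syscall=59 success=yes exit=0 pid=4242 subj=? key=(null)
type=MAC_TASK_CONTEXTS msg=audit(1700000000.123:12345): subj_lsm=selinux subj=system_u:system_r:init_t:s0 subj_lsm=smack subj=_
type=SYSCALL msg=audit(1700000000.124:12346): arch=c000003e syscall=1 success=yes exit=4 pid=4243 subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Split one audit line into type, serial and an ordered (key, value) list.
    A list, not a dict: subj_lsm/subj repeat once per LSM in the new record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _stamp, serial, body = m.groups()
    return {"type": rtype, "serial": int(serial), "fields": FIELD_RE.findall(body)}

def group_events(text):
    """Assemble records into events keyed by the audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def subject_contexts(event):
    """Return [(lsm, context)]; lsm is None for a legacy single-LSM subj=."""
    for rec in event:
        if rec["type"] == "MAC_TASK_CONTEXTS":
            out, lsm = [], None
            for key, val in rec["fields"]:
                if key == "subj_lsm":
                    lsm = val
                elif key == "subj" and lsm is not None:
                    out.append((lsm, val))
                    lsm = None
            return out
    for rec in event:
        if rec["type"] == "SYSCALL":
            for key, val in rec["fields"]:
                if key == "subj" and val != "?":
                    return [(None, val)]
    return []
```

A consumer written before the supplemental record existed simply ignores the unknown record type and keeps reading subj= from SYSCALL, which is the backward compatibility property the multi-record design is meant to preserve.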