On 8/7/2023 7:24 AM, Tetsuo Handa wrote:
> On 2023/08/07 7:01, Steve Grubb wrote:
>> This is where the problem begins. We like to have normalized audit records.
>> Meaning that a type of event defines the fields it contains. In this case
>> subject would be a process label. and there is already a precedent for what
>> fields belong in a syscall record.
> What is the definition of "a process label"? SELinux / Smack / AppArmor are
> using
> security_secid_to_secctx() hook for providing string data for the subj= field.
> I don't think that they are restricting characters that can be included.
> Then, what is wrong with returning subset of ASCII printable characters from
> tt_secid_to_secctx() ?
I would say that a "process label" is the information about the process used
in an access control decision. I agree with Steve that putting the process
history in the subj= field is the wrong approach. I also agree that a separate
record is the way to go.
>
>
>
> static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> return security_sid_to_context(secid,
> secdata, seclen);
> }
>
> static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> struct smack_known *skp = smack_from_secid(secid);
>
> if (secdata)
> *secdata = skp->smk_known;
> *seclen = strlen(skp->smk_known);
> return 0;
> }
>
> int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> /* TODO: cache secctx and ref count so we don't have to recreate */
> struct aa_label *label = aa_secid_to_label(secid);
> int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
> int len;
>
> AA_BUG(!seclen);
>
> if (!label)
> return -EINVAL;
>
> if (apparmor_display_secid_mode)
> flags |= FLAG_SHOW_MODE;
>
> if (secdata)
> len = aa_label_asxprint(secdata, root_ns, label,
> flags, GFP_ATOMIC);
> else
> len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
>
> if (len < 0)
> return -ENOMEM;
>
> *seclen = len;
>
> return 0;
> }
>
>> What I would suggest is to make a separate record: AUDIT_PROC_TREE that
>> describes process tree from the one killed up to the last known parent. This
>> way you can define your own format and SYSCALL can stay as everyone expects
>> it
>> to look. In the EXECVE audit record, there is a precedent of using agv[0]=xx
>> argv[1]=xx argv[2]=yy and so on. If you want to make these generally
>> parsable without special knowledge of the record format, I'd suggest
>> something like it.
> Yes,
> https://lkml.kernel.org/r/201501202220.djj34834.oljohfmqoft...@i-love.sakura.ne.jp
> used AUDIT_PROCHISTORY instead of LSM hooks, but that thread died there.
>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
