2009-04-05 08:47:12

by Etienne Basset

[permalink] [raw]
Subject: [PATCH 0/2] security/smack implement logging V2

Hello,

the following 2 patches implements auditing of security events for Smack.
It tries to implement what Eric Paris suggested, and moves shareable code
to include/linux/lsm_audit.h and security/lsm_audit.c.
Smack specific logging functions are now defined in smack_access.c

patch 1 : created common LSM auditing code
patch 2 : convert smack to use it

the patches are against current mainline
thanks,
Etienne

sample logs produced :

type=1400 audit(1238919766.161:13): SMACK[smack_netlabel_send]: action=denied subject="FOO" object="BAR" requested=w pid=6672 comm="telnet" daddr=212.180.1.1 dest=80
type=1400 audit(1238919813.116:21): SMACK[smack_inode_getattr]: action=denied subject="FOO" object="etienne" requested=r pid=6679 comm="bash" path="/home/etienne/Desktop" dev=sda8ino=1237000
type=1400 audit(1238919813.773:22): SMACK[smack_inode_permission]: action=denied subject="FOO" object="_" requested=wx pid=6691 comm="rm"name="etienne" dev=sda8 ino=1236993
type=1400 audit(1238919842.953:30): SMACK[smack_task_kill]: action=denied subject="FOO" object="_" requested=w pid=6679 comm="bash"pid=6466 comm="thunderbird-bin"
type=1400 audit(1238920571.962:52): SMACK[smack_sb_mount]: action=denied subject="FOO" object="_" requested=w pid=6835 comm="mount" path="/debug" dev=sda5 ino=16161
type=1400 audit(1238920971.805:10435): SMACK[smack_socket_sock_rcv_skb]: action=granted subject="_" object="_" requested=w saddr=77.199.172.15 src=8541 daddr=192.168.0.10 dest=36917 netif=eth0



2009-04-06 15:36:58

by Eric Paris

[permalink] [raw]
Subject: Re: [PATCH 0/2] security/smack implement logging V2

On Sun, 2009-04-05 at 10:46 +0200, Etienne Basset wrote:

> the following 2 patches implements auditing of security events for Smack.
> It tries to implement what Eric Paris suggested, and moves shareable code
> to include/linux/lsm_audit.h and security/lsm_audit.c.
> Smack specific logging functions are now defined in smack_access.c


> type=1400 audit(1238919813.116:21): SMACK[smack_inode_getattr]: action=denied subject="FOO" object="etienne" requested=r pid=6679 comm="bash" path="/home/etienne/Desktop" dev=sda8ino=1237000

Can we make SMACK[smack_inode_getarr] into key=value pairs too and get
rid of that extra ':'? Anyone have naming suggestions?

lsm=SMACK function=smack_inode_getattr

also: dev=sda8ino=1237000 I'm guessing that was just a typo of you
putting the example into the e-mail, but you may want to double check.

-Eric

2009-04-06 16:50:23

by Etienne Basset

[permalink] [raw]
Subject: Re: [PATCH 0/2] security/smack implement logging V2

Eric Paris wrote:
> On Sun, 2009-04-05 at 10:46 +0200, Etienne Basset wrote:
>
>> the following 2 patches implements auditing of security events for Smack.
>> It tries to implement what Eric Paris suggested, and moves shareable code
>> to include/linux/lsm_audit.h and security/lsm_audit.c.
>> Smack specific logging functions are now defined in smack_access.c
>
>
>> type=1400 audit(1238919813.116:21): SMACK[smack_inode_getattr]: action=denied subject="FOO" object="etienne" requested=r pid=6679 comm="bash" path="/home/etienne/Desktop" dev=sda8ino=1237000
>
> Can we make SMACK[smack_inode_getarr] into key=value pairs too and get
> rid of that extra ':'? Anyone have naming suggestions?
>
> lsm=SMACK function=smack_inode_getattr
>
yes, sure. Maybe just :
lsm=SMACK fn=smack_inode_getattr
I want as much info as possible with as less characters as possible (is this english? :) )

> also: dev=sda8ino=1237000 I'm guessing that was just a typo of you
> putting the example into the e-mail, but you may want to double check.
>
yeah, bad cut&paste, sorry about that

Etienne