Re: [PATCH v2 1/3] dm: introduce audit event module for device mapper
From: Paul Moore <paul@paul-moore.com>
Date: 2021-08-18 18:59:28
Also in:
dm-devel, lkml
On Sat, Aug 14, 2021 at 2:34 PM Michael Weiß [off-list ref] wrote:
To be able to send auditing events to user space, we introduce a generic dm-audit module. It provides helper functions to emit audit events through the kernel audit subsystem. We claim the AUDIT_DM type=1336 out of the audit event messages range in the corresponding userspace api in 'include/uapi/linux/audit.h' for those events. Following commits to device mapper targets actually will make use of this to emit those events in relevant cases. Signed-off-by: Michael Weiß <redacted>
Hi Michael, You went into more detail in your patchset cover letter, e.g. example audit records, which I think would be helpful here in the commit description so we have it as part of the git log. I don't want to discourage you from writing cover letters, but don't forget that the cover letters can be lost to the ether after a couple of years whereas the git log has a much longer lifetime (we hope!) and a tighter binding to the related code.
quoted hunk ↗ jump to hunk
--- drivers/md/Kconfig | 10 +++++++ drivers/md/Makefile | 4 +++ drivers/md/dm-audit.c | 59 ++++++++++++++++++++++++++++++++++++++ drivers/md/dm-audit.h | 33 +++++++++++++++++++++ include/uapi/linux/audit.h | 1 + 5 files changed, 107 insertions(+) create mode 100644 drivers/md/dm-audit.c create mode 100644 drivers/md/dm-audit.hdiff --git a/drivers/md/Kconfig b/drivers/md/Kconfig index 0602e82a9516..48adbec12148 100644 --- a/drivers/md/Kconfig +++ b/drivers/md/Kconfig@@ -608,6 +608,7 @@ config DM_INTEGRITY select CRYPTO select CRYPTO_SKCIPHER select ASYNC_XOR + select DM_AUDIT if AUDIT help This device-mapper target emulates a block device that has additional per-sector tags that can be used for storing@@ -640,4 +641,13 @@ config DM_ZONED If unsure, say N. +config DM_AUDIT + bool "DM audit events" + depends on AUDIT + help + Generate audit events for device-mapper. + + Enables audit logging of several security relevant events in the + particular device-mapper targets, especially the integrity target. + endif # MDdiff --git a/drivers/md/Makefile b/drivers/md/Makefile index a74aaf8b1445..4cd47623c742 100644 --- a/drivers/md/Makefile +++ b/drivers/md/Makefile@@ -103,3 +103,7 @@ endif ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y) dm-verity-objs += dm-verity-verify-sig.o endif + +ifeq ($(CONFIG_DM_AUDIT),y) +dm-mod-objs += dm-audit.o +endifdiff --git a/drivers/md/dm-audit.c b/drivers/md/dm-audit.c new file mode 100644 index 000000000000..c7e5824821bb --- /dev/null +++ b/drivers/md/dm-audit.c@@ -0,0 +1,59 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Creating audit records for mapped devices. + * + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved. + * + * Authors: Michael Weiß <michael.weiss@aisec.fraunhofer.de> + */ + +#include <linux/audit.h> +#include <linux/module.h> +#include <linux/device-mapper.h> +#include <linux/bio.h> +#include <linux/blkdev.h> + +#include "dm-audit.h" +#include "dm-core.h" + +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op, + struct bio *bio, sector_t sector, int result) +{ + struct audit_buffer *ab; + + if (audit_enabled == AUDIT_OFF) + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); + if (unlikely(!ab)) + return; + + audit_log_format(ab, "module=%s dev=%d:%d op=%s sector=%llu res=%d", + dm_msg_prefix, MAJOR(bio->bi_bdev->bd_dev), + MINOR(bio->bi_bdev->bd_dev), op, sector, result); + audit_log_end(ab); +} +EXPORT_SYMBOL_GPL(dm_audit_log_bio); + +void dm_audit_log_target(const char *dm_msg_prefix, const char *op, + struct dm_target *ti, int result) +{ + struct audit_buffer *ab; + struct mapped_device *md = dm_table_get_md(ti->table); + + if (audit_enabled == AUDIT_OFF) + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); + if (unlikely(!ab)) + return; + + audit_log_format(ab, "module=%s dev=%s op=%s", + dm_msg_prefix, dm_device_name(md), op); + + if (!result && !strcmp("ctr", op)) + audit_log_format(ab, " error_msg='%s'", ti->error); + audit_log_format(ab, " res=%d", result); + audit_log_end(ab); +}
Generally speaking we try to keep a consistent format and ordering within a given audit record type. However you appear to have at least three different formats for the AUDIT_DM record in this patch: "... module=%s dev=%d:%d op=%s sector=%llu res=%d" "... module=%s dev=%s op=%s error_msg='%s' res=%d" "... module=%s dev=%s op=%s res=%d" The first thing that jumps out is that some fields, e.g. "sector", are not always present in the record; we typically handle this by using a "?" for the field value in those cases where you would otherwise drop the field from the record, for example the following record: "... module=%s dev=%s op=%s res=%d" ... would be rewritten like this: "... module=%s dev=%s op=%s sector=? res=%d" The second thing that I noticed is that the "dev" field changes from a "major:minor" number representation to an arbitrary string value, e.g. "dev=%s". This generally isn't something we do with audit records, please stick to a single representation for a given audit record-type/field combination. -- paul moore www.paul-moore.com