user/sven/linux.git/kernel/audit.c, branch v6.15.1

audit: Initialize lsmctx to avoid memory allocation error

2025-01-30T01:02:04Z

When audit is enabled in a kernel build, and there are no LSMs active that support LSM labeling, it is possible that local variable lsmctx in the AUDIT_SIGNAL_INFO handler in audit_receive_msg() could be used before it is properly initialize. Then kmalloc() will try to allocate a large amount of memory with the uninitialized length. This patch corrects this problem by initializing the lsmctx to a safe value when it is declared, which avoid errors like: WARNING: CPU: 2 PID: 443 at mm/page_alloc.c:4727 __alloc_pages_noprof ... ra: 9000000003059644 ___kmalloc_large_node+0x84/0x1e0 ERA: 900000000304d588 __alloc_pages_noprof+0x4c8/0x1040 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0) PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) CPU: 2 UID: 0 PID: 443 Comm: auditd Not tainted 6.13.0-rc1+ #1899 ... Call Trace: [<9000000002def6a8>] show_stack+0x30/0x148 [<9000000002debf58>] dump_stack_lvl+0x68/0xa0 [<9000000002e0fe18>] __warn+0x80/0x108 [<900000000407486c>] report_bug+0x154/0x268 [<90000000040ad468>] do_bp+0x2a8/0x320 [<9000000002dedda0>] handle_bp+0x120/0x1c0 [<900000000304d588>] __alloc_pages_noprof+0x4c8/0x1040 [<9000000003059640>] ___kmalloc_large_node+0x80/0x1e0 [<9000000003061504>] __kmalloc_noprof+0x2c4/0x380 [<9000000002f0f7ac>] audit_receive_msg+0x764/0x1530 [<9000000002f1065c>] audit_receive+0xe4/0x1c0 [<9000000003e5abe8>] netlink_unicast+0x340/0x450 [<9000000003e5ae9c>] netlink_sendmsg+0x1a4/0x4a0 [<9000000003d9ffd0>] __sock_sendmsg+0x48/0x58 [<9000000003da32f0>] __sys_sendto+0x100/0x170 [<9000000003da3374>] sys_sendto+0x14/0x28 [<90000000040ad574>] do_syscall+0x94/0x138 [<9000000002ded318>] handle_syscall+0xb8/0x158 Fixes: 6fba89813ccf333d ("lsm: ensure the correct LSM context releaser") Signed-off-by: Huacai Chen [PM: resolved excessive line length in the backtrace] Signed-off-by: Paul Moore

lsm: replace context+len with lsm_context

2024-12-04T19:42:31Z

Replace the (secctx,seclen) pointer pair with a single lsm_context pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_secid_to_secctx() and security_lsmproc_to_secctx() will now return the length value on success instead of 0. Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org Cc: Todd Kjos Signed-off-by: Casey Schaufler [PM: subject tweak, kdoc fix, signedness fix from Dan Carpenter] Signed-off-by: Paul Moore

lsm: ensure the correct LSM context releaser

2024-12-04T15:46:26Z

Add a new lsm_context data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Update security_release_secctx() to use the lsm_context instead of a (char *, len) pair. Change its callers to do likewise. The LSMs supporting this hook have had comments added to remind the developer that there is more work to be done. The BPF security module provides all LSM hooks. While there has yet to be a known instance of a BPF configuration that uses security contexts, the possibility is real. In the existing implementation there is potential for multiple frees in that case. Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org Cc: Todd Kjos Signed-off-by: Casey Schaufler [PM: subject tweak] Signed-off-by: Paul Moore

Merge tag 'lsm-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

2024-11-19T01:34:05Z

Pull lsm updates from Paul Moore: "Thirteen patches, all focused on moving away from the current 'secid' LSM identifier to a richer 'lsm_prop' structure. This move will help reduce the translation that is necessary in many LSMs, offering better performance, and make it easier to support different LSMs in the future" * tag 'lsm-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: remove lsm_prop scaffolding netlabel,smack: use lsm_prop for audit data audit: change context data from secid to lsm_prop lsm: create new security_cred_getlsmprop LSM hook audit: use an lsm_prop in audit_names lsm: use lsm_prop in security_inode_getsecid lsm: use lsm_prop in security_current_getsecid audit: update shutdown LSM data lsm: use lsm_prop in security_ipc_getsecid audit: maintain an lsm_prop in audit_context lsm: add lsmprop_to_secctx hook lsm: use lsm_prop in security_audit_rule_match lsm: add the lsm_prop data structure

lsm: use lsm_prop in security_current_getsecid

2024-10-11T18:34:14Z

Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsm_prop structure instead of a u32 secid. Audit interfaces will need to collect all possible security data for possible reporting. Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: selinux@vger.kernel.org Signed-off-by: Casey Schaufler [PM: subject line tweak] Signed-off-by: Paul Moore

audit: update shutdown LSM data

2024-10-11T18:34:13Z

The audit process LSM information is changed from a secid audit_sig_sid to an lsm_prop in audit_sig_lsm. Update the users of this data appropriately. Calls to security_secid_to_secctx() are changed to use security_lsmprop_to_secctx() instead. security_current_getsecid_subj() is scaffolded. It will be updated in a subsequent patch. Signed-off-by: Casey Schaufler [PM: subject line tweak] Signed-off-by: Paul Moore

audit: Reorganize kerneldoc parameter names

2024-10-03T19:05:05Z

Reorganize kerneldoc parameter names to match the parameter order in the function header. Problems identified using Coccinelle. Signed-off-by: Julia Lawall Signed-off-by: Paul Moore

audit: Make use of str_enabled_disabled() helper

2024-09-03T20:35:16Z

Use str_enabled_disabled() helper instead of open coding the same. Signed-off-by: Hongbo Li Signed-off-by: Paul Moore

audit: use task_tgid_nr() instead of task_pid_nr()

2024-08-28T20:48:28Z

In a few audit records, PIDs were being recorded with task_pid_nr() instead of task_tgid_nr(). $ grep "task_pid_nr" kernel/audit*.c audit.c: task_pid_nr(current), auditfilter.c: pid = task_pid_nr(current); auditsc.c: audit_log_format(ab, " pid=%u", task_pid_nr(current)); For single-thread applications, the process id (pid) and the thread group id (tgid) are the same. However, on multi-thread applications, task_pid_nr() returns the current thread id (user-space's TID), while task_tgid_nr() returns the main thread id (user-space's PID). Since the users are more interested in the process id (pid), rather than the thread id (tid), this patch converts these callers to the correct method. Link: https://github.com/linux-audit/audit-kernel/issues/126 Reviewed-by: Richard Guy Briggs Signed-off-by: Ricardo Robaina Signed-off-by: Paul Moore

audit: use KMEM_CACHE() instead of kmem_cache_create()

2024-01-25T15:12:22Z

Use the new KMEM_CACHE() macro instead of direct kmem_cache_create to simplify the creation of SLAB caches. Signed-off-by: Kunwu Chan [PM: subject line tweaks] Signed-off-by: Paul Moore