[PATCH v5 0/5] Audit: Records for multiple security contexts

Casey Schaufler posted 5 patches 1 month ago
There is a newer version of this series
include/linux/audit.h        |  23 +++
include/linux/security.h     |   6 +-
include/uapi/linux/audit.h   |   2 +
kernel/audit.c               | 274 ++++++++++++++++++++++++++++++-----
kernel/audit.h               |  13 +-
kernel/auditsc.c             |  65 +++------
net/netlabel/netlabel_user.c |   8 +-
security/apparmor/lsm.c      |   3 +
security/lsm.h               |   4 -
security/lsm_init.c          |   5 -
security/security.c          |  21 ++-
security/selinux/hooks.c     |   5 +
security/smack/smack_lsm.c   |   5 +
13 files changed, 325 insertions(+), 109 deletions(-)
[PATCH v5 0/5] Audit: Records for multiple security contexts
Posted by Casey Schaufler 1 month ago
The Linux audit system includes LSM based security "context" information
in its events. Historically, only one LSM that uses security contexts can
be active on a system. One of the few obstacles to allowing multiple LSM
support is the inability to report more than one security context in an
audit event. This patchset provides a mechanism to provide supplemental
records containing more than one security context for subjects and
objects.

The mechanism for reporting multiple security contexts inspired
considerable discussion. It would have been possible to add multiple
contexts to existing records using sophisticated formatting. This would
have significant backward compatibility issues, and require additional
parsing in user space code. Adding new records for an event that contain
the contexts is more in keeping with the way audit events have been
constructed in the past.

Only audit events associated with system calls have required multiple
records prior to this. A mechanism has been added allowing any event
to be composed of multiple records. This should make it easier to
add information to existing audit events without breaking backward
compatibility.

v5:
Comment on the LSM_ID_UNDEF behavior in security_secid_to_secctx().
Change some names to better reflect their purpose.
Move alignment changes into a separate patch.
v4:
Use LSM_ID_UNDEF when checking for valid LSM IDs in
security_lsmprop_to_secctx().
Fix the object record to include only those for LSMs that use them.
Squash the two patches dealing with subject contexts.
Base the patches on Paul Moore's LSM initialization patchset.
https://lore.kernel.org/all/20250409185019.238841-31-paul@paul-moore.com/
v3:
Rework how security modules identify that they provide security
contexts to the audit system. Maintain a list within the audit
system of the security modules that provide security contexts.
Revert the separate counts of subject and object contexts.
v2:
Maintain separate counts for LSMs using subject contexts and object
contexts. AppArmor uses the former but not the latter.
Correct error handling in object record creation.

https://github.com/cschaufler/lsm-stacking#audit-6.16-rc4-v5

Casey Schaufler (5):
  Audit: Create audit_stamp structure
  LSM: security_lsmblob_to_secctx module selection
  Audit: Add record for multiple task security contexts
  Audit: Fix indentation in audit_log_exit
  Audit: Add record for multiple object contexts


-- 
2.50.1
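
The cover letter's backward-compatibility argument, as an added example that is not part of the series or the mailing-list thread: a small userspace reader groups audit records into events by their msg=audit(time:serial) id, and a parser that predates the series simply skips the supplemental record while still seeing the legacy subj= field. The record type name MAC_TASK_CONTEXTS and the subj_<lsm>= field names are assumptions for this example, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: one event (same timestamp:serial) made of a SYSCALL record,
# a supplemental record with one context per active LSM, and a PROCTITLE record,
# followed by an unrelated single-record event. The supplemental record's type
# and its subj_<lsm>= field names are assumptions, not taken from the patches.
SAMPLE = """\
type=SYSCALL msg=audit(1755362460.123:456): arch=c000003e syscall=257 success=yes exit=3 subj=system_u:system_r:init_t:s0 comm="cat"
type=MAC_TASK_CONTEXTS msg=audit(1755362460.123:456): subj_selinux=system_u:system_r:init_t:s0 subj_smack=_ subj_apparmor=unconfined
type=PROCTITLE msg=audit(1755362460.123:456): proctitle="cat"
type=SYSCALL msg=audit(1755362461.004:457): arch=c000003e syscall=2 success=no exit=-13 subj=unconfined comm="sh"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into (type, event id, {field: value})."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, (ts, int(serial)), dict(FIELD.findall(body))

def group_events(text, known_types):
    """Merge records into events keyed by (timestamp, serial). Record types
    not in known_types are skipped, which is what a reader written before
    this series does with the new supplemental record."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, eid, fields = rec
        if rtype not in known_types:
            continue
        events[eid].setdefault("records", []).append(rtype)
        events[eid].update(fields)
    return dict(events)

def subject_contexts(event):
    """Return {lsm: context} taken from subj_<lsm>= fields; fall back to the
    single legacy subj= field when no supplemental record was merged in."""
    ctx = {k[len("subj_"):]: v for k, v in event.items() if k.startswith("subj_")}
    if not ctx and "subj" in event:
        ctx["legacy"] = event["subj"]
    return ctx

LEGACY_TYPES = {"SYSCALL", "PROCTITLE"}          # pre-series reader
NEW_TYPES = LEGACY_TYPES | {"MAC_TASK_CONTEXTS"}  # reader aware of the new record
```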
Re: [PATCH v5 0/5] Audit: Records for multiple security contexts
Posted by Casey Schaufler 1 month ago
Oops. Script error. Please disregard.


On 8/16/2025 9:41 AM, Casey Schaufler wrote: