linux-audit / audit-userspace

Linux audit userspace repository
GNU General Public License v2.0

audit: error in audit_log_object_context #378

Open ali4006 opened 3 weeks ago

ali4006 commented 3 weeks ago

On Ubuntu 24.04 with auditd=1:3.1.2-2.1build1 installed, the audit log starts printing the error "audit: error in audit_log_object_context" on the console when I deactivate AppArmor and activate SELinux as follows:

$ systemctl stop apparmor
$ systemctl disable apparmor
$ selinux-activate

Installed: selinux-basics=0.5.9
Linux kernel: 6.8.0

stevegrubb commented 2 weeks ago

I grepped around the code and can't find audit_log_object_context anywhere. I think your distribution must have a patch they have not submitted to upstream.

ali4006 commented 2 weeks ago

I found this code snippet from the archive listed in March 2022:

+void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob)
+{
+   int i;
+   int error;
+   struct lsmcontext context;
+
+   if (!lsm_multiple_contexts()) {
+       error = security_secid_to_secctx(blob, &context, LSMBLOB_FIRST);
+       if (error) {
+           if (error != -EINVAL)
+               goto error_path;
+           return;
+       }
+       audit_log_format(ab, " obj=%s", context.context);
+       security_release_secctx(&context);
+   } else {
+       audit_log_format(ab, " obj=?");
+       error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS);
+       if (error)
+           goto error_path;
+
+       for (i = 0; i < LSMBLOB_ENTRIES; i++) {
+           if (blob->secid[i] == 0)
+               continue;
+           error = security_secid_to_secctx(blob, &context, i);
+           if (error) {
+               if (error != -EINVAL)
+                   audit_panic("error in audit_log_object_context");
+               audit_log_format(ab, "%sobj_%s=?",
+                        i ? " " : "",
+                        lsm_slot_to_name(i));
+           } else {
+               audit_log_format(ab, "%sobj_%s=%s",
+                        i ? " " : "",
+                        lsm_slot_to_name(i),
+                        context.context);
+               security_release_secctx(&context);
+           }
+       }
+
+       audit_buffer_aux_end(ab);
+   }
+   return;
+
+error_path:
+   audit_panic("error in audit_log_object_context");
+}
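
Review bot: Both audit_panic("error in audit_log_object_context") calls, the one inside the loop and the one at error_path, discard the value of error, and the loop one also discards which slot failed, so the kernel log line cannot tell the reader which LSM returned what. Report error and, in the loop, lsm_slot_to_name(i) next to the panic. The multiple-context branch also treats a non-EINVAL failure differently from the single-context branch: it calls audit_panic, then falls through to emit obj_%s=? and keeps iterating, so a single record can raise one panic per slot, while the single-context branch leaves through error_path. Make the two paths consistent or add a comment explaining the difference. Separately, the separator test i ? " " : "" is keyed on the slot index, so when slot 0 is skipped by the secid[i] == 0 continue, the first field written still gets a leading space; track whether a field has already been emitted instead.
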
mmelnyk commented 2 weeks ago

The easier way to reproduce this issue on Ubuntu 24.04:

autrace /bin/ls

The dmesg output:

[ 1334.743586] audit_panic: 14 callbacks suppressed
[ 1334.743589] audit: error in audit_log_object_context
[ 1334.743609] audit: error in audit_log_object_context
[ 1334.744685] audit: error in audit_log_object_context
[ 1334.744736] audit: error in audit_log_object_context
[ 1334.744846] audit: error in audit_log_object_context
[ 1334.745896] audit: error in audit_log_object_context
[ 1334.747746] audit: error in audit_log_object_context
[ 1334.748660] audit: error in audit_log_object_context
[ 1334.748903] audit: error in audit_log_object_context
[ 1334.749164] audit: error in audit_log_object_context