linux/drivers/md
Michael Weiß 074c44664f dm verity: emit audit events on verification failure and more
dm-verity signals integrity violations by returning I/O errors
to user space. To identify integrity violations by a controlling
instance, the kernel audit subsystem can be used to emit audit
events to user space. Analogous to dm-integrity, we also use the
dm-audit submodule allowing to emit audit events on verification
failures of metadata and data blocks as well as if max corrupted
errors are reached.

The construction and destruction of verity device mappings are
also relevant for auditing a system. Thus, those events are also
logged as audit events.

Tested by starting a container with the container manager (cmld) of
GyroidOS which uses a dm-verity protected rootfs image root.img mapped
to /dev/mapper/<uuid>-root. One block was manipulated in the
underlying image file and repeated reads of the verity device were
performed again until the max corrupted errors is reached, e.g.:

  dd if=/dev/urandom of=root.img bs=512 count=1 seek=1000
  for i in range {1..101}; do \
    dd if=/dev/mapper/<uuid>-root of=/dev/null bs=4096 \
       count=1 skip=1000 \
  done

The resulting audit log looks as follows:

  type=DM_CTRL msg=audit(1677618791.876:962):
    module=verity op=ctr ppid=4876 pid=29102 auid=0 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=44
    comm="cmld" exe="/usr/sbin/cml/cmld" subj=unconfined
    dev=254:3 error_msg='success' res=1

  type=DM_EVENT msg=audit(1677619463.786:1074): module=verity
    op=verify-data dev=7:0 sector=1000 res=0
  ...
  type=DM_EVENT msg=audit(1677619596.727:1162): module=verity
    op=verify-data dev=7:0 sector=1000 res=0

  type=DM_EVENT msg=audit(1677619596.731:1163): module=verity
    op=max-corrupted-errors dev=254:3 sector=? res=0

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
2023-04-04 13:30:05 -04:00
..
bcache flexible-array transformations for 6.3-rc1 2023-02-25 12:53:42 -08:00
persistent-data dm: add missing blank line after declarations/fix those 2023-02-14 14:23:07 -05:00
dm-audit.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-audit.h dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-bio-prison-v1.c dm: improve hash_locks sizing and hash function 2023-03-30 15:57:51 -04:00
dm-bio-prison-v1.h dm bio prison v1: add dm_cell_key_has_valid_range 2023-03-30 15:57:51 -04:00
dm-bio-prison-v2.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-bio-prison-v2.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-bio-record.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-bufio.c dm: improve hash_locks sizing and hash function 2023-03-30 15:57:51 -04:00
dm-builtin.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-cache-background-tracker.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-background-tracker.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-block-types.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-cache-metadata.c dm: prefer '"%s...", __func__' 2023-02-14 14:23:07 -05:00
dm-cache-metadata.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy-internal.h dm: add missing empty lines 2023-02-14 14:23:06 -05:00
dm-cache-policy-smq.c dm: add missing empty lines 2023-02-14 14:23:06 -05:00
dm-cache-policy.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy.h dm: address indent/space issues 2023-02-14 14:23:06 -05:00
dm-cache-target.c dm cache: add cond_resched() to various workqueue loops 2023-02-17 14:49:12 -05:00
dm-clone-metadata.c dm clone metadata: remove unused function 2021-04-19 13:20:31 -04:00
dm-clone-metadata.h
dm-clone-target.c dm clone: prefer kvmalloc_array() 2023-02-14 14:23:08 -05:00
dm-core.h dm: add argument identifier names 2023-02-14 14:23:06 -05:00
dm-crypt.c - Fix DM thin to work as a swap device by using 'limit_swap_bios' DM 2023-03-24 14:20:48 -07:00
dm-delay.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-dust.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-ebs-target.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-era-target.c dm: prefer '"%s...", __func__' 2023-02-14 14:23:07 -05:00
dm-exception-store.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-exception-store.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-flakey.c dm: add missing empty lines 2023-02-14 14:23:06 -05:00
dm-ima.c dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-ima.h dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-init.c dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-integrity.c - Fix DM cache target to free background tracker work items, otherwise 2023-02-22 13:21:31 -08:00
dm-io-rewind.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-io-tracker.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-io.c dm: don't indent labels 2023-02-14 14:23:07 -05:00
dm-ioctl.c dm ioctl: remove unnecessary check when using dm_get_mdptr() 2023-02-17 14:49:21 -05:00
dm-kcopyd.c dm: fix use of sizeof() macro 2023-02-14 14:23:07 -05:00
dm-linear.c dm: don't indent labels 2023-02-14 14:23:07 -05:00
dm-log-userspace-base.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-log-userspace-transfer.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-log-userspace-transfer.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-log-writes.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-log.c dm log: avoid multiple line dereference 2023-02-14 14:23:07 -05:00
dm-mpath.c dm: update targets using system workqueues to use a local workqueue 2023-02-14 14:23:08 -05:00
dm-mpath.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-path-selector.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-path-selector.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-historical-service-time.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-ps-io-affinity.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-ps-queue-length.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-round-robin.c dm: correct block comments format. 2023-02-14 14:23:06 -05:00
dm-ps-service-time.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-raid1.c dm: update targets using system workqueues to use a local workqueue 2023-02-14 14:23:08 -05:00
dm-raid.c dm: fix suspect indent whitespace 2023-02-14 14:23:07 -05:00
dm-region-hash.c dm: correct block comments format. 2023-02-14 14:23:06 -05:00
dm-rq.c dm: avoid using symbolic permissions 2023-02-14 14:23:07 -05:00
dm-rq.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-snap-persistent.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-snap-transient.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-snap.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-stats.c dm stats: check for and propagate alloc_percpu failure 2023-03-16 13:37:06 -04:00
dm-stats.h dm stats: check for and propagate alloc_percpu failure 2023-03-16 13:37:06 -04:00
dm-stripe.c dm: update targets using system workqueues to use a local workqueue 2023-02-14 14:23:08 -05:00
dm-switch.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-sysfs.c dm sysfs: make kobj_type structure constant 2023-02-14 14:23:08 -05:00
dm-table.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-target.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-thin-metadata.c dm: avoid useless 'else' after 'break' or return' 2023-02-14 14:23:07 -05:00
dm-thin-metadata.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-thin.c dm bio prison v1: add dm_cell_key_has_valid_range 2023-03-30 15:57:51 -04:00
dm-uevent.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-uevent.h dm: fix undue/missing spaces 2023-02-14 14:23:06 -05:00
dm-unstripe.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity-fec.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-verity-fec.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-verity-loadpin.c dm: verity-loadpin: Only trust verity targets with enforcement 2022-09-07 16:37:27 -07:00
dm-verity-target.c dm verity: emit audit events on verification failure and more 2023-04-04 13:30:05 -04:00
dm-verity-verify-sig.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity-verify-sig.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-writecache.c dm: fix use of sizeof() macro 2023-02-14 14:23:07 -05:00
dm-zero.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-zone.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-zoned-metadata.c dm: don't indent labels 2023-02-14 14:23:07 -05:00
dm-zoned-reclaim.c dm kcopyd: avoid useless atomic operations 2021-06-04 12:07:24 -04:00
dm-zoned-target.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-zoned.h dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm.c dm: split discards further if target sets max_discard_granularity 2023-03-30 15:57:50 -04:00
dm.h dm: improve hash_locks sizing and hash function 2023-03-30 15:57:51 -04:00
Kconfig Merge branch 'md-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md into block-6.3 2023-03-15 12:18:07 -06:00
Makefile hardening updates for v5.20-rc1 2022-08-02 14:38:59 -07:00
md-autodetect.c md: return the allocated devices from md_alloc 2022-08-02 17:22:46 -06:00
md-bitmap.c md/bitmap: Fix bitmap chunk size overflow issues 2022-11-14 09:35:50 -08:00
md-bitmap.h
md-cluster.c fs: dlm: remove DLM_LSFL_FS from uapi 2022-08-23 14:54:54 -05:00
md-cluster.h
md-faulty.c block: pass a block_device to bio_clone_fast 2022-02-04 07:43:18 -07:00
md-linear.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-linear.h md/raid1: Replace zero-length array with flexible-array 2020-05-13 12:02:23 -07:00
md-multipath.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-multipath.h
md.c md: avoid signed overflow in slot_store() 2023-03-13 12:50:54 -07:00
md.h md: account io_acct_set usage with active_io 2023-02-08 15:46:57 -08:00
raid0.c md/raid0, raid10: Don't set discard sectors for request queue 2022-11-14 10:15:34 -08:00
raid0.h
raid1-10.c md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00
raid1.c block: remove bio_set_op_attrs 2022-12-07 09:43:12 -07:00
raid1.h md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00
raid5-cache.c md/raid5: use bdev_write_cache instead of open coding it 2022-11-14 10:15:35 -08:00
raid5-log.h md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5-ppl.c md/raid5: use bdev_write_cache instead of open coding it 2022-11-14 10:15:35 -08:00
raid5.c md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d 2022-09-22 00:05:06 -07:00
raid5.h md/raid5: Cleanup prototype of raid5_get_active_stripe() 2022-09-22 00:05:04 -07:00
raid10.c block: remove bio_set_op_attrs 2022-12-07 09:43:12 -07:00
raid10.h md/raid10: convert resync_lock to use seqlock 2022-09-22 00:05:05 -07:00