[RFC][PATCH] (version 2) Introduce /proc/$$/loginuid
by Serge Hallyn
This patch finishes some of the cleanup of the last patch which moved
loginuid into the task_struct, and introduces /proc/$$/loginuid. The
only comment I can think of which I haven't yet integrated was getting
rid of the get_free_page() in proc_loginuid_read(). I had problems when
I tried to do that earlier, but those were probably due to the loginuid
in audit_context problem.
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
19 years, 11 months
auditctl task ignores -S flag
by Debora Velarde
Here at IBM we have found that if you create an audit rule which uses
"task", then the -S flag has no effect. Rather than only auditing the
specified syscalls, all syscalls will generate an audit message. fyi, the
-F flag seems to work as expected. If this behavior is acceptable and it
doesn't make sense to use the "-S" flag with "task" rules, then auditctl
needs to be changed to not accept the -S flag in conjunction with "task",
or at least return a warning that the -S flag will be ignored. The man
page will also need to be changed in order to state the limitation.
Thanks,
debora
19 years, 11 months
Re: [PATCH] enable /proc/$$/loginuid
by Timothy R. Chavez
On Mon, 17 Jan 2005 11:10:29 -0800 (PST), Casey Schaufler
<casey(a)schaufler-ca.com> wrote:
>
> --- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
>
> > ... Better to
> > do this filtering
> > in userspace via a daemon then in the kernel. We
> > should keep the
> > in-kernel audit subsystem as small and efficient as
> > possible.
> > Anything that can be delegated to userspace should
> > be delegated to
> > userspace.
>
> For this scheme to work the kernel has to
> generate all possible records and pass them
> on for filtering. This is much less efficient
> than having the kernel filter records that
> are known to be uninteresting. Filtering
> must be done at a place where sufficient
> information is available to make the choice,
> and that means it must be done in the kernel
> or that all possible filtering criteria must
> be passed on.
Right, and such filtering already exists in the kernel and is mostly,
if not completely, sufficient to meet this goal. What I was getting
at is that there may be a desire to do additional filtering that goes
above and beyond what the kernel is capable of doing. Thus, this is
one reason why the audit daemon, and not the kernel, should be used to
write out to the actual log file.
<snip>
> =====
> Casey Schaufler
> casey(a)schaufler-ca.com
--
- Timothy R. Chavez
19 years, 11 months
[RFC][PATCH] send loginuid with audit messages
by Serge Hallyn
Hopefully my last patch for awhile.
This patch:
1. Adds loginuid to the netlink_skb_parms
2. Prepends loginuid to AUDIT_USER log entries
3. Logs loginuid for audit control log entries
4. Stops sending current->audit_context to audit_log()
for audit control messages. Once again, the current
process has nothing to do with the sending
process, so just send NULL for context.
We probably will want more complete info on audit_add_rule and
audit_del_rule messages.
I assume this patch will need to go to net-devel?
--
Serge Hallyn <serue(a)us.ibm.com>
19 years, 11 months
Patch on LKML
by Steve Grubb
Hi,
I was reading through the lkml archives and saw a patch posted that changes
several of the global functions in audit.c to static functions:
http://www.ussg.iu.edu/hypermail/linux/kernel/0501.2/0275.html
I just want to make sure everyone is aware of it in case there's objections.
The patch did not originate from any discussion on this mail list.
-Steve Grubb
19 years, 11 months
[RFC][PATCH] Move loginuid into task_struct
by Serge Hallyn
The attached patch moves the loginuid into the task_struct. Is there
any reason not to do this? Keeping it in the audit_context is
incompatible with the idea of only creating audit_contexts during an
auditable action.
The next patch I send out will again introduce /proc/$$/loginuid, and
initialize the loginuid to -1 at boot.
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
19 years, 11 months
[PATCH] Fix audit control message checks
by Serge E. Hallyn
The audit control messages are sent over netlink. Permission checks
are done on the process receiving the message, which may not be the
same as the process sending the message. This patch switches the
netlink_send security hooks to calculate the effective capabilities
based on the sender. Then audit_receive_msg performs capability checks
based on that.
It also introduces the CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL capabilities,
and replaces the previous CAP_SYS_ADMIN checks in audit code with the
appropriate checks.
Please apply.
Changelog:
1/15/2005: Simplified dummy_netlink_send given that dummy now
keeps track of capabilities.
1/14/2005: Many fixes based on feedback from linux-audit(a)redhat.com
list.
1/14/2005: Removed the netlink_msg_type helper function.
1/07/2005: Switch to using CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL.
thanks,
-serge
Signed-off-by: Serge Hallyn <serue(a)us.ibm.com>
Index: linux-2.6.10/include/linux/capability.h
===================================================================
--- linux-2.6.10.orig/include/linux/capability.h 2005-01-14 23:01:10.000000000 -0600
+++ linux-2.6.10/include/linux/capability.h 2005-01-14 23:01:12.000000000 -0600
@@ -284,6 +284,10 @@ typedef __u32 kernel_cap_t;
#define CAP_LEASE 28
+#define CAP_AUDIT_WRITE 29
+
+#define CAP_AUDIT_CONTROL 30
+
#ifdef __KERNEL__
/*
* Bounding set
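Review bot: the two new defines carry no comment saying what each capability permits, so the split between them (who may write user-level audit records vs. who may reconfigure the subsystem and filters) is documented only in the changelog; add a one-line comment above each, e.g. "/* Allow writing audit records via the audit netlink socket */" for CAP_AUDIT_WRITE and "/* Allow configuration of the audit subsystem */" for CAP_AUDIT_CONTROL, alongside the values.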
Index: linux-2.6.10/kernel/audit.c
===================================================================
--- linux-2.6.10.orig/kernel/audit.c 2005-01-14 23:01:10.000000000 -0600
+++ linux-2.6.10/kernel/audit.c 2005-01-14 23:21:17.000000000 -0600
@@ -300,21 +300,57 @@ nlmsg_failure: /* Used by NLMSG_PUT */
kfree_skb(skb);
}
+/*
+ * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
+ * control messages.
+ */
+int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
+{
+ int err = 0;
+
+ switch(msg_type) {
+ case AUDIT_GET:
+ case AUDIT_LIST:
+ case AUDIT_SET:
+ case AUDIT_LOGIN:
+ case AUDIT_ADD:
+ case AUDIT_DEL:
+ if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
+ err = -EPERM;
+ break;
+
+ case AUDIT_USER:
+ if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
+ err = -EPERM;
+ break;
+
+ default: /* bad msg */
+ err = -EINVAL;
+ }
+
+ return err;
+}
+
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 uid, pid, seq;
void *data;
struct audit_status *status_get, status_set;
struct audit_login *login;
- int err = 0;
+ int err;
struct audit_buffer *ab;
+ u16 msg_type = nlh->nlmsg_type;
+
+ err = audit_netlink_ok (NETLINK_CB(skb).eff_cap, msg_type);
+ if (err)
+ return err;
pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid;
seq = nlh->nlmsg_seq;
data = NLMSG_DATA(nlh);
- switch (nlh->nlmsg_type) {
+ switch (msg_type) {
case AUDIT_GET:
status_set.enabled = audit_enabled;
status_set.failure = audit_failure;
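Review bot: audit_netlink_ok() is called only from audit_receive_msg() in this file but is declared without static, so it becomes a new global symbol; make it static, and drop the stray spaces in "switch(msg_type)" and "audit_netlink_ok (NETLINK_CB(skb).eff_cap, msg_type)" to match kernel style. The changelog should also state the behavioural change visible here: unknown types are now rejected with -EINVAL before the switch, and AUDIT_GET, which the unchanged context shows had no capability check before, now requires CAP_AUDIT_CONTROL.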
@@ -327,8 +363,8 @@ static int audit_receive_msg(struct sk_b
&status_set, sizeof(status_set));
break;
case AUDIT_SET:
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
+ if (nlh->nlmsg_len < sizeof(struct audit_status))
+ return -EINVAL;
status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(status_get->enabled);
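Review bot: "nlh->nlmsg_len < sizeof(struct audit_status)" undercounts, because nlmsg_len is the length of the whole message including the netlink header; a message whose payload is NLMSG_HDRLEN bytes short of a full struct audit_status passes this check, and "status_get = (struct audit_status *)data;" then reads past the received data. Compare against NLMSG_LENGTH(sizeof(struct audit_status)) instead, or check NLMSG_PAYLOAD(nlh, 0) >= sizeof(struct audit_status).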
@@ -364,8 +400,8 @@ static int audit_receive_msg(struct sk_b
audit_log_end(ab);
break;
case AUDIT_LOGIN:
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
+ if (nlh->nlmsg_len < sizeof(struct audit_login))
+ return -EINVAL;
login = (struct audit_login *)data;
ab = audit_log_start(NULL);
if (ab) {
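Review bot: the same header-length problem applies here: "nlh->nlmsg_len < sizeof(struct audit_login)" lets through a message that is short by NLMSG_HDRLEN bytes before "login = (struct audit_login *)data;" dereferences it; use NLMSG_LENGTH(sizeof(struct audit_login)) in the comparison.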
@@ -384,9 +420,12 @@ static int audit_receive_msg(struct sk_b
login->loginuid);
#endif
break;
- case AUDIT_LIST:
case AUDIT_ADD:
case AUDIT_DEL:
+ if (nlh->nlmsg_len < sizeof(struct audit_rule))
+ return -EINVAL;
+ /* fallthrough */
+ case AUDIT_LIST:
#ifdef CONFIG_AUDITSYSCALL
err = audit_receive_filter(nlh->nlmsg_type, pid, uid, seq,
data);
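Review bot: "nlh->nlmsg_len < sizeof(struct audit_rule)" has the same header omission as the AUDIT_SET and AUDIT_LOGIN checks and should compare against NLMSG_LENGTH(sizeof(struct audit_rule)) before the rule data is handed to audit_receive_filter(). Minor: since msg_type was introduced above, "audit_receive_filter(nlh->nlmsg_type, ..." could pass msg_type for consistency; the "/* fallthrough */" comment on the reordered AUDIT_LIST case is welcome.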
Index: linux-2.6.10/kernel/auditsc.c
===================================================================
--- linux-2.6.10.orig/kernel/auditsc.c 2005-01-14 23:01:10.000000000 -0600
+++ linux-2.6.10/kernel/auditsc.c 2005-01-14 23:01:12.000000000 -0600
@@ -250,8 +250,6 @@ int audit_receive_filter(int type, int p
audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
break;
case AUDIT_ADD:
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
return -ENOMEM;
if (audit_copy_rule(&entry->rule, data)) {
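Review bot: with the capable(CAP_SYS_ADMIN) check removed here, rule addition is guarded only by audit_netlink_ok() at the netlink entry point, so confirm that audit_receive_msg() is the sole caller of audit_receive_filter() (it is a non-static function) and leave a comment at the AUDIT_ADD case, or at the top of audit_receive_filter(), stating that the caller has already verified CAP_AUDIT_CONTROL; otherwise any future caller adds rules unchecked.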
Index: linux-2.6.10/security/dummy.c
===================================================================
--- linux-2.6.10.orig/security/dummy.c 2005-01-14 23:01:10.000000000 -0600
+++ linux-2.6.10/security/dummy.c 2005-01-15 15:14:35.000000000 -0600
@@ -685,10 +685,7 @@ static int dummy_sem_semop (struct sem_a
static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb)
{
- if (current->euid == 0)
- cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
- else
- NETLINK_CB (skb).eff_cap = 0;
+ NETLINK_CB(skb).eff_cap = current->cap_effective;
return 0;
}
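Review bot: eff_cap now carries the sender's whole effective set instead of CAP_NET_ADMIN-for-euid-0, which changes every netlink consumer that tests eff_cap under the dummy module, not only audit: a non-root task holding CAP_NET_ADMIN is now accepted where it was refused before, and a root task that has dropped CAP_NET_ADMIN is now refused. That is the correct capability semantics, but it deserves a sentence in the changelog rather than being implied by "dummy now keeps track of capabilities".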
Index: linux-2.6.10/security/selinux/hooks.c
===================================================================
--- linux-2.6.10.orig/security/selinux/hooks.c 2005-01-14 23:01:10.000000000 -0600
+++ linux-2.6.10/security/selinux/hooks.c 2005-01-14 23:01:12.000000000 -0600
@@ -3502,12 +3502,20 @@ static inline int selinux_nlmsg_perm(str
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- int err = 0;
+ struct task_security_struct *tsec;
+ struct av_decision avd;
+ int err;
- if (capable(CAP_NET_ADMIN))
- cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
- else
- NETLINK_CB(skb).eff_cap = 0;
+ err = secondary_ops->netlink_send(sk, skb);
+ if (err)
+ return err;
+
+ tsec = current->security;
+
+ avd.allowed = 0;
+ (void)avc_has_perm_noaudit(tsec->sid, tsec->sid,
+ SECCLASS_CAPABILITY, ~0, &avd);
+ cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
err = selinux_nlmsg_perm(sk, skb);
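Review bot: "cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed)" relies on the SELinux capability class permission bits lining up one-to-one with the capability numbers, and this patch adds no permissions for the two new bits 29 and 30; unless the policy's capability class (and the generated av_permissions.h) already defines them, avd.allowed never has those bits set, cap_mask() clears them, and every audit control message is refused under SELinux regardless of the sender's capabilities. Add the matching permission definitions and a comment stating the bit-alignment assumption; the "(void)" on avc_has_perm_noaudit() is fine, since requesting ~0 is expected to return a denial and only avd.allowed is used.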
19 years, 11 months
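As an added illustration of the message-length validation in the "Fix audit control message checks" patch above (example code written for this page, not part of the patch or the kernel): a userspace model that builds an AUDIT_SET netlink message and compares the check as written in the patch with one that accounts for the netlink header. The nlmsghdr struct and NLMSG_* macros are re-declared to mirror <linux/netlink.h>, and the audit_status struct is a constructed stand-in whose size is all that matters.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Mirrors struct nlmsghdr and the NLMSG_* macros of <linux/netlink.h>,
 * re-declared so this builds without kernel headers. nlmsg_len is the
 * length of the whole message, header included. */
struct nlmsghdr {
    uint32_t nlmsg_len;
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid;
};
#define NLMSG_ALIGNTO 4
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN ((int)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_LENGTH(len) ((len) + NLMSG_HDRLEN)
#define AUDIT_SET 1001 /* message type number from include/linux/audit.h */

/* Constructed stand-in for the payload AUDIT_SET casts `data` to; only its
 * size (32 bytes) matters here. */
struct audit_status {
    uint32_t mask, enabled, failure, pid;
    uint32_t rate_limit, backlog_limit, lost, backlog;
};
/* Length check as written in the patch: whole-message length vs payload. */
int patch_len_ok(const struct nlmsghdr *nlh)
{
    return nlh->nlmsg_len >= sizeof(struct audit_status);
}

/* Header-aware check: the payload must fit after the aligned header. */
int strict_len_ok(const struct nlmsghdr *nlh)
{
    return nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(struct audit_status));
}

/* Build an AUDIT_SET message with payload_bytes of zeroed payload in a static
 * 4-byte-aligned buffer and run check() on it: 1 accepted, 0 rejected,
 * -1 message too large for the buffer (caller error). */
int accepted_with_payload(int (*check)(const struct nlmsghdr *),
                          size_t payload_bytes)
{
    static uint32_t buf[64];
    struct nlmsghdr hdr = { .nlmsg_len = (uint32_t)NLMSG_LENGTH(payload_bytes),
                            .nlmsg_type = AUDIT_SET };
    if (hdr.nlmsg_len > sizeof buf)
        return -1;
    memset(buf, 0, sizeof buf);
    memcpy(buf, &hdr, sizeof hdr);
    return check((const struct nlmsghdr *)buf);
}
```

A 16-byte payload gives nlmsg_len == sizeof(struct audit_status), so the patch's comparison accepts a message that is 16 bytes short of the struct it is about to cast to.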
Audit capability patch
by Serge Hallyn
Attached is a "final" version of the audit caps patch. I will send this
to lkml tomorrow if noone complains.
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
19 years, 11 months
reporting loginuid on AUDIT_USER message
by Serge Hallyn
Based on earlier discussion, we have a few options:
1. hack netlink to send loginuid along with credentials
2. Get the loginuid from the task struct by pid at audit_receive_msg
(), and require the programs sending AUDIT_USER messages to make sure
that the process does not exit until a reply has been received.
3. Have the user-space programs send loginuid (as received
from /proc/$$/loginuid) in the actual AUDIT_USER message.
Do we have a preference? (1) is the most invasive, and would require
going through netdev, but seems the cleanest to me. On the other hand,
we could just say we're going with (3) as a way to put off having to
make a decision...
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
19 years, 11 months
RE: audit 0.6 release
by Browder, Tom
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com
> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
> Subject: audit 0.6 release
> is getting closer. If you see missing functionality that's
> not on the TODO list in the top directory, let me know. If
> you have patches...even better.
From a newbie trying to satisfy my minimum audit requirements: I've
looked at the source briefly and wonder if you might add to TODO:
1. Add a separate conf file for rules (say, /etc/audit.rules.conf; or
put them in the /etc/auditd.conf file). (Is that the "rules loader"?)
2. Have rules capable of responding to a user by name (or a negation of
user names), exit success of the syscall, and argument to the syscall
(and syscall by name as you already mention in TODO). (You probably do
most of this, I just haven't figured out all the rule rules yet.)
3. Allow user formatting of messages (e.g., eliminate unwanted fields)
4. You mention log rotation in TODO, can't the system logrotate handle
it (through the /etc/logrotate.conf file)?
An example of a rule I want is to report when user X tries
unsuccessfully to unlink a specific file.
I'm at the point where I want to hack the code as is just to get my
minimum requirements, so I'm happy to help out if you can use me.
-Tom Browder
19 years, 11 months