is this message necessary?
by Linda Knippers
As some of us have been experimenting with adding/removing lots of
file system watches, I've noticed that we get one of these messages
in the audit log each time a file system watch is removed, including
during an 'auditctl -D'.
type=CONFIG_CHANGE msg=audit(1131576749.186:1182016): auid=4294967295
removed watch
I'm wondering about the usefulness of this message since it doesn't
identify the watch that's being removed. If we need this message,
shouldn't it identify the watch that's being removed? If we don't need
this message, can we delete it?
-- ljk
18 years, 11 months
[PATCH 1/1] audit: misc bug and warning fixes
by Dustin Kirkland
From: Dustin Kirkland <dustin.kirkland(a)us.ibm.com>
Subject: [PATCH 1/1] audit: misc bug and warning fixes
This patch fixes a couple of bugs revealed in new features recently added to -mm1:
* fixes warnings due to inconsistent use of const struct inode *inode
* fixes bug that prevent a kernel from booting with audit on, and SELinux off
due to a missing function in security/dummy.c
* fixes a bug that throws spurious audit_panic() messages due to a missing return
just before an error_path label
* some reasonable house cleaning in audit_ipc_context(), audit_inode_context(), and
audit_log_task_context()
Signed-off-by: Dustin Kirkland <dustin.kirkland(a)us.ibm.com>
---
David-
This is a patch freshly generated against your current git tree. This
patch incorporates several minor changes that I've put on the list in
the past week (though not in canonical patch format). Once you give
this a look over, I'd appreciate you merging into your git tree soon.
Thanks,
:-Dustin
diff --git a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1121,8 +1121,8 @@ struct security_operations {
int (*inode_getxattr) (struct dentry *dentry, char *name);
int (*inode_listxattr) (struct dentry *dentry);
int (*inode_removexattr) (struct dentry *dentry, char *name);
- char *(*inode_xattr_getsuffix) (void);
- int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err);
+ const char *(*inode_xattr_getsuffix) (void);
+ int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
@@ -1628,7 +1628,7 @@ static inline const char *security_inode
return security_ops->inode_xattr_getsuffix();
}
-static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
+static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
{
if (unlikely (IS_PRIVATE (inode)))
return 0;
@@ -2280,7 +2280,7 @@ static inline const char *security_inode
return NULL ;
}
-static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
+static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
{
return -EOPNOTSUPP;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -888,21 +888,20 @@ static void audit_log_task_context(struc
}
ctx = kmalloc(len, GFP_KERNEL);
- if (!ctx) {
+ if (!ctx)
goto error_path;
- return;
- }
len = security_getprocattr(current, "current", ctx, len);
if (len < 0 )
goto error_path;
audit_log_format(ab, " subj=%s", ctx);
+ return;
error_path:
if (ctx)
kfree(ctx);
- audit_panic("security_getprocattr error in audit_log_task_context");
+ audit_panic("error in audit_log_task_context");
return;
}
@@ -1301,13 +1300,16 @@ void audit_putname(const char *name)
void audit_inode_context(int idx, const struct inode *inode)
{
struct audit_context *context = current->audit_context;
+ const char *suffix = security_inode_xattr_getsuffix();
char *ctx = NULL;
int len = 0;
- if (!security_inode_xattr_getsuffix())
- return;
+ if (!suffix)
+ goto ret;
- len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), NULL, 0, 0);
+ len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
+ if (len == -EOPNOTSUPP)
+ goto ret;
if (len < 0)
goto error_path;
@@ -1315,17 +1317,18 @@ void audit_inode_context(int idx, const
if (!ctx)
goto error_path;
- len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), ctx, len, 0);
+ len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
if (len < 0)
goto error_path;
context->names[idx].ctx = ctx;
- return;
+ goto ret;
error_path:
if (ctx)
kfree(ctx);
audit_panic("error in audit_inode_context");
+ret:
return;
}
@@ -1555,6 +1558,8 @@ char *audit_ipc_context(struct kern_ipc_
return NULL;
len = security_ipc_getsecurity(ipcp, NULL, 0);
+ if (len == -EOPNOTSUPP)
+ goto ret;
if (len < 0)
goto error_path;
@@ -1571,6 +1576,7 @@ char *audit_ipc_context(struct kern_ipc_
error_path:
kfree(ctx);
audit_panic("error in audit_ipc_context");
+ret:
return NULL;
}
diff --git a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -377,7 +377,7 @@ static int dummy_inode_removexattr (stru
return 0;
}
-static int dummy_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
+static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
{
return -EOPNOTSUPP;
}
@@ -392,6 +392,11 @@ static int dummy_inode_listsecurity(stru
return 0;
}
+static const char *dummy_inode_xattr_getsuffix(void)
+{
+ return NULL;
+}
+
static int dummy_file_permission (struct file *file, int mask)
{
return 0;
@@ -895,6 +900,7 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, inode_getxattr);
set_to_dummy_if_null(ops, inode_listxattr);
set_to_dummy_if_null(ops, inode_removexattr);
+ set_to_dummy_if_null(ops, inode_xattr_getsuffix);
set_to_dummy_if_null(ops, inode_getsecurity);
set_to_dummy_if_null(ops, inode_setsecurity);
set_to_dummy_if_null(ops, inode_listsecurity);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2273,7 +2273,7 @@ static const char *selinux_inode_xattr_g
*
* Permission check is handled by selinux_inode_getxattr hook.
*/
-static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
+static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
{
struct inode_security_struct *isec = inode->i_security;
18 years, 11 months
Re: [redhat-lspp] SE Linux messages in current kernel
by Dustin Kirkland
On Thu, 2005-11-10 at 09:06 -0500, Steve Grubb wrote:
> I am using rawhide with all current SE Linux tools & 2.6.14-1.1639.2.2_FC5
> kernel on an x86_64 machine. I am seeing this:
>
> Nov 10 08:47:49 localhost kernel: audit: security_getprocattr error in
> audit_log_task_context
> Nov 10 08:47:52 localhost last message repeated 19 times
>
> Not sure where this is coming from other than kernel. Is someone looking into
> this? Do we want it in bugzilla?
Steve-
I'm looking into this.
:-Dustin
18 years, 11 months
audit 1.1 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Add initial version of audisp. Just a placeholder at this point
- Remove -t option from auditctl
This release is not intended to have a functioning audit event dispatcher. It
currently has a very simple program that simply echos any audit event to
syslog. This is just for proof of concept.
-Steve
18 years, 12 months
[PATCH] (1/2) new audit filter allows excluding messages by type (kernel)
by Dustin Kirkland
Kernel patch is pretty simple, straightforward...
- Add a new, 5th filter called "exclude".
- And add a new field AUDIT_MSGTYPE.
- Define a new function audit_filter_exclude() that takes a message type
as input and examines all rules in the filter. It returns '1' if the
message is to be excluded, and '0' otherwise.
- Call the audit_filter_exclude() function near the top of
audit_log_start() just after asserting audit_initialized. If the
message type is not to be audited, return NULL very early, before doing
a lot of work.
Comments welcome.
:-Dustin
diff -urpN linux-2.6.14-rc4-audit_ops/include/linux/audit.h
linux-2.6.14-rc4-audit_ops-exclude/include/linux/audit.h
--- linux-2.6.14-rc4-audit_ops/include/linux/audit.h 2005-10-26 16:12:42.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops-exclude/include/linux/audit.h 2005-10-31 15:51:02.000000000 -0600
@@ -81,8 +81,9 @@
#define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */
#define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */
#define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
+#define AUDIT_FILTER_EXCLUDE 0x05 /* Apply rule early, at audit_log_start */
-#define AUDIT_NR_FILTERS 5
+#define AUDIT_NR_FILTERS 6
#define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */
@@ -121,6 +122,7 @@
#define AUDIT_LOGINUID 9
#define AUDIT_PERS 10
#define AUDIT_ARCH 11
+#define AUDIT_MSGTYPE 12
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
@@ -265,6 +267,7 @@ extern int audit_sockaddr(int len, void
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
extern void audit_signal_info(int sig, struct task_struct *t);
extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
+extern int audit_filter_exclude(int type);
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
diff -urpN linux-2.6.14-rc4-audit_ops/kernel/audit.c linux-2.6.14-rc4-audit_ops-exclude/kernel/audit.c
--- linux-2.6.14-rc4-audit_ops/kernel/audit.c 2005-10-21 12:35:50.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops-exclude/kernel/audit.c 2005-11-01 16:01:57.000000000 -0600
@@ -659,6 +659,10 @@ struct audit_buffer *audit_log_start(str
if (!audit_initialized)
return NULL;
+ if (unlikely(audit_filter_exclude(type))) {
+ return NULL;
+ }
+
if (gfp_mask & __GFP_WAIT)
reserve = 0;
else
diff -urpN linux-2.6.14-rc4-audit_ops/kernel/auditsc.c linux-2.6.14-rc4-audit_ops-exclude/kernel/auditsc.c
--- linux-2.6.14-rc4-audit_ops/kernel/auditsc.c 2005-10-27 14:17:41.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops-exclude/kernel/auditsc.c 2005-11-01 14:02:25.000000000 -0600
@@ -181,7 +181,8 @@ static struct list_head audit_filter_lis
LIST_HEAD_INIT(audit_filter_list[2]),
LIST_HEAD_INIT(audit_filter_list[3]),
LIST_HEAD_INIT(audit_filter_list[4]),
-#if AUDIT_NR_FILTERS != 5
+ LIST_HEAD_INIT(audit_filter_list[5]),
+#if AUDIT_NR_FILTERS != 6
#error Fix audit_filter_list initialiser
#endif
};
@@ -663,6 +664,33 @@ int audit_filter_user(struct netlink_skb
return ret; /* Audit by default */
}
+int audit_filter_exclude(int type)
+{
+ struct audit_entry *e;
+ int result = 0;
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXCLUDE], list) {
+ struct audit_rule *rule = &e->rule;
+ int i;
+ for (i = 0; i < rule->field_count; i++) {
+ u32 field = rule->fields[i] & ~AUDIT_OPERATORS;
+ u32 op = rule->fields[i] & AUDIT_OPERATORS;
+ u32 value = rule->values[i];
+ if ( field == AUDIT_MSGTYPE ) {
+ result = audit_comparator(type, op, value);
+ if (!result) {
+ rcu_read_unlock();
+ return result;
+ }
+ }
+ }
+ }
+ rcu_read_unlock();
+ return result;
+}
+
+
/* This should be called with task_lock() held. */
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
int return_valid,
18 years, 12 months
[PATCH]: unreachable code block in auditd-sendmail.c
by Dustin Kirkland
There appears to be some error handling deadcode in
src/auditd-sendmail.c. If fd<0, then the function returns and the error
handling code is never reached. This bug was found by Coverity, which I
used to scan the audit code.
Patch attached.
:-Dustin
--- audit-1.0.12/src/auditd-sendmail.c.orig 2005-11-08 15:34:49.931111016 -0600
+++ audit-1.0.12/src/auditd-sendmail.c 2005-11-08 15:35:28.340271936 -0600
@@ -45,15 +45,13 @@ int sendmail(const char *subject, const
int fd;
fd = safe_popen(&pid, mail_acct);
- if (fd < 0)
- return 1;
- mail = fdopen(fd, "w");
if (fd < 0) {
kill(pid, SIGKILL);
close(fd);
audit_msg(LOG_ERR, "Error - starting mail");
return 1;
}
+ mail = fdopen(fd, "w");
fprintf(mail, "To: %s\n", mail_acct);
fprintf(mail, "From: root\n");
18 years, 12 months
Re: 2.6.14-mm1
by Dustin Kirkland
On Mon, 2005-11-07 at 12:19 +0000, David Woodhouse wrote:
> On Mon, 2005-11-07 at 13:00 +0100, Jiri Slaby wrote:
> > There should be something like if (len == -EOPNOTSUPP) goto ret, where ret
> > should be right before return NULL.
>
> Yeah, that would seem to make sense.
>
> > Or am I missing something? David, it's from your tree, do you have any
> > comments, ideas?
>
> At the moment I'm mostly just collecting patches in a repository for
> those working in earnest on LSPP -- particularly when it comes to
> selinux, I'm mostly clueless. Deferring to Dustin, whose code this is.
Ok, I've gotten to the bottom of this "audit on, selinux off" problem
and tested the fix. Attached is a patch against David's current git
tree.
The changes integrate:
- Jiri's suggested handling of EOPNOTSUPP. Avoids audit_panic() calls
in EOPNOTSUPP situations
- David's suggested correction of a couple of warnings (using the const
char* suffix assignment at the top of audit_inode_context())
- And the real reason why this kernel wouldn't boot when SELinux was
off... There was a missing dummy() function that should be stubbed in
and return NULL when SELinux is off.
Thanks for your help reporting this, Jiri. Our linux-audit mailing list
really should have shaken out this bug earlier.
:-Dustin
diff --git a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1121,7 +1121,7 @@ struct security_operations {
int (*inode_getxattr) (struct dentry *dentry, char *name);
int (*inode_listxattr) (struct dentry *dentry);
int (*inode_removexattr) (struct dentry *dentry, char *name);
- char *(*inode_xattr_getsuffix) (void);
+ const char *(*inode_xattr_getsuffix) (void);
int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err);
int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1301,13 +1301,16 @@ void audit_putname(const char *name)
void audit_inode_context(int idx, const struct inode *inode)
{
struct audit_context *context = current->audit_context;
+ const char *suffix = security_inode_xattr_getsuffix();
char *ctx = NULL;
int len = 0;
- if (!security_inode_xattr_getsuffix())
- return;
+ if (!suffix)
+ goto ret;
- len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), NULL, 0, 0);
+ len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
+ if (len == -EOPNOTSUPP)
+ goto ret;
if (len < 0)
goto error_path;
@@ -1315,17 +1318,18 @@ void audit_inode_context(int idx, const
if (!ctx)
goto error_path;
- len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), ctx, len, 0);
+ len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
if (len < 0)
goto error_path;
context->names[idx].ctx = ctx;
- return;
+ goto ret;
error_path:
if (ctx)
kfree(ctx);
audit_panic("error in audit_inode_context");
+ret:
return;
}
@@ -1555,6 +1559,8 @@ char *audit_ipc_context(struct kern_ipc_
return NULL;
len = security_ipc_getsecurity(ipcp, NULL, 0);
+ if (len == -EOPNOTSUPP)
+ goto ret;
if (len < 0)
goto error_path;
@@ -1571,6 +1577,7 @@ char *audit_ipc_context(struct kern_ipc_
error_path:
kfree(ctx);
audit_panic("error in audit_ipc_context");
+ret:
return NULL;
}
diff --git a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -392,6 +392,11 @@ static int dummy_inode_listsecurity(stru
return 0;
}
+static const char *dummy_inode_xattr_getsuffix(void)
+{
+ return NULL;
+}
+
static int dummy_file_permission (struct file *file, int mask)
{
return 0;
@@ -895,6 +900,7 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, inode_getxattr);
set_to_dummy_if_null(ops, inode_listxattr);
set_to_dummy_if_null(ops, inode_removexattr);
+ set_to_dummy_if_null(ops, inode_xattr_getsuffix);
set_to_dummy_if_null(ops, inode_getsecurity);
set_to_dummy_if_null(ops, inode_setsecurity);
set_to_dummy_if_null(ops, inode_listsecurity);
--
Dustin Kirkland <dustin.kirkland(a)us.ibm.com>
18 years, 12 months
audit 1.012 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Add 2 more summary reports
- Add 2 more message types
- Fixed another parsing issue in avc messages
Please let me know if there are any problems with this release.
-Steve
18 years, 12 months
[2.6 patch] kernel/: small cleanups
by Adrian Bunk
This patch contains the following cleanups:
- make needlessly global functions static
- every file should include the headers containing the prototypes for
it's global functions
The rcutorture.c part was already ACK'ed by Paul E. McKenney.
Signed-off-by: Adrian Bunk <bunk(a)stusta.de>
---
This patch was already sent on:
- 30 Oct 2005
kernel/audit.c | 2 +-
kernel/irq/proc.c | 2 ++
kernel/rcutorture.c | 2 +-
kernel/timer.c | 1 +
4 files changed, 5 insertions(+), 2 deletions(-)
--- linux-2.6.14-rc5-mm1-full/kernel/timer.c.old 2005-10-30 02:27:36.000000000 +0200
+++ linux-2.6.14-rc5-mm1-full/kernel/timer.c 2005-10-30 02:27:56.000000000 +0200
@@ -33,6 +33,7 @@
#include <linux/cpu.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
+#include <linux/delay.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
--- linux-2.6.14-rc5-mm1-full/kernel/irq/proc.c.old 2005-10-30 02:31:31.000000000 +0200
+++ linux-2.6.14-rc5-mm1-full/kernel/irq/proc.c 2005-10-30 02:31:48.000000000 +0200
@@ -10,6 +10,8 @@
#include <linux/proc_fs.h>
#include <linux/interrupt.h>
+#include "internals.h"
+
static struct proc_dir_entry *root_irq_dir, *irq_dir[NR_IRQS];
#ifdef CONFIG_SMP
--- linux-2.6.14-rc5-mm1-full/kernel/audit.c.old 2005-10-30 02:33:08.000000000 +0200
+++ linux-2.6.14-rc5-mm1-full/kernel/audit.c 2005-10-30 02:33:15.000000000 +0200
@@ -272,7 +272,7 @@
return old;
}
-int kauditd_thread(void *dummy)
+static int kauditd_thread(void *dummy)
{
struct sk_buff *skb;
--- linux-2.6.14-rc5-mm1-full/kernel/rcutorture.c.old 2005-10-30 02:33:35.000000000 +0200
+++ linux-2.6.14-rc5-mm1-full/kernel/rcutorture.c 2005-10-30 02:33:53.000000000 +0200
@@ -99,7 +99,7 @@
/*
* Allocate an element from the rcu_tortures pool.
*/
-struct rcu_torture *
+static struct rcu_torture *
rcu_torture_alloc(void)
{
struct list_head *p;
18 years, 12 months
Re: 2.6.14-mm1
by Jiri Slaby
Andrew Morton wrote:
>Changes since 2.6.14-rc5-mm1:
>
[...]
> git-audit.patch
There are many errors produced by this patch. I don't have any security model
enabled and in audit_ipc_context security_ipc_getsecurity returns -EOPNOTSUPP,
that causes audit_panic("error in audit_ipc_context");
>char *audit_ipc_context(struct kern_ipc_perm *ipcp)
>{
> struct audit_context *context = current->audit_context;
> char *ctx = NULL;
> int len = 0;
>
> if (likely(!context))
> return NULL;
>
> len = security_ipc_getsecurity(ipcp, NULL, 0);
This fails here with -EOPNOTSUPP, and it goes to the error_path label.
> if (len < 0)
> goto error_path;
>
> ctx = kmalloc(len, GFP_ATOMIC);
> if (!ctx)
> goto error_path;
>
> len = security_ipc_getsecurity(ipcp, ctx, len);
> if (len < 0)
> goto error_path;
>
> return ctx;
>
>error_path:
> if (ctx)
> kfree(ctx);
> audit_panic("error in audit_ipc_context");
> return NULL;
>}
There should be something like if (len == -EOPNOTSUPP) goto ret, where ret
should be right before return NULL. Or am I missing something? David, it's from
your tree, do you have any comments, ideas?
regards,
--
Jiri Slaby www.fi.muni.cz/~xslaby
\_.-^-._ jirislaby(a)gmail.com _.-^-._/
B67499670407CE62ACC8 22A032CC55C339D47A7E
18 years, 12 months