April 2005 - Linux-audit - Linux-Audit List Archives

[PATCH] Race-free auditd shutdown credentials

by Steve Grubb

Hello, The attached patch addresses the problem with getting the shutdown information in a race-free way. It creates a new message type AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the shutdown. It requires the placement of a hook function that gathers the information. The userspace component will be released later in audit 0.7.2. When it receives the TERM signal, it queries the kernel for shutdown information. When it receives it, it writes the message and shutsdown. The message looks like this: type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 uid=525, auditd pid=1685 Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>

19 years, 8 months

2
1
0 / 0

[RFC][PATCH 1/3] (#7U1) file system auditing

by Timothy R. Chavez

Updated patches... Please patch, compile and give a quick test so we can push this all to LKML. Please be weary, these haven't been tested on an SMP machine yet. I'm hoping my changes fixed the deadlock issue, though. [PATCH 1/3] At the bottom of this message, below the changelog, is the kernel patch for file systeming auditing diffed against linux-2.6.12-mm2-rc1 [PATCH 2/3] Kernel patch for the file system auditing diffed against the Redhat 2.6.9 (prep) audit.20 kernel. This patch replaces the linux-2.6.9-auditfs-[1| 2].patch set. Thus, place it in /usr/src/redhat/SOURCES/ and then edit the .spec file accordingly. [PATCH 3/3] This is the updated user space patch. I patched against audit-0.6.10 because it was the fastest for me to do. I'll try to get a audit-0.6.12 patch out tommorrow in the AM. KERNEL CHANGES - Removed audit.h include from fs.h and did a forward declaration of audit_data - Fixed audit_master_watchlist locking - Removed audit_master_* helper functions - Added dput needed for d_lookup in audit_watch_insert - Added audit_filesystem_init() to Redhat/audit.c - Fixed watch listing in Redhat/audit.c - A audit_wentry reference leak was fixed in audit_send_watch() - Changed order of deletion in audit_destroy_entry to preserve correct watch listing - Fixed reference shortage, audit_master_watchlist was not claiming its own reference to the audit_wentry TODO: - I want to change audit_attach_watch to audit_update_watch USER CHANGES - Added all the necessary header information for my piece into libaudit.h rather then assuming its all in /usr/include/linux/audit.h -tim diff -Nurp linux-2.6.12-rc2-mm1~orig/fs/dcache.c linux-2.6.12-rc2-mm1~audit/fs/dcache.c --- linux-2.6.12-rc2-mm1~orig/fs/dcache.c 2005-04-11 14:14:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/fs/dcache.c 2005-04-05 18:16:04.000000000 +0000 @@ -32,6 +32,7 @@ #include <linux/seqlock.h> #include <linux/swap.h> #include <linux/bootmem.h> +#include <linux/audit.h> /* #define DCACHE_DEBUG 1 */ @@ -97,6 +98,7 @@ static inline void dentry_iput(struct de { struct inode *inode = dentry->d_inode; if (inode) { + audit_attach_watch(dentry, 1); dentry->d_inode = NULL; list_del_init(&dentry->d_alias); spin_unlock(&dentry->d_lock); @@ -802,6 +804,7 @@ void d_instantiate(struct dentry *entry, if (inode) list_add(&entry->d_alias, &inode->i_dentry); entry->d_inode = inode; + audit_attach_watch(entry, 0); spin_unlock(&dcache_lock); security_d_instantiate(entry, inode); } @@ -978,6 +981,7 @@ struct dentry *d_splice_alias(struct ino new = __d_find_alias(inode, 1); if (new) { BUG_ON(!(new->d_flags & DCACHE_DISCONNECTED)); + audit_attach_watch(new, 0); spin_unlock(&dcache_lock); security_d_instantiate(new, inode); d_rehash(dentry); @@ -987,6 +991,7 @@ struct dentry *d_splice_alias(struct ino /* d_instantiate takes dcache_lock, so we do it by hand */ list_add(&dentry->d_alias, &inode->i_dentry); dentry->d_inode = inode; + audit_attach_watch(dentry, 0); spin_unlock(&dcache_lock); security_d_instantiate(dentry, inode); d_rehash(dentry); @@ -1090,6 +1095,7 @@ struct dentry * __d_lookup(struct dentry if (!d_unhashed(dentry)) { atomic_inc(&dentry->d_count); found = dentry; + audit_attach_watch(found, 0); } spin_unlock(&dentry->d_lock); break; @@ -1299,6 +1305,8 @@ void d_move(struct dentry * dentry, stru spin_lock(&target->d_lock); } + audit_attach_watch(dentry, 1); + /* Move the dentry to the target hash queue, if on different bucket */ if (dentry->d_flags & DCACHE_UNHASHED) goto already_unhashed; @@ -1332,6 +1340,7 @@ already_unhashed: list_add(&target->d_child, &target->d_parent->d_subdirs); } + audit_attach_watch(dentry, 0); list_add(&dentry->d_child, &dentry->d_parent->d_subdirs); spin_unlock(&target->d_lock); spin_unlock(&dentry->d_lock); diff -Nurp linux-2.6.12-rc2-mm1~orig/fs/inode.c linux-2.6.12-rc2-mm1~audit/fs/inode.c --- linux-2.6.12-rc2-mm1~orig/fs/inode.c 2005-04-11 14:14:37.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/fs/inode.c 2005-04-05 18:16:04.000000000 +0000 @@ -22,6 +22,7 @@ #include <linux/cdev.h> #include <linux/bootmem.h> #include <linux/inotify.h> +#include <linux/audit.h> /* * This is needed for the following functions: @@ -140,9 +141,11 @@ static struct inode *alloc_inode(struct inode->i_bdev = NULL; inode->i_cdev = NULL; inode->i_rdev = 0; + inode->i_audit = NULL; inode->i_security = NULL; inode->dirtied_when = 0; - if (security_inode_alloc(inode)) { + if (audit_inode_alloc(inode) || security_inode_alloc(inode)) { + audit_inode_free(inode); if (inode->i_sb->s_op->destroy_inode) inode->i_sb->s_op->destroy_inode(inode); else @@ -180,6 +183,7 @@ void destroy_inode(struct inode *inode) { if (inode_has_buffers(inode)) BUG(); + audit_inode_free(inode); security_inode_free(inode); if (inode->i_sb->s_op->destroy_inode) inode->i_sb->s_op->destroy_inode(inode); diff -Nurp linux-2.6.12-rc2-mm1~orig/fs/namei.c linux-2.6.12-rc2-mm1~audit/fs/namei.c --- linux-2.6.12-rc2-mm1~orig/fs/namei.c 2005-04-11 14:14:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/fs/namei.c 2005-04-05 18:16:04.000000000 +0000 @@ -225,6 +225,8 @@ int permission(struct inode *inode, int { int retval, submask; + audit_notify_watch(inode, mask); + if (mask & MAY_WRITE) { umode_t mode = inode->i_mode; @@ -358,6 +360,8 @@ static inline int exec_permission_lite(s if (inode->i_op && inode->i_op->permission) return -EAGAIN; + audit_notify_watch(inode, MAY_EXEC); + if (current->fsuid == inode->i_uid) mode >>= 6; else if (in_group_p(inode->i_gid)) @@ -1172,6 +1176,8 @@ static inline int may_delete(struct inod BUG_ON(victim->d_parent->d_inode != dir); + audit_notify_watch(victim->d_inode, MAY_WRITE); + error = permission(dir,MAY_WRITE | MAY_EXEC, NULL); if (error) return error; @@ -1296,6 +1302,7 @@ int vfs_create(struct inode *dir, struct DQUOT_INIT(dir); error = dir->i_op->create(dir, dentry, mode, nd); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_create(dir, dentry->d_name.name); security_inode_post_create(dir, dentry, mode); } @@ -1601,6 +1608,7 @@ int vfs_mknod(struct inode *dir, struct DQUOT_INIT(dir); error = dir->i_op->mknod(dir, dentry, mode, dev); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_create(dir, dentry->d_name.name); security_inode_post_mknod(dir, dentry, mode, dev); } @@ -1674,6 +1682,7 @@ int vfs_mkdir(struct inode *dir, struct DQUOT_INIT(dir); error = dir->i_op->mkdir(dir, dentry, mode); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_mkdir(dir, dentry->d_name.name); security_inode_post_mkdir(dir,dentry, mode); } @@ -1915,6 +1924,7 @@ int vfs_symlink(struct inode *dir, struc DQUOT_INIT(dir); error = dir->i_op->symlink(dir, dentry, oldname); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_create(dir, dentry->d_name.name); security_inode_post_symlink(dir, dentry, oldname); } @@ -1988,6 +1998,7 @@ int vfs_link(struct dentry *old_dentry, error = dir->i_op->link(old_dentry, dir, new_dentry); up(&old_dentry->d_inode->i_sem); if (!error) { + audit_notify_watch(new_dentry->d_inode, MAY_WRITE); fsnotify_create(dir, new_dentry->d_name.name); security_inode_post_link(old_dentry, dir, new_dentry); } @@ -2111,6 +2122,7 @@ int vfs_rename_dir(struct inode *old_dir } if (!error) { d_move(old_dentry,new_dentry); + audit_notify_watch(old_dentry->d_inode, MAY_WRITE); security_inode_post_rename(old_dir, old_dentry, new_dir, new_dentry); } @@ -2139,6 +2151,7 @@ int vfs_rename_other(struct inode *old_d /* The following d_move() should become unconditional */ if (!(old_dir->i_sb->s_type->fs_flags & FS_ODD_RENAME)) d_move(old_dentry, new_dentry); + audit_notify_watch(old_dentry->d_inode, MAY_WRITE); security_inode_post_rename(old_dir, old_dentry, new_dir, new_dentry); } if (target) diff -Nurp linux-2.6.12-rc2-mm1~orig/include/linux/audit.h linux-2.6.12-rc2-mm1~audit/include/linux/audit.h --- linux-2.6.12-rc2-mm1~orig/include/linux/audit.h 2005-04-11 14:15:03.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/include/linux/audit.h 2005-04-20 22:19:35.000000000 +0000 @@ -24,18 +24,27 @@ #ifndef _LINUX_AUDIT_H_ #define _LINUX_AUDIT_H_ +#ifdef __KERNEL__ #include <linux/sched.h> #include <linux/elf.h> +#include <linux/list.h> +#include <linux/spinlock.h> +#include <asm/atomic.h> +#endif + /* Request and reply types */ -#define AUDIT_GET 1000 /* Get status */ -#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ -#define AUDIT_LIST 1002 /* List filtering rules */ -#define AUDIT_ADD 1003 /* Add filtering rule */ -#define AUDIT_DEL 1004 /* Delete filtering rule */ -#define AUDIT_USER 1005 /* Send a message from user-space */ -#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ -#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ +#define AUDIT_GET 1000 /* Get status */ +#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ +#define AUDIT_LIST 1002 /* List filtering rules */ +#define AUDIT_ADD 1003 /* Add filtering rule */ +#define AUDIT_DEL 1004 /* Delete filtering rule */ +#define AUDIT_USER 1005 /* Send a message from user-space */ +#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ +#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ +#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ +#define AUDIT_WATCH_LIST 1009 /* List all watches */ +#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ /* Rule flags */ #define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ @@ -132,6 +141,9 @@ #define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE) #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +/* 32 byte max key size */ +#define AUDIT_FILTERKEY_MAX 32 + #ifndef __KERNEL__ struct audit_message { struct nlmsghdr nlh; @@ -159,8 +171,42 @@ struct audit_rule { /* for AUDIT_LIST, __u32 values[AUDIT_MAX_FIELDS]; }; +/* Structure to transport watch data to and from the kernel */ + +struct audit_transport { + __u32 dev_major; + __u32 dev_minor; + __u32 perms; + __u32 valid; + __u32 pathlen; + __u32 fklen; + char buf[0]; +}; + #ifdef __KERNEL__ +struct audit_data { + struct audit_wentry *wentry; + struct hlist_head watchlist; + rwlock_t lock; +}; + +struct audit_watch { + dev_t dev; /* Superblock device */ + __u32 perms; /* Permissions filtering */ + char *name; /* Watch point beneath parent */ + char *path; /* Insertion path */ + char *filterkey; /* An arbitrary filtering key */ +}; + +struct audit_wentry { + struct hlist_node w_node; + struct hlist_node w_master; + struct audit_watch *w_watch; + atomic_t w_count; + +}; + struct audit_buffer; struct audit_context; struct inode; @@ -190,6 +236,7 @@ extern void audit_get_stamp(struct audit extern int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); +extern int audit_notify_watch(struct inode *inode, int mask); #else #define audit_alloc(t) ({ 0; }) #define audit_free(t) do { ; } while (0) @@ -200,6 +247,28 @@ extern int audit_ipc_perms(unsigned long #define audit_inode(n,i) do { ; } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_ipc_perms(q,u,g,m) ({ 0; }) +#define audit_notify_watch(i,m) ({ 0; }) +#endif + +#ifdef CONFIG_AUDITFILESYSTEM +extern int audit_list_watches(int pid, int seq); +extern int audit_receive_watch(int type, int pid, int uid, int seq, + struct audit_transport *req); +extern int audit_filesystem_init(void); +extern int audit_inode_alloc(struct inode *inode); +extern void audit_inode_free(struct inode *inode); +extern void audit_attach_watch(struct dentry *dentry, int remove); +extern void audit_wentry_put(struct audit_wentry *wentry); +extern struct audit_wentry *audit_wentry_get(struct audit_wentry *wentry); +#else +#define audit_list_watches(p,s) ({ 0; }) +#define audit_receive_watch(t,p,u,s,r) ({ -EOPNOTSUPP; }) +#define audit_filesystem_init() ({ 0; }) +#define audit_inode_alloc(i) ({ 0; }) +#define audit_inode_free(i) do { ; } while(0) +#define audit_attach_watch(d,r) do { ; } while (0) +#define audit_wentry_put(w) do { ; } while(0) +#define audit_wentry_get(w) ({ 0; }) #endif #ifdef CONFIG_AUDIT diff -Nurp linux-2.6.12-rc2-mm1~orig/include/linux/fs.h linux-2.6.12-rc2-mm1~audit/include/linux/fs.h --- linux-2.6.12-rc2-mm1~orig/include/linux/fs.h 2005-04-11 14:15:02.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/include/linux/fs.h 2005-04-20 22:20:32.000000000 +0000 @@ -226,6 +226,7 @@ struct poll_table_struct; struct kstatfs; struct vm_area_struct; struct vfsmount; +struct audit_data; /* Used to be a macro which just called the function, now just a function */ extern void update_atime (struct inode *); @@ -477,6 +478,7 @@ struct inode { struct semaphore inotify_sem; /* protects the watches list */ #endif + struct audit_data *i_audit; unsigned long i_state; unsigned long dirtied_when; /* jiffies of first dirtying */ diff -Nurp linux-2.6.12-rc2-mm1~orig/init/Kconfig linux-2.6.12-rc2-mm1~audit/init/Kconfig --- linux-2.6.12-rc2-mm1~orig/init/Kconfig 2005-04-11 14:15:38.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/init/Kconfig 2005-04-05 18:16:26.000000000 +0000 @@ -198,6 +198,16 @@ config AUDITSYSCALL can be used independently or with another kernel subsystem, such as SELinux. +config AUDITFILESYSTEM + bool "Enable file system auditing support" + depends on AUDITSYSCALL + default n + help + Enable file system auditing for regular files and directories. + When a targeted file or directory is accessed, an audit record + is generated describing the inode accessed, how it was accessed, + and by whom (ie: pid and system call). + config HOTPLUG bool "Support for hot-pluggable devices" if !ARCH_S390 default ARCH_S390 diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/Makefile linux-2.6.12-rc2-mm1~audit/kernel/Makefile --- linux-2.6.12-rc2-mm1~orig/kernel/Makefile 2005-04-11 14:15:35.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/Makefile 2005-04-05 18:21:20.000000000 +0000 @@ -25,6 +25,7 @@ obj-$(CONFIG_IKCONFIG_PROC) += configs.o obj-$(CONFIG_STOP_MACHINE) += stop_machine.o obj-$(CONFIG_AUDIT) += audit.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o +obj-$(CONFIG_AUDITFILESYSTEM) += auditfs.o obj-$(CONFIG_KPROBES) += kprobes.o obj-$(CONFIG_SYSFS) += ksysfs.o obj-$(CONFIG_DETECT_SOFTLOCKUP) += softlockup.o diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/audit.c linux-2.6.12-rc2-mm1~audit/kernel/audit.c --- linux-2.6.12-rc2-mm1~orig/kernel/audit.c 2005-04-11 14:15:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/audit.c 2005-04-21 20:58:37.000000000 +0000 @@ -322,6 +322,8 @@ static int audit_netlink_ok(kernel_cap_t case AUDIT_SET: case AUDIT_ADD: case AUDIT_DEL: + case AUDIT_WATCH_INS: + case AUDIT_WATCH_REM: if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) err = -EPERM; break; @@ -410,12 +412,23 @@ static int audit_receive_msg(struct sk_b /* fallthrough */ case AUDIT_LIST: #ifdef CONFIG_AUDITSYSCALL + err = audit_list_watches(NETLINK_CB(skb).pid, seq); + if (err < 0) + break; err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, uid, seq, data); #else err = -EOPNOTSUPP; #endif break; + case AUDIT_WATCH_INS: + case AUDIT_WATCH_REM: + if (nlh->nlmsg_len < sizeof(struct audit_transport)) + return -EINVAL; + err = audit_receive_watch(nlh->nlmsg_type, + NETLINK_CB(skb).pid, + uid, seq, data); + break; default: err = -EINVAL; break; @@ -560,6 +573,7 @@ static int __init audit_init(void) audit_initialized = 1; audit_enabled = audit_default; + audit_filesystem_init(); audit_log(NULL, "initialized"); return 0; } diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/auditfs.c linux-2.6.12-rc2-mm1~audit/kernel/auditfs.c --- linux-2.6.12-rc2-mm1~orig/kernel/auditfs.c 1970-01-01 00:00:00.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/auditfs.c 2005-04-20 21:49:05.000000000 +0000 @@ -0,0 +1,542 @@ +/* auditfs.c -- Filesystem auditing support -*- linux-c -*- + * Implements filesystem auditing support, depends on kernel/auditsc.c + * + * Copyright 2005 International Business Machines Corp. (IBM) + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + * 02111-1307 USA + * + * Written by Timothy R. Chavez <chavezt(a)us.ibm.com> + * + */ + +#include <linux/init.h> +#include <linux/fs.h> +#include <linux/sched.h> +#include <linux/kernel.h> +#include <linux/namei.h> +#include <linux/mount.h> +#include <linux/list.h> +#include <linux/slab.h> +#include <linux/audit.h> +#include <asm/uaccess.h> + +kmem_cache_t *audit_watch_cache; +kmem_cache_t *audit_wentry_cache; + +spinlock_t audit_master_watchlist_lock; +HLIST_HEAD(audit_master_watchlist); + + +/* Private Interface */ + +static inline struct audit_wentry *audit_wentry_fetch(const char *name, + struct audit_data *data) +{ + struct audit_wentry *wentry, *ret = NULL; + struct hlist_node *pos; + + hlist_for_each_entry(wentry, pos, &data->watchlist, w_node) + if(!strcmp(wentry->w_watch->name, name)) { + ret = audit_wentry_get(wentry); + break; + } + + return ret; +} + +static inline struct audit_wentry *audit_wentry_fetch_lock(const char *name, + struct audit_data *data) +{ + struct audit_wentry *ret = NULL; + + if (name && data) { + read_lock(&data->lock); + ret = audit_wentry_fetch(name, data); + read_unlock(&data->lock); + } + + return ret; +} + +static inline struct audit_watch *audit_watch_alloc(void) +{ + struct audit_watch *watch; + + watch = kmem_cache_alloc(audit_watch_cache, GFP_KERNEL); + if (watch) { + watch->name = NULL; + watch->filterkey = NULL; + watch->perms = 0; + } + + return watch; +} + +static inline void audit_watch_free(struct audit_watch *watch) +{ + if (watch) { + kfree(watch->name); + kfree(watch->path); + kfree(watch->filterkey); + kmem_cache_free(audit_watch_cache, watch); + } +} + +static inline struct audit_watch *audit_create_watch(const char *path, + const char *name, + const char *filterkey, + __u32 perms, dev_t dev) +{ + struct audit_watch *err = NULL; + struct audit_watch *watch = NULL; + + err = ERR_PTR(-ENOMEM); + watch = audit_watch_alloc(); + if (watch) { + watch->path = kmalloc(strlen(path)+1, GFP_KERNEL); + if (!watch->path) + goto audit_create_watch_fail; + strcpy(watch->path, path); + watch->name = kmalloc(strlen(name)+1, GFP_KERNEL); + if (!watch->name) + goto audit_create_watch_fail; + strcpy(watch->name, name); + + if (filterkey) { + watch->filterkey = kmalloc(strlen(filterkey)+1, + GFP_KERNEL); + if (!watch->filterkey) + goto audit_create_watch_fail; + strcpy(watch->filterkey, filterkey); + } + + watch->dev = dev; + watch->perms = perms; + + goto audit_create_watch_exit; + } + + +audit_create_watch_fail: + audit_watch_free(watch); + watch = err; +audit_create_watch_exit: + return watch; +} + +static inline struct audit_wentry *audit_wentry_alloc(void) +{ + struct audit_wentry *wentry; + + wentry = kmem_cache_alloc(audit_wentry_cache, GFP_KERNEL); + if (wentry) { + atomic_set(&wentry->w_count, 1); + wentry->w_watch = NULL; + } + + return wentry; +} + +static inline void audit_wentry_free(struct audit_wentry *wentry) +{ + if (wentry) { + audit_watch_free(wentry->w_watch); + kmem_cache_free(audit_wentry_cache, wentry); + } +} + +/* The only time the new wentry gets updated is when it is inaccessible + * (out of the list). + */ +static inline int audit_create_wentry(const char *path, + const char *name, + const char *filterkey, + __u32 perms, dev_t dev, + struct audit_data *data) +{ + int ret; + struct audit_wentry *wentry = NULL; + struct audit_wentry *new = NULL; + + ret = -ENOMEM; + new = audit_wentry_alloc(); + if (!new) + goto audit_create_wentry_fail; + + new->w_watch = audit_create_watch(path, name, filterkey, perms, dev); + if (IS_ERR(new->w_watch)) { + ret = PTR_ERR(new->w_watch); + new->w_watch = NULL; + goto audit_create_wentry_fail; + } + + ret = 0; + write_lock(&data->lock); + wentry = audit_wentry_fetch(name, data); + if (!wentry) { + spin_lock(&audit_master_watchlist_lock); + new = audit_wentry_get(new); + hlist_add_head(&new->w_master, &audit_master_watchlist); + spin_unlock(&audit_master_watchlist_lock); + hlist_add_head(&new->w_node, &data->watchlist); + write_unlock(&data->lock); + goto audit_create_wentry_exit; + } + audit_wentry_put(wentry); + write_unlock(&data->lock); + + ret = -EEXIST; + +audit_create_wentry_fail: + audit_wentry_put(new); +audit_create_wentry_exit: + return ret; +} + +/* Caller must hold watchlist_lock */ + +static inline void audit_destroy_wentry(struct audit_wentry *wentry) +{ + if (wentry) { + spin_lock(&audit_master_watchlist_lock); + hlist_del_init(&wentry->w_master); + audit_wentry_put(wentry); + spin_unlock(&audit_master_watchlist_lock); + hlist_del_init(&wentry->w_node); + audit_wentry_put(wentry); + } +} + + +/* Caller must hold data->lock */ + +static inline void audit_drain_watchlist(struct audit_data *data) +{ + struct audit_wentry *wentry; + struct hlist_node *pos, *buf; + + hlist_for_each_entry_safe(wentry, pos, buf, &data->watchlist, w_node) + audit_destroy_wentry(wentry); +} + +static inline struct audit_data *audit_data_alloc(void) +{ + struct audit_data *data; + + data = kmalloc(sizeof(struct audit_data), GFP_KERNEL); + if (data) { + data->wentry = NULL; + INIT_HLIST_HEAD(&data->watchlist); + data->lock = RW_LOCK_UNLOCKED; + } + + return data; +} + +static inline void audit_data_free(struct audit_data *data) +{ + if (data) { + write_lock(&data->lock); + audit_drain_watchlist(data); + audit_wentry_put(data->wentry); + write_unlock(&data->lock); + kfree(data); + } +} + +static inline int audit_insert_watch(char *path, char *filterkey, __u32 perms) +{ + int ret; + struct nameidata nd; + + ret = path_lookup(path, LOOKUP_PARENT, &nd); + if (ret < 0) + goto audit_insert_watch_exit; + + ret = -EPERM; + if (nd.last_type != LAST_NORM || !nd.last.name) + goto audit_insert_watch_release; + + ret = audit_create_wentry(path, nd.last.name, filterkey, perms, + nd.dentry->d_inode->i_sb->s_dev, + nd.dentry->d_inode->i_audit); + /* __d_lookup will attach the audit data, if nd.last exists. */ + dput(d_lookup(nd.dentry, &nd.last)); + +audit_insert_watch_release: + path_release(&nd); +audit_insert_watch_exit: + return ret; +} + +static inline int audit_remove_watch(char *path) +{ + int ret; + struct nameidata nd; + struct audit_data *data; + struct audit_wentry *wentry; + + ret = path_lookup(path, LOOKUP_PARENT, &nd); + if (ret < 0) + goto audit_remove_watch_exit; + + ret = -EPERM; + if (nd.last_type != LAST_NORM || !nd.last.name) + goto audit_remove_watch_release; + + data = nd.dentry->d_inode->i_audit; + + write_lock(&data->lock); + wentry = audit_wentry_fetch(nd.last.name, data); + if (!wentry) { + write_unlock(&data->lock); + goto audit_remove_watch_release; + } + audit_destroy_wentry(wentry); + audit_wentry_put(wentry); + write_unlock(&data->lock); + + ret = 0; + +audit_remove_watch_release: + path_release(&nd); +audit_remove_watch_exit: + return ret; +} + +struct audit_wentry *audit_wentry_get(struct audit_wentry *wentry) +{ + if (wentry) { + BUG_ON(!atomic_read(&wentry->w_count)); + atomic_inc(&wentry->w_count); + } + + return wentry; +} + +void audit_wentry_put(struct audit_wentry *wentry) +{ + if (wentry && atomic_dec_and_test(&wentry->w_count)) + audit_wentry_free(wentry); +} + +/* + * Hook appears in fs/dcache.c: + * d_move(), + * d_delete(), + * d_instantiate(), + * d_splice_alias() + * __d_lookup() + */ +void audit_attach_watch(struct dentry *dentry, int remove) +{ + struct audit_wentry *wentry; + struct audit_data *data, *parent; + + if (!dentry || !dentry->d_inode) + return; + + if (!dentry->d_parent || !dentry->d_parent->d_inode) + return; + + data = dentry->d_inode->i_audit; + parent = dentry->d_parent->d_inode->i_audit; + + wentry = audit_wentry_fetch_lock(dentry->d_name.name, parent); + + write_lock(&data->lock); + /* FIXME: long watchlist == too much spinning? */ + if (remove) { + audit_drain_watchlist(data); + if (wentry && data->wentry) { + if (!strcmp(wentry->w_watch->name, + data->wentry->w_watch->name)) { + audit_wentry_put(data->wentry); + dentry->d_inode->i_audit->wentry = NULL; + } + } + } else if (!data->wentry || hlist_unhashed(&data->wentry->w_node)) { + audit_wentry_put(data->wentry); + dentry->d_inode->i_audit->wentry = audit_wentry_get(wentry); + } + audit_wentry_put(wentry); + write_unlock(&data->lock); +} + +int audit_send_watch(int pid, int seq, struct audit_watch *watch) +{ + int ret; + void *memblk; + unsigned int offset; + unsigned int total; + struct audit_data *data; + struct audit_wentry *wentry; + struct audit_transport req; + struct nameidata nd; + + req.valid = 0; + req.dev_major = MAJOR(watch->dev); + req.dev_minor = MINOR(watch->dev); + req.perms = watch->perms; + req.pathlen = strlen(watch->path) + 1; + if (watch->filterkey) + req.fklen = strlen(watch->filterkey) + 1; + else + req.fklen = 0; + + ret = -ENOMEM; + total = sizeof(req) + req.pathlen + req.fklen; + memblk = kmalloc(total, GFP_KERNEL); + if (!memblk) + goto audit_send_watch_exit; + + /* See if path to watch is valid */ + ret = path_lookup(watch->path, LOOKUP_PARENT, &nd); + if (!ret) { + data = nd.dentry->d_inode->i_audit; + wentry = audit_wentry_fetch_lock(watch->name, data); + if (wentry && nd.dentry->d_inode->i_sb->s_dev == watch->dev) + req.valid = 1; + audit_wentry_put(wentry); + path_release(&nd); + } + + /* Payload */ + memcpy(memblk, &req, sizeof(req)); + offset = total - req.fklen; + memcpy(memblk + offset, watch->filterkey, req.fklen); + offset = offset - req.pathlen; + memcpy(memblk + offset, watch->path, req.pathlen); + + audit_send_reply(pid, seq, AUDIT_WATCH_LIST, 0, 1, memblk, total); + + kfree(memblk); + +audit_send_watch_exit: + return ret; +} + +int audit_list_watches(int pid, int seq) +{ + int ret = 0; + struct audit_wentry *wentry; + struct hlist_node *pos; + + spin_lock(&audit_master_watchlist_lock); + hlist_for_each_entry(wentry, pos, &audit_master_watchlist, w_master) { + ret = audit_send_watch(pid, seq, wentry->w_watch); + if (ret < 0) + break; + } + spin_unlock(&audit_master_watchlist_lock); + + audit_send_reply(pid, seq, AUDIT_WATCH_LIST, 1, 1, NULL, 0); + + return ret; +} + +int audit_receive_watch(int type, int pid, int uid, int seq, + struct audit_transport *req) +{ + int ret = 0; + char *path = NULL; + char *filterkey = NULL; + + ret = -ENOMEM; + path = kmalloc(req->pathlen, GFP_KERNEL); + if (!path) + goto audit_receive_watch_exit; + strncpy(path, req->buf, req->pathlen); + + if (req->fklen) { + filterkey = kmalloc(req->fklen, GFP_KERNEL); + if (!filterkey) + goto audit_receive_watch_exit; + } + strncpy(filterkey, req->buf+req->pathlen, req->fklen); + + ret = -EINVAL; + if (!path || strlen(path) + 1 > PATH_MAX) + goto audit_receive_watch_exit; + + /* Includes terminating '\0' */ + if (req->fklen > AUDIT_FILTERKEY_MAX) + goto audit_receive_watch_exit; + + if (req->perms > (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND)) + goto audit_receive_watch_exit; + + switch (type) { + case AUDIT_WATCH_INS: + ret = audit_insert_watch(path, filterkey, req->perms); + break; + case AUDIT_WATCH_REM: + ret = audit_remove_watch(path); + break; + default: + ret = -EINVAL; + } + +audit_receive_watch_exit: + kfree(path); + kfree(filterkey); + return ret; +} + +int audit_inode_alloc(struct inode *inode) +{ + if (inode) { + inode->i_audit = audit_data_alloc(); + if (!inode->i_audit) + return ENOMEM; + } + + return 0; +} + +void audit_inode_free(struct inode *inode) +{ + if (inode) + audit_data_free(inode->i_audit); +} + +int audit_filesystem_init() +{ + int ret = 0; + + audit_watch_cache = + kmem_cache_create("audit_watch_cache", + sizeof(struct audit_watch), 0, 0, NULL, NULL); + if (!audit_watch_cache) + goto audit_filesystem_init_fail; + + audit_wentry_cache = + kmem_cache_create("audit_wentry_cache", + sizeof(struct audit_wentry), 0, 0, NULL, NULL); + if (!audit_wentry_cache) + goto audit_filesystem_init_fail; + + goto audit_filesystem_init_exit; + +audit_filesystem_init_fail: + ret = -ENOMEM; + kmem_cache_destroy(audit_watch_cache); + kmem_cache_destroy(audit_wentry_cache); +audit_filesystem_init_exit: + return ret; + +} diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/auditsc.c linux-2.6.12-rc2-mm1~audit/kernel/auditsc.c --- linux-2.6.12-rc2-mm1~orig/kernel/auditsc.c 2005-04-11 14:15:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/auditsc.c 2005-04-20 22:03:02.000000000 +0000 @@ -102,6 +102,7 @@ struct audit_aux_data { }; #define AUDIT_AUX_IPCPERM 0 +#define AUDIT_AUX_WATCH 1 struct audit_aux_data_ipcctl { struct audit_aux_data d; @@ -112,6 +113,16 @@ struct audit_aux_data_ipcctl { mode_t mode; }; +struct audit_aux_data_watched { + struct audit_aux_data link; + struct audit_wentry *wentry; + unsigned long ino; + int mask; + uid_t uid; + gid_t gid; + dev_t dev; + dev_t rdev; +}; /* The per-task audit context. */ struct audit_context { @@ -665,6 +676,24 @@ static void audit_log_exit(struct audit_ audit_log_format(ab, " qbytes=%lx uid=%d gid=%d mode=%x", axi->qbytes, axi->uid, axi->gid, axi->mode); + break; + } + + case AUDIT_AUX_WATCH: { + struct audit_aux_data_watched *axi = (void *)aux; + audit_log_format(ab, " watch="); + audit_log_untrustedstring(ab, axi->wentry->w_watch->name); + audit_log_format(ab, + " filterkey=%s perm=%u perm_mask=%d" + " inode=%lu inode_uid=%d inode_gid=%d" + " inode_dev=%02x:%02x inode_rdev=%02x:%02x", + axi->wentry->w_watch->filterkey, + axi->wentry->w_watch->perms, + axi->mask, axi->ino, axi->uid, axi->gid, + MAJOR(axi->dev), MINOR(axi->dev), + MAJOR(axi->rdev), MINOR(axi->rdev)); + audit_wentry_put(axi->wentry); + break; } } audit_log_end(ab); @@ -1024,3 +1053,52 @@ int audit_ipc_perms(unsigned long qbytes context->aux = (void *)ax; return 0; } + +int audit_notify_watch(struct inode *inode, int mask) +{ + int ret = 0; + struct audit_context *context = current->audit_context; + struct audit_aux_data_watched *ax; + struct audit_wentry *wentry = NULL; + + if (likely(!context)) + goto audit_notify_watch_fail; + + if (!inode) + goto audit_notify_watch_fail; + + wentry = audit_wentry_get(inode->i_audit->wentry); + if (!wentry) + goto audit_notify_watch_fail; + + if (mask && (wentry->w_watch->perms && !(wentry->w_watch->perms&mask))) + goto audit_notify_watch_fail; + + ret = -ENOMEM; + ax = kmalloc(sizeof(*ax), GFP_KERNEL); + if (!ax) + goto audit_notify_watch_fail; + + ret = 0; + if (context->in_syscall && !context->auditable) + context->auditable = 1; + + ax->wentry = wentry; + ax->mask = mask; + ax->ino = inode->i_ino; + ax->uid = inode->i_uid; + ax->gid = inode->i_gid; + ax->dev = inode->i_sb->s_dev; + ax->rdev = inode->i_rdev; + + ax->link.type = AUDIT_AUX_WATCH; + ax->link.next = context->aux; + context->aux = (void *)ax; + + goto audit_notify_watch_exit; + +audit_notify_watch_fail: + audit_wentry_put(wentry); +audit_notify_watch_exit: + return ret; +} diff -Nurp linux-2.6.12-rc2-mm1~orig/security/selinux/nlmsgtab.c linux-2.6.12-rc2-mm1~audit/security/selinux/nlmsgtab.c --- linux-2.6.12-rc2-mm1~orig/security/selinux/nlmsgtab.c 2005-04-11 14:15:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/security/selinux/nlmsgtab.c 2005-04-05 22:58:51.000000000 +0000 @@ -98,6 +98,9 @@ static struct nlmsg_perm nlmsg_audit_per { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_LOGIN, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_WATCH_INS, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_WATCH_REM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_WATCH_LIST, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, };

19 years, 8 months

5
17
0 / 0

[RFC][PATCH] (#7U2) [linux-2.6.12-rc2-mm1] file system auditing

by Timothy R. Chavez

Hello, This is an updated patch with the spinlock correctly defined. I'm assuming both oops Stephen reported were the same one (since the spinlock would be used in both cases). -tim diff -Nurp linux-2.6.12-rc2-mm1~orig/fs/dcache.c linux-2.6.12-rc2-mm1~audit/fs/dcache.c --- linux-2.6.12-rc2-mm1~orig/fs/dcache.c 2005-04-11 14:14:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/fs/dcache.c 2005-04-05 18:16:04.000000000 +0000 @@ -32,6 +32,7 @@ #include <linux/seqlock.h> #include <linux/swap.h> #include <linux/bootmem.h> +#include <linux/audit.h> /* #define DCACHE_DEBUG 1 */ @@ -97,6 +98,7 @@ static inline void dentry_iput(struct de { struct inode *inode = dentry->d_inode; if (inode) { + audit_attach_watch(dentry, 1); dentry->d_inode = NULL; list_del_init(&dentry->d_alias); spin_unlock(&dentry->d_lock); @@ -802,6 +804,7 @@ void d_instantiate(struct dentry *entry, if (inode) list_add(&entry->d_alias, &inode->i_dentry); entry->d_inode = inode; + audit_attach_watch(entry, 0); spin_unlock(&dcache_lock); security_d_instantiate(entry, inode); } @@ -978,6 +981,7 @@ struct dentry *d_splice_alias(struct ino new = __d_find_alias(inode, 1); if (new) { BUG_ON(!(new->d_flags & DCACHE_DISCONNECTED)); + audit_attach_watch(new, 0); spin_unlock(&dcache_lock); security_d_instantiate(new, inode); d_rehash(dentry); @@ -987,6 +991,7 @@ struct dentry *d_splice_alias(struct ino /* d_instantiate takes dcache_lock, so we do it by hand */ list_add(&dentry->d_alias, &inode->i_dentry); dentry->d_inode = inode; + audit_attach_watch(dentry, 0); spin_unlock(&dcache_lock); security_d_instantiate(dentry, inode); d_rehash(dentry); @@ -1090,6 +1095,7 @@ struct dentry * __d_lookup(struct dentry if (!d_unhashed(dentry)) { atomic_inc(&dentry->d_count); found = dentry; + audit_attach_watch(found, 0); } spin_unlock(&dentry->d_lock); break; @@ -1299,6 +1305,8 @@ void d_move(struct dentry * dentry, stru spin_lock(&target->d_lock); } + audit_attach_watch(dentry, 1); + /* Move the dentry to the target hash queue, if on different bucket */ if (dentry->d_flags & DCACHE_UNHASHED) goto already_unhashed; @@ -1332,6 +1340,7 @@ already_unhashed: list_add(&target->d_child, &target->d_parent->d_subdirs); } + audit_attach_watch(dentry, 0); list_add(&dentry->d_child, &dentry->d_parent->d_subdirs); spin_unlock(&target->d_lock); spin_unlock(&dentry->d_lock); diff -Nurp linux-2.6.12-rc2-mm1~orig/fs/inode.c linux-2.6.12-rc2-mm1~audit/fs/inode.c --- linux-2.6.12-rc2-mm1~orig/fs/inode.c 2005-04-11 14:14:37.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/fs/inode.c 2005-04-05 18:16:04.000000000 +0000 @@ -22,6 +22,7 @@ #include <linux/cdev.h> #include <linux/bootmem.h> #include <linux/inotify.h> +#include <linux/audit.h> /* * This is needed for the following functions: @@ -140,9 +141,11 @@ static struct inode *alloc_inode(struct inode->i_bdev = NULL; inode->i_cdev = NULL; inode->i_rdev = 0; + inode->i_audit = NULL; inode->i_security = NULL; inode->dirtied_when = 0; - if (security_inode_alloc(inode)) { + if (audit_inode_alloc(inode) || security_inode_alloc(inode)) { + audit_inode_free(inode); if (inode->i_sb->s_op->destroy_inode) inode->i_sb->s_op->destroy_inode(inode); else @@ -180,6 +183,7 @@ void destroy_inode(struct inode *inode) { if (inode_has_buffers(inode)) BUG(); + audit_inode_free(inode); security_inode_free(inode); if (inode->i_sb->s_op->destroy_inode) inode->i_sb->s_op->destroy_inode(inode); diff -Nurp linux-2.6.12-rc2-mm1~orig/fs/namei.c linux-2.6.12-rc2-mm1~audit/fs/namei.c --- linux-2.6.12-rc2-mm1~orig/fs/namei.c 2005-04-11 14:14:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/fs/namei.c 2005-04-05 18:16:04.000000000 +0000 @@ -225,6 +225,8 @@ int permission(struct inode *inode, int { int retval, submask; + audit_notify_watch(inode, mask); + if (mask & MAY_WRITE) { umode_t mode = inode->i_mode; @@ -358,6 +360,8 @@ static inline int exec_permission_lite(s if (inode->i_op && inode->i_op->permission) return -EAGAIN; + audit_notify_watch(inode, MAY_EXEC); + if (current->fsuid == inode->i_uid) mode >>= 6; else if (in_group_p(inode->i_gid)) @@ -1172,6 +1176,8 @@ static inline int may_delete(struct inod BUG_ON(victim->d_parent->d_inode != dir); + audit_notify_watch(victim->d_inode, MAY_WRITE); + error = permission(dir,MAY_WRITE | MAY_EXEC, NULL); if (error) return error; @@ -1296,6 +1302,7 @@ int vfs_create(struct inode *dir, struct DQUOT_INIT(dir); error = dir->i_op->create(dir, dentry, mode, nd); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_create(dir, dentry->d_name.name); security_inode_post_create(dir, dentry, mode); } @@ -1601,6 +1608,7 @@ int vfs_mknod(struct inode *dir, struct DQUOT_INIT(dir); error = dir->i_op->mknod(dir, dentry, mode, dev); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_create(dir, dentry->d_name.name); security_inode_post_mknod(dir, dentry, mode, dev); } @@ -1674,6 +1682,7 @@ int vfs_mkdir(struct inode *dir, struct DQUOT_INIT(dir); error = dir->i_op->mkdir(dir, dentry, mode); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_mkdir(dir, dentry->d_name.name); security_inode_post_mkdir(dir,dentry, mode); } @@ -1915,6 +1924,7 @@ int vfs_symlink(struct inode *dir, struc DQUOT_INIT(dir); error = dir->i_op->symlink(dir, dentry, oldname); if (!error) { + audit_notify_watch(dentry->d_inode, MAY_WRITE); fsnotify_create(dir, dentry->d_name.name); security_inode_post_symlink(dir, dentry, oldname); } @@ -1988,6 +1998,7 @@ int vfs_link(struct dentry *old_dentry, error = dir->i_op->link(old_dentry, dir, new_dentry); up(&old_dentry->d_inode->i_sem); if (!error) { + audit_notify_watch(new_dentry->d_inode, MAY_WRITE); fsnotify_create(dir, new_dentry->d_name.name); security_inode_post_link(old_dentry, dir, new_dentry); } @@ -2111,6 +2122,7 @@ int vfs_rename_dir(struct inode *old_dir } if (!error) { d_move(old_dentry,new_dentry); + audit_notify_watch(old_dentry->d_inode, MAY_WRITE); security_inode_post_rename(old_dir, old_dentry, new_dir, new_dentry); } @@ -2139,6 +2151,7 @@ int vfs_rename_other(struct inode *old_d /* The following d_move() should become unconditional */ if (!(old_dir->i_sb->s_type->fs_flags & FS_ODD_RENAME)) d_move(old_dentry, new_dentry); + audit_notify_watch(old_dentry->d_inode, MAY_WRITE); security_inode_post_rename(old_dir, old_dentry, new_dir, new_dentry); } if (target) diff -Nurp linux-2.6.12-rc2-mm1~orig/include/linux/audit.h linux-2.6.12-rc2-mm1~audit/include/linux/audit.h --- linux-2.6.12-rc2-mm1~orig/include/linux/audit.h 2005-04-11 14:15:03.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/include/linux/audit.h 2005-04-20 22:19:35.000000000 +0000 @@ -24,18 +24,27 @@ #ifndef _LINUX_AUDIT_H_ #define _LINUX_AUDIT_H_ +#ifdef __KERNEL__ #include <linux/sched.h> #include <linux/elf.h> +#include <linux/list.h> +#include <linux/spinlock.h> +#include <asm/atomic.h> +#endif + /* Request and reply types */ -#define AUDIT_GET 1000 /* Get status */ -#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ -#define AUDIT_LIST 1002 /* List filtering rules */ -#define AUDIT_ADD 1003 /* Add filtering rule */ -#define AUDIT_DEL 1004 /* Delete filtering rule */ -#define AUDIT_USER 1005 /* Send a message from user-space */ -#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ -#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ +#define AUDIT_GET 1000 /* Get status */ +#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ +#define AUDIT_LIST 1002 /* List filtering rules */ +#define AUDIT_ADD 1003 /* Add filtering rule */ +#define AUDIT_DEL 1004 /* Delete filtering rule */ +#define AUDIT_USER 1005 /* Send a message from user-space */ +#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ +#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ +#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ +#define AUDIT_WATCH_LIST 1009 /* List all watches */ +#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ /* Rule flags */ #define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ @@ -132,6 +141,9 @@ #define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE) #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +/* 32 byte max key size */ +#define AUDIT_FILTERKEY_MAX 32 + #ifndef __KERNEL__ struct audit_message { struct nlmsghdr nlh; @@ -159,8 +171,42 @@ struct audit_rule { /* for AUDIT_LIST, __u32 values[AUDIT_MAX_FIELDS]; }; +/* Structure to transport watch data to and from the kernel */ + +struct audit_transport { + __u32 dev_major; + __u32 dev_minor; + __u32 perms; + __u32 valid; + __u32 pathlen; + __u32 fklen; + char buf[0]; +}; + #ifdef __KERNEL__ +struct audit_data { + struct audit_wentry *wentry; + struct hlist_head watchlist; + rwlock_t lock; +}; + +struct audit_watch { + dev_t dev; /* Superblock device */ + __u32 perms; /* Permissions filtering */ + char *name; /* Watch point beneath parent */ + char *path; /* Insertion path */ + char *filterkey; /* An arbitrary filtering key */ +}; + +struct audit_wentry { + struct hlist_node w_node; + struct hlist_node w_master; + struct audit_watch *w_watch; + atomic_t w_count; + +}; + struct audit_buffer; struct audit_context; struct inode; @@ -190,6 +236,7 @@ extern void audit_get_stamp(struct audit extern int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); +extern int audit_notify_watch(struct inode *inode, int mask); #else #define audit_alloc(t) ({ 0; }) #define audit_free(t) do { ; } while (0) @@ -200,6 +247,28 @@ extern int audit_ipc_perms(unsigned long #define audit_inode(n,i) do { ; } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_ipc_perms(q,u,g,m) ({ 0; }) +#define audit_notify_watch(i,m) ({ 0; }) +#endif + +#ifdef CONFIG_AUDITFILESYSTEM +extern int audit_list_watches(int pid, int seq); +extern int audit_receive_watch(int type, int pid, int uid, int seq, + struct audit_transport *req); +extern int audit_filesystem_init(void); +extern int audit_inode_alloc(struct inode *inode); +extern void audit_inode_free(struct inode *inode); +extern void audit_attach_watch(struct dentry *dentry, int remove); +extern void audit_wentry_put(struct audit_wentry *wentry); +extern struct audit_wentry *audit_wentry_get(struct audit_wentry *wentry); +#else +#define audit_list_watches(p,s) ({ 0; }) +#define audit_receive_watch(t,p,u,s,r) ({ -EOPNOTSUPP; }) +#define audit_filesystem_init() ({ 0; }) +#define audit_inode_alloc(i) ({ 0; }) +#define audit_inode_free(i) do { ; } while(0) +#define audit_attach_watch(d,r) do { ; } while (0) +#define audit_wentry_put(w) do { ; } while(0) +#define audit_wentry_get(w) ({ 0; }) #endif #ifdef CONFIG_AUDIT diff -Nurp linux-2.6.12-rc2-mm1~orig/include/linux/fs.h linux-2.6.12-rc2-mm1~audit/include/linux/fs.h --- linux-2.6.12-rc2-mm1~orig/include/linux/fs.h 2005-04-11 14:15:02.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/include/linux/fs.h 2005-04-20 22:20:32.000000000 +0000 @@ -226,6 +226,7 @@ struct poll_table_struct; struct kstatfs; struct vm_area_struct; struct vfsmount; +struct audit_data; /* Used to be a macro which just called the function, now just a function */ extern void update_atime (struct inode *); @@ -477,6 +478,7 @@ struct inode { struct semaphore inotify_sem; /* protects the watches list */ #endif + struct audit_data *i_audit; unsigned long i_state; unsigned long dirtied_when; /* jiffies of first dirtying */ diff -Nurp linux-2.6.12-rc2-mm1~orig/init/Kconfig linux-2.6.12-rc2-mm1~audit/init/Kconfig --- linux-2.6.12-rc2-mm1~orig/init/Kconfig 2005-04-11 14:15:38.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/init/Kconfig 2005-04-05 18:16:26.000000000 +0000 @@ -198,6 +198,16 @@ config AUDITSYSCALL can be used independently or with another kernel subsystem, such as SELinux. +config AUDITFILESYSTEM + bool "Enable file system auditing support" + depends on AUDITSYSCALL + default n + help + Enable file system auditing for regular files and directories. + When a targeted file or directory is accessed, an audit record + is generated describing the inode accessed, how it was accessed, + and by whom (ie: pid and system call). + config HOTPLUG bool "Support for hot-pluggable devices" if !ARCH_S390 default ARCH_S390 diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/Makefile linux-2.6.12-rc2-mm1~audit/kernel/Makefile --- linux-2.6.12-rc2-mm1~orig/kernel/Makefile 2005-04-11 14:15:35.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/Makefile 2005-04-05 18:21:20.000000000 +0000 @@ -25,6 +25,7 @@ obj-$(CONFIG_IKCONFIG_PROC) += configs.o obj-$(CONFIG_STOP_MACHINE) += stop_machine.o obj-$(CONFIG_AUDIT) += audit.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o +obj-$(CONFIG_AUDITFILESYSTEM) += auditfs.o obj-$(CONFIG_KPROBES) += kprobes.o obj-$(CONFIG_SYSFS) += ksysfs.o obj-$(CONFIG_DETECT_SOFTLOCKUP) += softlockup.o diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/audit.c linux-2.6.12-rc2-mm1~audit/kernel/audit.c --- linux-2.6.12-rc2-mm1~orig/kernel/audit.c 2005-04-11 14:15:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/audit.c 2005-04-21 20:58:37.000000000 +0000 @@ -322,6 +322,8 @@ static int audit_netlink_ok(kernel_cap_t case AUDIT_SET: case AUDIT_ADD: case AUDIT_DEL: + case AUDIT_WATCH_INS: + case AUDIT_WATCH_REM: if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) err = -EPERM; break; @@ -410,12 +412,23 @@ static int audit_receive_msg(struct sk_b /* fallthrough */ case AUDIT_LIST: #ifdef CONFIG_AUDITSYSCALL + err = audit_list_watches(NETLINK_CB(skb).pid, seq); + if (err < 0) + break; err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, uid, seq, data); #else err = -EOPNOTSUPP; #endif break; + case AUDIT_WATCH_INS: + case AUDIT_WATCH_REM: + if (nlh->nlmsg_len < sizeof(struct audit_transport)) + return -EINVAL; + err = audit_receive_watch(nlh->nlmsg_type, + NETLINK_CB(skb).pid, + uid, seq, data); + break; default: err = -EINVAL; break; @@ -560,6 +573,7 @@ static int __init audit_init(void) audit_initialized = 1; audit_enabled = audit_default; + audit_filesystem_init(); audit_log(NULL, "initialized"); return 0; } diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/auditfs.c linux-2.6.12-rc2-mm1~audit/kernel/auditfs.c --- linux-2.6.12-rc2-mm1~orig/kernel/auditfs.c 1970-01-01 00:00:00.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/auditfs.c 2005-04-23 00:49:58.000000000 +0000 @@ -0,0 +1,542 @@ +/* auditfs.c -- Filesystem auditing support -*- linux-c -*- + * Implements filesystem auditing support, depends on kernel/auditsc.c + * + * Copyright 2005 International Business Machines Corp. (IBM) + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + * 02111-1307 USA + * + * Written by Timothy R. Chavez <chavezt(a)us.ibm.com> + * + */ + +#include <linux/init.h> +#include <linux/fs.h> +#include <linux/sched.h> +#include <linux/kernel.h> +#include <linux/namei.h> +#include <linux/mount.h> +#include <linux/list.h> +#include <linux/slab.h> +#include <linux/audit.h> +#include <asm/uaccess.h> + +kmem_cache_t *audit_watch_cache; +kmem_cache_t *audit_wentry_cache; + +DEFINE_SPINLOCK(audit_master_watchlist_lock); +HLIST_HEAD(audit_master_watchlist); + + +/* Private Interface */ + +static inline struct audit_wentry *audit_wentry_fetch(const char *name, + struct audit_data *data) +{ + struct audit_wentry *wentry, *ret = NULL; + struct hlist_node *pos; + + hlist_for_each_entry(wentry, pos, &data->watchlist, w_node) + if(!strcmp(wentry->w_watch->name, name)) { + ret = audit_wentry_get(wentry); + break; + } + + return ret; +} + +static inline struct audit_wentry *audit_wentry_fetch_lock(const char *name, + struct audit_data *data) +{ + struct audit_wentry *ret = NULL; + + if (name && data) { + read_lock(&data->lock); + ret = audit_wentry_fetch(name, data); + read_unlock(&data->lock); + } + + return ret; +} + +static inline struct audit_watch *audit_watch_alloc(void) +{ + struct audit_watch *watch; + + watch = kmem_cache_alloc(audit_watch_cache, GFP_KERNEL); + if (watch) { + watch->name = NULL; + watch->filterkey = NULL; + watch->perms = 0; + } + + return watch; +} + +static inline void audit_watch_free(struct audit_watch *watch) +{ + if (watch) { + kfree(watch->name); + kfree(watch->path); + kfree(watch->filterkey); + kmem_cache_free(audit_watch_cache, watch); + } +} + +static inline struct audit_watch *audit_create_watch(const char *path, + const char *name, + const char *filterkey, + __u32 perms, dev_t dev) +{ + struct audit_watch *err = NULL; + struct audit_watch *watch = NULL; + + err = ERR_PTR(-ENOMEM); + watch = audit_watch_alloc(); + if (watch) { + watch->path = kmalloc(strlen(path)+1, GFP_KERNEL); + if (!watch->path) + goto audit_create_watch_fail; + strcpy(watch->path, path); + watch->name = kmalloc(strlen(name)+1, GFP_KERNEL); + if (!watch->name) + goto audit_create_watch_fail; + strcpy(watch->name, name); + + if (filterkey) { + watch->filterkey = kmalloc(strlen(filterkey)+1, + GFP_KERNEL); + if (!watch->filterkey) + goto audit_create_watch_fail; + strcpy(watch->filterkey, filterkey); + } + + watch->dev = dev; + watch->perms = perms; + + goto audit_create_watch_exit; + } + + +audit_create_watch_fail: + audit_watch_free(watch); + watch = err; +audit_create_watch_exit: + return watch; +} + +static inline struct audit_wentry *audit_wentry_alloc(void) +{ + struct audit_wentry *wentry; + + wentry = kmem_cache_alloc(audit_wentry_cache, GFP_KERNEL); + if (wentry) { + atomic_set(&wentry->w_count, 1); + wentry->w_watch = NULL; + } + + return wentry; +} + +static inline void audit_wentry_free(struct audit_wentry *wentry) +{ + if (wentry) { + audit_watch_free(wentry->w_watch); + kmem_cache_free(audit_wentry_cache, wentry); + } +} + +/* The only time the new wentry gets updated is when it is inaccessible + * (out of the list). + */ +static inline int audit_create_wentry(const char *path, + const char *name, + const char *filterkey, + __u32 perms, dev_t dev, + struct audit_data *data) +{ + int ret; + struct audit_wentry *wentry = NULL; + struct audit_wentry *new = NULL; + + ret = -ENOMEM; + new = audit_wentry_alloc(); + if (!new) + goto audit_create_wentry_fail; + + new->w_watch = audit_create_watch(path, name, filterkey, perms, dev); + if (IS_ERR(new->w_watch)) { + ret = PTR_ERR(new->w_watch); + new->w_watch = NULL; + goto audit_create_wentry_fail; + } + + ret = 0; + write_lock(&data->lock); + wentry = audit_wentry_fetch(name, data); + if (!wentry) { + spin_lock(&audit_master_watchlist_lock); + new = audit_wentry_get(new); + hlist_add_head(&new->w_master, &audit_master_watchlist); + spin_unlock(&audit_master_watchlist_lock); + hlist_add_head(&new->w_node, &data->watchlist); + write_unlock(&data->lock); + goto audit_create_wentry_exit; + } + audit_wentry_put(wentry); + write_unlock(&data->lock); + + ret = -EEXIST; + +audit_create_wentry_fail: + audit_wentry_put(new); +audit_create_wentry_exit: + return ret; +} + +/* Caller must hold watchlist_lock */ + +static inline void audit_destroy_wentry(struct audit_wentry *wentry) +{ + if (wentry) { + spin_lock(&audit_master_watchlist_lock); + hlist_del_init(&wentry->w_master); + audit_wentry_put(wentry); + spin_unlock(&audit_master_watchlist_lock); + hlist_del_init(&wentry->w_node); + audit_wentry_put(wentry); + } +} + + +/* Caller must hold data->lock */ + +static inline void audit_drain_watchlist(struct audit_data *data) +{ + struct audit_wentry *wentry; + struct hlist_node *pos, *buf; + + hlist_for_each_entry_safe(wentry, pos, buf, &data->watchlist, w_node) + audit_destroy_wentry(wentry); +} + +static inline struct audit_data *audit_data_alloc(void) +{ + struct audit_data *data; + + data = kmalloc(sizeof(struct audit_data), GFP_KERNEL); + if (data) { + data->wentry = NULL; + INIT_HLIST_HEAD(&data->watchlist); + data->lock = RW_LOCK_UNLOCKED; + } + + return data; +} + +static inline void audit_data_free(struct audit_data *data) +{ + if (data) { + write_lock(&data->lock); + audit_drain_watchlist(data); + audit_wentry_put(data->wentry); + write_unlock(&data->lock); + kfree(data); + } +} + +static inline int audit_insert_watch(char *path, char *filterkey, __u32 perms) +{ + int ret; + struct nameidata nd; + + ret = path_lookup(path, LOOKUP_PARENT, &nd); + if (ret < 0) + goto audit_insert_watch_exit; + + ret = -EPERM; + if (nd.last_type != LAST_NORM || !nd.last.name) + goto audit_insert_watch_release; + + ret = audit_create_wentry(path, nd.last.name, filterkey, perms, + nd.dentry->d_inode->i_sb->s_dev, + nd.dentry->d_inode->i_audit); + /* __d_lookup will attach the audit data, if nd.last exists. */ + dput(d_lookup(nd.dentry, &nd.last)); + +audit_insert_watch_release: + path_release(&nd); +audit_insert_watch_exit: + return ret; +} + +static inline int audit_remove_watch(char *path) +{ + int ret; + struct nameidata nd; + struct audit_data *data; + struct audit_wentry *wentry; + + ret = path_lookup(path, LOOKUP_PARENT, &nd); + if (ret < 0) + goto audit_remove_watch_exit; + + ret = -EPERM; + if (nd.last_type != LAST_NORM || !nd.last.name) + goto audit_remove_watch_release; + + data = nd.dentry->d_inode->i_audit; + + write_lock(&data->lock); + wentry = audit_wentry_fetch(nd.last.name, data); + if (!wentry) { + write_unlock(&data->lock); + goto audit_remove_watch_release; + } + audit_destroy_wentry(wentry); + audit_wentry_put(wentry); + write_unlock(&data->lock); + + ret = 0; + +audit_remove_watch_release: + path_release(&nd); +audit_remove_watch_exit: + return ret; +} + +struct audit_wentry *audit_wentry_get(struct audit_wentry *wentry) +{ + if (wentry) { + BUG_ON(!atomic_read(&wentry->w_count)); + atomic_inc(&wentry->w_count); + } + + return wentry; +} + +void audit_wentry_put(struct audit_wentry *wentry) +{ + if (wentry && atomic_dec_and_test(&wentry->w_count)) + audit_wentry_free(wentry); +} + +/* + * Hook appears in fs/dcache.c: + * d_move(), + * d_delete(), + * d_instantiate(), + * d_splice_alias() + * __d_lookup() + */ +void audit_attach_watch(struct dentry *dentry, int remove) +{ + struct audit_wentry *wentry; + struct audit_data *data, *parent; + + if (!dentry || !dentry->d_inode) + return; + + if (!dentry->d_parent || !dentry->d_parent->d_inode) + return; + + data = dentry->d_inode->i_audit; + parent = dentry->d_parent->d_inode->i_audit; + + wentry = audit_wentry_fetch_lock(dentry->d_name.name, parent); + + write_lock(&data->lock); + /* FIXME: long watchlist == too much spinning? */ + if (remove) { + audit_drain_watchlist(data); + if (wentry && data->wentry) { + if (!strcmp(wentry->w_watch->name, + data->wentry->w_watch->name)) { + audit_wentry_put(data->wentry); + dentry->d_inode->i_audit->wentry = NULL; + } + } + } else if (!data->wentry || hlist_unhashed(&data->wentry->w_node)) { + audit_wentry_put(data->wentry); + dentry->d_inode->i_audit->wentry = audit_wentry_get(wentry); + } + audit_wentry_put(wentry); + write_unlock(&data->lock); +} + +int audit_send_watch(int pid, int seq, struct audit_watch *watch) +{ + int ret; + void *memblk; + unsigned int offset; + unsigned int total; + struct audit_data *data; + struct audit_wentry *wentry; + struct audit_transport req; + struct nameidata nd; + + req.valid = 0; + req.dev_major = MAJOR(watch->dev); + req.dev_minor = MINOR(watch->dev); + req.perms = watch->perms; + req.pathlen = strlen(watch->path) + 1; + if (watch->filterkey) + req.fklen = strlen(watch->filterkey) + 1; + else + req.fklen = 0; + + ret = -ENOMEM; + total = sizeof(req) + req.pathlen + req.fklen; + memblk = kmalloc(total, GFP_KERNEL); + if (!memblk) + goto audit_send_watch_exit; + + /* See if path to watch is valid */ + ret = path_lookup(watch->path, LOOKUP_PARENT, &nd); + if (!ret) { + data = nd.dentry->d_inode->i_audit; + wentry = audit_wentry_fetch_lock(watch->name, data); + if (wentry && nd.dentry->d_inode->i_sb->s_dev == watch->dev) + req.valid = 1; + audit_wentry_put(wentry); + path_release(&nd); + } + + /* Payload */ + memcpy(memblk, &req, sizeof(req)); + offset = total - req.fklen; + memcpy(memblk + offset, watch->filterkey, req.fklen); + offset = offset - req.pathlen; + memcpy(memblk + offset, watch->path, req.pathlen); + + audit_send_reply(pid, seq, AUDIT_WATCH_LIST, 0, 1, memblk, total); + + kfree(memblk); + +audit_send_watch_exit: + return ret; +} + +int audit_list_watches(int pid, int seq) +{ + int ret = 0; + struct audit_wentry *wentry; + struct hlist_node *pos; + + spin_lock(&audit_master_watchlist_lock); + hlist_for_each_entry(wentry, pos, &audit_master_watchlist, w_master) { + ret = audit_send_watch(pid, seq, wentry->w_watch); + if (ret < 0) + break; + } + spin_unlock(&audit_master_watchlist_lock); + + audit_send_reply(pid, seq, AUDIT_WATCH_LIST, 1, 1, NULL, 0); + + return ret; +} + +int audit_receive_watch(int type, int pid, int uid, int seq, + struct audit_transport *req) +{ + int ret = 0; + char *path = NULL; + char *filterkey = NULL; + + ret = -ENOMEM; + path = kmalloc(req->pathlen, GFP_KERNEL); + if (!path) + goto audit_receive_watch_exit; + strncpy(path, req->buf, req->pathlen); + + if (req->fklen) { + filterkey = kmalloc(req->fklen, GFP_KERNEL); + if (!filterkey) + goto audit_receive_watch_exit; + } + strncpy(filterkey, req->buf+req->pathlen, req->fklen); + + ret = -EINVAL; + if (!path || strlen(path) + 1 > PATH_MAX) + goto audit_receive_watch_exit; + + /* Includes terminating '\0' */ + if (req->fklen > AUDIT_FILTERKEY_MAX) + goto audit_receive_watch_exit; + + if (req->perms > (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND)) + goto audit_receive_watch_exit; + + switch (type) { + case AUDIT_WATCH_INS: + ret = audit_insert_watch(path, filterkey, req->perms); + break; + case AUDIT_WATCH_REM: + ret = audit_remove_watch(path); + break; + default: + ret = -EINVAL; + } + +audit_receive_watch_exit: + kfree(path); + kfree(filterkey); + return ret; +} + +int audit_inode_alloc(struct inode *inode) +{ + if (inode) { + inode->i_audit = audit_data_alloc(); + if (!inode->i_audit) + return ENOMEM; + } + + return 0; +} + +void audit_inode_free(struct inode *inode) +{ + if (inode) + audit_data_free(inode->i_audit); +} + +int audit_filesystem_init() +{ + int ret = 0; + + audit_watch_cache = + kmem_cache_create("audit_watch_cache", + sizeof(struct audit_watch), 0, 0, NULL, NULL); + if (!audit_watch_cache) + goto audit_filesystem_init_fail; + + audit_wentry_cache = + kmem_cache_create("audit_wentry_cache", + sizeof(struct audit_wentry), 0, 0, NULL, NULL); + if (!audit_wentry_cache) + goto audit_filesystem_init_fail; + + goto audit_filesystem_init_exit; + +audit_filesystem_init_fail: + ret = -ENOMEM; + kmem_cache_destroy(audit_watch_cache); + kmem_cache_destroy(audit_wentry_cache); +audit_filesystem_init_exit: + return ret; + +} diff -Nurp linux-2.6.12-rc2-mm1~orig/kernel/auditsc.c linux-2.6.12-rc2-mm1~audit/kernel/auditsc.c --- linux-2.6.12-rc2-mm1~orig/kernel/auditsc.c 2005-04-11 14:15:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/kernel/auditsc.c 2005-04-20 22:03:02.000000000 +0000 @@ -102,6 +102,7 @@ struct audit_aux_data { }; #define AUDIT_AUX_IPCPERM 0 +#define AUDIT_AUX_WATCH 1 struct audit_aux_data_ipcctl { struct audit_aux_data d; @@ -112,6 +113,16 @@ struct audit_aux_data_ipcctl { mode_t mode; }; +struct audit_aux_data_watched { + struct audit_aux_data link; + struct audit_wentry *wentry; + unsigned long ino; + int mask; + uid_t uid; + gid_t gid; + dev_t dev; + dev_t rdev; +}; /* The per-task audit context. */ struct audit_context { @@ -665,6 +676,24 @@ static void audit_log_exit(struct audit_ audit_log_format(ab, " qbytes=%lx uid=%d gid=%d mode=%x", axi->qbytes, axi->uid, axi->gid, axi->mode); + break; + } + + case AUDIT_AUX_WATCH: { + struct audit_aux_data_watched *axi = (void *)aux; + audit_log_format(ab, " watch="); + audit_log_untrustedstring(ab, axi->wentry->w_watch->name); + audit_log_format(ab, + " filterkey=%s perm=%u perm_mask=%d" + " inode=%lu inode_uid=%d inode_gid=%d" + " inode_dev=%02x:%02x inode_rdev=%02x:%02x", + axi->wentry->w_watch->filterkey, + axi->wentry->w_watch->perms, + axi->mask, axi->ino, axi->uid, axi->gid, + MAJOR(axi->dev), MINOR(axi->dev), + MAJOR(axi->rdev), MINOR(axi->rdev)); + audit_wentry_put(axi->wentry); + break; } } audit_log_end(ab); @@ -1024,3 +1053,52 @@ int audit_ipc_perms(unsigned long qbytes context->aux = (void *)ax; return 0; } + +int audit_notify_watch(struct inode *inode, int mask) +{ + int ret = 0; + struct audit_context *context = current->audit_context; + struct audit_aux_data_watched *ax; + struct audit_wentry *wentry = NULL; + + if (likely(!context)) + goto audit_notify_watch_fail; + + if (!inode) + goto audit_notify_watch_fail; + + wentry = audit_wentry_get(inode->i_audit->wentry); + if (!wentry) + goto audit_notify_watch_fail; + + if (mask && (wentry->w_watch->perms && !(wentry->w_watch->perms&mask))) + goto audit_notify_watch_fail; + + ret = -ENOMEM; + ax = kmalloc(sizeof(*ax), GFP_KERNEL); + if (!ax) + goto audit_notify_watch_fail; + + ret = 0; + if (context->in_syscall && !context->auditable) + context->auditable = 1; + + ax->wentry = wentry; + ax->mask = mask; + ax->ino = inode->i_ino; + ax->uid = inode->i_uid; + ax->gid = inode->i_gid; + ax->dev = inode->i_sb->s_dev; + ax->rdev = inode->i_rdev; + + ax->link.type = AUDIT_AUX_WATCH; + ax->link.next = context->aux; + context->aux = (void *)ax; + + goto audit_notify_watch_exit; + +audit_notify_watch_fail: + audit_wentry_put(wentry); +audit_notify_watch_exit: + return ret; +} diff -Nurp linux-2.6.12-rc2-mm1~orig/security/selinux/nlmsgtab.c linux-2.6.12-rc2-mm1~audit/security/selinux/nlmsgtab.c --- linux-2.6.12-rc2-mm1~orig/security/selinux/nlmsgtab.c 2005-04-11 14:15:36.000000000 +0000 +++ linux-2.6.12-rc2-mm1~audit/security/selinux/nlmsgtab.c 2005-04-05 22:58:51.000000000 +0000 @@ -98,6 +98,9 @@ static struct nlmsg_perm nlmsg_audit_per { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_LOGIN, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_WATCH_INS, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_WATCH_REM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, + { AUDIT_WATCH_LIST, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, };

19 years, 8 months

4
5
0 / 0

[PATCH] LOGIN message credentials

by Steve Grubb

Hello, Attached is a new patch that solves the issue of getting valid credentials into the LOGIN message. The current code was assuming that the audit context had already been copied. This is not always the case for LOGIN messages. To solve the problem, the patch passes the task struct to the function that emits the message where it can get valid credentials. Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>

19 years, 8 months

2
2
0 / 0

[PATCH] LOGIN message credentials

by Steve Grubb

Hello, I was testing the kernel and found a problem where the credentials are not being recorded for LOGIN messages. Here's a typical message: type=LOGIN msg=audit(1114444861.363:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=0 The pid cannot be 0. The problem is that the kernel code assumes the information is in the audit context. What if audit_get_context has never been called for that process? Attached is a patch that passes the needed info out of the task struct to the function that emits the message. -Steve

19 years, 8 months

3
6
0 / 0

[PATCH]kernel spelling errors

by Steve Grubb

Hello, I'm going through the kernel code and have a patch that corrects several spelling errors in comments. It also updates the URL of the user space utils. -Steve

19 years, 8 months

2
1
0 / 0

audit 0.7.1 released

by Steve Grubb

Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - Make sure time calc is done using localtime - Raise rlimits for file size & cpu usage - Added new disk_error_action config item to auditd.conf - Rework memory management of event buffer - Improved error handling in event logging thread There was also a small goof in the release yesterday where time calculation was done using gmt - which messes up the date if you only provide a time for -ts or -te. It now uses local time. Also, I'm now raising the rlimits for file size to infinity in case an admin is restarting the audit daemon from a shell that has rlimit restrictions. One of the TODO items was to review all errors and make sure everything is handled in the logging path. I reworked the memory management of the logging thread so there's little chance of that being a problem during write. I also got to thinking about disk failures. If the write fails because the hard drive is toast, we now have a new action item to configure. It is the disk_error_action . It only comes into play during a disk write error condition that is not disk full. Let me know if there are any problems... -Steve

19 years, 8 months

1
0
0 / 0

audit-0.7 released

by Steve Grubb

Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - In auditctl -l, loop until all rules are printed - Update autrace not to run if rules are currently loaded - Added code to allow switching to single user mode when disk is full - Added the ausearch program The big news in this release is finally having the first draft of the ausearch program. There are a few things that are not working yet. -hn & -f. Besides getting those options working, I am planning to add the ability for it to interpret all numeric attributes. And I have plans to change the format so that its easier to understand. Both of these will be enabled by new command line options. Let me know if you have any problems. -Steve

19 years, 8 months

1
0
0 / 0

[PATCH] audit-0.6.10 (update)

by Timothy R. Chavez

Hello, This patch does some minor cosmetic fixups and also fixed the faulty #include path Stephen pointed out earlier. I will try to patch up to the latest audit user package later today. Thanks. -tim diff -Nurp audit-0.6.10~orig/lib/libaudit.c audit-0.6.10~audit/lib/libaudit.c --- audit-0.6.10~orig/lib/libaudit.c 2005-03-31 22:04:57.000000000 +0000 +++ audit-0.6.10~audit/lib/libaudit.c 2005-04-23 05:34:39.000000000 +0000 @@ -203,18 +203,44 @@ int audit_request_list(int fd) return rc; } -int audit_insert_watch(int fd, struct audit_watch *req) +int audit_insert_watch(int fd, struct audit_transport *req, char **buf) { - int rc = audit_send(fd, AUDIT_WATCH_INS, req, sizeof(*req)); + void *memblk = NULL; + unsigned int offset, total; + + total = sizeof(*req) + req->pathlen + req->fklen; + memblk = (void*)malloc(total); + if (!memblk) + return -1; + + memcpy(memblk, req, sizeof(*req)); + offset = total - req->fklen; + memcpy(memblk + offset, buf[1], req->fklen); + offset = offset - req->pathlen; + memcpy(memblk + offset, buf[0], req->pathlen); + + int rc = audit_send(fd, AUDIT_WATCH_INS, memblk, total); if (rc < 0) msg(LOG_WARNING, "Error sending watch insert request (%s)", strerror(-rc)); return rc; } -int audit_remove_watch(int fd, struct audit_watch *req) +int audit_remove_watch(int fd, struct audit_transport *req, char **buf) { - int rc = audit_send(fd, AUDIT_WATCH_REM, req, sizeof(*req)); + void *memblk = NULL; + unsigned int offset, total; + + total = sizeof(*req) + req->pathlen; + memblk = (void*)malloc(total); + if (!memblk) + return -1; + + memcpy(memblk, req, sizeof(*req)); + offset = total - req->pathlen; + memcpy(memblk + offset, buf[0], req->pathlen); + + int rc = audit_send(fd, AUDIT_WATCH_REM, memblk, total); if (rc < 0) msg(LOG_WARNING, "Error sending watch remove request (%s)", strerror(-rc)); diff -Nurp audit-0.6.10~orig/lib/libaudit.h audit-0.6.10~audit/lib/libaudit.h --- audit-0.6.10~orig/lib/libaudit.h 2005-04-23 05:26:17.000000000 +0000 +++ audit-0.6.10~audit/lib/libaudit.h 2005-04-23 05:31:28.000000000 +0000 @@ -42,11 +42,22 @@ #define AUDIT_WATCH_LIST 1009 struct audit_watch { - uint32_t namelen; - uint32_t fklen; - char *name; - char *filterkey; - uint32_t perms; + uint32_t dev_major; + uint32_t dev_minor; + char *path; + char *filterkey; + uint32_t perms; + uint32_t valid; +}; + +struct audit_transport { + uint32_t dev_major; + uint32_t dev_minor; + uint32_t perms; + uint32_t valid; + uint32_t pathlen; + uint32_t fklen; + char buf[0]; }; /* 32 byte max key size */ #define AUDIT_FILTERKEY_MAX 32 @@ -57,15 +68,15 @@ struct audit_watch { struct audit_reply { struct audit_message msg; - int type; - int len; - struct nlmsghdr *nlh; - struct audit_status *status; - struct audit_rule *rule; - struct audit_login *login; - const char *message; - struct nlmsgerr *error; - int watch; + int type; + int len; + struct nlmsghdr *nlh; + struct audit_status *status; + struct audit_rule *rule; + struct audit_login *login; + struct audit_transport *watch; + const char *message; + struct nlmsgerr *error; }; struct auditd_reply_list { @@ -120,8 +131,8 @@ extern int audit_set_backlog_limit(int extern int audit_request_list(int fd); /* AUDIT_WATCH */ -extern int audit_insert_watch(int fd, struct audit_watch *req); -extern int audit_remove_watch(int fd, struct audit_watch *req); +extern int audit_insert_watch(int fd, struct audit_transport *req, char **buf); +extern int audit_remove_watch(int fd, struct audit_transport *req, char **buf); /* AUDIT_ADD */ extern int audit_add_rule(int fd, struct audit_rule *rule, diff -Nurp audit-0.6.10~orig/lib/netlink.c audit-0.6.10~audit/lib/netlink.c --- audit-0.6.10~orig/lib/netlink.c 2005-03-31 22:04:57.000000000 +0000 +++ audit-0.6.10~audit/lib/netlink.c 2005-04-23 05:32:50.000000000 +0000 @@ -133,7 +133,7 @@ static int adjust_reply(struct audit_rep rep->rule = NULL; rep->message = NULL; rep->error = NULL; - rep->watch = 0; + rep->watch = NULL; if (!NLMSG_OK(rep->nlh, (unsigned int)len)) return 0; switch (rep->type) { @@ -153,7 +153,8 @@ static int adjust_reply(struct audit_rep break; case AUDIT_WATCH_INS: case AUDIT_WATCH_REM: - memcpy(&rep->watch, NLMSG_DATA(rep->nlh), sizeof(int)); + case AUDIT_WATCH_LIST: + rep->watch = NLMSG_DATA(rep->nlh); break; } return len; diff -Nurp audit-0.6.10~orig/src/auditctl.c audit-0.6.10~audit/src/auditctl.c --- audit-0.6.10~orig/src/auditctl.c 2005-04-01 19:06:42.000000000 +0000 +++ audit-0.6.10~audit/src/auditctl.c 2005-04-23 05:34:01.000000000 +0000 @@ -73,6 +73,8 @@ static int add = 0, del = 0, action = 0; static int ins = 0, rem = 0; static struct audit_rule rule; static struct audit_watch watch; +static struct audit_transport wreq; +static char *wreq_buf[2] = {NULL, NULL}; /* @@ -90,7 +92,7 @@ static int reset_vars(void) rem = 0; memset(&rule, 0, sizeof(rule)); - memset(&watch, 0, sizeof(watch)); + memset(&wreq, 0, sizeof(wreq)); if ((fd = audit_open()) < 0) { fprintf(stderr, "Cannot open netlink audit socket\n"); return 1; @@ -116,7 +118,8 @@ static void usage(void) " -k <key> Set filterkey on watch\n" " -l List rules\n" " -m text Send a user-space message\n" - " -p [r|w|e|a] Set permissions filter on watch:\n" + " -p [r|w|e|a] Set permissions filter on watch\n" + " r=read, w=write, e=execute, a=append\n" " -r <rate> Set limit in messages/sec (0=none)\n" " -R <file> read rules from file\n" " -s Report status\n" @@ -125,7 +128,6 @@ static void usage(void) " -v Version\n" " -w <path> Insert watch at <path>\n" " -W <path> Remove watch at <path>\n" - " r=read, w=write, e=execute, a=append\n" ); } @@ -183,24 +185,47 @@ static int check_path(const char *path) return 0; } +static int make_watch(struct audit_transport *wreq, struct audit_watch *watch) +{ + watch->path = (char*)malloc(wreq->pathlen); + if (!watch->path) + return 0; + + memcpy(watch->path, wreq->buf, wreq->pathlen); + + if (wreq->fklen) { + watch->filterkey = (char*)malloc(wreq->fklen); + if (!watch->filterkey) { + free(watch->path); + return 0; + } + } + + memcpy(watch->filterkey, wreq->buf+wreq->pathlen, wreq->fklen); + + watch->dev_major = wreq->dev_major; + watch->dev_minor = wreq->dev_minor; + watch->perms = wreq->perms; + watch->valid = wreq->valid; + + return 1; +} + /* - * Setup a watch. The "name" of the watch in userspace will be the <path> to - * the watch. When this potential watch reaches the kernel, it will resolve - * down to <name> (of terminating file or directory). * Returns a 1 on success & -1 on failure. */ -static int audit_setup_watch_name(struct audit_watch *req, const char *opt, +static int audit_setup_watch_path(struct audit_transport *req, const char *opt, int *act) { - if (!req->name) { + if (!wreq_buf[0]) { if (check_path(opt)) return -1; - req->name = strdup(opt); - if (!req->name) { + wreq_buf[0] = strdup(opt); + if (!wreq_buf[0]) { fprintf(stderr, "Out of memory\n"); return -1; } - req->namelen = strlen(req->name) + 1; + req->pathlen = strlen(wreq_buf[0]) + 1; *act = 1; return 1; } @@ -212,18 +237,18 @@ static int audit_setup_watch_name(struct * Setup a filterkey for the watch. * Returns a 1 on success & -1 on failure. */ -static int audit_setup_filterkey(struct audit_watch *req, const char *opt) +static int audit_setup_filterkey(struct audit_transport *req, const char *opt) { - if (!req->filterkey) { - req->filterkey = strdup(opt); - if (!req->filterkey) { + if (!wreq_buf[1]) { + wreq_buf[1] = strdup(opt); + if (!wreq_buf[1]) { fprintf(stderr, "Out of memory\n"); return -1; } req->fklen = strlen(opt) + 1; if (req->fklen > AUDIT_FILTERKEY_MAX) { fprintf(stderr, "The filterkey is too big\n"); - free(req->filterkey); + free(wreq_buf[1]); return -1; } return 1; @@ -236,7 +261,7 @@ static int audit_setup_filterkey(struct * Setup a watch permissions. * Returns a 1 on success & -1 on failure. */ -static int audit_setup_perms(struct audit_watch *req, const char *opt) +static int audit_setup_perms(struct audit_transport *req, const char *opt) { int i; @@ -453,7 +478,7 @@ static int setopt(int count, char *vars[ break; case 'w': if (optarg) - retval = audit_setup_watch_name(&watch, optarg, &ins); + retval = audit_setup_watch_path(&wreq, optarg, &ins); else { fprintf(stderr, "watch option needs a path\n"); retval = -1; @@ -461,7 +486,7 @@ static int setopt(int count, char *vars[ break; case 'W': if (optarg) - retval = audit_setup_watch_name(&watch, optarg, &rem); + retval = audit_setup_watch_path(&wreq, optarg, &rem); else { fprintf(stderr, "watch option needs a path\n"); retval = -1; @@ -478,7 +503,7 @@ static int setopt(int count, char *vars[ retval = -1; } else - retval = audit_setup_filterkey(&watch, optarg); + retval = audit_setup_filterkey(&wreq, optarg); break; case 'p': if (!ins) { @@ -491,7 +516,7 @@ static int setopt(int count, char *vars[ retval = -1; } else - retval = audit_setup_perms(&watch, optarg); + retval = audit_setup_perms(&wreq, optarg); break; case 'v': printf("auditctl version %s\n", VERSION); @@ -664,9 +689,9 @@ static int handle_request(int status) else if (del & 0x07) rc = audit_delete_rule(fd, &rule, del, action); else if (ins && !rem) - rc = audit_insert_watch(fd, &watch); + rc = audit_insert_watch(fd, &wreq, wreq_buf); else if (rem && !ins) - rc = audit_remove_watch(fd, &watch); + rc = audit_remove_watch(fd, &wreq, wreq_buf); else { usage(); audit_close(fd); @@ -730,7 +755,7 @@ static int audit_print_reply(struct audi return 1; case NLMSG_DONE: if (list_requested) - printf("No rules\n"); + return 1; return 0; case NLMSG_ERROR: printf("NLMSG_ERROR %d (%s) type=%d seq=%d\n", @@ -797,6 +822,23 @@ static int audit_print_reply(struct audi } printf("\n"); return 1; /* get more messages until NLMSG_DONE */ + case AUDIT_WATCH_LIST: { + int ret = make_watch(rep->watch, &watch); + if (!ret) + return ret; + + list_requested = 0; + printf("AUDIT_WATCH_LIST: dev=%u:%u, path=%s, " + "filterkey=%s, perms=%u, valid=%d\n", + watch.dev_major, watch.dev_minor, watch.path, + watch.filterkey, watch.perms, watch.valid); + + free(watch.path); + free(watch.filterkey); + memset(&watch, 0, sizeof(watch)); + + return 1; + } default: printf("Unknown: type=%d, len=%d\n", rep->type, rep->nlh->nlmsg_len);

19 years, 8 months

1
0
0 / 0

audit.23 kernel

by David Woodhouse

Updated to use Tim's latest (#7U1) auditfs patch. Available from ftp://zeniv.uk.linux.org/pub/people/dwmw2/audit for the moment because uploads to ftp.uk.linux.org are being _very_ slow. -- dwmw2

19 years, 8 months

4
6
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit April 2005