July 2005 - Linux-audit - Linux-Audit List Archives

[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

by Dustin Kirkland

The attached patch contains functionality specified by the labeled security protection profile--basically appending object context and subject context labels to audit records. This code was originally written by Dan Jones against a 2.6.9 kernel tree. I have ported it forward to the 2.6.13-rc3-mm1 tree and tested it. I expect at least one section of this code to generate some animated discussion. This code utilizes "static inline" function definitions rather than "#define" macros, as per Documentation/SubmittingPatches lines 328-372 and Documentation/CodingStyle line 358. This is inconsistent with the rest of the code in include/linux/audit.h, so I suspect someone will have to give, in the interest of consistency. Please advise. Additionally, we've arbitrarily defined AUDIT_SECURITY_CONTEXT = 1350. We expect this to change to whatever the appropriate value might be. Signed-off-by: Dustin Kirkland <dustin.kirkland(a)us.ibm.com> diff -uprN linux-2.6.13-rc3-mm1/include/linux/audit.h linux-2.6.13-rc3-mm1-lspp_audit/include/linux/audit.h --- linux-2.6.13-rc3-mm1/include/linux/audit.h 2005-07-18 15:20:34.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/include/linux/audit.h 2005-07-19 11:33:37.000000000 -0500 @@ -68,6 +68,7 @@ #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ #define AUDIT_CWD 1307 /* Current working directory */ +#define AUDIT_SECURITY_CONTEXT 1350 /* security context */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ @@ -238,6 +239,8 @@ extern int audit_sockaddr(int len, void extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); extern void audit_signal_info(int sig, struct task_struct *t); extern int audit_filter_user(struct netlink_skb_parms *cb, int type); +extern int audit_ipc_security_context(struct kern_ipc_perm *ipcp); +extern int audit_set_macxattr(const char *name); #else #define audit_alloc(t) ({ 0; }) #define audit_free(t) do { ; } while (0) @@ -255,6 +258,14 @@ extern int audit_filter_user(struct netl #define audit_avc_path(dentry, mnt) ({ 0; }) #define audit_signal_info(s,t) do { ; } while (0) #define audit_filter_user(cb,t) ({ 1; }) +static inline int audit_ipc_security_context(struct kern_ipc_perm *ipcp) +{ + return 0; +} +static inline int audit_set_macxattr(const char *name) +{ + return 0; +} #endif #ifdef CONFIG_AUDIT @@ -283,6 +294,7 @@ extern void audit_send_reply(int pi int done, int multi, void *payload, int size); extern void audit_log_lost(const char *message); +extern void audit_panic(const char *message); extern struct semaphore audit_netlink_sem; #else #define audit_log(c,g,t,f,...) do { ; } while (0) @@ -293,6 +305,10 @@ extern struct semaphore audit_netlink_se #define audit_log_hex(a,b,l) do { ; } while (0) #define audit_log_untrustedstring(a,s) do { ; } while (0) #define audit_log_d_path(b,p,d,v) do { ; } while (0) +static inline void audit_panic(const char *message) +{ + return; +} #endif #endif #endif diff -uprN linux-2.6.13-rc3-mm1/include/linux/security.h linux-2.6.13-rc3-mm1-lspp_audit/include/linux/security.h --- linux-2.6.13-rc3-mm1/include/linux/security.h 2005-07-18 15:20:35.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/include/linux/security.h 2005-07-18 16:35:02.000000000 -0500 @@ -792,6 +792,11 @@ struct swap_info_struct; * @ipcp contains the kernel IPC permission structure * @flag contains the desired (requested) permission set * Return 0 if permission is granted. + * @ipc_getsecurity: + * Copy the security label associated with the ipc object into + * @buffer. @buffer may be NULL to request the size of the buffer + * required. @size indicates the size of @buffer in bytes. Return + * number of bytes used/required on success. * * Security hooks for individual messages held in System V IPC message queues * @msg_msg_alloc_security: @@ -1140,6 +1145,7 @@ struct security_operations { void (*task_to_inode)(struct task_struct *p, struct inode *inode); int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); + int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size); int (*msg_msg_alloc_security) (struct msg_msg * msg); void (*msg_msg_free_security) (struct msg_msg * msg); @@ -1775,6 +1781,11 @@ static inline int security_ipc_permissio return security_ops->ipc_permission (ipcp, flag); } +static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) +{ + return security_ops->ipc_getsecurity(ipcp, buffer, size); +} + static inline int security_msg_msg_alloc (struct msg_msg * msg) { return security_ops->msg_msg_alloc_security (msg); @@ -2405,6 +2416,11 @@ static inline int security_ipc_permissio return 0; } +static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) +{ + return -EOPNOTSUPP; +} + static inline int security_msg_msg_alloc (struct msg_msg * msg) { return 0; diff -uprN linux-2.6.13-rc3-mm1/ipc/msg.c linux-2.6.13-rc3-mm1-lspp_audit/ipc/msg.c --- linux-2.6.13-rc3-mm1/ipc/msg.c 2005-06-17 14:48:29.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/ipc/msg.c 2005-07-18 16:35:02.000000000 -0500 @@ -441,6 +441,13 @@ asmlinkage long sys_msgctl (int msqid, i if (msq == NULL) goto out_up; + ipcp = &msq->q_perm; + + if (cmd == IPC_SET) { + if ((err = audit_ipc_security_context(ipcp))) + goto out_unlock_up; + } + err = -EIDRM; if (msg_checkid(msq,msqid)) goto out_unlock_up; diff -uprN linux-2.6.13-rc3-mm1/ipc/sem.c linux-2.6.13-rc3-mm1-lspp_audit/ipc/sem.c --- linux-2.6.13-rc3-mm1/ipc/sem.c 2005-07-18 15:20:05.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/ipc/sem.c 2005-07-18 16:35:02.000000000 -0500 @@ -811,12 +811,18 @@ static int semctl_down(int semid, int se if(sma==NULL) return -EINVAL; + ipcp = &sma->sem_perm; + + if(cmd == IPC_SET) { + if ((err = audit_ipc_security_context(ipcp))) + goto out_unlock; + } + if (sem_checkid(sma,semid)) { err=-EIDRM; goto out_unlock; } - ipcp = &sma->sem_perm; - + if (current->euid != ipcp->cuid && current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN)) { err=-EPERM; diff -uprN linux-2.6.13-rc3-mm1/ipc/shm.c linux-2.6.13-rc3-mm1-lspp_audit/ipc/shm.c --- linux-2.6.13-rc3-mm1/ipc/shm.c 2005-06-17 14:48:29.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/ipc/shm.c 2005-07-18 16:35:02.000000000 -0500 @@ -610,6 +610,9 @@ asmlinkage long sys_shmctl (int shmid, i err=-EINVAL; if(shp==NULL) goto out_up; + err = audit_ipc_security_context(&(shp->shm_perm)); + if(err) + goto out_unlock_up; err = shm_checkid(shp,shmid); if(err) goto out_unlock_up; diff -uprN linux-2.6.13-rc3-mm1/ipc/util.c linux-2.6.13-rc3-mm1-lspp_audit/ipc/util.c --- linux-2.6.13-rc3-mm1/ipc/util.c 2005-06-17 14:48:29.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/ipc/util.c 2005-07-18 16:35:02.000000000 -0500 @@ -24,6 +24,7 @@ #include <linux/security.h> #include <linux/rcupdate.h> #include <linux/workqueue.h> +#include <linux/audit.h> #include <asm/unistd.h> @@ -420,6 +421,8 @@ int ipcperms (struct kern_ipc_perm *ipcp { /* flag will most probably be 0 or S_...UGO from <linux/stat.h> */ int requested_mode, granted_mode; + audit_ipc_security_context(ipcp); + requested_mode = (flag >> 6) | (flag >> 3) | flag; granted_mode = ipcp->mode; if (current->euid == ipcp->cuid || current->euid == ipcp->uid) diff -uprN linux-2.6.13-rc3-mm1/kernel/audit.c linux-2.6.13-rc3-mm1-lspp_audit/kernel/audit.c --- linux-2.6.13-rc3-mm1/kernel/audit.c 2005-07-18 15:20:35.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/kernel/audit.c 2005-07-18 16:35:02.000000000 -0500 @@ -147,7 +147,7 @@ struct audit_entry { struct audit_rule rule; }; -static void audit_panic(const char *message) +void audit_panic(const char *message) { switch (audit_failure) { @@ -896,3 +896,4 @@ void audit_log(struct audit_context *ctx audit_log_end(ab); } } + diff -uprN linux-2.6.13-rc3-mm1/kernel/auditsc.c linux-2.6.13-rc3-mm1-lspp_audit/kernel/auditsc.c --- linux-2.6.13-rc3-mm1/kernel/auditsc.c 2005-07-18 15:20:35.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/kernel/auditsc.c 2005-07-19 11:50:15.000000000 -0500 @@ -43,6 +43,7 @@ #include <linux/netlink.h> #include <linux/compiler.h> #include <asm/unistd.h> +#include <linux/security.h> /* 0 = no checking 1 = put_count checking @@ -99,6 +100,7 @@ struct audit_names { gid_t gid; dev_t rdev; unsigned flags; + char *security_context; }; struct audit_aux_data { @@ -108,6 +110,12 @@ struct audit_aux_data { #define AUDIT_AUX_IPCPERM 0 +struct audit_aux_data_security_context { + struct audit_aux_data d; + char *security_context; + size_t security_context_len; +}; + struct audit_aux_data_ipcctl { struct audit_aux_data d; struct ipc_perm p; @@ -167,6 +175,8 @@ struct audit_context { #endif }; +static const char *audit_macxattr; + /* Public API */ /* There are three lists of rules -- one to search at task creation * time, one to search at syscall entry time, and another to search at @@ -650,9 +660,11 @@ static inline void audit_free_names(stru context->ino_count = 0; #endif - for (i = 0; i < context->name_count; i++) + for (i = 0; i < context->name_count; i++) { if (context->names[i].name) __putname(context->names[i].name); + kfree(context->names[i].security_context); + } context->name_count = 0; if (context->pwd) dput(context->pwd); @@ -751,6 +763,37 @@ static inline void audit_free_context(st printk(KERN_ERR "audit: freed %d contexts\n", count); } +static void audit_log_task_security_context(struct audit_buffer *ab) +{ + char *security_context; + ssize_t len = 0; + + len = security_getprocattr(current, "current", NULL, 0); + if (len < 0) { + if (len != -EINVAL) + audit_panic("security_getprocattr error in audit_log_task_security_context"); + return; + } + + security_context = kmalloc(len, GFP_KERNEL); + if (!security_context) { + audit_panic("memory allocation error in audit_log_task_security_context"); + return; + } + + len = security_getprocattr(current, "current", security_context, len); + if (len < 0 ) { + audit_panic("security_getprocattr error in audit_log_task_security_context"); + goto out; + } + + audit_log_format(ab, " scontext=%s", security_context); + +out: + kfree(security_context); + return; +} + static void audit_log_task_info(struct audit_buffer *ab) { char name[sizeof(current->comm)]; @@ -777,6 +820,7 @@ static void audit_log_task_info(struct a vma = vma->vm_next; } up_read(&mm->mmap_sem); + audit_log_task_security_context(ab); } static void audit_log_exit(struct audit_context *context, unsigned int gfp_mask) @@ -848,6 +892,11 @@ static void audit_log_exit(struct audit_ struct audit_aux_data_path *axi = (void *)aux; audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); break; } + case AUDIT_SECURITY_CONTEXT: { + struct audit_aux_data_security_context *axi = (void *)aux; + audit_log_format(ab, " ocontext=%s", axi->security_context); + kfree(axi->security_context); + break; } } audit_log_end(ab); @@ -883,6 +932,10 @@ static void audit_log_exit(struct audit_ context->names[i].gid, MAJOR(context->names[i].rdev), MINOR(context->names[i].rdev)); + if (context->names[i].security_context) { + audit_log_format(ab, " ocontext=%s", + context->names[i].security_context); + } audit_log_end(ab); } } @@ -1098,6 +1151,37 @@ void audit_putname(const char *name) #endif } +void audit_inode_security_context(int idx, const struct inode *inode) +{ + struct audit_context *context = current->audit_context; + int len = 0; + + if (!audit_macxattr) + return; + + len = security_inode_getsecurity((struct inode *)inode, audit_macxattr, NULL, 0); + if (len < 0) { + if (len != -EOPNOTSUPP) + audit_panic("security_inode_getsecurity error in audit_inode_security_context"); + return; + } + + context->names[idx].security_context = kmalloc(len, GFP_KERNEL); + if (!(context->names[idx].security_context)) { + audit_panic("memory allocation error in audit_inode_security_context"); + return; + } + + len = security_inode_getsecurity((struct inode *)inode, audit_macxattr, + context->names[idx].security_context, len); + if (len < 0) { + kfree(context->names[idx].security_context); + audit_panic("security_inode_getsecurity error in audit_inode_security_context"); + } + + return; +} + /* Store the inode and device from a lookup. Called from * fs/namei.c:path_lookup(). */ void audit_inode(const char *name, const struct inode *inode, unsigned flags) @@ -1133,6 +1217,8 @@ void audit_inode(const char *name, const context->names[idx].uid = inode->i_uid; context->names[idx].gid = inode->i_gid; context->names[idx].rdev = inode->i_rdev; + + audit_inode_security_context(idx, inode); } void auditsc_get_stamp(struct audit_context *ctx, @@ -1270,3 +1356,63 @@ void audit_signal_info(int sig, struct t } } +int audit_ipc_security_context(struct kern_ipc_perm *ipcp) +{ + struct audit_aux_data_security_context *ax; + struct audit_context *context = current->audit_context; + int len = 0; + + if (likely(!context)) + return 0; + + ax = kmalloc(sizeof(*ax), GFP_ATOMIC); + if (!ax) { + audit_panic("memory allocation error in audit_ipc_security_context"); + return -ENOMEM; + } + + len = security_ipc_getsecurity(ipcp, NULL, 0); + if (len < 0) { + if (len != -EOPNOTSUPP) + audit_panic("security_ipc_getsecurity error in audit_ipc_security_context"); + return len; + } + + ax->security_context = kmalloc(len, GFP_ATOMIC); + if (!ax->security_context) { + audit_panic("memory allocation error in audit_ipc_security_context"); + kfree(ax); + return -ENOMEM; + } + + len = security_ipc_getsecurity(ipcp, ax->security_context, len); + if (len < 0) { + audit_panic("security_ipc_getsecurity error in audit_ipc_security_context"); + kfree(ax->security_context); + kfree(ax); + return len; + } + + ax->security_context_len = len; + + ax->d.type = AUDIT_SECURITY_CONTEXT; + ax->d.next = context->aux; + context->aux = (void *)ax; + return 0; +} + +/* Set the security XATTR name. This is needed for audit functions + * to obtain the security context of file system objects. */ +int audit_set_macxattr(const char *name) +{ + size_t len = strlen(name)+1; + + if (audit_macxattr) + return -EINVAL; + + audit_macxattr = kmalloc(len, GFP_KERNEL); + if (!audit_macxattr) + return -ENOMEM; + memcpy((void *)audit_macxattr, (const void *)name, len); + return 0; +} diff -uprN linux-2.6.13-rc3-mm1/security/dummy.c linux-2.6.13-rc3-mm1-lspp_audit/security/dummy.c --- linux-2.6.13-rc3-mm1/security/dummy.c 2005-07-18 15:20:36.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/security/dummy.c 2005-07-18 16:35:02.000000000 -0500 @@ -557,6 +557,11 @@ static int dummy_ipc_permission (struct return 0; } +static int dummy_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) +{ + return -EOPNOTSUPP; +} + static int dummy_msg_msg_alloc_security (struct msg_msg *msg) { return 0; @@ -907,6 +912,7 @@ void security_fixup_ops (struct security set_to_dummy_if_null(ops, task_reparent_to_init); set_to_dummy_if_null(ops, task_to_inode); set_to_dummy_if_null(ops, ipc_permission); + set_to_dummy_if_null(ops, ipc_getsecurity); set_to_dummy_if_null(ops, msg_msg_alloc_security); set_to_dummy_if_null(ops, msg_msg_free_security); set_to_dummy_if_null(ops, msg_queue_alloc_security); diff -uprN linux-2.6.13-rc3-mm1/security/selinux/hooks.c linux-2.6.13-rc3-mm1-lspp_audit/security/selinux/hooks.c --- linux-2.6.13-rc3-mm1/security/selinux/hooks.c 2005-07-18 15:20:36.000000000 -0500 +++ linux-2.6.13-rc3-mm1-lspp_audit/security/selinux/hooks.c 2005-07-19 10:56:44.000000000 -0500 @@ -116,6 +116,35 @@ static struct security_operations *secon static LIST_HEAD(superblock_security_head); static DEFINE_SPINLOCK(sb_security_lock); +/* Return security context for a given sid or just the context + length if the buffer is null or length is 0 */ +static int selinux_getsecurity(u32 sid, void *buffer, size_t size) +{ + char *context; + unsigned len; + int rc; + + if (buffer && !size) + return -ERANGE; + + rc = security_sid_to_context(sid, &context, &len); + if (rc) + return rc; + + if (!buffer || !size) + goto getsecurity_exit; + + if (size < len) { + kfree(context); + return -ERANGE; + } + memcpy(buffer, context, len); + +getsecurity_exit: + kfree(context); + return len; +} + /* Allocate and free functions for each kind of security blob. */ static int task_alloc_security(struct task_struct *task) @@ -2232,30 +2261,13 @@ static int selinux_inode_removexattr (st static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) { struct inode_security_struct *isec = inode->i_security; - char *context; - unsigned len; - int rc; /* Permission check handled by selinux_inode_getxattr hook.*/ if (strcmp(name, XATTR_SELINUX_SUFFIX)) return -EOPNOTSUPP; - rc = security_sid_to_context(isec->sid, &context, &len); - if (rc) - return rc; - - if (!buffer || !size) { - kfree(context); - return len; - } - if (size < len) { - kfree(context); - return -ERANGE; - } - memcpy(buffer, context, len); - kfree(context); - return len; + return(selinux_getsecurity(isec->sid, buffer, size)); } static int selinux_inode_setsecurity(struct inode *inode, const char *name, @@ -3360,6 +3372,13 @@ out: return err; } +static int selinux_socket_getsecurity(struct socket *sock, void *buffer, size_t size) +{ + struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; + + return(selinux_getsecurity(isec->sid, buffer, size)); +} + static int selinux_sk_alloc_security(struct sock *sk, int family, int priority) { return sk_alloc_security(sk, family, priority); @@ -4025,6 +4044,13 @@ static int selinux_ipc_permission(struct return ipc_has_perm(ipcp, av); } +static int selinux_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) +{ + struct ipc_security_struct *isec = ipcp->security; + + return(selinux_getsecurity(isec->sid, buffer, size)); +} + /* module stacking operations */ static int selinux_register_security (const char *name, struct security_operations *ops) { @@ -4066,8 +4092,7 @@ static int selinux_getprocattr(struct ta char *name, void *value, size_t size) { struct task_security_struct *tsec; - u32 sid, len; - char *context; + u32 sid; int error; if (current != p) { @@ -4076,9 +4101,6 @@ static int selinux_getprocattr(struct ta return error; } - if (!size) - return -ERANGE; - tsec = p->security; if (!strcmp(name, "current")) @@ -4095,16 +4117,7 @@ static int selinux_getprocattr(struct ta if (!sid) return 0; - error = security_sid_to_context(sid, &context, &len); - if (error) - return error; - if (len > size) { - kfree(context); - return -ERANGE; - } - memcpy(value, context, len); - kfree(context); - return len; + return(selinux_getsecurity(sid, value, size)); } static int selinux_setprocattr(struct task_struct *p, @@ -4299,6 +4312,7 @@ static struct security_operations selinu .task_to_inode = selinux_task_to_inode, .ipc_permission = selinux_ipc_permission, + .ipc_getsecurity = selinux_ipc_getsecurity, .msg_msg_alloc_security = selinux_msg_msg_alloc_security, .msg_msg_free_security = selinux_msg_msg_free_security, @@ -4379,6 +4393,10 @@ static __init int selinux_init(void) if (register_security (&selinux_ops)) panic("SELinux: Unable to register with kernel.\n"); + if (audit_set_macxattr(XATTR_SELINUX_SUFFIX)) { + printk(KERN_WARNING "SELinux: Unable to register xattr name with audit.\n"); + } + if (selinux_enforcing) { printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); } else {

19 years, 9 months

11
46
0 / 0

[PATCH] kerneldoc for kernel/audit*.c

by randy_dunlap

From: Randy Dunlap <rdunlap(a)xenotime.net> for kernel/audit*.c: - add kerneldoc for non-static functions; - don't init static data to 0; - limit lines to < 80 columns; - fix long-format style; - delete whitespace at end of some lines; - break a for loop into 2 lines; Signed-off-by: Randy Dunlap <rdunlap(a)xenotime.net> diffstat:= kernel/audit.c | 133 ++++++++++++++++++++++++++++++++++++----------- kernel/auditsc.c | 153 ++++++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 236 insertions(+), 50 deletions(-) diff -Naurp linux-2613-rc1-git5/kernel/audit.c~kdoc_kernel_audit linux-2613-rc1-git5/kernel/audit.c --- linux-2613-rc1-git5/kernel/audit.c~kdoc_kernel_audit 2005-07-03 20:38:57.000000000 -0700 +++ linux-2613-rc1-git5/kernel/audit.c 2005-07-07 11:46:21.000000000 -0700 @@ -72,7 +72,7 @@ static int audit_failure = AUDIT_FAIL_PR * contains the (non-zero) pid. */ int audit_pid; -/* If audit_limit is non-zero, limit the rate of sending audit records +/* If audit_rate_limit is non-zero, limit the rate of sending audit records * to that number per second. This prevents DoS attacks, but results in * audit records being dropped. */ static int audit_rate_limit; @@ -100,7 +100,7 @@ static struct sock *audit_sock; * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of * being placed on the freelist). */ static DEFINE_SPINLOCK(audit_freelist_lock); -static int audit_freelist_count = 0; +static int audit_freelist_count; static LIST_HEAD(audit_freelist); static struct sk_buff_head audit_skb_queue; @@ -194,8 +194,14 @@ static inline int audit_rate_check(void) return retval; } -/* Emit at least 1 message per second, even if audit_rate_check is - * throttling. */ +/** + * audit_log_lost - conditionally log an audit message + * @message: the message to be logged + * + * Emit at least 1 message per second, even if audit_rate_check is + * throttling. + * Always increment the lost messages counter. +*/ void audit_log_lost(const char *message) { static unsigned long last_msg = 0; @@ -226,7 +232,6 @@ void audit_log_lost(const char *message) audit_backlog_limit); audit_panic(message); } - } static int audit_set_rate_limit(int limit, uid_t loginuid) @@ -307,6 +312,19 @@ int kauditd_thread(void *dummy) } } +/** + * audit_send_reply - send an audit reply message via netlink + * @pid: process id of the listener + * @seq: sequence number + * @type: audit message type + * @done: done (last) flag + * @multi: multi-part message flag + * @payload: payload data + * @size: payload size + * + * Allocates an skb, builds the netlink message, and sends it to the pid. + * No failure notifications. + */ void audit_send_reply(int pid, int seq, int type, int done, int multi, void *payload, int size) { @@ -381,7 +399,8 @@ static int audit_receive_msg(struct sk_b if (err) return err; - /* As soon as there's any sign of userspace auditd, start kauditd to talk to it */ + /* As soon as there's any sign of userspace auditd, + * start kauditd to talk to it */ if (!kauditd_task) kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); if (IS_ERR(kauditd_task)) { @@ -468,9 +487,11 @@ static int audit_receive_msg(struct sk_b return err < 0 ? err : 0; } -/* Get message from skb (based on rtnetlink_rcv_skb). Each message is +/* + * Get message from skb (based on rtnetlink_rcv_skb). Each message is * processed by audit_receive_msg. Malformed skbs with wrong length are - * discarded silently. */ + * discarded silently. + */ static void audit_receive_skb(struct sk_buff *skb) { int err; @@ -597,7 +618,10 @@ err: return NULL; } -/* Compute a serial number for the audit record. Audit records are +/** + * audit_serial - compute a serial number for the audit record + * + * Compute a serial number for the audit record. Audit records are * written to user-space as soon as they are generated, so a complete * audit record may be written in several pieces. The timestamp of the * record and this serial number are used by the user-space tools to @@ -611,7 +635,8 @@ err: * audit context (for those records that have a context), and emit them * all at syscall exit. However, this could delay the reporting of * significant errors until syscall exit (or never, if the system - * halts). */ + * halts). + */ unsigned int audit_serial(void) { static atomic_t serial = ATOMIC_INIT(0xffffff); @@ -638,12 +663,20 @@ static inline void audit_get_stamp(struc } } -/* Obtain an audit buffer. This routine does locking to obtain the +/** + * audit_log_start - obtain an audit buffer + * @ctx: audit_context (may be NULL) + * @type: audit netlink message type + * + * Returns audit_buffer pointer on success or NULL on error. + * + * Obtain an audit buffer. This routine does locking to obtain the * audit buffer, but then no locking is required for calls to - * audit_log_*format. If the tsk is a task that is currently in a + * audit_log_*format. If the task (ctx) is a task that is currently in a * syscall, then the syscall is marked as auditable and an audit record - * will be written at syscall exit. If there is no associated task, tsk - * should be NULL. */ + * will be written at syscall exit. If there is no associated task, then + * task context (ctx) should be NULL. + */ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) { struct audit_buffer *ab = NULL; @@ -681,6 +714,7 @@ struct audit_buffer *audit_log_start(str /** * audit_expand - expand skb in the audit buffer * @ab: audit_buffer + * @extra: space to add at tail of the skb * * Returns 0 (no space) on failed expansion, or available space if * successful. @@ -697,10 +731,12 @@ static inline int audit_expand(struct au return skb_tailroom(skb); } -/* Format an audit message into the audit buffer. If there isn't enough +/* + * Format an audit message into the audit buffer. If there isn't enough * room in the audit buffer, more room will be allocated and vsnprint * will be called a second time. Currently, we assume that a printk - * can't format message larger than 1024 bytes, so we don't either. */ + * can't format message larger than 1024 bytes, so we don't either. + */ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args) { @@ -725,7 +761,8 @@ static void audit_log_vformat(struct aud /* The printk buffer is 1024 bytes long, so if we get * here and AUDIT_BUFSIZ is at least 1024, then we can * log everything that printk could have logged. */ - avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); + avail = audit_expand(ab, + max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); if (!avail) goto out; len = vsnprintf(skb->tail, avail, fmt, args2); @@ -736,8 +773,14 @@ out: return; } -/* Format a message into the audit buffer. All the work is done in - * audit_log_vformat. */ +/** + * audit_log_format - format a message into the audit buffer. + * @ab: audit_buffer + * @fmt: format string + * @...: optional parameters matching @fmt string + * + * All the work is done in audit_log_vformat. + */ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) { va_list args; @@ -749,9 +792,18 @@ void audit_log_format(struct audit_buffe va_end(args); } -/* This function will take the passed buf and convert it into a string of - * ascii hex digits. The new string is placed onto the skb. */ -void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, +/** + * audit_log_hex - convert a buffer to hex and append it to the audit skb + * @ab: the audit_buffer + * @buf: buffer to convert to hex + * @len: length of @buf to be converted + * + * No return value; failure to expand is silently ignored. + * + * This function will take the passed buf and convert it into a string of + * ascii hex digits. The new string is placed onto the skb. + */ +void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) { int i, avail, new_len; @@ -780,10 +832,16 @@ void audit_log_hex(struct audit_buffer * skb_put(skb, len << 1); /* new string is twice the old string */ } -/* This code will escape a string that is passed to it if the string - * contains a control character, unprintable character, double quote mark, +/** + * audit_log_unstrustedstring - log a string that may contain random characters + * @ab: audit_buffer + * @string: string to be logged + * + * This code will escape a string that is passed to it if the string + * contains a control character, unprintable character, double quote mark, * or a space. Unescaped strings will start and end with a double quote mark. - * Strings that are escaped are printed in hex (2 digits per char). */ + * Strings that are escaped are printed in hex (2 digits per char). + */ void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) { const unsigned char *p = string; @@ -822,10 +880,15 @@ void audit_log_d_path(struct audit_buffe kfree(path); } -/* The netlink_* functions cannot be called inside an irq context, so - * the audit buffer is places on a queue and a tasklet is scheduled to +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * The netlink_* functions cannot be called inside an irq context, so + * the audit buffer is placed on a queue and a tasklet is scheduled to * remove them from the queue outside the irq context. May be called in - * any context. */ + * any context. + */ void audit_log_end(struct audit_buffer *ab) { if (!ab) @@ -846,9 +909,17 @@ void audit_log_end(struct audit_buffer * audit_buffer_free(ab); } -/* Log an audit record. This is a convenience function that calls - * audit_log_start, audit_log_vformat, and audit_log_end. It may be - * called in any context. */ +/** + * audit_log - log an audit record + * @ctx: the audit_context + * @type: the audit message type + * @fmt: format string to use + * @...: variable parameters matching the format string + * + * This is a convenience function that calls audit_log_start, + * audit_log_vformat, and audit_log_end. It may be + * called in any context. + */ void audit_log(struct audit_context *ctx, int type, const char *fmt, ...) { struct audit_buffer *ab; diff -Naurp linux-2613-rc1-git5/kernel/auditsc.c~kdoc_kernel_audit linux-2613-rc1-git5/kernel/auditsc.c --- linux-2613-rc1-git5/kernel/auditsc.c~kdoc_kernel_audit 2005-07-03 20:38:57.000000000 -0700 +++ linux-2613-rc1-git5/kernel/auditsc.c 2005-07-07 10:57:44.000000000 -0700 @@ -268,10 +268,21 @@ static int audit_copy_rule(struct audit_ d->fields[i] = s->fields[i]; d->values[i] = s->values[i]; } - for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; + for (i = 0; i < AUDIT_BITMASK_SIZE; i++) + d->mask[i] = s->mask[i]; return 0; } +/** + * audit_receive_filter - apply all rules to the specified message type + * @type: audit message type + * @pid: target pid for netlink audit messages + * @uid: target uid for netlink audit messages + * @seq: netlink audit message sequence (serial) number + * @data: payload data + * @loginuid: loginuid of sender + * + */ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, uid_t loginuid) { @@ -467,7 +478,7 @@ static enum audit_state audit_filter_tas /* At syscall entry and exit time, this filter is called if the * audit_state is not low enough that auditing cannot take place, but is * also not high enough that we already know we have to write an audit - * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). + * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). */ static enum audit_state audit_filter_syscall(struct task_struct *tsk, struct audit_context *ctx, @@ -597,10 +608,15 @@ static inline struct audit_context *audi return context; } -/* Filter on the task information and allocate a per-task audit context +/** + * audit_alloc - allocate an audit context block for a task + * @tsk: task + * + * Filter on the task information and allocate a per-task audit context * if necessary. Doing so turns on system call auditing for the * specified task. This is called from copy_process, so no lock is - * needed. */ + * needed. + */ int audit_alloc(struct task_struct *tsk) { struct audit_context *context; @@ -785,8 +801,12 @@ static void audit_log_exit(struct audit_ } } -/* Free a per-task audit context. Called from copy_process and - * __put_task_struct. */ +/** + * audit_free - free a per-task audit context + * @tsk: task whose audit context block to free + * + * Called from copy_process and __put_task_struct. + */ void audit_free(struct task_struct *tsk) { struct audit_context *context; @@ -806,13 +826,24 @@ void audit_free(struct task_struct *tsk) audit_free_context(context); } -/* Fill in audit context at syscall entry. This only happens if the +/** + * audit_syscall_entry - fill in an audit record at syscall entry + * @tsk: task being audited + * @arch: architecture type + * @major: major syscall type (function) + * @a1: additional syscall register 1 + * @a2: additional syscall register 2 + * @a3: additional syscall register 3 + * @a4: additional syscall register 4 + * + * Fill in audit context at syscall entry. This only happens if the * audit context was created when the task was created and the state or * filters demand the audit context be built. If the state from the * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, * then the record will be written at syscall exit time (otherwise, it * will only be written if another part of the kernel requests that it - * be written). */ + * be written). + */ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, unsigned long a1, unsigned long a2, unsigned long a3, unsigned long a4) @@ -822,7 +853,8 @@ void audit_syscall_entry(struct task_str BUG_ON(!context); - /* This happens only on certain architectures that make system + /* + * This happens only on certain architectures that make system * calls in kernel_thread via the entry.S interface, instead of * with direct calls. (If you are porting to a new * architecture, hitting this condition can indicate that you @@ -886,11 +918,18 @@ void audit_syscall_entry(struct task_str context->auditable = !!(state == AUDIT_RECORD_CONTEXT); } -/* Tear down after system call. If the audit context has been marked as +/** + * audit_syscall_exit - deallocate audit context after a system call + * @tsk: task being audited + * @valid: success/failure flag + * @return_code: syscall return value + * + * Tear down after system call. If the audit context has been marked as * auditable (either because of the AUDIT_RECORD_CONTEXT state from * filtering, or because some other part of the kernel write an audit * message), then write out the syscall information. In call cases, - * free the names stored from getname(). */ + * free the names stored from getname(). + */ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) { struct audit_context *context; @@ -925,7 +964,13 @@ void audit_syscall_exit(struct task_stru put_task_struct(tsk); } -/* Add a name to the list. Called from fs/namei.c:getname(). */ +/** + * audit_getname - add a name to the list + * @name: name to add + * + * Add a name to the list of audit names for this context. + * Called from fs/namei.c:getname(). + */ void audit_getname(const char *name) { struct audit_context *context = current->audit_context; @@ -954,10 +999,13 @@ void audit_getname(const char *name) } -/* Intercept a putname request. Called from - * include/linux/fs.h:putname(). If we have stored the name from - * getname in the audit context, then we delay the putname until syscall - * exit. */ +/* audit_putname - intercept a putname request + * @name: name to intercept and delay for putname + * + * If we have stored the name from getname in the audit context, + * then we delay the putname until syscall exit. + * Called from include/linux/fs.h:putname(). + */ void audit_putname(const char *name) { struct audit_context *context = current->audit_context; @@ -994,8 +1042,13 @@ void audit_putname(const char *name) #endif } -/* Store the inode and device from a lookup. Called from - * fs/namei.c:path_lookup(). */ +/** + * audit_inode - store the inode and device from a lookup + * @name: name being audited + * @inode: inode being audited + * + * Called from fs/namei.c:path_lookup(). + */ void audit_inode(const char *name, const struct inode *inode) { int idx; @@ -1030,6 +1083,14 @@ void audit_inode(const char *name, const context->names[idx].rdev = inode->i_rdev; } +/** + * auditsc_get_stamp - get local copies of audit_context values + * @ctx: audit_context for the task + * @t: timespec to store time recorded in the audit_context + * @serial: serial value that is recorded in the audit_context + * + * Also sets the context as auditable. + */ void auditsc_get_stamp(struct audit_context *ctx, struct timespec *t, unsigned int *serial) { @@ -1039,6 +1100,15 @@ void auditsc_get_stamp(struct audit_cont ctx->auditable = 1; } +/** + * audit_set_loginuid - set a task's audit_context loginuid + * @task: task whose audit context is being modified + * @loginuid: loginuid value + * + * Returns 0. + * + * Called (set) from fs/proc/base.c::proc_loginuid_write(). + */ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) { if (task->audit_context) { @@ -1057,11 +1127,26 @@ int audit_set_loginuid(struct task_struc return 0; } +/** + * audit_get_loginuid - get the loginuid for an audit_context + * @ctx: the audit_context + * + * Returns the context's loginuid or -1 if @ctx is NULL. + */ uid_t audit_get_loginuid(struct audit_context *ctx) { return ctx ? ctx->loginuid : -1; } +/** + * audit_ipc_perms - record audit data for ipc + * @qbytes: msgq bytes + * @uid: msgq user id + * @gid: msgq group id + * @mode: msgq mode (permissions) + * + * Returns 0 for success or NULL context or < 0 on error. + */ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) { struct audit_aux_data_ipcctl *ax; @@ -1085,6 +1170,13 @@ int audit_ipc_perms(unsigned long qbytes return 0; } +/** + * audit_socketcall - record audit data for sys_socketcall + * @nargs: number of args + * @args: args array + * + * Returns 0 for success or NULL context or < 0 on error. + */ int audit_socketcall(int nargs, unsigned long *args) { struct audit_aux_data_socketcall *ax; @@ -1106,6 +1198,13 @@ int audit_socketcall(int nargs, unsigned return 0; } +/** + * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto + * @len: data length in user space + * @a: data address in kernel space + * + * Returns 0 for success or NULL context or < 0 on error. + */ int audit_sockaddr(int len, void *a) { struct audit_aux_data_sockaddr *ax; @@ -1127,6 +1226,15 @@ int audit_sockaddr(int len, void *a) return 0; } +/** + * audit_avc_path - record the granting or denial of permissions + * @dentry: dentry to record + * @mnt: mnt to record + * + * Returns 0 for success or NULL context or < 0 on error. + * + * Called from security/selinux/avc.c::avc_audit() + */ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) { struct audit_aux_data_path *ax; @@ -1148,6 +1256,14 @@ int audit_avc_path(struct dentry *dentry return 0; } +/** + * audit_signal_info - record signal info for shutting down audit subsystem + * @sig: signal value + * @t: task being signaled + * + * If the audit subsystem is being terminated, record the task (pid) + * and uid that is doing that. + */ void audit_signal_info(int sig, struct task_struct *t) { extern pid_t audit_sig_pid; @@ -1164,4 +1280,3 @@ void audit_signal_info(int sig, struct t } } } - ---

19 years, 11 months

3
3
0 / 0

[PATCH] prevent duplicate syscall rules

by Amy Griffis

The following patch against audit.81 prevents duplicate syscall rules in a given filter list by walking the list on each rule add. I also removed the unused struct audit_entry in audit.c and made the static inlines in auditsc.c consistent. Signed-off-by: Amy Griffis <amy.griffis(a)hp.com> audit.c | 5 --- auditsc.c | 95 ++++++++++++++++++++++++++++++++++++-------------------------- 2 files changed, 56 insertions(+), 44 deletions(-) diff -Nrup linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c --- linux-2.6.9.orig/kernel/audit.c 2005-07-29 13:37:34.581058000 -0400 +++ linux-2.6.9/kernel/audit.c 2005-07-29 13:41:32.018555559 -0400 @@ -147,11 +147,6 @@ static void audit_set_pid(struct audit_b nlh->nlmsg_pid = pid; } -struct audit_entry { - struct list_head list; - struct audit_rule rule; -}; - static void audit_panic(const char *message) { switch (audit_failure) diff -Nrup linux-2.6.9.orig/kernel/auditsc.c linux-2.6.9/kernel/auditsc.c --- linux-2.6.9.orig/kernel/auditsc.c 2005-07-29 13:37:34.572269000 -0400 +++ linux-2.6.9/kernel/auditsc.c 2005-07-29 13:53:31.988273302 -0400 @@ -198,9 +198,36 @@ struct audit_entry { extern int audit_pid; +/* Copy rule from user-space to kernel-space. Called from + * audit_add_rule during AUDIT_ADD. */ +static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) +{ + int i; + + if (s->action != AUDIT_NEVER + && s->action != AUDIT_POSSIBLE + && s->action != AUDIT_ALWAYS) + return -1; + if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) + return -1; + if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS) + return -1; + + d->flags = s->flags; + d->action = s->action; + d->field_count = s->field_count; + for (i = 0; i < d->field_count; i++) { + d->fields[i] = s->fields[i]; + d->values[i] = s->values[i]; + } + for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; + return 0; +} + /* Check to see if two rules are identical. It is called from + * audit_add_rule during AUDIT_ADD and * audit_del_rule during AUDIT_DEL. */ -static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) +static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) { int i; @@ -229,18 +256,37 @@ static int audit_compare_rule(struct aud /* Note that audit_add_rule and audit_del_rule are called via * audit_receive() in audit.c, and are protected by * audit_netlink_sem. */ -static inline void audit_add_rule(struct audit_entry *entry, +static inline int audit_add_rule(struct audit_rule *rule, struct list_head *list) { + struct audit_entry *entry; + + /* Do not use the _rcu iterator here, since this is the only + * addition routine. */ + list_for_each_entry(entry, list, list) { + if (!audit_compare_rule(rule, &entry->rule)) { + return -EINVAL; + } + } + + if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) + return -ENOMEM; + if (audit_copy_rule(&entry->rule, rule)) { + kfree(entry); + return -EINVAL; + } + if (entry->rule.flags & AUDIT_FILTER_PREPEND) { entry->rule.flags &= ~AUDIT_FILTER_PREPEND; list_add_rcu(&entry->list, list); } else { list_add_tail_rcu(&entry->list, list); } + + return 0; } -static void audit_free_rule(struct rcu_head *head) +static inline void audit_free_rule(struct rcu_head *head) { struct audit_entry *e = container_of(head, struct audit_entry, rcu); kfree(e); @@ -267,32 +313,6 @@ static inline int audit_del_rule(struct } #ifdef CONFIG_NET -/* Copy rule from user-space to kernel-space. Called during - * AUDIT_ADD. */ -static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) -{ - int i; - - if (s->action != AUDIT_NEVER - && s->action != AUDIT_POSSIBLE - && s->action != AUDIT_ALWAYS) - return -1; - if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) - return -1; - if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS) - return -1; - - d->flags = s->flags; - d->action = s->action; - d->field_count = s->field_count; - for (i = 0; i < d->field_count; i++) { - d->fields[i] = s->fields[i]; - d->values[i] = s->values[i]; - } - for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; - return 0; -} - static int audit_list_rules(void *_dest) { int pid, seq; @@ -322,7 +342,6 @@ static int audit_list_rules(void *_dest) int audit_receive_filter(int type, int pid, int uid, int seq, void *data, uid_t loginuid) { - struct audit_entry *entry; struct task_struct *tsk; int *dest; int err = 0; @@ -349,16 +368,14 @@ int audit_receive_filter(int type, int p } break; case AUDIT_ADD: - if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) - return -ENOMEM; - if (audit_copy_rule(&entry->rule, data)) { - kfree(entry); + listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; + if (listnr >= AUDIT_NR_FILTERS) return -EINVAL; - } - listnr = entry->rule.flags & ~AUDIT_FILTER_PREPEND; - audit_add_rule(entry, &audit_filter_list[listnr]); - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u added an audit rule\n", loginuid); + + err = audit_add_rule(data, &audit_filter_list[listnr]); + if (!err) + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "auid=%u added an audit rule\n", loginuid); break; case AUDIT_DEL: listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;

20 years

2
2
0 / 0

audit.82 kernel

by David Woodhouse

Profiling showed up a couple more bottlenecks Steve spotted a task refcounting leak too. I'm _fairly_ sure the removal of audit_zero_context() is OK. We'll be filling it in again before we use it anyway. * Fri Jul 29 2005 David Woodhouse <dwmw2(a)redhat.com> audit.82 - Speed up audit_filter_syscall() for the fast path - Fix task refcounting in audit_free() and audit_syscall_exit() - Remove audit_zero_context() in audit_syscall_exit() --- linux-2.6.9/kernel/auditsc.c.p20064 2005-07-29 15:46:05.000000000 +0100 +++ linux-2.6.9/kernel/auditsc.c 2005-07-29 15:46:05.000000000 +0100 @@ -523,20 +523,23 @@ static enum audit_state audit_filter_sys struct list_head *list) { struct audit_entry *e; - enum audit_state state; - int word = AUDIT_WORD(ctx->major); - int bit = AUDIT_BIT(ctx->major); + enum audit_state state; if (audit_pid && tsk->tgid == audit_pid) return AUDIT_DISABLED; rcu_read_lock(); - list_for_each_entry_rcu(e, list, list) { - if ((e->rule.mask[word] & bit) == bit - && audit_filter_rules(tsk, &e->rule, ctx, &state)) { - rcu_read_unlock(); - return state; - } + if (!list_empty(list)) { + int word = AUDIT_WORD(ctx->major); + int bit = AUDIT_BIT(ctx->major); + + list_for_each_entry_rcu(e, list, list) { + if ((e->rule.mask[word] & bit) == bit + && audit_filter_rules(tsk, &e->rule, ctx, &state)) { + rcu_read_unlock(); + return state; + } + } } rcu_read_unlock(); return AUDIT_BUILD_CONTEXT; @@ -944,7 +947,7 @@ void audit_free(struct task_struct *tsk) task_unlock(tsk); if (likely(!context)) - return; + goto out; /* Check for system calls that do not go through the exit * function (e.g., exit_group), then free context block. @@ -953,6 +956,7 @@ void audit_free(struct task_struct *tsk) if (context->in_syscall && context->auditable) audit_log_exit(context, GFP_ATOMIC); + out: audit_free_context(context); } @@ -1053,7 +1057,7 @@ void audit_syscall_exit(struct task_stru /* Not having a context here is ok, since the parent may have * called __put_task_struct. */ if (likely(!context)) - return; + goto out; if (context->in_syscall && context->auditable) audit_log_exit(context, GFP_KERNEL); @@ -1069,9 +1073,9 @@ void audit_syscall_exit(struct task_stru } else { audit_free_names(context); audit_free_aux(context); - audit_zero_context(context, context->state); tsk->audit_context = context; } + out: put_task_struct(tsk); } -- dwmw2

20 years

2
5
0 / 0

auditing auditctl

by Amy Griffis

Hello, I've discovered another situation where audit is still auditing itself. When I have audit enabled but I'm not running the daemon, and add rules like: # auditctl -a entry,always -S open # auditctl -a entry,always -S close Doing something like 'auditctl -l' floods the console with audit records. Has anyone else seen this? I'm running the .81 kernel. Thanks, Amy

20 years

4
5
0 / 0

audit 0.9.20 released

by Steve Grubb

Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - Fix ausearch to handle missing audit log better - Fix auditctl blank line handling - Trim trailing '/' from file system watches in auditctl - Catch cases where parameter was passed without option being given to auditctl - Add CAPP sample configuration This is mostly a bug fix release. This release also features a first draft sample CAPP configuration from Amy Griffis of HP. It will be updated as we finalize security concerns. If anyone sees problems, please let me know. -Steve

20 years

1
0
0 / 0

LSPP Requirements -- first pass

by Amy Griffis

Hello, I've looked through the LSPP spec for audit requirements and the list below is what I've found. Some of the requirements around devices may be optional depending on what is in a security target. If anyone has more info on that, please share. If anyone else wants to take a look at the spec and see if I've missed something, I'd appreciate it. I think the next steps should be: * Determine each audit record field in our current set of possible records that requires a sensitivity label (marked TODO below). * List where requirements necessitate changes to kernel, audit tools, or applications. Additionally, user attributes will now include the SELinux user identity and SELinux role. Is there ever a need to include that information in audit records generated by the audit subsystem? Or will all events requiring that information be logged by SELinux? Here is the list. I've included the relevant section of the LSPP spec in parentheses. Audit LSPP Requirements ----------------------- 1. Each audit record must have sensitivity labels of subjects, objects, or the information involved. (5.1.1.2) << TODO: determine each audit record field that requires a sensitivity label. >> 2. An administrator must be able to search or sort the audit log data based on subject and object sensitivity labels. (5.1.5) 3. An administrator must be able to include or exclude events from the set of audited events, based on subject and object sensitivity labels. (5.1.6) 4. If a device is used to export both labeled and unlabeled data, the change in device state must be auditable. (5.2.3, 5.2.4) 5. If a device is used to export labeled data, any change in the security attribute settings of the device must be audited. (5.2.4) 6. Any overriding of printed labels must be audited. (5.2.4) 7. If a device is used to import both labeled and unlabeled data, the change in device state must be auditable. (5.2.7, 5.2.8) 8. If a device is used to import labeled or unlabeled data, any change in the security attribute settings of the device must be audited. (5.2.8) Your comments welcome! Amy

20 years

3
2
0 / 0

auditctl bug: load rules from file

by Amy Griffis

Hi Steve, I discovered a usability bug in auditctl while attempting to load rules from a file. When auditctl reaches a line containing only whitespace, it silently terminates, without loading the remainder of the rules. I suppose either continuing on, or terminating with an error message would be acceptable behavior. Thanks, Amy

20 years

3
11
0 / 0

audit.81 kernel

by David Woodhouse

Profiling shows we spend 20% of CPU time in check_poison_obj. That might explain some of the performance degradation :) Some arches are still building but some are already uploaded... * Sat Jul 16 2005 David Woodhouse <dwmw2(a)redhat.com> audit.81 - Disable slab debugging -- dwmw2

20 years

1
0
0 / 0

audit message output to console

by Michael C Thompson

Hey all, I am seeing the following output to terminal: audit(1121876490.976:53271): user pid=8726 uid=0 auid=0 msg='userdel: op=deleting user from shadow group acct=laf_b res=failed' audit(1121876490.976:53272): user pid=8726 uid=0 auid=0 msg='userdel: op=deleting mail file acct=laf_b res=failed' audit(1121876490.976:53273): user pid=8726 uid=0 auid=0 msg='userdel: op=deleting home directory acct=laf_b res=success' audit: *NO* daemon at audit_pid=9283 audit: *NO* daemon at audit_pid=9335 audit: *NO* daemon at audit_pid=9434 audit(1121876521.166:53363): auid=0 removed watch audit: *NO* daemon at audit_pid=9552 audit(1121876528.766:53387): user pid=9596 uid=0 auid=0 msg='useradd: op=adding user to group acct=laf_b res=success' audit(1121876528.766:53388): user pid=9596 uid=0 auid=0 msg='useradd: op=adding user to shadow group acct=laf_b res=success' audit(1121876528.766:53389): user pid=9596 uid=0 auid=0 msg='useradd: op=adding home directory acct=laf_b res=success' audit(1121876528.856:53390): user pid=9597 uid=0 auid=0 msg='useradd: op=adding user acct=laf_c res=success' audit(1121876528.856:53391): user pid=9597 uid=0 auid=0 msg='useradd: op=adding user to group acct=laf_c res=success' audit(1121876528.856:53392): user pid=9597 uid=0 auid=0 msg='useradd: op=adding user to shadow group acct=laf_c res=success' audit(1121876528.856:53393): user pid=9597 uid=0 auid=0 msg='useradd: op=adding home directory acct=laf_c res=success' And I just wanted to make sure this is the intended action when there is no audit daemon running. (If the audit daemon is running, these messages are captured & logged). The output to screen is essentially a copy of what appears in /var/log/messages. Mike

20 years

3
4
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit July 2005