[PATCH] missing audit_syscall_exit() on sigsuspend exit to signal handler
by David Woodhouse
When we leave sigsuspend() directly into a signal handler, we don't want
to go via the normal syscall exit path -- it'll corrupt r4 and r5 which
are supposed to be giving information to the signal handler, and it'll
give us one more single-step SIGTRAP than we need if single-stepping is
in operation.
However, we _should_ be calling audit_syscall_exit(), which would
normally get invoked in that path. It's not wonderfully pretty, but I
suspect the best answer is just to call it directly...
Signed-off-by: David Woodhouse <dwmw2(a)infradead.org>
--- linux-2.6.12/arch/ppc64/kernel/asm-offsets.c.audit 2005-08-24 23:21:51.000000000 +0100
+++ linux-2.6.12/arch/ppc64/kernel/asm-offsets.c 2005-08-24 23:34:26.000000000 +0100
@@ -68,6 +68,7 @@ int main(void)
DEFINE(THREAD_USED_VR, offsetof(struct thread_struct, used_vr));
#endif /* CONFIG_ALTIVEC */
DEFINE(MM, offsetof(struct task_struct, mm));
+ DEFINE(AUDITCONTEXT, offsetof(struct task_struct, audit_context));
DEFINE(DCACHEL1LINESIZE, offsetof(struct ppc64_caches, dline_size));
DEFINE(DCACHEL1LOGLINESIZE, offsetof(struct ppc64_caches, log_dline_size));
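Review bot: AUDITCONTEXT is emitted unconditionally, whereas THREAD_USED_VR just above sits under #ifdef CONFIG_ALTIVEC; the only consumer of this offset is the new call to .audit_syscall_exit in entry.S, which is a real symbol only when syscall auditing is configured, so either wrap this DEFINE (and the call site) in #ifdef CONFIG_AUDITSYSCALL or confirm that both the task_struct member and the callee exist in every configuration this file is built for.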
--- linux-2.6.12/arch/ppc64/kernel/entry.S.audit 2005-08-24 23:20:57.000000000 +0100
+++ linux-2.6.12/arch/ppc64/kernel/entry.S 2005-08-24 23:33:18.000000000 +0100
@@ -276,12 +276,20 @@ _GLOBAL(ppc64_rt_sigsuspend)
_GLOBAL(ppc32_rt_sigsuspend)
bl .save_nvgprs
bl .sys32_rt_sigsuspend
- /* If sigsuspend() returns zero, we are going into a signal handler */
70: cmpdi 0,r3,0
- beq .ret_from_except
- /* If it returned -EINTR, we need to return via syscall_exit to set
+ /* If it returned an error, we need to return via syscall_exit to set
the SO bit in cr0 and potentially stop for ptrace. */
- b syscall_exit
+ bne syscall_exit
+ /* If sigsuspend() returns zero, we are going into a signal handler. We
+ may need to call audit_syscall_exit() to mark the exit from sigsuspend() */
+ ld r3,PACACURRENT(r13)
+ ld r4,AUDITCONTEXT(r3)
+ cmpdi 0,r4,0
+ beq .ret_from_except /* No audit_context: Leave immediately. */
+ li r4, 2 /* AUDITSC_FAILURE */
+ li r5,-4 /* It's always -EINTR */
+ bl .audit_syscall_exit
+ b .ret_from_except
_GLOBAL(ppc_fork)
bl .save_nvgprs
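Review bot: the two arguments to audit_syscall_exit are hardcoded as bare numbers (`li r4, 2 /* AUDITSC_FAILURE */` and `li r5,-4 /* It's always -EINTR */`), so they will silently drift if the enum value or the errno ever changes; emit them through asm-offsets.c the same way AUDITCONTEXT is (e.g. DEFINE(AUDITSC_FAILURE, AUDITSC_FAILURE) and a negated EINTR) and use one spacing style for the two `li` lines. Also, only ppc32_rt_sigsuspend is visible in the hunk; the @@ context names ppc64_rt_sigsuspend and the shared `70:` label suggests it reaches this tail too, so confirm the ppc64 entry takes the new audit path rather than an old copy of the `beq .ret_from_except` branch.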
--
dwmw2
19 years, 4 months
audit 1.0.3 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit . It will also be in rawhide
tomorrow. The Changelog is:
- adjust file perms of newly created log file in auditd
- fix 2 memory leaks and an out of bounds access in auditd
- fix case where auditd was closing netlink descriptor too early
- fix watch rules not to take field arguments in auditctl
- fix bug where inode, devmajor, devminor, exit, and success fields in
auditctl rules were not getting the correct value stored
This is a bug fix release. There was a big bug found by Amy Griffis of HP
where several field values are set to 0 before being sent into the kernel.
The fields affected are: inode, devmajor, devminor, exit, and success. Thanks
for reporting it!
Please let me know if there are any problems.
-Steve
19 years, 4 months
Initial CUPS auditing patch
by Matt Anderson
After seeing what Cory and TCS have done I started working on some of
the other LSPP requirements around printing. Attached is a patch that
applies on top of Cups 1.2.23 with the TCS patch applied.
Right now the patch is a basic auditing framework with only a few audited
events such as the classification of the cups daemon, if users are
allowed to override the banners on the command line, that sort of thing.
The patch currently uses AUDIT_USER as the message type. This was
suggested by Steve as a work around while the message types are being
decided. So far I've only really made Job related messages and Config
related messages, but I'm sure more will come.
Some sample messages are:
'CUPS Config: ClassifyOverride is enabled'
'CUPS Config: System wide Classification set to "classified"'
'CUPS Config: Setting printer "freecoffee" banners to "secret" "secret"'
'CUPS Config: Setting printer "localghost" banners to "topsecret" "none"'
'CUPS Job #1: being printed on "freecoffee" with labels "classified"
"classified"'
One thing I did try to do, but have since removed, is attempt to
determine if the user specified "-o job_sheets=foo" which is the cups
way to override the banners. It seems that with a system wide
classification set this user option is overwritten. Auditing the
client's end of printing could present some challenges due to the client
- server nature of cups. One option may be to expand the way cups does
IPP to include more meta data in the client request, although this is
not without issues.
Cups does seem to have support for classifications and labels, and this
patch and the one from TCS improve on those features, but at this point
I'm concerned that its basic infrastructure isn't right for what we need
from a strict LSPP perspective. Things like a label translation table
built-in seems like a feature that Trusted/Labeled printing users would
like, but doesn't seem like something Cups would want to upstream.
I'm going to be away through the end of this week, but I wanted to get this
out for comments. I'll be checking in on my mail, but don't be offended
if I don't get back to you right away.
-matt
19 years, 4 months
AUDIT_INODE
by Amy Griffis
Hi Steve,
I just discovered that it is no longer possible to add syscall rules
based on an inode number. I believe this is due to your recent change
preventing a user from adding exit-based syscall rule fields to an
entry-based rule. This should fix it for inodes and the other fields
as well.
Regards,
Amy
diff -Nrup audit-1.0.2.orig/lib/libaudit.c audit-1.0.2/lib/libaudit.c
--- audit-1.0.2.orig/lib/libaudit.c 2005-08-08 15:16:10.000000000 -0400
+++ audit-1.0.2/lib/libaudit.c 2005-08-22 11:38:16.615787233 -0400
@@ -762,7 +762,7 @@ int audit_rule_fieldpair(struct audit_ru
case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
if (flags == AUDIT_FILTER_ENTRY)
return -7;
- break;
+ /* fallthrough */
default:
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
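Review bot: with the fallthrough, every field in AUDIT_DEVMAJOR...AUDIT_SUCCESS is now parsed by the default branch's strtol(v, NULL, 0), which returns 0 without any error for non-numeric input; if any field in that range (success in particular) is meant to accept a word such as yes/no, give it its own case ahead of default, and consider checking the end pointer so that a value that fails to parse is reported rather than stored as 0, which is exactly the symptom this patch is fixing. The /* fallthrough */ comment is the right way to mark the intent.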
19 years, 4 months
USER_END for ssh?
by Rob Myers
should there be a corresponding USER_END message for every USER_START
message?
i do not see any messages indicating the end of an ssh session, but the
messages i expect are shown at the start of an ssh session.
thanks for any pointers.
rob.
19 years, 4 months
[PATCH] change default mode of audit.log to 640
by Rob Myers
steve-
the attached patch also prevents ausearch from checking for group write
permissions on audit.log, which i missed in what i pasted earlier on
irc. this patch will be an improvement for me because i create an audit
group that i want to be able to review the logs, but not to modify them.
unless this has unintended consequences, or breaks things for someone
else please apply.
thanks.
rob.
19 years, 4 months
path-based filesystem watch limitation
by Amy Griffis
Hello,
I've been taking a look at the auditfs code in U2, and I've noticed an
issue with the path-based watching. In U2, the path-based watching
code only keeps tabs on the parent of a given user watch, instead of
watching the entire path back to the filesystem root.
This means that if a path component beyond the user watch's parent
changes, the recreation of the object at the watched path will not be
caught. Any subsequent events on the object at the watched path will
also not be caught.
For example:
# auditctl -w /one/two/three/four
# mkdir -p /one/two/three
# :> /one/two/three/four
# echo "hello world" > /one/two/three/four
<audit records generated>
# mv /one/two /one/too
# mkdir -p /one/two/three
# :> /one/two/three/four
# echo "hello world" > /one/two/three/four
<no audit records generated>
Is this a known limitation?
Amy
19 years, 4 months
Re: CAPP mode for audit
by Amy Griffis
Steve Grubb wrote: [Wed Aug 10 2005, 04:09:35PM EDT]
> On Wednesday 10 August 2005 15:58, Amy Griffis wrote:
> > I think it would help if audit had a finer-grained mechanism for
> > specifying events to watch for.
>
> Please elaborate. I am mulling over the next specs. Maybe an example
> usage, too?
A few weeks ago in #audit, Tim, Rob (_blah_) and I discussed using the
inotify events. For example, from inotify.h:
/* the following are legal, implemented events that user-space can watch for */
#define IN_ACCESS 0x00000001 /* File was accessed */
#define IN_MODIFY 0x00000002 /* File was modified */
#define IN_ATTRIB 0x00000004 /* Metadata changed */
#define IN_CLOSE_WRITE 0x00000008 /* Writtable file was closed */
#define IN_CLOSE_NOWRITE 0x00000010 /* Unwrittable file closed */
#define IN_OPEN 0x00000020 /* File was opened */
#define IN_MOVED_FROM 0x00000040 /* File was moved from X */
#define IN_MOVED_TO 0x00000080 /* File was moved to Y */
#define IN_CREATE 0x00000100 /* Subfile was created */
#define IN_DELETE 0x00000200 /* Subfile was deleted */
#define IN_DELETE_SELF 0x00000400 /* Self was deleted */
/* helper events */
#define IN_CLOSE (IN_CLOSE_WRITE | IN_CLOSE_NOWRITE) /* close */
#define IN_MOVE (IN_MOVED_FROM | IN_MOVED_TO) /* moves */
#define IN_ALL_EVENTS (IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_CLOSE_WRITE | \
IN_CLOSE_NOWRITE | IN_OPEN | IN_MOVED_FROM | \
IN_MOVED_TO | IN_DELETE | IN_CREATE | IN_DELETE_SELF)
I suppose an example might be to use -E for event (as -e is already
taken). There are too many possibilities to practically use a single
character "mask", so you'd probably have to do something like:
-E access -E modify -E move
or
-E all
Any other ideas?
Amy
19 years, 4 months
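A prototype of the -E syntax sketched in the message above, added here as an example and not code from auditctl or the kernel: the bit values are the inotify.h constants quoted in the message; the word-to-bit table, the comma-separated form (-E access,close) and the mask_to_names round trip are my assumptions about how such an option might behave.

```python
"""Prototype parser for a hypothetical 'auditctl -E <event>' option.

Added example, not auditctl code. The bit values come from the inotify.h
excerpt quoted in the mailing-list message; the event names, the comma
syntax and the helper-collapsing renderer are assumptions.
"""
IN_ACCESS, IN_MODIFY, IN_ATTRIB = 0x001, 0x002, 0x004
IN_CLOSE_WRITE, IN_CLOSE_NOWRITE, IN_OPEN = 0x008, 0x010, 0x020
IN_MOVED_FROM, IN_MOVED_TO = 0x040, 0x080
IN_CREATE, IN_DELETE, IN_DELETE_SELF = 0x100, 0x200, 0x400
IN_CLOSE = IN_CLOSE_WRITE | IN_CLOSE_NOWRITE
IN_MOVE = IN_MOVED_FROM | IN_MOVED_TO
IN_ALL_EVENTS = (IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_CLOSE_WRITE
                 | IN_CLOSE_NOWRITE | IN_OPEN | IN_MOVED_FROM
                 | IN_MOVED_TO | IN_DELETE | IN_CREATE | IN_DELETE_SELF)

# Single-bit events, keyed by the word a user would type after -E (assumed).
BASE_EVENTS = {
    "access": IN_ACCESS, "modify": IN_MODIFY, "attrib": IN_ATTRIB,
    "close_write": IN_CLOSE_WRITE, "close_nowrite": IN_CLOSE_NOWRITE,
    "open": IN_OPEN, "moved_from": IN_MOVED_FROM, "moved_to": IN_MOVED_TO,
    "create": IN_CREATE, "delete": IN_DELETE, "delete_self": IN_DELETE_SELF,
}
# Helper names mirroring the inotify.h helper masks, plus "all".
HELPER_EVENTS = {"close": IN_CLOSE, "move": IN_MOVE, "all": IN_ALL_EVENTS}


def event_mask(args):
    """Fold repeated '-E name[,name...]' pairs from an argv slice into a mask.

    Raises ValueError on a dangling -E, an unknown event name, or any
    argument that is not part of an -E pair, so a typo cannot silently
    produce a rule that watches nothing.
    """
    mask = 0
    it = iter(args)
    for arg in it:
        if arg != "-E":
            raise ValueError(f"unexpected argument: {arg!r}")
        spec = next(it, None)
        if spec is None:
            raise ValueError("-E needs an event name")
        for name in spec.split(","):
            bits = BASE_EVENTS.get(name, HELPER_EVENTS.get(name))
            if bits is None:
                raise ValueError(f"unknown event: {name!r}")
            mask |= bits
    return mask


def mask_to_names(mask):
    """Render a mask as the shortest list of -E words, collapsing helpers."""
    if mask & ~IN_ALL_EVENTS:
        raise ValueError(f"mask {mask:#x} has bits outside IN_ALL_EVENTS")
    if mask == IN_ALL_EVENTS:
        return ["all"]
    names = []
    for name, bits in HELPER_EVENTS.items():
        if name != "all" and mask & bits == bits:
            names.append(name)
            mask &= ~bits
    names.extend(n for n, b in BASE_EVENTS.items() if mask & b)
    return names


if __name__ == "__main__":
    argv = ["-E", "access", "-E", "modify", "-E", "move"]
    m = event_mask(argv)
    print(f"{' '.join(argv)} -> {m:#05x} -> -E {','.join(mask_to_names(m))}")
```

The renderer is what a tool like auditctl -l would use to print a rule back in the same vocabulary the user typed, so "moved_from" plus "moved_to" comes out as "move" rather than two separate words.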
two sets of fs_watch/fs_inode messages?
by Linda Knippers
I'm running the sample CAPP rules with the .87 kernel and 1.0.1
audit tools. I'm seeing duplicate watch/inode messages sometimes.
The sample CAPP rules set a watch on all access to /etc/sysconfig
(-w /etc/sysconfig/). I created a file (ljk) in /etc/sysconfig and
when I update it (echo "1" > /etc/sysconfig/ljk) I get audit
records like below. Notice that the FS_WATCH and FS_INODE
lines show up twice. That doesn't seem right. Any ideas?
-- ljk
type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028
success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1
pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882
watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882
watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552): cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk"
flags=310 inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00
19 years, 4 months
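A small checker for the symptom above, added here as an example and not part of the original post or of the audit tools: it rejoins the records quoted above into one line each, groups records by audit serial, and flags any record that appears more than once with identical fields inside one event. The same parser also serves Rob Myers' earlier USER_END question by pairing USER_START with USER_END; the three session lines at the end of the sample are constructed, and pairing on pid is an assumption about how sshd emits them.

```python
"""Audit log sanity checks: duplicated records within one event, and
USER_START records that never get a USER_END.

Added example, not audit-tools code. The FS_* records are the ones quoted in
the mailing-list post (wrapped lines rejoined); the USER_START/USER_END lines
are constructed, and their field layout is an assumption.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552): cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310 inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_START msg=audit(1123701600.000:2553): user pid=3800 uid=0 auid=500 msg='PAM session open'
type=USER_START msg=audit(1123701601.000:2554): user pid=3801 uid=0 auid=501 msg='PAM session open'
type=USER_END msg=audit(1123701650.000:2555): user pid=3800 uid=0 auid=500 msg='PAM session close'
"""

# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be double-quoted, single-quoted, or bare (even empty).
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""")


def parse_record(line):
    """Return {type, ts, serial, fields} for one record line, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}


def group_events(lines):
    """All records sharing one serial form one event, in file order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def find_duplicate_records(events):
    """(serial, type, count) for records repeated verbatim inside one event.

    Comparing the full field set, not just the type, keeps legitimate
    repeats (one PATH record per item) from being reported.
    """
    dups = []
    for serial in sorted(events):
        seen = Counter((r["type"], tuple(sorted(r["fields"].items())))
                       for r in events[serial])
        for (rtype, _), n in seen.items():
            if n > 1:
                dups.append((serial, rtype, n))
    return dups


def unmatched_sessions(events):
    """USER_START records with no later USER_END from the same pid.

    Assumption: the session open and close records are emitted by the same
    process, so pid is a usable pairing key.
    """
    open_sessions = {}
    for serial in sorted(events):
        for r in events[serial]:
            pid = r["fields"].get("pid")
            if r["type"] == "USER_START":
                open_sessions[pid] = r
            elif r["type"] == "USER_END":
                open_sessions.pop(pid, None)
    return sorted(open_sessions.values(), key=lambda r: r["serial"])


if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG.splitlines())
    for serial, rtype, n in find_duplicate_records(ev):
        print(f"event {serial}: {rtype} record repeated {n}x")
    for r in unmatched_sessions(ev):
        f = r["fields"]
        print(f"event {r['serial']}: USER_START pid={f['pid']} auid={f['auid']} has no USER_END")
```

Run against a real /var/log/audit/audit.log the duplicate check will also surface any record type emitted twice for a single syscall, which is the quickest way to tell a kernel-side double emission from a log that was simply appended twice.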
Is audit really disabled?
by James Morris
I'm using audit=0 at the kernel command line, have auditd disabled. Boot
messages:
audit: disabled (after initialization)
audit: initializing netlink socket (disabled) <- confusing
audit(1123705334.896:1): initialized
# auditctl -s
AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=64 lost=0
backlog=0
kauditd is running and I appear to be getting some audit messages on the
console.
What's going on here?
- James
--
James Morris
<jmorris(a)redhat.com>
19 years, 4 months