[2.6 patch] kernel/audit.c: remove unused exports
by Adrian Bunk
This patch removes the following unused EXPORT_SYMBOL's:
- audit_log_start
- audit_log_end
- audit_log_format
- audit_log
Signed-off-by: Adrian Bunk <bunk(a)stusta.de>
---
This patch was already sent on:
- 20 Apr 2006
--- linux-2.6.17-rc1-mm3-full/kernel/audit.c.old 2006-04-20 22:38:17.000000000 +0200
+++ linux-2.6.17-rc1-mm3-full/kernel/audit.c 2006-04-20 22:40:03.000000000 +0200
@@ -1092,7 +1092,3 @@
}
}
-EXPORT_SYMBOL(audit_log_start);
-EXPORT_SYMBOL(audit_log_end);
-EXPORT_SYMBOL(audit_log_format);
-EXPORT_SYMBOL(audit_log);
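Review bot: the description should say how "unused" was established (an in-tree grep of the 2.6.17-rc1-mm3 tree), because audit_log_start/audit_log_end/audit_log_format/audit_log are the entry points that any modular code uses to write audit records, and removing the exports turns a missing in-tree caller into a load-time failure for such modules rather than a build-time one; if modular callers are not a supported use, state that in the changelog.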
[PATCH 1/1] fix several things in ipsec audit
by Joy Latten
Steve, if this looks ok to you I will send to netdev.
I compiled and tested with and without CONFIG_AUDITSYSCALL.
-------------------------------------------------------------
This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL
is disabled in the kernel.
This patch also includes a bug fix for xfrm_state.c as a result of original
ipsec audit patch.
Regards,
Joy
diff -urpN linux-2.6.18-patch/include/net/xfrm.h linux-2.6.18-patch.2/include/net/xfrm.h
--- linux-2.6.18-patch/include/net/xfrm.h 2006-11-27 12:29:11.000000000 -0600
+++ linux-2.6.18-patch.2/include/net/xfrm.h 2006-11-28 13:26:49.000000000 -0600
@@ -395,8 +395,13 @@ struct xfrm_audit
uid_t loginuid;
u32 secid;
};
-void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
+
+#ifdef CONFIG_AUDITSYSCALL
+extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
struct xfrm_policy *xp, struct xfrm_state *x);
+#else
+#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
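Review bot: the `#else` stub `#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)` gates IPsec auditing on CONFIG_AUDITSYSCALL rather than CONFIG_AUDIT, so a kernel built with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n silently loses every SAD/SPD record even though audit_log_start/audit_log_format/audit_log_end, which xfrm_audit_log itself uses, are available with CONFIG_AUDIT alone. If the real dependency is that audit_get_loginuid() and audit_log_task_context() live in kernel/auditsc.c, say so in the description; otherwise gate on CONFIG_AUDIT. The stub also discards its arguments unevaluated, which is fine for the plain-variable call sites in this patch but should be kept in mind if a call ever passes an expression with side effects.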
diff -urpN linux-2.6.18-patch/net/xfrm/xfrm_policy.c linux-2.6.18-patch.2/net/xfrm/xfrm_policy.c
--- linux-2.6.18-patch/net/xfrm/xfrm_policy.c 2006-11-27 12:29:33.000000000 -0600
+++ linux-2.6.18-patch.2/net/xfrm/xfrm_policy.c 2006-11-28 14:51:09.000000000 -0600
@@ -1955,6 +1955,7 @@ int xfrm_bundle_ok(struct xfrm_policy *p
EXPORT_SYMBOL(xfrm_bundle_ok);
+#ifdef CONFIG_AUDITSYSCALL
/* Audit addition and deletion of SAs and ipsec policy */
void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
@@ -2063,6 +2064,7 @@ void xfrm_audit_log(uid_t auid, u32 sid,
}
EXPORT_SYMBOL(xfrm_audit_log);
+#endif /* CONFIG_AUDITSYSCALL */
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
diff -urpN linux-2.6.18-patch/net/xfrm/xfrm_state.c linux-2.6.18-patch.2/net/xfrm/xfrm_state.c
--- linux-2.6.18-patch/net/xfrm/xfrm_state.c 2006-11-27 12:29:33.000000000 -0600
+++ linux-2.6.18-patch.2/net/xfrm/xfrm_state.c 2006-11-28 12:58:56.000000000 -0600
@@ -407,7 +407,6 @@ restart:
xfrm_state_hold(x);
spin_unlock_bh(&xfrm_state_lock);
- xfrm_state_delete(x);
err = xfrm_state_delete(x);
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
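Review bot: good catch in the xfrm_state_flush loop: with the removed line left in, xfrm_state_delete(x) ran twice for every state, and `err` (and therefore the res= value handed to xfrm_audit_log) reflected the second call rather than the one that actually removed the state. A one-line mention in the description ("fix double xfrm_state_delete() in xfrm_state_flush") would make the fix findable in the log.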
audit 1.3 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
tomorrow. The Changelog is:
- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- New ausearch/aureport time keywords: recent, this-week, this-month,
this-year
- Added --add & --delete option to aureport
- Update res parsing in config change events
- Increase the size on audit daemon buffers
- Parse avc_path records in ausearch/aureport
- Rework AVC processing in ausearch/aureport
- ausearch has new output mode, raw, for extracting events
- ausearch/aureport can now read stdin
- Added long options to ausearch and aureport
- new auditd commandline option, -l, to allow following symlinks for its
config file.
This is a big update with several new things. The first three are performance
improvement things.
The next item introduces some new keywords for time ranges. recent means 10
minutes ago, this-week means since day 0 of the week as determined by your
locale, this-month means day 1 of the current month, and this-year means 1/1
of the current year.
The next item adds 2 new command line options to aureport. This is intended to
sort out things that are related to adding rules/users/groups vs deleting
them. This can be handy to divide up config change reports.
The next 4 items are bug fixes.
ausearch has a new output mode, --raw. This means that the audit log entry is
emitted with no interpretation and no changes. This is handy to extract
portions of logs for use later or as the first stage of piping commands
together. If you have a user you want to extract logs for, you can now do
this:
ausearch -ts this-week -ul 500 > user.log
The next item in the new features is that ausearch/aureport can now take
events from stdin. So, you can now do something like this:
ausearch -ts this-month -ul 500 --raw | aureport
The next item is that every commandline option in ausearch/aureport has a long
option. This means that you can do this:
ausearch --start this-week --loginuid 500 --message avc --terminal tty1
or
aureport --start this-month --failed --event
The final item is a commandline option allowing auditd to follow symlinks to
read its config file. I guess this might be useful for people doing stateless
or live CDs where the writeable files are kept somewhere else.
If you see any issues with this release please let me know.
-Steve
Chronological audit logs
by Kirkwood, David A
Can someone tell me how I can generate a chronological listing between 2
dates of all the issues I have designated to watch in the audit capabilities
of the system? I need to get a system with audit capability sufficiently
palatable to the Defense Department for classified use. I currently use Sun
workstations and generate the audit logs via praudit and was looking for
some way to set up similar archived weekly audit logs.
Thanks,
David A. Kirkwood
SAIC
david.a.kirkwood(a)saic.com
kirkwoodd(a)saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
[PATCH] minor update to rule add/delete messages
by Steve Grubb
Hi,
I was looking at parsing some of these messages and found that I wanted what
it was doing next to an op= for the parser to key on. Also, you can search on
the key field for a lot of things and I think it's missing in a couple places,
as is the list number and results.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
--- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2006-11-28 14:23:17.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/auditfilter.c 2006-11-28 14:21:51.000000000 -0500
@@ -938,9 +938,15 @@ static void audit_update_watch(struct au
}
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "audit updated rules specifying path=");
+ audit_log_format(ab, "op=updated rules specifying path=");
audit_log_untrustedstring(ab, owatch->path);
audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
+ if (r->filterkey) {
+ audit_log_format(ab, " key=");
+ audit_log_untrustedstring(ab, r->filterkey);
+ } else
+ audit_log_format(ab, " key=(null)");
+ audit_log_format(ab, " list=%d res=1", r->listnr);
audit_log_end(ab);
audit_remove_watch(owatch);
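Review bot: the new `op=updated rules specifying path=` value contains spaces, so a parser keying on op= (the stated goal of the patch) will read the op as just `updated`; use a single token such as op=updated_rules and keep free text out of the value. In the same hunk, the pre-existing `\n` at the end of `" with dev=%u ino=%lu\n"` now lands in the middle of the record, ahead of the appended key=/list=/res= fields, so drop it to keep the record on one line.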
@@ -970,14 +976,14 @@ static void audit_remove_parent_watches(
e = container_of(r, struct audit_entry, rule);
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "audit implicitly removed rule path=");
+ audit_log_format(ab, "op=remove rule path=");
audit_log_untrustedstring(ab, w->path);
if (r->filterkey) {
audit_log_format(ab, " key=");
audit_log_untrustedstring(ab, r->filterkey);
} else
audit_log_format(ab, " key=(null)");
- audit_log_format(ab, " list=%d", r->listnr);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
audit_log_end(ab);
list_del(&r->rlist);
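Review bot: `op=remove rule path=` has the same embedded-space problem as the first hunk, and it also drops the word "implicitly", so a rule the kernel removed on its own because its parent watch vanished is now logged exactly like an administrator's explicit delete; use a distinct single token (for example op=remove_parent_watch) so the two cases stay distinguishable. Hardwiring res=1 is only right if nothing on this path can fail, which is worth a short comment.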
@@ -1411,7 +1417,7 @@ static void audit_log_rule_change(uid_t
audit_log_format(ab, " subj=%s", ctx);
kfree(ctx);
}
- audit_log_format(ab, " %s rule key=", action);
+ audit_log_format(ab, " op=%s rule key=", action);
if (rule->filterkey)
audit_log_untrustedstring(ab, rule->filterkey);
else
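Review bot: `" op=%s rule key="` still splits the op field at the space, because the literal ` rule` follows whatever action is substituted; either drop ` rule` so the op value is the bare action, or make the whole thing one token, and keep the op= vocabulary identical across the three hunks so one parser rule covers every config-change event.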
syscall record for mq_unlink
by Michael C Thompson
Hey Steve,
So, Happy Thanksgiving, is this a bug? :P
Audit record:
type=SYSCALL msg=audit(1164127960.194:49): arch=c000003e syscall=241
success=yes exit=0 a0=2aaaaab2171d a1=2aaaaab2171c a2=7fff69a6cab8
a3=2aaaafb31188 items=3 ppid=1758 pid=1791 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="python"
exe="/usr/bin/python" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1164127960.194:49):
cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/kernel/security/mls/tests/framework"
type=PATH msg=audit(1164127960.194:49): item=0 name="-RNHJnfkU"
type=PATH msg=audit(1164127960.194:49): item=1 name=(null) inode=7385
dev=00:0d mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=abat_u:object_r:abat_tmpfs_t:s0
type=PATH msg=audit(1164127960.194:49): item=2 name=(null) inode=338
dev=00:0d mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
The syscall prototype in the kernel is as follows:
asmlinkage long sys_mq_unlink(const char __user *u_name)
The function call is:
ret = mq_unlink(msgqid);
The value of char *msgqid is:
2aaaaab2171c
So, the question is:
Why is a0=(msgqid)+1, and why is a1=(msgqid)
I am not sure if this is some crazy "feature" or if this is a real bug.
I know there are some syscalls that differ from the glibc-level calls,
but this one violates the function internal to the kernel.
Any ideas? This is on the lspp.55 kernel.
Thanks,
Mike
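Steve's release note above describes `ausearch --raw` output and the new time keywords, and Mike's post shows a raw SYSCALL/CWD/PATH event in exactly that layout. The following is an added example (my code, not part of the audit project or of either post) that parses raw records, groups them by event serial, resolves the 1.3 time keywords against a supplied `now`, filters by login uid, and decodes the hex a0..a3 arguments so the a0 = a1 + 1 observation can be checked mechanically. The sample records are constructed from the shapes in the thread (event 49 is Mike's record, trimmed; event 50 is made up); treating day 0 of the week as Sunday and working in UTC rather than the local time ausearch uses are assumptions.

```python
"""Parse raw Linux audit records (the ausearch --raw layout), group them by
event serial, and decode SYSCALL fields.  Added example, not audit code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in the thread's layout: event 49 is Mike's
# mq_unlink record (trimmed), event 50 is made up for a second login uid.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1164127960.194:49): arch=c000003e syscall=241 success=yes exit=0 a0=2aaaaab2171d a1=2aaaaab2171c a2=7fff69a6cab8 a3=2aaaafb31188 items=3 ppid=1758 pid=1791 auid=4294967295 uid=0 gid=0 tty=pts1 comm="python" exe="/usr/bin/python" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1164127960.194:49): cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/kernel/security/mls/tests/framework"
type=PATH msg=audit(1164127960.194:49): item=0 name="-RNHJnfkU"
type=SYSCALL msg=audit(1164127999.001:50): arch=c000003e syscall=2 success=no exit=-13 a0=7fff69a6c000 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2000 auid=500 uid=500 gid=500 tty=pts2 comm="cat" exe="/bin/cat" key="watch-etc"
type=PATH msg=audit(1164127999.001:50): item=0 name="/etc/shadow"
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def utc(*args):
    """A UTC datetime; ausearch itself works in local time (assumption: UTC here)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_record(line):
    """Split one raw record into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a raw audit record: %r" % line)
    rtype, secs, millis, serial, rest = m.groups()
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc) + timedelta(milliseconds=int(millis))
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, int(serial), fields


def group_events(raw_text):
    """Records that share a serial belong to one event; return events ordered by serial."""
    events = {}
    for line in raw_text.splitlines():
        if line.strip():
            rtype, ts, serial, fields = parse_record(line)
            ev = events.setdefault(serial, {"serial": serial, "ts": ts, "records": []})
            ev["records"].append((rtype, fields))
    return [events[s] for s in sorted(events)]


def syscall_fields(event):
    """The event's SYSCALL record fields, or None if it has no SYSCALL record."""
    for rtype, fields in event["records"]:
        if rtype == "SYSCALL":
            return fields
    return None


def syscall_args(event):
    """a0..a3 are printed as bare hex without 0x; decode them to integers."""
    f = syscall_fields(event)
    return None if f is None else [int(f["a%d" % i], 16) for i in range(4)]


def resolve_start(keyword, now):
    """Start instant for the ausearch 1.3 keywords: recent = 10 minutes ago,
    this-week = day 0 of the week (assumed Sunday, like tm_wday), this-month =
    the 1st, this-year = 1 January; all at midnight except recent."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if keyword == "recent":
        return now - timedelta(minutes=10)
    if keyword == "this-week":
        return midnight - timedelta(days=(now.weekday() + 1) % 7)
    if keyword == "this-month":
        return midnight.replace(day=1)
    if keyword == "this-year":
        return midnight.replace(month=1, day=1)
    raise ValueError("unknown time keyword: %s" % keyword)


def filter_events(events, loginuid=None, since=None):
    """Keep events whose SYSCALL auid matches loginuid and that are not older than since."""
    kept = []
    for ev in events:
        f = syscall_fields(ev)
        if loginuid is not None and (f is None or int(f.get("auid", "-1")) != loginuid):
            continue
        if since is not None and ev["ts"] < since:
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    events = group_events(SAMPLE_RAW)
    now = utc(2006, 11, 21, 20, 0)          # constructed "now", a few hours after the sample
    for ev in filter_events(events, loginuid=500, since=resolve_start("this-week", now)):
        print(ev["serial"], syscall_fields(ev)["comm"], [hex(a) for a in syscall_args(ev)])
    a0, a1 = syscall_args(events[0])[:2]
    print("event 49: a0 - a1 =", a0 - a1)     # the one-byte offset Mike asks about
```

Fed the output of `ausearch -ts this-week --raw` on stdin instead of SAMPLE_RAW, group_events gives the same per-event structure that aureport consumes, and filter_events reproduces the `-ul 500` selection in a form you can extend with your own predicates (for example, keep only events whose PATH records touch a given directory).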
[PATCH 2.6.19-rc6] audit: support for descriptor pairs
by Mark Workman
Provide an audit record of the descriptor pair returned by pipe() and
socketpair().
Signed-off-by: Jeremy Latt <jlatt(a)faceprint.com>
Signed-off-by: Steven Trieber <spt(a)mitre.org>
Signed-off-by: Mark Workman <mworkman(a)mitre.org>
---
fs/pipe.c | 7 +++++++
include/linux/audit.h | 9 +++++++++
kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++
net/socket.c | 34 ++++++++++++++++++++++++++--------
4 files changed, 82 insertions(+), 8 deletions(-)
---
diff -uprN -X a/Documentation/dontdiff a/fs/pipe.c b/fs/pipe.c
--- a/fs/pipe.c 2006-11-17 16:39:33.000000000 -0500
+++ b/fs/pipe.c 2006-11-17 17:34:24.000000000 -0500
@@ -16,6 +16,7 @@
#include <linux/uio.h>
#include <linux/highmem.h>
#include <linux/pagemap.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/ioctls.h>
@@ -972,6 +973,10 @@ int do_pipe(int *fd)
goto err_fdr;
fdw = error;
+ error = audit_fd_pair(fdr, fdw);
+ if (error < 0)
+ goto err_fdw;
+
fd_install(fdr, fr);
fd_install(fdw, fw);
fd[0] = fdr;
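Review bot: the audit_fd_pair() call sits after both descriptors are reserved and before fd_install(), and the new err_fdw label releases fdw before falling into err_fdr, so the unwind order is correct; note, however, that an audit allocation failure now makes pipe() itself fail with -ENOMEM, which is a behaviour change worth one sentence in the commit message.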
@@ -979,6 +984,8 @@ int do_pipe(int *fd)
return 0;
+ err_fdw:
+ put_unused_fd(fdw);
err_fdr:
put_unused_fd(fdr);
err_read_pipe:
diff -uprN -X a/Documentation/dontdiff a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h 2006-11-17 16:39:38.000000000 -0500
+++ b/include/linux/audit.h 2006-11-17 17:34:24.000000000 -0500
@@ -89,6 +89,7 @@
#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */
#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
+#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
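Review bot: the new record type 1317 needs a matching entry in the userspace audit library's message-type table so ausearch/aureport print it by name rather than as an unknown numeric type; mention the companion userspace change in the description.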
@@ -382,6 +383,7 @@ extern int __audit_ipc_set_perm(unsigned
extern int audit_bprm(struct linux_binprm *bprm);
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
+extern int __audit_fd_pair(int fd1, int fd2);
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
extern int audit_set_macxattr(const char *name);
extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr);
@@ -396,6 +398,12 @@ static inline int audit_ipc_obj(struct k
return __audit_ipc_obj(ipcp);
return 0;
}
+static inline int audit_fd_pair(int fd1, int fd2)
+{
+ if (unlikely(!audit_dummy_context()))
+ return __audit_fd_pair(fd1, fd2);
+ return 0;
+}
static inline int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
if (unlikely(!audit_dummy_context()))
@@ -453,6 +461,7 @@ extern int audit_n_rules;
#define audit_ipc_set_perm(q,u,g,m) ({ 0; })
#define audit_bprm(p) ({ 0; })
#define audit_socketcall(n,a) ({ 0; })
+#define audit_fd_pair(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
#define audit_set_macxattr(n) do { ; } while (0)
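Review bot: the `#else` stub `#define audit_fd_pair(n,a) ({ 0; })` copies its parameter names from audit_socketcall(n,a); name them (fd1,fd2) to match the inline version so the stub does not suggest a count-and-array signature.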
diff -uprN -X a/Documentation/dontdiff a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c 2006-11-17 16:39:43.000000000 -0500
+++ b/kernel/auditsc.c 2006-11-17 17:34:24.000000000 -0500
@@ -169,6 +169,11 @@ struct audit_aux_data_sockaddr {
char a[0];
};
+struct audit_aux_data_fd_pair {
+ struct audit_aux_data d;
+ int fd[2];
+};
+
struct audit_aux_data_path {
struct audit_aux_data d;
struct dentry *dentry;
@@ -956,6 +961,11 @@ static void audit_log_exit(struct audit_
audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
break; }
+ case AUDIT_FD_PAIR: {
+ struct audit_aux_data_fd_pair *axs = (void *)aux;
+ audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
+ break; }
+
}
audit_log_end(ab);
}
@@ -1808,6 +1818,36 @@ int audit_socketcall(int nargs, unsigned
}
/**
+ * __audit_fd_pair - record audit data for pipe and socketpair
+ * @fd1: the first file descriptor
+ * @fd2: the second file descriptor
+ *
+ * Returns 0 for success or NULL context or < 0 on error.
+ */
+int __audit_fd_pair(int fd1, int fd2)
+{
+ struct audit_context *context = current->audit_context;
+ struct audit_aux_data_fd_pair *ax;
+
+ if (likely(!context)) {
+ return 0;
+ }
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+ if (!ax) {
+ return -ENOMEM;
+ }
+
+ ax->fd[0] = fd1;
+ ax->fd[1] = fd2;
+
+ ax->d.type = AUDIT_FD_PAIR;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
+
+/**
* audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
* @len: data length in user space
* @a: data address in kernel space
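Review bot: the kerneldoc says "Returns 0 for success or NULL context or < 0 on error" but should also state that -ENOMEM propagates to the caller and fails the syscall, since do_pipe and sys_socketpair in this patch both `goto` their error labels on it. Style: the braces around the single-statement `return` bodies in `if (likely(!context))` and `if (!ax)` are not kernel style, and the unlikely/likely pair (the inline wrapper already checks audit_dummy_context()) could be a short comment explaining why a second NULL check is kept here.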
diff -uprN -X a/Documentation/dontdiff a/net/socket.c b/net/socket.c
--- a/net/socket.c 2006-11-17 16:39:45.000000000 -0500
+++ b/net/socket.c 2006-11-17 17:34:24.000000000 -0500
@@ -1200,6 +1200,7 @@ asmlinkage long sys_socketpair(int famil
{
struct socket *sock1, *sock2;
int fd1, fd2, err;
+ struct file *newfile1, *newfile2;
/*
* Obtain the first socket and check if the underlying protocol
@@ -1218,18 +1219,34 @@ asmlinkage long sys_socketpair(int famil
if (err < 0)
goto out_release_both;
- fd1 = fd2 = -1;
+ fd1 = sock_alloc_fd(&newfile1);
+ if (likely(fd1 >= 0)) {
+ err = sock_attach_fd(sock1, newfile1);
+
+ if (unlikely(err < 0)) {
+ put_filp(newfile1);
+ put_unused_fd(fd1);
+ goto out_release_both;
+ }
+ }
- err = sock_map_fd(sock1);
- if (err < 0)
- goto out_release_both;
- fd1 = err;
+ fd2 = sock_alloc_fd(&newfile2);
+ if (likely(fd2 >= 0)) {
+ err = sock_attach_fd(sock2, newfile2);
+
+ if (unlikely(err < 0)) {
+ put_filp(newfile2);
+ put_unused_fd(fd2);
+ goto out_close_1;
+ }
+ }
- err = sock_map_fd(sock2);
+ err = audit_fd_pair(fd1, fd2);
if (err < 0)
- goto out_close_1;
- fd2 = err;
+ goto out_close_2;
+ fd_install(fd1, newfile1);
+ fd_install(fd2, newfile2);
/* fd1 and fd2 may be already another descriptors.
* Not kernel problem.
*/
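Review bot: error handling in the rewritten sys_socketpair is incomplete. If sock_alloc_fd(&newfile1) fails, fd1 is negative, but the `if (likely(fd1 >= 0))` block merely skips the attach and execution continues into sock_alloc_fd(&newfile2), audit_fd_pair(fd1, fd2) and fd_install(fd1, newfile1) with a negative descriptor and an uninitialised newfile1; the same holds for fd2. Each allocation failure needs its own `err = fdN; goto ...` unwind. Second, both `goto out_close_1` (attach failure for sock2) and the new `goto out_close_2` (audit failure) land on sys_close() calls, yet at that point neither descriptor has been fd_install()ed, so sys_close returns -EBADF and the reserved fd numbers and struct file objects leak; before fd_install the unwind must be put_filp(newfile) plus put_unused_fd(fd), as the inline failure branches already do.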
@@ -1240,6 +1257,7 @@ asmlinkage long sys_socketpair(int famil
if (!err)
return 0;
+out_close_2:
sys_close(fd2);
sys_close(fd1);
return err;
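Review bot: out_close_2 is placed in front of the pre-existing sys_close(fd2); sys_close(fd1) pair, but the only jump to it comes from before the fd_install() calls, where sys_close cannot find either descriptor; either move audit_fd_pair() after the two fd_install() calls (accepting that an audit failure then closes installed fds) or give the label its own put_filp/put_unused_fd unwind.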
[PATCH 1/1]:ipsec audit: additional change when AUDITSYSCALL is off
by Joy Latten
Steve,
I have successfully compiled and run the following kernels with this patch.
- lspp 55 kernel source with config that comes with it
- lspp 55 kernel source with CONFIG_SELINUX turned off in config
- lspp 55 kernel source with CONFIG_AUDITSYSCALL turned off
(this compilation resulted in my having to add the following line to
linux/audit.h so that the kernel would compile. Let me know if
that looks ok or not.)
+#define audit_log_task_context(b) do { ; } while (0)
If the new line of code I added looks ok, let me know and I will send the
patch to netdev and cc you.
When I tested the kernel with CONFIG_AUDITSYSCALL turned off, I
noticed that I did receive the expected messages in the audit.log.
Is that ok? Should I have also turned off CONFIG_AUDIT? Or was I just
ensuring that kernel compiled with CONFIG_AUDITSYSCALL turned off?
Thanks!
Regards,
Joy
----------------------------------------------------------------------------
diff -urpN linux-2.6.18.ppc64.orig/include/linux/audit.h linux-2.6.18.ppc64.test/include/linux/audit.h
--- linux-2.6.18.ppc64.orig/include/linux/audit.h 2006-11-20 09:52:19.000000000 -0600
+++ linux-2.6.18.ppc64.test/include/linux/audit.h 2006-11-20 18:05:30.000000000 -0600
@@ -100,6 +100,10 @@
#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
+#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */
+#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */
+#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
+#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
@@ -376,6 +380,7 @@ extern void auditsc_get_stamp(struct aud
struct timespec *t, unsigned int *serial);
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
extern uid_t audit_get_loginuid(struct audit_context *ctx);
+extern void audit_log_task_context(struct audit_buffer *ab);
extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
extern int audit_bprm(struct linux_binprm *bprm);
@@ -448,6 +453,7 @@ extern int audit_n_rules;
#define audit_inode_update(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
#define audit_get_loginuid(c) ({ -1; })
+#define audit_log_task_context(b) do { ; } while (0)
#define audit_ipc_obj(i) ({ 0; })
#define audit_ipc_set_perm(q,u,g,m) ({ 0; })
#define audit_bprm(p) ({ 0; })
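Review bot: the stub is in the right place, beside the `audit_get_loginuid(c) ({ -1; })` stub in the CONFIG_AUDITSYSCALL=n section, since the real function lives in kernel/auditsc.c; note that in this configuration audit_get_loginuid returns -1, so every IPsec record carries auid=4294967295 and no subj=, which is only acceptable if unattributed SAD/SPD records are acceptable, and that is the real answer to the "is that ok" question.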
diff -urpN linux-2.6.18.ppc64.orig/include/net/xfrm.h linux-2.6.18.ppc64.test/include/net/xfrm.h
--- linux-2.6.18.ppc64.orig/include/net/xfrm.h 2006-11-20 09:52:43.000000000 -0600
+++ linux-2.6.18.ppc64.test/include/net/xfrm.h 2006-11-20 11:05:49.000000000 -0600
@@ -371,9 +371,17 @@ struct xfrm_mgr
extern int xfrm_register_km(struct xfrm_mgr *km);
extern int xfrm_unregister_km(struct xfrm_mgr *km);
-
extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
+/* Audit Information */
+struct xfrm_audit
+{
+ uid_t loginuid;
+ u32 secid;
+};
+void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
+ struct xfrm_policy *xp, struct xfrm_state *x);
+
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
if (likely(policy != NULL))
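Review bot: the xfrm_audit_log() prototype added here is unconditional, while the definition in net/xfrm/xfrm_policy.c calls audit_log_start(), audit_log_task_context() and references audit_enabled; with CONFIG_AUDIT=n the first is a stub and the other two do not exist, so that configuration will not link (the follow-up patch on this page adds a CONFIG_AUDITSYSCALL guard for exactly this reason). A short comment on who fills `struct xfrm_audit` (netlink callers use NETLINK_CB(skb).loginuid/sid, PF_KEY callers pass secid 0) would also help readers of the header.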
@@ -904,7 +912,7 @@ extern int xfrm_state_update(struct xfrm
extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family);
extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
extern int xfrm_state_delete(struct xfrm_state *x);
-extern void xfrm_state_flush(u8 proto);
+extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_notify(struct xfrm_state *x, int event);
@@ -952,13 +960,12 @@ int xfrm_policy_insert(int dir, struct x
struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
struct xfrm_sec_ctx *ctx, int delete);
struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
-void xfrm_policy_flush(void);
u32 xfrm_get_acqseq(void);
void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
xfrm_address_t *daddr, xfrm_address_t *saddr,
int create, unsigned short family);
-extern void xfrm_policy_flush(void);
+extern void xfrm_policy_flush(struct xfrm_audit *audit_info);
extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
extern int xfrm_flush_bundles(void);
extern void xfrm_flush_all_bundles(void);
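Review bot: good cleanup of the duplicated xfrm_policy_flush() declaration (one with and one without extern); only the extern one survives, now with the struct xfrm_audit parameter.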
diff -urpN linux-2.6.18.ppc64.orig/kernel/auditsc.c linux-2.6.18.ppc64.test/kernel/auditsc.c
--- linux-2.6.18.ppc64.orig/kernel/auditsc.c 2006-11-20 09:51:06.000000000 -0600
+++ linux-2.6.18.ppc64.test/kernel/auditsc.c 2006-11-20 11:02:36.000000000 -0600
@@ -730,7 +730,7 @@ static inline void audit_free_context(st
printk(KERN_ERR "audit: freed %d contexts\n", count);
}
-static void audit_log_task_context(struct audit_buffer *ab)
+void audit_log_task_context(struct audit_buffer *ab)
{
char *ctx = NULL;
ssize_t len = 0;
@@ -759,6 +759,8 @@ error_path:
return;
}
+EXPORT_SYMBOL(audit_log_task_context);
+
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
char name[sizeof(tsk->comm)];
@@ -1489,6 +1491,8 @@ uid_t audit_get_loginuid(struct audit_co
return ctx ? ctx->loginuid : -1;
}
+EXPORT_SYMBOL(audit_get_loginuid);
+
/**
* __audit_mq_open - record audit data for a POSIX MQ open
* @oflag: open flag
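Review bot: audit_log_task_context() is made non-static and exported, and audit_get_loginuid() gains an export in the second hunk; state which modular user needs them (net/key/af_key.c can be built as a module, net/xfrm cannot) and consider EXPORT_SYMBOL_GPL, since these are audit-internal helpers rather than a public API.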
diff -urpN linux-2.6.18.ppc64.orig/net/key/af_key.c linux-2.6.18.ppc64.test/net/key/af_key.c
--- linux-2.6.18.ppc64.orig/net/key/af_key.c 2006-11-20 09:53:03.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/key/af_key.c 2006-11-20 11:06:15.000000000 -0600
@@ -27,6 +27,7 @@
#include <linux/proc_fs.h>
#include <linux/init.h>
#include <net/xfrm.h>
+#include <linux/audit.h>
#include <net/sock.h>
@@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, st
else
err = xfrm_state_update(x);
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
__xfrm_state_put(x);
@@ -1462,6 +1466,10 @@ static int pfkey_delete(struct sock *sk,
}
err = xfrm_state_delete(x);
+
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+
if (err < 0)
goto out;
@@ -1637,12 +1645,15 @@ static int pfkey_flush(struct sock *sk,
{
unsigned proto;
struct km_event c;
+ struct xfrm_audit audit_info;
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
if (proto == 0)
return -EINVAL;
- xfrm_state_flush(proto);
+ audit_info.loginuid = audit_get_loginuid(current->audit_context);
+ audit_info.secid = 0;
+ xfrm_state_flush(proto, &audit_info);
c.data.proto = proto;
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
@@ -2194,6 +2205,8 @@ static int pfkey_spdadd(struct sock *sk,
err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
if (err)
goto out;
@@ -2270,7 +2283,11 @@ static int pfkey_spddelete(struct sock *
xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1);
security_xfrm_policy_free(&tmp);
- if (xp == NULL)
+
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+
+ if (xp == NULL)
return -ENOENT;
err = 0;
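Review bot: when xfrm_policy_bysel_ctx() returns NULL the audit call passes xp=NULL and x=NULL, and xfrm_audit_log (in the xfrm_policy.c hunk of this patch) then executes `family = x->props.family` in its else branch, a NULL dereference on the "policy not found" path; either skip the audit call when xp is NULL or make xfrm_audit_log emit a result-only record when both pointers are NULL.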
@@ -2404,8 +2421,11 @@ static int key_notify_policy_flush(struc
static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
struct km_event c;
+ struct xfrm_audit audit_info;
- xfrm_policy_flush();
+ audit_info.loginuid = audit_get_loginuid(current->audit_context);
+ audit_info.secid = 0;
+ xfrm_policy_flush(&audit_info);
c.event = XFRM_MSG_FLUSHPOLICY;
c.pid = hdr->sadb_msg_pid;
c.seq = hdr->sadb_msg_seq;
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2006-11-20 14:03:05.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c 2006-11-20 13:49:47.000000000 -0600
@@ -24,6 +24,7 @@
#include <linux/module.h>
#include <net/xfrm.h>
#include <net/ip.h>
+#include <linux/audit.h>
DEFINE_MUTEX(xfrm_cfg_mutex);
EXPORT_SYMBOL(xfrm_cfg_mutex);
@@ -541,7 +542,7 @@ struct xfrm_policy *xfrm_policy_byid(int
}
EXPORT_SYMBOL(xfrm_policy_byid);
-void xfrm_policy_flush(void)
+void xfrm_policy_flush(struct xfrm_audit *audit_info)
{
struct xfrm_policy *xp;
int dir;
@@ -552,6 +553,8 @@ void xfrm_policy_flush(void)
xfrm_policy_list[dir] = xp->next;
write_unlock_bh(&xfrm_policy_lock);
+ xfrm_audit_log(audit_info->loginuid, audit_info->secid,
+ AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
xfrm_policy_kill(xp);
write_lock_bh(&xfrm_policy_lock);
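Review bot: the record is emitted after write_unlock_bh() and before xfrm_policy_kill(), so the allocation inside xfrm_audit_log runs without the policy lock held, which is fine; but result is hardwired to 1 before xfrm_policy_kill() runs, so the record claims success for a deletion that has not happened yet, which is only right if xfrm_policy_kill cannot fail and deserves a comment saying so.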
@@ -1367,6 +1370,116 @@ int xfrm_bundle_ok(struct xfrm_policy *p
EXPORT_SYMBOL(xfrm_bundle_ok);
+/* Audit addition and deletion of SAs and ipsec policy */
+
+void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
+ struct xfrm_policy *xp, struct xfrm_state *x)
+{
+
+ char *secctx;
+ u32 secctx_len;
+ struct xfrm_sec_ctx *sctx = NULL;
+ struct audit_buffer *audit_buf;
+ int family;
+ extern int audit_enabled;
+
+
+ if (audit_enabled == 0)
+ return;
+
+ audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
+ if (audit_buf == NULL)
+ return;
+
+ switch(type) {
+ case AUDIT_MAC_IPSEC_ADDSA:
+ audit_log_format(audit_buf, "SAD add: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_DELSA:
+ audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_ADDSPD:
+ audit_log_format(audit_buf, "SPD add: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_DELSPD:
+ audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
+ break;
+ default:
+ return;
+ }
+
+ if (sid != 0 &&
+ security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
+ audit_log_format(audit_buf, " subj=%s", secctx);
+ else
+ audit_log_task_context(audit_buf);
+
+ if (xp) {
+ family = xp->selector.family;
+ if (xp->security)
+ sctx = xp->security;
+ } else {
+ family = x->props.family;
+ if (x->security)
+ sctx = x->security;
+ }
+
+ if (sctx)
+ audit_log_format(audit_buf,
+ " sec_alg=%u sec_doi=%u sec_obj=%s",
+ sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);
+
+ switch(family) {
+ case AF_INET:
+ {
+ struct in_addr saddr, daddr;
+ if (xp) {
+ saddr.s_addr = xp->selector.saddr.a4;
+ daddr.s_addr = xp->selector.daddr.a4;
+ } else {
+ saddr.s_addr = x->props.saddr.a4;
+ daddr.s_addr = x->id.daddr.a4;
+ }
+ audit_log_format(audit_buf,
+ " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
+ NIPQUAD(saddr), NIPQUAD(daddr));
+ }
+ break;
+ case AF_INET6:
+ {
+ struct in6_addr saddr6, daddr6;
+ if (xp) {
+ memcpy(&saddr6, xp->selector.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, xp->selector.daddr.a6,
+ sizeof(struct in6_addr));
+ } else {
+ memcpy(&saddr6, x->props.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, x->id.daddr.a6,
+ sizeof(struct in6_addr));
+ }
+ audit_log_format(audit_buf,
+ " src=" NIP6_FMT "dst=" NIP6_FMT,
+ NIP6(saddr6), NIP6(daddr6));
+ }
+ break;
+ }
+
+ if (x)
+ audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
+ (unsigned long)ntohl(x->id.spi),
+ (unsigned long)ntohl(x->id.spi),
+ x->id.proto == IPPROTO_AH ? "AH" :
+ (x->id.proto == IPPROTO_ESP ?
+ "ESP" : "IPCOMP"));
+
+ audit_log_format(audit_buf, " res=%u", result);
+ audit_log_end(audit_buf);
+}
+
+EXPORT_SYMBOL(xfrm_audit_log);
+
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
int err = 0;
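Review bot: xfrm_audit_log dereferences x whenever xp is NULL (`family = x->props.family`, `x->security`, and again in the AF_INET/AF_INET6 blocks), yet two call sites in this patch (pfkey_spddelete and xfrm_get_policy) pass both xp and x as NULL when the policy is not found; add an early `if (!xp && !x)` path that logs only auid/subj/res, or guard those calls. Further points in this hunk: the `default: return;` in the type switch leaks the buffer obtained from audit_log_start() because audit_log_end() is never reached, so validate type before allocating; `secctx` from security_secid_to_secctx() is never freed, whereas audit_log_rule_change earlier on this page kfree()s its ctx after use; the IPv6 format `" src=" NIP6_FMT "dst=" NIP6_FMT` lacks the space before dst=; `extern int audit_enabled;` inside the function body belongs in the header; and logging spi twice (%lu and 0x%lx) plus the stacked blank lines are cosmetic.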
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c 2006-11-20 14:03:08.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c 2006-11-20 13:50:03.000000000 -0600
@@ -19,6 +19,7 @@
#include <linux/ipsec.h>
#include <linux/module.h>
#include <asm/uaccess.h>
+#include <linux/audit.h>
struct sock *xfrm_nl;
EXPORT_SYMBOL(xfrm_nl);
@@ -123,6 +124,7 @@ static void xfrm_timer_handler(unsigned
unsigned long now = (unsigned long)xtime.tv_sec;
long next = LONG_MAX;
int warn = 0;
+ int err = 0;
spin_lock(&x->lock);
if (x->km.state == XFRM_STATE_DEAD)
@@ -180,8 +182,13 @@ expired:
next = 2;
goto resched;
}
- if (!__xfrm_state_delete(x) && x->id.spi)
+
+ err = __xfrm_state_delete(x);
+ if (!err && x->id.spi)
km_state_expired(x, 1, 0);
+
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
out:
spin_unlock(&x->lock);
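Review bot: xfrm_timer_handler runs from a timer, so `current` there is whatever task happened to be interrupted, and audit_get_loginuid(current->audit_context) attributes the expiry-driven SA deletion to an unrelated login uid (audit_log_start(current->audit_context, ...) may likewise attach the record to that task's syscall context); pass an explicit auid of -1 and secid 0 for timer-initiated deletions, or record the creator's auid in struct xfrm_state at add time. The call is also made with x->lock held: audit_log_start with GFP_ATOMIC is safe there, but audit_log_task_context() (taken whenever secid is 0) allocates as well, so its allocation flags need checking.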
@@ -284,10 +291,11 @@ int xfrm_state_delete(struct xfrm_state
}
EXPORT_SYMBOL(xfrm_state_delete);
-void xfrm_state_flush(u8 proto)
+void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
{
int i;
struct xfrm_state *x;
+ int err = 0;
spin_lock_bh(&xfrm_state_lock);
for (i = 0; i < XFRM_DST_HSIZE; i++) {
@@ -298,7 +306,13 @@ restart:
xfrm_state_hold(x);
spin_unlock_bh(&xfrm_state_lock);
- xfrm_state_delete(x);
+ err = xfrm_state_delete(x);
+
+ xfrm_audit_log(audit_info->loginuid,
+ audit_info->secid,
+ AUDIT_MAC_IPSEC_DELSA,
+ err ? 0 : 1, NULL, x);
+
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
@@ -1130,6 +1144,7 @@ void xfrm_state_delete_tunnel(struct xfr
if (atomic_read(&t->tunnel_users) == 2)
xfrm_state_delete(t);
+
atomic_dec(&t->tunnel_users);
xfrm_state_put(t);
x->tunnel = NULL;
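Review bot: this hunk only adds a blank line in xfrm_state_delete_tunnel; drop it from the patch.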
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c 2006-11-20 09:53:04.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c 2006-11-20 11:06:17.000000000 -0600
@@ -27,6 +27,7 @@
#include <net/xfrm.h>
#include <net/netlink.h>
#include <asm/uaccess.h>
+#include <linux/audit.h>
static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
{
@@ -400,6 +401,9 @@ static int xfrm_add_sa(struct sk_buff *s
else
err = xfrm_state_update(x);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
__xfrm_state_put(x);
@@ -436,6 +440,10 @@ static int xfrm_del_sa(struct sk_buff *s
}
err = xfrm_state_delete(x);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+
if (err < 0)
goto out;
@@ -860,6 +868,10 @@ static int xfrm_add_policy(struct sk_buf
* a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
if (err) {
security_xfrm_policy_free(xp);
kfree(xp);
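Review bot: xfrm_add_policy logs AUDIT_MAC_IPSEC_DELSPD for a policy insertion; this must be AUDIT_MAC_IPSEC_ADDSPD, as the PF_KEY counterpart pfkey_spdadd in this same patch uses, otherwise every netlink policy add appears in the audit trail as a delete.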
@@ -1055,6 +1067,11 @@ static int xfrm_get_policy(struct sk_buf
xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp);
}
+
+ if (delete)
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+
if (xp == NULL)
return -ENOENT;
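Review bot: same NULL-dereference hazard as pfkey_spddelete: when delete is set and xp is NULL, xfrm_audit_log receives xp=NULL, x=NULL and reads x->props.family; guard the call or make xfrm_audit_log tolerate both pointers being NULL.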
@@ -1089,8 +1106,11 @@ static int xfrm_flush_sa(struct sk_buff
{
struct km_event c;
struct xfrm_usersa_flush *p = NLMSG_DATA(nlh);
+ struct xfrm_audit audit_info;
- xfrm_state_flush(p->proto);
+ audit_info.loginuid = NETLINK_CB(skb).loginuid;
+ audit_info.secid = NETLINK_CB(skb).sid;
+ xfrm_state_flush(p->proto, &audit_info);
c.data.proto = p->proto;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
@@ -1235,9 +1255,12 @@ out:
static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
{
-struct km_event c;
+ struct km_event c;
+ struct xfrm_audit audit_info;
- xfrm_policy_flush();
+ audit_info.loginuid = NETLINK_CB(skb).loginuid;
+ audit_info.secid = NETLINK_CB(skb).sid;
+ xfrm_policy_flush(&audit_info);
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
c.pid = nlh->nlmsg_pid;
@@ -1286,6 +1309,8 @@ static int xfrm_add_pol_expire(struct sk
err = 0;
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
} else {
// reset the timers here?
printk("Dont know what to do with soft policy expire\n");
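Review bot: the DELSPD record in the up->hard branch hardcodes res=1 without looking at whether xfrm_policy_delete() actually unlinked the policy. If that call can report failure, log its status the way xfrm_del_sa() does with err ? 0 : 1; otherwise the trail can claim a deletion that did not happen.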
@@ -1317,8 +1342,11 @@ static int xfrm_add_sa_expire(struct sk_
goto out;
km_state_expired(x, ue->hard, current->pid);
- if (ue->hard)
+ if (ue->hard) {
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
__xfrm_state_delete(x);
+ }
out:
spin_unlock_bh(&x->lock);
xfrm_state_put(x);
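Review bot: in the ue->hard branch the DELSA record is written before __xfrm_state_delete(x) runs and hardcodes res=1, so a delete that fails is audited as a success. Move the xfrm_audit_log() call after __xfrm_state_delete() and pass its return value as err ? 0 : 1, matching what xfrm_del_sa() does in this same file.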
17 years, 11 months
fixed ipsec audit patch
by Joy Latten
Steve,
Here is the fixed ipsec patch.
Let me know if all is ok. It is still building (slow machine)
but I will let you know when all is done and ok.
Joy
-------------------------------------------------------------------------
diff -urpN linux-2.6.18.ppc64.orig/include/linux/audit.h linux-2.6.18.ppc64.test/include/linux/audit.h
--- linux-2.6.18.ppc64.orig/include/linux/audit.h 2006-11-20 09:52:19.000000000 -0600
+++ linux-2.6.18.ppc64.test/include/linux/audit.h 2006-11-20 11:05:09.000000000 -0600
@@ -100,6 +100,10 @@
#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
+#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */
+#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */
+#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
+#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
@@ -376,6 +380,7 @@ extern void auditsc_get_stamp(struct aud
struct timespec *t, unsigned int *serial);
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
extern uid_t audit_get_loginuid(struct audit_context *ctx);
+extern void audit_log_task_context(struct audit_buffer *ab);
extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
extern int audit_bprm(struct linux_binprm *bprm);
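Review bot: the new extern for audit_log_task_context() lands in the syscall-audit block of audit.h (next to auditsc_get_stamp and audit_set_loginuid) with no counterpart for the !CONFIG_AUDITSYSCALL case, but xfrm_audit_log() in net/xfrm/xfrm_policy.c calls it unconditionally. A kernel with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n will fail to build; add an empty inline or macro in the #else branch.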
diff -urpN linux-2.6.18.ppc64.orig/include/net/xfrm.h linux-2.6.18.ppc64.test/include/net/xfrm.h
--- linux-2.6.18.ppc64.orig/include/net/xfrm.h 2006-11-20 09:52:43.000000000 -0600
+++ linux-2.6.18.ppc64.test/include/net/xfrm.h 2006-11-20 11:05:49.000000000 -0600
@@ -371,9 +371,17 @@ struct xfrm_mgr
extern int xfrm_register_km(struct xfrm_mgr *km);
extern int xfrm_unregister_km(struct xfrm_mgr *km);
-
extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
+/* Audit Information */
+struct xfrm_audit
+{
+ uid_t loginuid;
+ u32 secid;
+};
+void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
+ struct xfrm_policy *xp, struct xfrm_state *x);
+
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
if (likely(policy != NULL))
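Review bot: xfrm_audit_log() is declared here unconditionally, and without the extern keyword the neighbouring prototypes use. Its implementation depends on audit_get_loginuid() and audit_log_task_context() from kernel/auditsc.c, so the declaration should be wrapped in #ifdef CONFIG_AUDITSYSCALL with a do { } while (0) stub in the #else branch, otherwise the af_key and xfrm callers cannot be built without syscall auditing. It would also help to document struct xfrm_audit.secid: the patch passes the netlink socket's sid on the xfrm_user path and 0 on the PF_KEY path, where the current task's context is logged instead.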
@@ -904,7 +912,7 @@ extern int xfrm_state_update(struct xfrm
extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family);
extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
extern int xfrm_state_delete(struct xfrm_state *x);
-extern void xfrm_state_flush(u8 proto);
+extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_notify(struct xfrm_state *x, int event);
@@ -952,13 +960,12 @@ int xfrm_policy_insert(int dir, struct x
struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
struct xfrm_sec_ctx *ctx, int delete);
struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
-void xfrm_policy_flush(void);
u32 xfrm_get_acqseq(void);
void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
xfrm_address_t *daddr, xfrm_address_t *saddr,
int create, unsigned short family);
-extern void xfrm_policy_flush(void);
+extern void xfrm_policy_flush(struct xfrm_audit *audit_info);
extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
extern int xfrm_flush_bundles(void);
extern void xfrm_flush_all_bundles(void);
diff -urpN linux-2.6.18.ppc64.orig/kernel/auditsc.c linux-2.6.18.ppc64.test/kernel/auditsc.c
--- linux-2.6.18.ppc64.orig/kernel/auditsc.c 2006-11-20 09:51:06.000000000 -0600
+++ linux-2.6.18.ppc64.test/kernel/auditsc.c 2006-11-20 11:02:36.000000000 -0600
@@ -730,7 +730,7 @@ static inline void audit_free_context(st
printk(KERN_ERR "audit: freed %d contexts\n", count);
}
-static void audit_log_task_context(struct audit_buffer *ab)
+void audit_log_task_context(struct audit_buffer *ab)
{
char *ctx = NULL;
ssize_t len = 0;
@@ -759,6 +759,8 @@ error_path:
return;
}
+EXPORT_SYMBOL(audit_log_task_context);
+
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
char name[sizeof(tsk->comm)];
@@ -1489,6 +1491,8 @@ uid_t audit_get_loginuid(struct audit_co
return ctx ? ctx->loginuid : -1;
}
+EXPORT_SYMBOL(audit_get_loginuid);
+
/**
* __audit_mq_open - record audit data for a POSIX MQ open
* @oflag: open flag
diff -urpN linux-2.6.18.ppc64.orig/net/key/af_key.c linux-2.6.18.ppc64.test/net/key/af_key.c
--- linux-2.6.18.ppc64.orig/net/key/af_key.c 2006-11-20 09:53:03.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/key/af_key.c 2006-11-20 11:06:15.000000000 -0600
@@ -27,6 +27,7 @@
#include <linux/proc_fs.h>
#include <linux/init.h>
#include <net/xfrm.h>
+#include <linux/audit.h>
#include <net/sock.h>
@@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, st
else
err = xfrm_state_update(x);
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
__xfrm_state_put(x);
@@ -1462,6 +1466,10 @@ static int pfkey_delete(struct sock *sk,
}
err = xfrm_state_delete(x);
+
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+
if (err < 0)
goto out;
@@ -1637,12 +1645,15 @@ static int pfkey_flush(struct sock *sk,
{
unsigned proto;
struct km_event c;
+ struct xfrm_audit audit_info;
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
if (proto == 0)
return -EINVAL;
- xfrm_state_flush(proto);
+ audit_info.loginuid = audit_get_loginuid(current->audit_context);
+ audit_info.secid = 0;
+ xfrm_state_flush(proto, &audit_info);
c.data.proto = proto;
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
@@ -2194,6 +2205,8 @@ static int pfkey_spdadd(struct sock *sk,
err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
if (err)
goto out;
@@ -2270,7 +2283,11 @@ static int pfkey_spddelete(struct sock *
xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1);
security_xfrm_policy_free(&tmp);
- if (xp == NULL)
+
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+
+ if (xp == NULL)
return -ENOENT;
err = 0;
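Review bot: same NULL-pointer problem as the netlink delete path: when xfrm_policy_bysel_ctx() returns NULL, xfrm_audit_log() is invoked with xp == NULL and x == NULL and dereferences x->props.family. Either log only when xp != NULL, or guard the family/sctx selection inside xfrm_audit_log().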
@@ -2404,8 +2421,11 @@ static int key_notify_policy_flush(struc
static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
struct km_event c;
+ struct xfrm_audit audit_info;
- xfrm_policy_flush();
+ audit_info.loginuid = audit_get_loginuid(current->audit_context);
+ audit_info.secid = 0;
+ xfrm_policy_flush(&audit_info);
c.event = XFRM_MSG_FLUSHPOLICY;
c.pid = hdr->sadb_msg_pid;
c.seq = hdr->sadb_msg_seq;
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2006-11-20 09:53:04.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c 2006-11-20 11:06:17.000000000 -0600
@@ -24,6 +24,7 @@
#include <linux/module.h>
#include <net/xfrm.h>
#include <net/ip.h>
+#include <linux/audit.h>
DEFINE_MUTEX(xfrm_cfg_mutex);
EXPORT_SYMBOL(xfrm_cfg_mutex);
@@ -541,7 +542,7 @@ struct xfrm_policy *xfrm_policy_byid(int
}
EXPORT_SYMBOL(xfrm_policy_byid);
-void xfrm_policy_flush(void)
+void xfrm_policy_flush(struct xfrm_audit audit_info)
{
struct xfrm_policy *xp;
int dir;
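Review bot: this definition changes xfrm_policy_flush() to take struct xfrm_audit by value, but the prototype in include/net/xfrm.h takes struct xfrm_audit *audit_info and both callers (xfrm_flush_policy() and pfkey_spdflush()) pass &audit_info. The tree will not compile; make the parameter a pointer and use audit_info->loginuid / audit_info->secid in the body.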
@@ -552,6 +553,8 @@ void xfrm_policy_flush(void)
xfrm_policy_list[dir] = xp->next;
write_unlock_bh(&xfrm_policy_lock);
+ xfrm_audit_log(audit_info.loginuid, audit_info.secid,
+ AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
xfrm_policy_kill(xp);
write_lock_bh(&xfrm_policy_lock);
@@ -1367,6 +1370,115 @@ int xfrm_bundle_ok(struct xfrm_policy *p
EXPORT_SYMBOL(xfrm_bundle_ok);
+/* Audit addition and deletion of SAs and ipsec policy */
+
+void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
+ struct xfrm_policy *xp, struct xfrm_state *x)
+{
+
+ char *secctx;
+ u32 secctx_len;
+ struct xfrm_sec_ctx *sctx = NULL;
+ struct audit_buffer *audit_buf;
+ int family;
+ extern int audit_enabled;
+
+
+ if (audit_enabled == 0)
+ return;
+
+ audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
+ if (audit_buf == NULL)
+ return;
+
+ switch(type) {
+ case AUDIT_MAC_IPSEC_ADDSA:
+ audit_log_format(audit_buf, "SAD add: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_DELSA:
+ audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_ADDSPD:
+ audit_log_format(audit_buf, "SPD add: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_DELSPD:
+ audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
+ break;
+ default:
+ return;
+ }
+
+ if (sid != 0 &&
+ security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
+ audit_log_format(audit_buf, " subj=%s", secctx);
+ else
+ audit_log_task_context(audit_buf);
+
+ if (xp) {
+ family = xp->selector.family;
+ if (xp->security)
+ sctx = xp->security;
+ } else {
+ family = x->props.family;
+ if (x->security)
+ sctx = x->security;
+ }
+
+ if (sctx)
+ audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u ctx=%s",
+ sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);
+
+ switch(family) {
+ case AF_INET:
+ {
+ struct in_addr saddr, daddr;
+ if (xp) {
+ saddr.s_addr = xp->selector.saddr.a4;
+ daddr.s_addr = xp->selector.daddr.a4;
+ } else {
+ saddr.s_addr = x->props.saddr.a4;
+ daddr.s_addr = x->id.daddr.a4;
+ }
+ audit_log_format(audit_buf,
+ " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
+ NIPQUAD(saddr), NIPQUAD(daddr));
+ }
+ break;
+ case AF_INET6:
+ {
+ struct in6_addr saddr6, daddr6;
+ if (xp) {
+ memcpy(&saddr6, xp->selector.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, xp->selector.daddr.a6,
+ sizeof(struct in6_addr));
+ } else {
+ memcpy(&saddr6, x->props.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, x->id.daddr.a6,
+ sizeof(struct in6_addr));
+ }
+ audit_log_format(audit_buf,
+ " src=" NIP6_FMT "dst=" NIP6_FMT,
+ NIP6(saddr6), NIP6(daddr6));
+ }
+ break;
+ }
+
+ if (x)
+ audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
+ (unsigned long)ntohl(x->id.spi),
+ (unsigned long)ntohl(x->id.spi),
+ x->id.proto == IPPROTO_AH ? "AH" :
+ (x->id.proto == IPPROTO_ESP ?
+ "ESP" : "IPCOMP"));
+
+ audit_log_format(audit_buf, " res=%u", result);
+ audit_log_end(audit_buf);
+}
+
+EXPORT_SYMBOL(xfrm_audit_log);
+
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
int err = 0;
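Review bot: the default: case of the type switch returns after audit_log_start() has already succeeded, leaking the audit buffer; check type before calling audit_log_start(), or end the buffer in that branch. Three more points in the same function: the else branch reads x->props.family unconditionally when xp is NULL, and xfrm_get_policy() and pfkey_spddelete() can pass both pointers as NULL, so it needs an `else if (x)` plus a fallback that skips the address and SPI fields; the AF_INET6 format string `" src=" NIP6_FMT "dst=" NIP6_FMT` is missing the space before dst=, so the two addresses run together and field parsers will not split them; and `extern int audit_enabled;` should come from linux/audit.h rather than a local extern in the function body.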
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c 2006-11-20 09:53:04.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c 2006-11-20 11:06:17.000000000 -0600
@@ -19,6 +19,7 @@
#include <linux/ipsec.h>
#include <linux/module.h>
#include <asm/uaccess.h>
+#include <linux/audit.h>
struct sock *xfrm_nl;
EXPORT_SYMBOL(xfrm_nl);
@@ -123,6 +124,7 @@ static void xfrm_timer_handler(unsigned
unsigned long now = (unsigned long)xtime.tv_sec;
long next = LONG_MAX;
int warn = 0;
+ int err = 0;
spin_lock(&x->lock);
if (x->km.state == XFRM_STATE_DEAD)
@@ -180,8 +182,13 @@ expired:
next = 2;
goto resched;
}
- if (!__xfrm_state_delete(x) && x->id.spi)
+
+ err = __xfrm_state_delete(x);
+ if (!err && x->id.spi)
km_state_expired(x, 1, 0);
+
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
out:
spin_unlock(&x->lock);
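Review bot: xfrm_timer_handler() runs from a timer in softirq context, so `current` is whatever task happened to be interrupted; audit_get_loginuid(current->audit_context) attributes the expiry to an unrelated user, and audit_log_start(current->audit_context, ...) inside xfrm_audit_log() attaches the record to that task's syscall context. For a kernel-initiated expiry the record should carry auid=-1 (the unset value audit_get_loginuid() returns for a NULL context) and no task context, or a distinct type, rather than the interrupted task's identity.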
@@ -284,10 +291,11 @@ int xfrm_state_delete(struct xfrm_state
}
EXPORT_SYMBOL(xfrm_state_delete);
-void xfrm_state_flush(u8 proto)
+void xfrm_state_flush(u8 proto, struct xfrm_audit audit_info)
{
int i;
struct xfrm_state *x;
+ int err = 0;
spin_lock_bh(&xfrm_state_lock);
for (i = 0; i < XFRM_DST_HSIZE; i++) {
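Review bot: xfrm_state_flush() has the same by-value versus pointer mismatch as xfrm_policy_flush(): the prototype in include/net/xfrm.h and both callers use struct xfrm_audit *, while this definition takes the struct by value and the loop body reads audit_info.loginuid. Switch to a pointer here and to -> in the body.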
@@ -298,7 +306,13 @@ restart:
xfrm_state_hold(x);
spin_unlock_bh(&xfrm_state_lock);
- xfrm_state_delete(x);
+ err = xfrm_state_delete(x);
+
+ xfrm_audit_log(audit_info.loginuid,
+ audit_info.secid,
+ AUDIT_MAC_IPSEC_DELSA,
+ err ? 0 : 1, NULL, x);
+
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
@@ -1130,6 +1144,7 @@ void xfrm_state_delete_tunnel(struct xfr
if (atomic_read(&t->tunnel_users) == 2)
xfrm_state_delete(t);
+
atomic_dec(&t->tunnel_users);
xfrm_state_put(t);
x->tunnel = NULL;
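Review bot: this hunk in xfrm_state_delete_tunnel() only adds a blank line and has nothing to do with auditing; drop it so the patch contains only functional changes.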
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c 2006-11-20 09:53:04.000000000 -0600
+++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c 2006-11-20 11:06:17.000000000 -0600
@@ -27,6 +27,7 @@
#include <net/xfrm.h>
#include <net/netlink.h>
#include <asm/uaccess.h>
+#include <linux/audit.h>
static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
{
@@ -400,6 +401,9 @@ static int xfrm_add_sa(struct sk_buff *s
else
err = xfrm_state_update(x);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
__xfrm_state_put(x);
@@ -436,6 +440,10 @@ static int xfrm_del_sa(struct sk_buff *s
}
err = xfrm_state_delete(x);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+
if (err < 0)
goto out;
@@ -860,6 +868,10 @@ static int xfrm_add_policy(struct sk_buf
* a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
if (err) {
security_xfrm_policy_free(xp);
kfree(xp);
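Review bot: xfrm_add_policy() logs AUDIT_MAC_IPSEC_DELSPD for an insert; it should be AUDIT_MAC_IPSEC_ADDSPD, as the pfkey_spdadd() hunk in this same patch does. With the wrong type, a policy added over netlink and one deleted over netlink are indistinguishable in the audit trail except by the res field.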
@@ -1055,6 +1067,11 @@ static int xfrm_get_policy(struct sk_buf
xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp);
}
+
+ if (delete)
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+
if (xp == NULL)
return -ENOENT;
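Review bot: with delete set and no matching policy, xfrm_audit_log() receives xp == NULL and x == NULL and dereferences x->props.family, a NULL dereference triggered by an XFRM_MSG_DELPOLICY whose selector matches nothing. Either audit only when xp != NULL or handle the both-NULL case inside xfrm_audit_log().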
@@ -1089,8 +1106,11 @@ static int xfrm_flush_sa(struct sk_buff
{
struct km_event c;
struct xfrm_usersa_flush *p = NLMSG_DATA(nlh);
+ struct xfrm_audit audit_info;
- xfrm_state_flush(p->proto);
+ audit_info.loginuid = NETLINK_CB(skb).loginuid;
+ audit_info.secid = NETLINK_CB(skb).sid;
+ xfrm_state_flush(p->proto, &audit_info);
c.data.proto = p->proto;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
@@ -1235,9 +1255,12 @@ out:
static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
{
-struct km_event c;
+ struct km_event c;
+ struct xfrm_audit audit_info;
- xfrm_policy_flush();
+ audit_info.loginuid = NETLINK_CB(skb).loginuid;
+ audit_info.secid = NETLINK_CB(skb).sid;
+ xfrm_policy_flush(&audit_info);
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
c.pid = nlh->nlmsg_pid;
@@ -1286,6 +1309,8 @@ static int xfrm_add_pol_expire(struct sk
err = 0;
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
} else {
// reset the timers here?
printk("Dont know what to do with soft policy expire\n");
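Review bot: the DELSPD record in the up->hard branch hardcodes res=1 regardless of what xfrm_policy_delete() did; if that call reports failure, pass its status as err ? 0 : 1 so the audit trail does not claim a deletion that did not occur.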
@@ -1317,8 +1342,11 @@ static int xfrm_add_sa_expire(struct sk_
goto out;
km_state_expired(x, ue->hard, current->pid);
- if (ue->hard)
+ if (ue->hard) {
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
__xfrm_state_delete(x);
+ }
out:
spin_unlock_bh(&x->lock);
xfrm_state_put(x);
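Review bot: the DELSA record in the ue->hard branch is emitted before __xfrm_state_delete(x) runs and hardcodes res=1, so a failed delete is audited as a success. Move the audit call after __xfrm_state_delete() and pass its return value, the way the xfrm_timer_handler() change in xfrm_state.c does with err ? 0 : 1.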
17 years, 11 months
audit 1.0.15 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit The srpm is aimed at FC-4. A
slightly different srpm is required for RHEL4.
The Changelog is:
- Correct address resolving of hostname in logging functions
- Fix logging messages to use addr if passed
- Add TRUSTED_APP message type
- Fix netlink errno return
- Auditd ignore most signals
- Add audit dispatcher interface to auditd
- In auditd if num_logs is zero, don't rotate on SIGUSR1 (#208834)
- Cleanup file descriptor handling in auditd
- Improve time handling in ausearch and aureport (#191394)
- Attempt to reconstruct full path from relative for searching
- Ausearch & aureport now fail if no args to -te
- In aureport, add class between syscall and permission in avc report
- Fix bug where fsync is called in debug mode
- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- Updated man pages (#213328, #213330)
Please let me know if there are any issues with this.
-Steve
17 years, 11 months