November 2006 - Linux-audit - Linux-Audit List Archives

by Joy Latten

This code adds auditing to IPSec. An audit message gets logged whenever an ipsec policy or security association is added or deleted from the kernel's Security Policy Database and/or Security Association Database. IPSec policies and SAs can be added and/or deleted via the pfkey api or the netlink api, which was extended to accomodate key management. PFKEYv2 is a socket protocol for key management defined in RFC 2367. I added auditing for both key management protocols. Please let me know if this patch is acceptable. Reagrds, Joy ------------------------------------------------------------------------------- diff -urpN linux-2.6.18.ppc64.orig/include/linux/audit.h linux-2.6.18.ppc64.patch/include/linux/audit.h --- linux-2.6.18.ppc64.orig/include/linux/audit.h 2006-11-02 09:18:04.000000000 -0600 +++ linux-2.6.18.ppc64.patch/include/linux/audit.h 2006-11-05 20:16:29.000000000 -0600 @@ -100,6 +100,10 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 @@ -376,6 +380,7 @@ extern void auditsc_get_stamp(struct aud struct timespec *t, unsigned int *serial); extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); +extern void audit_log_task_context(struct audit_buffer *ab); extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); extern int audit_bprm(struct linux_binprm *bprm); diff -urpN linux-2.6.18.ppc64.orig/include/net/xfrm.h linux-2.6.18.ppc64.patch/include/net/xfrm.h --- linux-2.6.18.ppc64.orig/include/net/xfrm.h 2006-11-02 09:17:55.000000000 -0600 +++ linux-2.6.18.ppc64.patch/include/net/xfrm.h 2006-11-05 20:16:05.000000000 -0600 @@ -371,9 +371,17 @@ struct xfrm_mgr extern int xfrm_register_km(struct xfrm_mgr *km); extern int xfrm_unregister_km(struct xfrm_mgr *km); - extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2]; +/* Audit Information */ +struct xfrm_audit +{ + uid_t loginuid; + u32 secid; +}; +void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, + struct xfrm_policy *xp, struct xfrm_state *x); + static inline void xfrm_pol_hold(struct xfrm_policy *policy) { if (likely(policy != NULL)) @@ -904,7 +912,7 @@ extern int xfrm_state_update(struct xfrm extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); extern int xfrm_state_delete(struct xfrm_state *x); -extern void xfrm_state_flush(u8 proto); +extern void xfrm_state_flush(u8 proto, struct xfrm_audit audit_info); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); extern void xfrm_replay_notify(struct xfrm_state *x, int event); @@ -952,13 +960,12 @@ int xfrm_policy_insert(int dir, struct x struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, struct xfrm_sec_ctx *ctx, int delete); struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); -void xfrm_policy_flush(void); u32 xfrm_get_acqseq(void); void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); -extern void xfrm_policy_flush(void); +extern void xfrm_policy_flush(struct xfrm_audit audit_info); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_flush_bundles(void); extern void xfrm_flush_all_bundles(void); diff -urpN linux-2.6.18.ppc64.orig/kernel/auditsc.c linux-2.6.18.ppc64.patch/kernel/auditsc.c --- linux-2.6.18.ppc64.orig/kernel/auditsc.c 2006-11-02 09:16:27.000000000 -0600 +++ linux-2.6.18.ppc64.patch/kernel/auditsc.c 2006-11-08 10:16:34.000000000 -0600 @@ -730,7 +730,7 @@ static inline void audit_free_context(st printk(KERN_ERR "audit: freed %d contexts\n", count); } -static void audit_log_task_context(struct audit_buffer *ab) +void audit_log_task_context(struct audit_buffer *ab) { char *ctx = NULL; ssize_t len = 0; @@ -759,6 +759,8 @@ error_path: return; } +EXPORT_SYMBOL(audit_log_task_context); + static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { char name[sizeof(tsk->comm)]; @@ -1489,6 +1491,8 @@ uid_t audit_get_loginuid(struct audit_co return ctx ? ctx->loginuid : -1; } +EXPORT_SYMBOL(audit_get_loginuid); + /** * __audit_mq_open - record audit data for a POSIX MQ open * @oflag: open flag diff -urpN linux-2.6.18.ppc64.orig/net/key/af_key.c linux-2.6.18.ppc64.patch/net/key/af_key.c --- linux-2.6.18.ppc64.orig/net/key/af_key.c 2006-11-02 09:16:11.000000000 -0600 +++ linux-2.6.18.ppc64.patch/net/key/af_key.c 2006-11-08 10:15:55.000000000 -0600 @@ -27,6 +27,7 @@ #include <linux/proc_fs.h> #include <linux/init.h> #include <net/xfrm.h> +#include <linux/audit.h> #include <net/sock.h> @@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, st else err = xfrm_state_update(x); + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + if (err < 0) { x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); @@ -1462,6 +1466,10 @@ static int pfkey_delete(struct sock *sk, } err = xfrm_state_delete(x); + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + if (err < 0) goto out; @@ -1637,12 +1645,14 @@ static int pfkey_flush(struct sock *sk, { unsigned proto; struct km_event c; + struct xfrm_audit audit_info; proto = pfkey_satype2proto(hdr->sadb_msg_satype); if (proto == 0) return -EINVAL; - xfrm_state_flush(proto); + audit_info.loginuid = audit_get_loginuid(current->audit_context); + xfrm_state_flush(proto, audit_info); c.data.proto = proto; c.seq = hdr->sadb_msg_seq; c.pid = hdr->sadb_msg_pid; @@ -2194,6 +2204,8 @@ static int pfkey_spdadd(struct sock *sk, err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, hdr->sadb_msg_type != SADB_X_SPDUPDATE); + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); if (err) goto out; @@ -2270,7 +2282,11 @@ static int pfkey_spddelete(struct sock * xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1); security_xfrm_policy_free(&tmp); - if (xp == NULL) + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); + + if (xp == NULL) return -ENOENT; err = 0; @@ -2404,8 +2420,10 @@ static int key_notify_policy_flush(struc static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) { struct km_event c; + struct xfrm_audit audit_info; - xfrm_policy_flush(); + audit_info.loginuid = audit_get_loginuid(current->audit_context); + xfrm_policy_flush(audit_info); c.event = XFRM_MSG_FLUSHPOLICY; c.pid = hdr->sadb_msg_pid; c.seq = hdr->sadb_msg_seq; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2006-11-02 09:16:10.000000000 -0600 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c 2006-11-08 10:13:54.000000000 -0600 @@ -24,6 +24,7 @@ #include <linux/module.h> #include <net/xfrm.h> #include <net/ip.h> +#include <linux/audit.h> DEFINE_MUTEX(xfrm_cfg_mutex); EXPORT_SYMBOL(xfrm_cfg_mutex); @@ -541,7 +542,7 @@ struct xfrm_policy *xfrm_policy_byid(int } EXPORT_SYMBOL(xfrm_policy_byid); -void xfrm_policy_flush(void) +void xfrm_policy_flush(struct xfrm_audit audit_info) { struct xfrm_policy *xp; int dir; @@ -552,6 +553,8 @@ void xfrm_policy_flush(void) xfrm_policy_list[dir] = xp->next; write_unlock_bh(&xfrm_policy_lock); + xfrm_audit_log(audit_info.loginuid, audit_info.secid, + AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); xfrm_policy_kill(xp); write_lock_bh(&xfrm_policy_lock); @@ -1366,6 +1369,106 @@ int xfrm_bundle_ok(struct xfrm_policy *p EXPORT_SYMBOL(xfrm_bundle_ok); +/* Audit addition and deletion of SAs and ipsec policy */ + +void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, + struct xfrm_policy *xp, struct xfrm_state *x) +{ + + char *secctx; + u32 secctx_len; + struct xfrm_sec_ctx *sctx = NULL; + struct in6_addr saddr6, daddr6; + struct in_addr saddr, daddr; + struct audit_buffer *audit_buf; + int family; + + + audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); + if (audit_buf == NULL) + return; + + switch(type) { + case AUDIT_MAC_IPSEC_ADDSA: + audit_log_format(audit_buf, "SAD add: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_DELSA: + audit_log_format(audit_buf, "SAD delete: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_ADDSPD: + audit_log_format(audit_buf, "SPD add: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_DELSPD: + audit_log_format(audit_buf, "SPD delete: auid=%u", auid); + break; + default: + return; + } + + if (sid != 0 && + security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) + audit_log_format(audit_buf, " subj=%s", secctx); + else + audit_log_task_context(audit_buf); + + if (xp) { + family = xp->selector.family; + if (xp->security) + sctx = xp->security; + } else { + family = x->props.family; + if (x->security) + sctx = x->security; + } + + if (sctx) + audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u ctx=%s", + sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); + + switch(family) { + case AF_INET: + if (xp) { + saddr.s_addr = xp->selector.saddr.a4; + daddr.s_addr = xp->selector.daddr.a4; + } else { + saddr.s_addr = x->props.saddr.a4; + daddr.s_addr = x->id.daddr.a4; + } + audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", + NIPQUAD(saddr), NIPQUAD(daddr)); + + break; + case AF_INET6: + if (xp) { + memcpy(&saddr6, xp->selector.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, xp->selector.daddr.a6, + sizeof(struct in6_addr)); + } else { + memcpy(&saddr6, x->props.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, x->id.daddr.a6, + sizeof(struct in6_addr)); + } + audit_log_format(audit_buf, " src=" NIP6_FMT "dst=" NIP6_FMT, + NIP6(saddr6), NIP6(daddr6)); + break; + } + + if (x) + audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", + (unsigned long)ntohl(x->id.spi), + (unsigned long)ntohl(x->id.spi), + x->id.proto == IPPROTO_AH ? "AH" : + (x->id.proto == IPPROTO_ESP ? + "ESP" : "IPCOMP")); + + audit_log_format(audit_buf, " res=%u", result); + audit_log_end(audit_buf); +} + +EXPORT_SYMBOL(xfrm_audit_log); + int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) { int err = 0; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_state.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c 2006-11-02 09:16:10.000000000 -0600 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_state.c 2006-11-08 10:14:26.000000000 -0600 @@ -19,6 +19,7 @@ #include <linux/ipsec.h> #include <linux/module.h> #include <asm/uaccess.h> +#include <linux/audit.h> struct sock *xfrm_nl; EXPORT_SYMBOL(xfrm_nl); @@ -123,6 +124,7 @@ static void xfrm_timer_handler(unsigned unsigned long now = (unsigned long)xtime.tv_sec; long next = LONG_MAX; int warn = 0; + int err = 0; spin_lock(&x->lock); if (x->km.state == XFRM_STATE_DEAD) @@ -180,8 +182,13 @@ expired: next = 2; goto resched; } - if (!__xfrm_state_delete(x) && x->id.spi) + + err = __xfrm_state_delete(x); + if (!err && x->id.spi) km_state_expired(x, 1, 0); + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); out: spin_unlock(&x->lock); @@ -284,10 +291,11 @@ int xfrm_state_delete(struct xfrm_state } EXPORT_SYMBOL(xfrm_state_delete); -void xfrm_state_flush(u8 proto) +void xfrm_state_flush(u8 proto, struct xfrm_audit audit_info) { int i; struct xfrm_state *x; + int err = 0; spin_lock_bh(&xfrm_state_lock); for (i = 0; i < XFRM_DST_HSIZE; i++) { @@ -298,7 +306,13 @@ restart: xfrm_state_hold(x); spin_unlock_bh(&xfrm_state_lock); - xfrm_state_delete(x); + err = xfrm_state_delete(x); + + xfrm_audit_log(audit_info.loginuid, + audit_info.secid, + AUDIT_MAC_IPSEC_DELSA, + err ? 0 : 1, NULL, x); + xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); @@ -1130,6 +1144,7 @@ void xfrm_state_delete_tunnel(struct xfr if (atomic_read(&t->tunnel_users) == 2) xfrm_state_delete(t); + atomic_dec(&t->tunnel_users); xfrm_state_put(t); x->tunnel = NULL; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_user.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c 2006-11-02 09:16:10.000000000 -0600 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_user.c 2006-11-08 10:14:17.000000000 -0600 @@ -27,6 +27,7 @@ #include <net/xfrm.h> #include <net/netlink.h> #include <asm/uaccess.h> +#include <linux/audit.h> static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -400,6 +401,9 @@ static int xfrm_add_sa(struct sk_buff *s else err = xfrm_state_update(x); + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + if (err < 0) { x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); @@ -436,6 +440,10 @@ static int xfrm_del_sa(struct sk_buff *s } err = xfrm_state_delete(x); + + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + if (err < 0) goto out; @@ -860,6 +868,10 @@ static int xfrm_add_policy(struct sk_buf * a type XFRM_MSG_UPDPOLICY - JHS */ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; err = xfrm_policy_insert(p->dir, xp, excl); + + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + if (err) { security_xfrm_policy_free(xp); kfree(xp); @@ -1055,6 +1067,11 @@ static int xfrm_get_policy(struct sk_buf xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete); security_xfrm_policy_free(&tmp); } + + if (delete) + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); + if (xp == NULL) return -ENOENT; @@ -1089,8 +1106,11 @@ static int xfrm_flush_sa(struct sk_buff { struct km_event c; struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); + struct xfrm_audit audit_info; - xfrm_state_flush(p->proto); + audit_info.loginuid = NETLINK_CB(skb).loginuid; + audit_info.secid = NETLINK_CB(skb).sid; + xfrm_state_flush(p->proto, audit_info); c.data.proto = p->proto; c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; @@ -1235,9 +1255,12 @@ out: static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) { -struct km_event c; + struct km_event c; + struct xfrm_audit audit_info; - xfrm_policy_flush(); + audit_info.loginuid = NETLINK_CB(skb).loginuid; + audit_info.secid = NETLINK_CB(skb).sid; + xfrm_policy_flush(audit_info); c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; c.pid = nlh->nlmsg_pid; @@ -1286,6 +1309,8 @@ static int xfrm_add_pol_expire(struct sk err = 0; if (up->hard) { xfrm_policy_delete(xp, p->dir); + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); } else { // reset the timers here? printk("Dont know what to do with soft policy expire\n"); @@ -1317,8 +1342,11 @@ static int xfrm_add_sa_expire(struct sk_ goto out; km_state_expired(x, ue->hard, current->pid); - if (ue->hard) + if (ue->hard) { + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); __xfrm_state_delete(x); + } out: spin_unlock_bh(&x->lock); xfrm_state_put(x);

18 years, 1 month

2
1
0 / 0

Checking for audit_enabled in the kernel

by Paul Moore

I'm trying to find a way to quickly determine if auditing is enabled and it looks like the only real way to do that is to declare audit_enabled as an extern and check the variable directly. Is there some interface for this that I am missing? -- paul moore linux security @ hp

18 years, 1 month

2
3
0 / 0

Re: Audit-1.0.14

by Todd, Charles

> On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote: > > I can install the deb files and the audit daemon runs, but it has trouble > > parsing the audit.rules file. The error I am getting is "Error sending > > insert watch request (Invalid Argument)." > This is not a parsing error...its worse. The audit 1.0.x series was developed > to compliment the RHEL4 kernel. At the time, it was envisioned that the > technique used for watches would be accepted upstream. It was rejected due to > some overlap with inotify, so the watch system was re-written. The audit > 1.2.x series has the code for the new system. Watches were not accepted > upstream until the 2.6.18 kernel. > > I have a requirement to use these two kernel versions, and unfortunately > > can't use redhat, fedora, or their kernel binaries. > They you are limited to inode based auditing. Or maybe if you put the things > you have to watch onto one partition, you can use devmajor and minor. I'd try > to move to a 2.6.18 kernel with the latest audit package. > -Steve Steve, If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships with RHEL4u3 is immature, at best. Does this mean that I will never get support for the dispatcher directive in /etc/auditd.conf? I was hoping to use the development Snare scripts that Leigh put together, mainly for a unified, centralization of our audit trails, but it doesn't work if the dispatcher support option is missing. I understand that file watching will not be an auditable event and that I'll have to filter out a lot of false positives. I just want to get centralized auditing working without have to script a bunch of it myself. Thanks! Charlie Todd Ball Aerospace & Technologies Corp. ctodd- at -ball -com

18 years, 1 month

2
2
0 / 0

auditd fails to start when rules and conf file are symbolic links

by Smith, Steven G (Steven)

Hey everyone, I'm seeing some strange behavior when attempting to start the auditd daemon. When I make the /etc/audit.rules and /etc/auditd.conf files symbolic links, the service fails saying that it cannot open /etc/audit.rules because of too many levels of symbolic links: [root@bling etc]# ll /etc/audit* lrwxrwxrwx 1 root root 25 Nov 7 08:22 /etc/auditd.conf -> /diskroot/etc/auditd.conf lrwxrwxrwx 1 root root 25 Nov 7 08:22 /etc/audit.rules -> /diskroot/etc/audit.rules [root@bling etc]# service auditd start Starting auditd: Error opening /etc/audit.rules (Too many levels of symbolic links) [root@acidsnowflake etc]# Note that there is nothing special about this particular diskroot directory (i.e. there are no other symbolic links involved). If I remove the symbolic links, the service works fine. The problem is that I need to have the links there for various reasons. Is this a bug in auditd, or did I do something stupid? One last note, if I vi the file via the symbolic link, it works fine, which leads me to believe that this is more likely something wrong in the startup sequence or auditd itself (although I couldn't see any issues that stood out to me). Thanks, Steve

18 years, 1 month

3
2
0 / 0

audit record content

by John Calcote

As far as I can tell, this forum has focused mainly on transport, performance, security and integrity issues. Indeed, these are all critical issues relative to audit, but is not audit record content just as important? If we spend all of our time managing the low-level transport issues, what does it avail us if only garbage is audited? I've been working at the content level in an effort to standardize the record format. I've begun with the Open Group's XDAS standard as a baseline. The project is on sourceforge and it's called OpenXDAS. Back-end loggers are pluggable, and LAF is already supported on providing platforms. Will some of you folks kindly take a few minutes of your time to look at the project and tell me what you think? I really want to make some traction here, and I think your good opinions are worth a lot. I'm open to suggestion, and would love to get some feedback. http://openxdas.sourceforge.net http://www.sourceforge.net/projects/openxdas Thanks, John ----- John Calcote (jcalcote(a)novell.com) Sr. Software Engineeer Novell, Inc.

18 years, 1 month

1
0
0 / 0

[PATCH 2.6.19-rc4] audit: support for descriptor pairs (fwd)

by Mark Workman

---------- Forwarded message ---------- Date: Fri, 3 Nov 2006 14:22:39 -0500 (EST) From: Mark Workman <mworkman(a)linus.mitre.org> To: sgrubb(a)redhat.com Cc: linux-kernel(a)vger.kernel.org Subject: [PATCH 2.6.19-rc4] audit: support for descriptor pairs provide an audit record of the descriptor pair returned by pipe() and socketpair(). Signed-off-by: Jeremy Latt <jlatt(a)faceprint.com> Signed-off-by: Steven Trieber <spt(a)mitre.org> Signed-off-by: Mark Workman <mworkman(a)mitre.org> --- fs/pipe.c | 7 ++++++ include/linux/audit.h | 9 ++++++++ kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++ net/socket.c | 55 +++++++++++++++++++++++++++++++++++++++----------- 4 files changed, 99 insertions(+), 12 deletions(-) --- diff -uprN -X a/Documentation/dontdiff a/fs/pipe.c b/fs/pipe.c --- a/fs/pipe.c 2006-10-31 16:03:48.000000000 -0500 +++ b/fs/pipe.c 2006-10-31 16:10:50.000000000 -0500 @@ -16,6 +16,7 @@ #include <linux/uio.h> #include <linux/highmem.h> #include <linux/pagemap.h> +#include <linux/audit.h> #include <asm/uaccess.h> #include <asm/ioctls.h> @@ -972,6 +973,10 @@ int do_pipe(int *fd) goto err_fdr; fdw = error; + error = audit_fd_pair(fdr, fdw); + if (error < 0) + goto err_fdw; + fd_install(fdr, fr); fd_install(fdw, fw); fd[0] = fdr; @@ -979,6 +984,8 @@ int do_pipe(int *fd) return 0; + err_fdw: + put_unused_fd(fdw); err_fdr: put_unused_fd(fdr); err_read_pipe: diff -uprN -X a/Documentation/dontdiff a/include/linux/audit.h b/include/linux/audit.h --- a/include/linux/audit.h 2006-10-31 16:03:48.000000000 -0500 +++ b/include/linux/audit.h 2006-10-31 16:10:50.000000000 -0500 @@ -89,6 +89,7 @@ #define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */ #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ +#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ @@ -382,6 +383,7 @@ extern int __audit_ipc_set_perm(unsigned extern int audit_bprm(struct linux_binprm *bprm); extern int audit_socketcall(int nargs, unsigned long *args); extern int audit_sockaddr(int len, void *addr); +extern int __audit_fd_pair(int fd1, int fd2); extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); extern int audit_set_macxattr(const char *name); extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr); @@ -396,6 +398,12 @@ static inline int audit_ipc_obj(struct k return __audit_ipc_obj(ipcp); return 0; } +static inline int audit_fd_pair(int fd1, int fd2) +{ + if (unlikely(!audit_dummy_context())) + return __audit_fd_pair(fd1, fd2); + return 0; +} static inline int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) { if (unlikely(!audit_dummy_context())) @@ -453,6 +461,7 @@ extern int audit_n_rules; #define audit_ipc_set_perm(q,u,g,m) ({ 0; }) #define audit_bprm(p) ({ 0; }) #define audit_socketcall(n,a) ({ 0; }) +#define audit_fd_pair(n,a) ({ 0; }) #define audit_sockaddr(len, addr) ({ 0; }) #define audit_avc_path(dentry, mnt) ({ 0; }) #define audit_set_macxattr(n) do { ; } while (0) diff -uprN -X a/Documentation/dontdiff a/kernel/auditsc.c b/kernel/auditsc.c --- a/kernel/auditsc.c 2006-10-31 16:03:48.000000000 -0500 +++ b/kernel/auditsc.c 2006-10-31 16:10:50.000000000 -0500 @@ -169,6 +169,11 @@ struct audit_aux_data_sockaddr { char a[0]; }; +struct audit_aux_data_fd_pair { + struct audit_aux_data d; + int fd[2]; +}; + struct audit_aux_data_path { struct audit_aux_data d; struct dentry *dentry; @@ -956,6 +961,11 @@ static void audit_log_exit(struct audit_ audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); break; } + case AUDIT_FD_PAIR: { + struct audit_aux_data_fd_pair *axs = (void *)aux; + audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); + break; } + } audit_log_end(ab); } @@ -1808,6 +1818,36 @@ int audit_socketcall(int nargs, unsigned } /** + * __audit_fd_pair - record audit data for pipe and socketpair + * @fd1: the first file descriptor + * @fd2: the second file descriptor + * + * Returns 0 for success or NULL context or < 0 on error. + */ +int __audit_fd_pair(int fd1, int fd2) +{ + struct audit_context *context = current->audit_context; + struct audit_aux_data_fd_pair *ax; + + if (likely(!context)) { + return 0; + } + + ax = kmalloc(sizeof(*ax), GFP_KERNEL); + if (!ax) { + return -ENOMEM; + } + + ax->fd[0] = fd1; + ax->fd[1] = fd2; + + ax->d.type = AUDIT_FD_PAIR; + ax->d.next = context->aux; + context->aux = (void *)ax; + return 0; +} + +/** * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto * @len: data length in user space * @a: data address in kernel space diff -uprN -X a/Documentation/dontdiff a/net/socket.c b/net/socket.c --- a/net/socket.c 2006-10-31 16:03:49.000000000 -0500 +++ b/net/socket.c 2006-11-03 14:19:46.000000000 -0500 @@ -393,6 +393,47 @@ int sock_map_fd(struct socket *sock) return fd; } +int sock_map_fd_pair(struct socket *sock1, struct socket *sock2, int *fd1, int *fd2) +{ + int err; + struct file *newfile1; + struct file *newfile2; + + *fd1 = err = sock_alloc_fd(&newfile1); + if (unlikely(*fd1 < 0)) + return err; + + err = sock_attach_fd(sock1, newfile1); + if (unlikely(err < 0)) + goto err_f1; + + *fd2 = err = sock_alloc_fd(&newfile2); + if (unlikely(*fd2 < 0)) + goto err_f1; + + err = sock_attach_fd(sock2, newfile2); + if (unlikely(err < 0)) + goto err_f2; + + err = audit_fd_pair(*fd1, *fd2); + if (err < 0) + goto err_f2; + + fd_install(*fd1, newfile1); + fd_install(*fd2, newfile2); + + return 0; + +err_f2: + fput(newfile2); + put_unused_fd(*fd2); + +err_f1: + fput(newfile1); + put_unused_fd(*fd1); + return (err); +} + static struct socket *sock_from_file(struct file *file, int *err) { struct inode *inode; @@ -1220,15 +1261,9 @@ asmlinkage long sys_socketpair(int famil fd1 = fd2 = -1; - err = sock_map_fd(sock1); + err = sock_map_fd_pair(sock1, sock2, &fd1, &fd2); if (err < 0) goto out_release_both; - fd1 = err; - - err = sock_map_fd(sock2); - if (err < 0) - goto out_close_1; - fd2 = err; /* fd1 and fd2 may be already another descriptors. * Not kernel problem. @@ -1244,11 +1279,6 @@ asmlinkage long sys_socketpair(int famil sys_close(fd1); return err; -out_close_1: - sock_release(sock2); - sys_close(fd1); - return err; - out_release_both: sock_release(sock2); out_release_1: @@ -2259,6 +2289,7 @@ EXPORT_SYMBOL(sock_create); EXPORT_SYMBOL(sock_create_kern); EXPORT_SYMBOL(sock_create_lite); EXPORT_SYMBOL(sock_map_fd); +EXPORT_SYMBOL(sock_map_fd_pair); EXPORT_SYMBOL(sock_recvmsg); EXPORT_SYMBOL(sock_register); EXPORT_SYMBOL(sock_release);

18 years, 1 month

3
2
0 / 0

[PATCH 0/9] Task Watchers v2: Introduction

by Matt Helsley

This is version 2 of my Task Watchers patches. Task watchers calls functions whenever a task forks, execs, changes its [re][ug]id, or exits. Task watchers is primarily useful to existing kernel code as a means of making the code in fork and exit more readable. Kernel code uses these paths by marking a function as a task watcher much like modules mark their init functions with module_init(). This improves the readability of copy_process(). The first patch adds the basic infrastructure of task watchers: notification function calls in the various paths and a table of function pointers to be called. It uses an ELF section because parts of the table must be gathered from all over the kernel code and using the linker is easier than resolving and maintaining complex header interdependencies. An ELF table is also ideal because its "readonly" nature means that no locking nor list traversal are required. Subsequent patches adapt existing parts of the kernel to use a task watcher -- typically in the fork, clone, and exit paths: FEATURE (notes) RELEVANT CONFIG VARIABLE ----------------------------------------------------------------------- audit [ CONFIG_AUDIT ... ] semundo [ CONFIG_SYSVIPC ] cpusets [ CONFIG_CPUSETS ] mempolicy [ CONFIG_NUMA ] trace irqflags [ CONFIG_TRACE_IRQFLAGS ] lockdep [ CONFIG_LOCKDEP ] keys (for processes -- not for thread groups) [ CONFIG_KEYS ] process events connector [ CONFIG_PROC_EVENTS ] TODO: Mark the task watcher table ELF section read-only. I've tried to "fix" the .lds files to do this with no success. I'd really appreciate help from folks familiar with writing linker scripts. I'm working on three more patches that add support for creating a task watcher from within a module using an ELF section. They haven't recieved as much attention since I've been focusing on measuring the performance impact of these patches. Changes: since v2 RFC: Updated to 2.6.19-rc2-mm2 Compiled, booted, tested, and benchmarked Testing Booted with audit=1 profile=2 Enabled profiling tools Enabled auditing Ran random syscall test IRQ trace and lockdep CONFIG=y not tested Benchmarks A clone benchmark (try to clone as fast as possible) Unrealistic. Shows incremental cost of one task watcher A fork benchmark (try to fork as fast as possible) Unrealistic. Shows incremental cost of one task watcher Kernbench Closer to realistic. Result summaries follow changelog See patches for details Fork and clone samples available on request (too large for email) Fork and clone benchmark sources will be posted as replies to 00 v2: Dropped use of notifier chains Dropped per-task watchers Can be implemented on top of this Still requires notifier chains Dropped taskstats conversion Parts of taskstats had to move away from the regions of copy_process() and do_exit() where task_watchers are notified Used linker script mechanism suggested by Al Viro Created one "list" of watchers per event as requested by Andrew Morton No need to multiplex a single function call Easier to static register/unregister watchers: 1 line of code val param now used for: WATCH_TASK_INIT: clone_flags WATCH_TASK_CLONE: clone_flags WATCH_TASK_EXIT: exit code WATCH_TASK_*: <unused> Renamed notify_watchers() to notify_task_watchers() Replaced: if (err != 0) --> if (err) Added patches converting more "features" to use task watchers Added return code handling to WATCH_TASK_INIT Return code handling elsewhere didn't seem appropriate since there was generally no response necessary Fixed process keys free to handle failure in fork as originally coded in copy_process Added process keys code to watch for [er][ug]id changes v1: Added ability to cause fork to fail with NOTIFY_STOP_MASK Added WARN_ON() when watchers cause WATCH_TASK_FREE to stop early Moved fork invocation Moved exec invocation Added current as argument to exec invocation Moved exit code assignment Added id change invocations (70 insertions) v0: Based on Jes Sorensen's Task Notifiers patches (posted to LSE-Tech) Benchmark result summaries (sorry, this part is 86 columns): System: 4 1.7GHz ppc64 (Power 4+) processors, 30968600MB RAM, 2.6.19-rc2-mm2 kernel Clone - Incremental worst-case costs measured in tasks/second and as a percentage of expected rate Patch 1 2 3 4 5 6 7 8 9 -------------------------------------------------------------------------------------- Incremental Cost (tasks/s) -38.12 12.5 -84 25.2 -187.5 -0.5834 -11.36 -125.2 -64.05 Cost Err 122.3 17.84 67.11 61.03 41.8 34.64 45.53 58.28 53.18 Cost (%) -0.2 0.07 -0.5 0.1 -1 -0.004 -0.06 -0.7 -0.4 Cost Err (%) 0.7 0.1 0.4 0.3 0.2 0.2 0.2 0.3 0.3 Fork - Incremental worst-case costs measured in tasks/second and as a percentage of expected rate Patch 1 2 3 4 5 6 7 8 9 -------------------------------------------------------------------------------------- Incremental Cost (tasks/s) -64.58 -35.74 -33.29 -25.8 -139.5 -7.311 -9.2 -131.4 -50.47 Cost Err 54.09 27.58 41.76 42.47 49.87 60.94 29.72 39.7 40.89 Cost (%) -0.3 -0.2 -0.2 -0.1 -0.8 -0.04 -0.05 -0.7 -0.3 Cost Err (%) 0.3 0.2 0.2 0.2 0.3 0.3 0.2 0.2 0.2 Kernbench Measurements Patch Elapsed(s) User(s) System(s) CPU(%) - 124.406 439.947 46.615 390.700 <-- baseline 2.6.19-rc2-mm2 1 124.353 439.935 46.334 390.400 2 124.234 439.700 46.503 390.800 3 124.248 439.830 46.258 390.700 4 124.357 439.753 46.582 390.600 5 124.333 439.787 46.491 390.700 6 124.532 439.732 46.497 389.900 7 124.359 439.756 46.457 390.300 8 124.272 439.643 46.320 390.500 9 124.400 439.787 46.485 390.300 Mean: 124.349 439.787 46.454 390.490 Stddev: 0.087641 0.095917 0.115309 0.272641 Kernbench - Incremental costs Patch Elapsed(s) User(s) System(s) CPU(%) 1 -0.053 -0.012 -0.281 -0.3 2 -0.119 -0.235 0.169 0.4 3 0.014 0.130 -0.245 -0.1 4 0.109 -0.077 0.324 -0.1 5 -0.024 0.034 -0.091 0.1 6 0.199 -0.055 0.006 -0.8 7 -0.173 0.024 -0.040 0.4 8 -0.087 -0.113 -0.137 0.2 9 0.128 0.144 0.165 -0.2 Mean: 0.005875 -0.0185 0.018875 -0.0125 Stddev: 0.13094 0.12738 0.1877 0.39074 Andrew, please consider these patches for 2.6.20's -mm tree. Cheers, -Matt Helsley --

18 years, 1 month

3
15
0 / 0

[PATCH 1/1]: ipsec audit

by Joy Latten

This code adds auditing to IPSec. An audit message gets logged whenever an ipsec policy or security association is added or deleted from the kernel's Security Policy Database and/or Security Association Database. IPSec policies and SAs can be added and/or deleted via the pfkey api or the netlink api, which was extended to accomodate key management. PFKEYv2 is a socket protocol for key management defined in RFC 2367. I added auditing for both key management protocols. Both protocols utilize the same code in some places. Please let me know if this patch is acceptable. Regards, Joy Latten --------------------------------------------------------------------------------- diff -urpN linux-2.6.18.ppc64/include/linux/audit.h linux-2.6.18.ppc64.patch/include/linux/audit.h --- linux-2.6.18.ppc64/include/linux/audit.h 2006-10-26 03:10:10.000000000 -0500 +++ linux-2.6.18.ppc64.patch/include/linux/audit.h 2006-10-26 07:04:08.000000000 -0500 @@ -100,6 +100,10 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff -urpN linux-2.6.18.ppc64/include/net/xfrm.h linux-2.6.18.ppc64.patch/include/net/xfrm.h --- linux-2.6.18.ppc64/include/net/xfrm.h 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/include/net/xfrm.h 2006-10-26 07:04:08.000000000 -0500 @@ -18,6 +18,7 @@ #include <net/route.h> #include <net/ipv6.h> #include <net/ip6_fib.h> +#include <linux/audit.h> #define XFRM_ALIGN8(len) (((len) + 7) & ~7) #define MODULE_ALIAS_XFRM_MODE(family, encap) \ @@ -231,7 +232,7 @@ extern void km_state_notify(struct xfrm_ struct xfrm_tmpl; extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid); -extern int __xfrm_state_delete(struct xfrm_state *x); +extern int __xfrm_state_delete(struct xfrm_state *x, uid_t auid); struct xfrm_state_afinfo { unsigned short family; @@ -737,16 +738,17 @@ static inline int xfrm_sk_clone_policy(s return 0; } -extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir); +extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir, uid_t auid); static inline void xfrm_sk_free_policy(struct sock *sk) { + uid_t auid = audit_get_loginuid(current->audit_context); if (unlikely(sk->sk_policy[0] != NULL)) { - xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX); + xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX, auid); sk->sk_policy[0] = NULL; } if (unlikely(sk->sk_policy[1] != NULL)) { - xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1); + xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1, auid); sk->sk_policy[1] = NULL; } } @@ -898,13 +900,13 @@ extern struct xfrm_state *xfrm_state_fin struct xfrm_policy *pol, int *err, unsigned short family); extern int xfrm_state_check_expire(struct xfrm_state *x); -extern void xfrm_state_insert(struct xfrm_state *x); -extern int xfrm_state_add(struct xfrm_state *x); -extern int xfrm_state_update(struct xfrm_state *x); +extern void xfrm_state_insert(struct xfrm_state *x, uid_t auid); +extern int xfrm_state_add(struct xfrm_state *x, uid_t auid); +extern int xfrm_state_update(struct xfrm_state *x, uid_t auid); extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); -extern int xfrm_state_delete(struct xfrm_state *x); -extern void xfrm_state_flush(u8 proto); +extern int xfrm_state_delete(struct xfrm_state *x, uid_t auid); +extern void xfrm_state_flush(u8 proto, uid_t auid); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); extern void xfrm_replay_notify(struct xfrm_state *x, int event); @@ -948,17 +950,18 @@ static inline int xfrm_dst_lookup(struct struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *); -int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); +int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl, uid_t auid); struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, - struct xfrm_sec_ctx *ctx, int delete); -struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); -void xfrm_policy_flush(void); + struct xfrm_sec_ctx *ctx, int delete, + uid_t auid); +struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete, uid_t auid); +void xfrm_policy_flush(uid_t auid); u32 xfrm_get_acqseq(void); void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); -extern void xfrm_policy_flush(void); +extern void xfrm_policy_flush(uid_t auid); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_flush_bundles(void); extern void xfrm_flush_all_bundles(void); diff -urpN linux-2.6.18.ppc64/kernel/auditsc.c linux-2.6.18.ppc64.patch/kernel/auditsc.c --- linux-2.6.18.ppc64/kernel/auditsc.c 2006-10-26 03:10:35.000000000 -0500 +++ linux-2.6.18.ppc64.patch/kernel/auditsc.c 2006-10-26 07:04:49.000000000 -0500 @@ -1488,6 +1488,7 @@ uid_t audit_get_loginuid(struct audit_co { return ctx ? ctx->loginuid : -1; } +EXPORT_SYMBOL(audit_get_loginuid); /** * __audit_mq_open - record audit data for a POSIX MQ open diff -urpN linux-2.6.18.ppc64/net/ipv4/ipcomp.c linux-2.6.18.ppc64.patch/net/ipv4/ipcomp.c --- linux-2.6.18.ppc64/net/ipv4/ipcomp.c 2006-09-19 22:42:06.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/ipv4/ipcomp.c 2006-10-26 07:04:08.000000000 -0500 @@ -29,6 +29,7 @@ #include <net/icmp.h> #include <net/ipcomp.h> #include <net/protocol.h> +#include <linux/audit.h> struct ipcomp_tfms { struct list_head list; @@ -251,7 +252,7 @@ static int ipcomp_tunnel_attach(struct x err = -EINVAL; goto out; } - xfrm_state_insert(t); + xfrm_state_insert(t,audit_get_loginuid(current->audit_context)); xfrm_state_hold(t); } x->tunnel = t; diff -urpN linux-2.6.18.ppc64/net/ipv6/ipcomp6.c linux-2.6.18.ppc64.patch/net/ipv6/ipcomp6.c --- linux-2.6.18.ppc64/net/ipv6/ipcomp6.c 2006-09-19 22:42:06.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/ipv6/ipcomp6.c 2006-10-26 07:04:08.000000000 -0500 @@ -50,6 +50,7 @@ #include <linux/ipv6.h> #include <linux/icmpv6.h> #include <linux/mutex.h> +#include <linux/audit.h> struct ipcomp6_tfms { struct list_head list; @@ -246,7 +247,7 @@ static int ipcomp6_tunnel_attach(struct err = -EINVAL; goto out; } - xfrm_state_insert(t); + xfrm_state_insert(t,audit_get_loginuid(current->audit_context)); xfrm_state_hold(t); } x->tunnel = t; diff -urpN linux-2.6.18.ppc64/net/key/af_key.c linux-2.6.18.ppc64.patch/net/key/af_key.c --- linux-2.6.18.ppc64/net/key/af_key.c 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/key/af_key.c 2006-10-26 07:04:08.000000000 -0500 @@ -29,6 +29,7 @@ #include <net/xfrm.h> #include <net/sock.h> +#include <linux/audit.h> #define _X2KEY(x) ((x) == XFRM_INF ? 0 : (x)) #define _KEY2X(x) ((x) == 0 ? XFRM_INF : (x)) @@ -1416,9 +1417,9 @@ static int pfkey_add(struct sock *sk, st xfrm_state_hold(x); if (hdr->sadb_msg_type == SADB_ADD) - err = xfrm_state_add(x); + err = xfrm_state_add(x, audit_get_loginuid(current->audit_context)); else - err = xfrm_state_update(x); + err = xfrm_state_update(x, audit_get_loginuid(current->audit_context)); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -1461,7 +1462,7 @@ static int pfkey_delete(struct sock *sk, goto out; } - err = xfrm_state_delete(x); + err = xfrm_state_delete(x, audit_get_loginuid(current->audit_context)); if (err < 0) goto out; @@ -1642,7 +1643,7 @@ static int pfkey_flush(struct sock *sk, if (proto == 0) return -EINVAL; - xfrm_state_flush(proto); + xfrm_state_flush(proto, audit_get_loginuid(current->audit_context)); c.data.proto = proto; c.seq = hdr->sadb_msg_seq; c.pid = hdr->sadb_msg_pid; @@ -2192,7 +2193,8 @@ static int pfkey_spdadd(struct sock *sk, goto out; err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, - hdr->sadb_msg_type != SADB_X_SPDUPDATE); + hdr->sadb_msg_type != SADB_X_SPDUPDATE, + audit_get_loginuid(current->audit_context)); if (err) goto out; @@ -2268,7 +2270,7 @@ static int pfkey_spddelete(struct sock * return err; } - xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1); + xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1, audit_get_loginuid(current->audit_context)); security_xfrm_policy_free(&tmp); if (xp == NULL) return -ENOENT; @@ -2331,7 +2333,8 @@ static int pfkey_spdget(struct sock *sk, return -EINVAL; xp = xfrm_policy_byid(dir, pol->sadb_x_policy_id, - hdr->sadb_msg_type == SADB_X_SPDDELETE2); + hdr->sadb_msg_type == SADB_X_SPDDELETE2, + audit_get_loginuid(current->audit_context)); if (xp == NULL) return -ENOENT; @@ -2405,7 +2408,7 @@ static int pfkey_spdflush(struct sock *s { struct km_event c; - xfrm_policy_flush(); + xfrm_policy_flush(audit_get_loginuid(current->audit_context)); c.event = XFRM_MSG_FLUSHPOLICY; c.pid = hdr->sadb_msg_pid; c.seq = hdr->sadb_msg_seq; diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c --- linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c 2006-10-26 07:04:08.000000000 -0500 @@ -293,7 +293,7 @@ out: expired: read_unlock(&xp->lock); - if (!xfrm_policy_delete(xp, dir)) + if (!xfrm_policy_delete(xp, dir, audit_get_loginuid(current->audit_context))) km_policy_expired(xp, dir, 1, 0); xfrm_pol_put(xp); } @@ -374,13 +374,21 @@ static void xfrm_policy_gc_task(void *da * entry dead. The rule must be unlinked from lists to the moment. */ -static void xfrm_policy_kill(struct xfrm_policy *policy) +static void xfrm_policy_kill(struct xfrm_policy *policy, uid_t auid) { int dead; write_lock_bh(&policy->lock); dead = policy->dead; policy->dead = 1; + + if (policy->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_DELSPD, + "spd delete: auid=%u ctx_alg=%d ctx_doi=%d ctx=%s", + auid, policy->security->ctx_alg, + policy->security->ctx_doi, policy->security->ctx_str); + write_unlock_bh(&policy->lock); if (unlikely(dead)) { @@ -417,7 +425,7 @@ static u32 xfrm_gen_index(int dir) } } -int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) +int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl, uid_t auid) { struct xfrm_policy *pol, **p; struct xfrm_policy *delpol = NULL; @@ -460,10 +468,18 @@ int xfrm_policy_insert(int dir, struct x write_unlock_bh(&xfrm_policy_lock); if (delpol) - xfrm_policy_kill(delpol); + xfrm_policy_kill(delpol, auid); read_lock_bh(&xfrm_policy_lock); gc_list = NULL; + + if (policy->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_ADDSPD, + "spd add: auid=%u ctx_alg=%d ctx_doi=%d ctx=%s", + auid, policy->security->ctx_alg, + policy->security->ctx_doi, policy->security->ctx_str); + for (policy = policy->next; policy; policy = policy->next) { struct dst_entry *dst; @@ -480,6 +496,7 @@ int xfrm_policy_insert(int dir, struct x } write_unlock(&policy->lock); } + read_unlock_bh(&xfrm_policy_lock); while (gc_list) { @@ -494,7 +511,8 @@ int xfrm_policy_insert(int dir, struct x EXPORT_SYMBOL(xfrm_policy_insert); struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, - struct xfrm_sec_ctx *ctx, int delete) + struct xfrm_sec_ctx *ctx, int delete, + uid_t auid) { struct xfrm_policy *pol, **p; @@ -512,13 +530,13 @@ struct xfrm_policy *xfrm_policy_bysel_ct if (pol && delete) { atomic_inc(&flow_cache_genid); - xfrm_policy_kill(pol); + xfrm_policy_kill(pol, auid); } return pol; } EXPORT_SYMBOL(xfrm_policy_bysel_ctx); -struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete) +struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete, uid_t auid) { struct xfrm_policy *pol, **p; @@ -535,13 +553,13 @@ struct xfrm_policy *xfrm_policy_byid(int if (pol && delete) { atomic_inc(&flow_cache_genid); - xfrm_policy_kill(pol); + xfrm_policy_kill(pol, auid); } return pol; } EXPORT_SYMBOL(xfrm_policy_byid); -void xfrm_policy_flush(void) +void xfrm_policy_flush(uid_t auid) { struct xfrm_policy *xp; int dir; @@ -552,7 +570,7 @@ void xfrm_policy_flush(void) xfrm_policy_list[dir] = xp->next; write_unlock_bh(&xfrm_policy_lock); - xfrm_policy_kill(xp); + xfrm_policy_kill(xp, auid); write_lock_bh(&xfrm_policy_lock); } @@ -696,7 +714,7 @@ static struct xfrm_policy *__xfrm_policy return NULL; } -int xfrm_policy_delete(struct xfrm_policy *pol, int dir) +int xfrm_policy_delete(struct xfrm_policy *pol, int dir, uid_t auid) { write_lock_bh(&xfrm_policy_lock); pol = __xfrm_policy_unlink(pol, dir); @@ -704,7 +722,7 @@ int xfrm_policy_delete(struct xfrm_polic if (pol) { if (dir < XFRM_POLICY_MAX) atomic_inc(&flow_cache_genid); - xfrm_policy_kill(pol); + xfrm_policy_kill(pol, auid); return 0; } return -ENOENT; @@ -728,7 +746,7 @@ int xfrm_sk_policy_insert(struct sock *s write_unlock_bh(&xfrm_policy_lock); if (old_pol) { - xfrm_policy_kill(old_pol); + xfrm_policy_kill(old_pol, audit_get_loginuid(current->audit_context)); } return 0; } diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_state.c --- linux-2.6.18.ppc64/net/xfrm/xfrm_state.c 2006-10-26 03:10:09.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_state.c 2006-10-26 07:04:08.000000000 -0500 @@ -59,7 +59,7 @@ static DEFINE_SPINLOCK(xfrm_state_gc_loc static int xfrm_state_gc_flush_bundles; -int __xfrm_state_delete(struct xfrm_state *x); +int __xfrm_state_delete(struct xfrm_state *x, uid_t auid); static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family); static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); @@ -180,7 +180,8 @@ expired: next = 2; goto resched; } - if (!__xfrm_state_delete(x) && x->id.spi) + if (!__xfrm_state_delete(x, audit_get_loginuid(current->audit_context)) + && x->id.spi) km_state_expired(x, 1, 0); out: @@ -231,7 +232,7 @@ void __xfrm_state_destroy(struct xfrm_st } EXPORT_SYMBOL(__xfrm_state_destroy); -int __xfrm_state_delete(struct xfrm_state *x) +int __xfrm_state_delete(struct xfrm_state *x, uid_t auid) { int err = -ESRCH; @@ -244,6 +245,13 @@ int __xfrm_state_delete(struct xfrm_stat list_del(&x->byspi); __xfrm_state_put(x); } + if (x->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_ADDSA, + "SAD delete: auid=%u ctx_alg=%d ctx_doi=%d ctx=%s", + auid, x->security->ctx_alg, + x->security->ctx_doi, x->security->ctx_str); + spin_unlock(&xfrm_state_lock); if (del_timer(&x->timer)) __xfrm_state_put(x); @@ -272,19 +280,19 @@ int __xfrm_state_delete(struct xfrm_stat } EXPORT_SYMBOL(__xfrm_state_delete); -int xfrm_state_delete(struct xfrm_state *x) +int xfrm_state_delete(struct xfrm_state *x, uid_t auid) { int err; spin_lock_bh(&x->lock); - err = __xfrm_state_delete(x); + err = __xfrm_state_delete(x, auid); spin_unlock_bh(&x->lock); return err; } EXPORT_SYMBOL(xfrm_state_delete); -void xfrm_state_flush(u8 proto) +void xfrm_state_flush(u8 proto, uid_t auid) { int i; struct xfrm_state *x; @@ -298,7 +306,7 @@ restart: xfrm_state_hold(x); spin_unlock_bh(&xfrm_state_lock); - xfrm_state_delete(x); + xfrm_state_delete(x, auid); xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); @@ -441,7 +449,7 @@ out: return x; } -static void __xfrm_state_insert(struct xfrm_state *x) +static void __xfrm_state_insert(struct xfrm_state *x, uid_t auid) { unsigned h = xfrm_dst_hash(&x->id.daddr, x->props.family); @@ -461,12 +469,20 @@ static void __xfrm_state_insert(struct x xfrm_state_hold(x); wake_up(&km_waitq); + + if (x->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_ADDSA, + "SAD add: auid=%u ctx_alg=%d ctx_doi=%d, ctx=%s", + auid, x->security->ctx_alg, x->security->ctx_doi, + x->security->ctx_str); + } -void xfrm_state_insert(struct xfrm_state *x) +void xfrm_state_insert(struct xfrm_state *x, uid_t auid) { spin_lock_bh(&xfrm_state_lock); - __xfrm_state_insert(x); + __xfrm_state_insert(x, auid); spin_unlock_bh(&xfrm_state_lock); xfrm_flush_all_bundles(); @@ -475,7 +491,7 @@ EXPORT_SYMBOL(xfrm_state_insert); static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq); -int xfrm_state_add(struct xfrm_state *x) +int xfrm_state_add(struct xfrm_state *x, uid_t auid) { struct xfrm_state_afinfo *afinfo; struct xfrm_state *x1; @@ -510,7 +526,7 @@ int xfrm_state_add(struct xfrm_state *x) x->props.mode, x->props.reqid, x->id.proto, &x->id.daddr, &x->props.saddr, 0); - __xfrm_state_insert(x); + __xfrm_state_insert(x, auid); err = 0; out: @@ -521,7 +537,7 @@ out: xfrm_flush_all_bundles(); if (x1) { - xfrm_state_delete(x1); + xfrm_state_delete(x1, auid); xfrm_state_put(x1); } @@ -529,7 +545,7 @@ out: } EXPORT_SYMBOL(xfrm_state_add); -int xfrm_state_update(struct xfrm_state *x) +int xfrm_state_update(struct xfrm_state *x, uid_t auid) { struct xfrm_state_afinfo *afinfo; struct xfrm_state *x1; @@ -553,7 +569,7 @@ int xfrm_state_update(struct xfrm_state } if (x1->km.state == XFRM_STATE_ACQ) { - __xfrm_state_insert(x); + __xfrm_state_insert(x, auid); x = NULL; } err = 0; @@ -566,7 +582,7 @@ out: return err; if (!x) { - xfrm_state_delete(x1); + xfrm_state_delete(x1, auid); xfrm_state_put(x1); return 0; } @@ -1125,11 +1141,15 @@ static void xfrm_state_put_afinfo(struct /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ void xfrm_state_delete_tunnel(struct xfrm_state *x) { + uid_t auid; + + auid = audit_get_loginuid(current->audit_context); + if (x->tunnel) { struct xfrm_state *t = x->tunnel; if (atomic_read(&t->tunnel_users) == 2) - xfrm_state_delete(t); + xfrm_state_delete(t, auid); atomic_dec(&t->tunnel_users); xfrm_state_put(t); x->tunnel = NULL; diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_user.c --- linux-2.6.18.ppc64/net/xfrm/xfrm_user.c 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_user.c 2006-10-26 07:04:08.000000000 -0500 @@ -27,6 +27,7 @@ #include <net/xfrm.h> #include <net/netlink.h> #include <asm/uaccess.h> +#include <linux/audit.h> static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -396,9 +397,9 @@ static int xfrm_add_sa(struct sk_buff *s xfrm_state_hold(x); if (nlh->nlmsg_type == XFRM_MSG_NEWSA) - err = xfrm_state_add(x); + err = xfrm_state_add(x, NETLINK_CB(skb).loginuid); else - err = xfrm_state_update(x); + err = xfrm_state_update(x, NETLINK_CB(skb).loginuid); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -435,7 +436,7 @@ static int xfrm_del_sa(struct sk_buff *s goto out; } - err = xfrm_state_delete(x); + err = xfrm_state_delete(x, NETLINK_CB(skb).loginuid); if (err < 0) goto out; @@ -859,7 +860,7 @@ static int xfrm_add_policy(struct sk_buf * in netlink excl is a flag and you wouldnt need * a type XFRM_MSG_UPDPOLICY - JHS */ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; - err = xfrm_policy_insert(p->dir, xp, excl); + err = xfrm_policy_insert(p->dir, xp, excl, NETLINK_CB(skb).loginuid); if (err) { security_xfrm_policy_free(xp); kfree(xp); @@ -1026,6 +1027,7 @@ static int xfrm_get_policy(struct sk_buf int err; struct km_event c; int delete; + uid_t auid; p = NLMSG_DATA(nlh); delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; @@ -1034,8 +1036,9 @@ static int xfrm_get_policy(struct sk_buf if (err) return err; + auid = NETLINK_CB(skb).loginuid; if (p->index) - xp = xfrm_policy_byid(p->dir, p->index, delete); + xp = xfrm_policy_byid(p->dir, p->index, delete, auid); else { struct rtattr **rtattrs = (struct rtattr **)xfrma; struct rtattr *rt = rtattrs[XFRMA_SEC_CTX-1]; @@ -1052,7 +1055,7 @@ static int xfrm_get_policy(struct sk_buf if ((err = security_xfrm_policy_alloc(&tmp, uctx))) return err; } - xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete); + xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete, auid); security_xfrm_policy_free(&tmp); } if (xp == NULL) @@ -1090,7 +1093,7 @@ static int xfrm_flush_sa(struct sk_buff struct km_event c; struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); - xfrm_state_flush(p->proto); + xfrm_state_flush(p->proto, NETLINK_CB(skb).loginuid); c.data.proto = p->proto; c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; @@ -1237,7 +1240,7 @@ static int xfrm_flush_policy(struct sk_b { struct km_event c; - xfrm_policy_flush(); + xfrm_policy_flush(NETLINK_CB(skb).loginuid); c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; c.pid = nlh->nlmsg_pid; @@ -1251,9 +1254,12 @@ static int xfrm_add_pol_expire(struct sk struct xfrm_user_polexpire *up = NLMSG_DATA(nlh); struct xfrm_userpolicy_info *p = &up->pol; int err = -ENOENT; + uid_t auid; + + auid = NETLINK_CB(skb).loginuid; if (p->index) - xp = xfrm_policy_byid(p->dir, p->index, 0); + xp = xfrm_policy_byid(p->dir, p->index, 0, auid); else { struct rtattr **rtattrs = (struct rtattr **)xfrma; struct rtattr *rt = rtattrs[XFRMA_SEC_CTX-1]; @@ -1270,7 +1276,7 @@ static int xfrm_add_pol_expire(struct sk if ((err = security_xfrm_policy_alloc(&tmp, uctx))) return err; } - xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, 0); + xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, 0, auid); security_xfrm_policy_free(&tmp); } @@ -1285,7 +1291,7 @@ static int xfrm_add_pol_expire(struct sk read_unlock(&xp->lock); err = 0; if (up->hard) { - xfrm_policy_delete(xp, p->dir); + xfrm_policy_delete(xp, p->dir, auid); } else { // reset the timers here? printk("Dont know what to do with soft policy expire\n"); @@ -1318,7 +1324,7 @@ static int xfrm_add_sa_expire(struct sk_ km_state_expired(x, ue->hard, current->pid); if (ue->hard) - __xfrm_state_delete(x); + __xfrm_state_delete(x, NETLINK_CB(skb).loginuid); out: spin_unlock_bh(&x->lock); xfrm_state_put(x);

18 years, 1 month

2
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit November 2006