[PATCH] libaudit.c - add entry list check for the path filter
by Michael C Thompson
The auditctl filter "path" is only valid on the exit filter list, and
the current version of auditctl does not perform this sanity check.
Other values filter options which are required to be on the exit list
have this sanity-check mechanism.
Below is a patch which adds this sanity check for the "path" filter keyword.
Thanks,
Mike
---
Signed-off-by: Michael Thompson <thompsmc(a)us.ibm.com>
--- audit-1.2.2-orig/lib/libaudit.c 2006-04-16 08:57:11.000000000 -0500
+++ audit-1.2.2/lib/libaudit.c 2006-05-17 14:56:55.000000000 -0500
@@ -952,6 +952,10 @@
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
case AUDIT_WATCH:
+ /* Watch is invalid on entry */
+ if ((flags == AUDIT_FILTER_ENTRY) &&
+ (field == AUDIT_WATCH))
+ return -7;
rule->values[rule->field_count] = strlen(v);
offset = rule->buflen;
rule->buflen += strlen(v);
18 years, 7 months
[PATCH] auditctl.8 man-page: Changed filter name from watch to path
by Michael C Thompson
Below is a patch to update the auditctl man page. The list of filters
had "watch" as a valid keyword, but as per my recent discussion with
Steve, the keyword is "path", not "watch".
This patch updates the man-page accordingly.
Thanks,
Mike
---
Signed-off-by: Michael Thompson <thompsmc(a)us.ibm.com>
--- audit-1.2.2-orig/docs/auditctl.8 2006-05-12 12:58:21.000000000 -0500
+++ audit-1.2.2/docs/auditctl.8 2006-05-17 14:59:32.000000000 -0500
@@ -131,6 +131,9 @@
.B msgtype
This is used to match the message type number. It should only be used
on the exclude filter list.
.TP
+.B path
+The full path of file to watch. This can only be used on the exit
filter list.
+.TP
.B pers
OS Personality Number
.TP
@@ -166,9 +169,6 @@
.TP
.B uid
User ID
-.TP
-.B watch
-Full Path of File to Watch
.RE
.TP
\fB\-w\fR <path>
18 years, 7 months
Multiple Rule Logic
by Michael C Thompson
Hey Steve,
I was wondering what is to be expected when multiple rules exist that
pertain to the same action.
Examples:
entry,always -S chmod - should see a record for chmod
exclude,always -S all - should never see any sys calls
Combined, should I expect a chmod record?
From my experiments with the current code, if any one rule instructs
audit to log the action, auditd will log it (i.e. I'll see a chmod
record). I'm wondering if this is the intended functionality.
Thanks,
Mike
18 years, 7 months
[PATCH] update of IPC audit record cleanup
by Linda Knippers
The following patch addresses most of the issues with the IPC_SET_PERM
records as described in:
https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
and addresses the comments I received on the record field names.
To summarize, I made the following changes:
1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
record is emitted in the failure case as well as the success case.
This matches the behavior in sys_shmctl(). I could simplify the
code in sys_msgctl() and semctl_down() slightly but it would mean
that in some error cases we could get an IPC_SET_PERM record
without an IPC record and that seemed odd.
2. No change to the IPC record type, given no feedback on the backward
compatibility question.
3. Removed the qbytes field from the IPC record. It wasn't being
set and when audit_ipc_obj() is called from ipcperms(), the
information isn't available. If we want the information in the IPC
record, more extensive changes will be necessary. Since it only
applies to message queues and it isn't really permission related, it
doesn't seem worth it.
4. Removed the obj field from the IPC_SET_PERM record. This means that
the kern_ipc_perm argument is no longer needed.
5. Removed the spaces and renamed the IPC_SET_PERM field names. Replaced iuid and
igid fields with ouid and ogid in the IPC record.
I tested this with the lspp.22 kernel on an x86_64 box. I believe it
applies cleanly on the latest kernel.
-- ljk
Signed-off-by: Linda Knippers <linda.knippers(a)hp.com>
include/linux/audit.h | 2 +-
ipc/msg.c | 9 +++++----
ipc/sem.c | 8 +++++---
ipc/shm.c | 2 +-
kernel/auditsc.c | 22 +++++-----------------
5 files changed, 17 insertions(+), 26 deletions(-)
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-05-05 14:29:42.000000000 -0400
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-05-16 13:13:43.000000000 -0400
@@ -665,8 +665,8 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- " qbytes=%lx iuid=%u igid=%u mode=%x",
- axi->qbytes, axi->uid, axi->gid, axi->mode);
+ "ouid=%u ogid=%u mode=%x",
+ axi->uid, axi->gid, axi->mode);
if (axi->osid != 0) {
char *ctx = NULL;
u32 len;
@@ -684,21 +684,10 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC_SET_PERM: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- " new qbytes=%lx new iuid=%u new igid=%u new mode=%x",
+ "qbytes=%lx ouid=%u ogid=%u mode=%x",
axi->qbytes, axi->uid, axi->gid, axi->mode);
- if (axi->osid != 0) {
- char *ctx = NULL;
- u32 len;
- if (selinux_ctxid_to_string(
- axi->osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u",
- axi->osid);
- call_panic = 1;
- } else
- audit_log_format(ab, " obj=%s", ctx);
- kfree(ctx);
- }
break; }
+
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
int i;
@@ -1232,7 +1221,7 @@ int audit_ipc_obj(struct kern_ipc_perm *
*
* Returns 0 for success or NULL context or < 0 on error.
*/
-int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
+int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
struct audit_aux_data_ipcctl *ax;
struct audit_context *context = current->audit_context;
@@ -1248,7 +1237,6 @@ int audit_ipc_set_perm(unsigned long qby
ax->uid = uid;
ax->gid = gid;
ax->mode = mode;
- selinux_get_ipc_sid(ipcp, &ax->osid);
ax->d.type = AUDIT_IPC_SET_PERM;
ax->d.next = context->aux;
--- linux-2.6.16.x86_64.orig/ipc/msg.c 2006-05-05 14:30:15.000000000 -0400
+++ linux-2.6.16.x86_64/ipc/msg.c 2006-05-05 14:50:32.000000000 -0400
@@ -454,6 +454,11 @@ asmlinkage long sys_msgctl (int msqid, i
err = audit_ipc_obj(ipcp);
if (err)
goto out_unlock_up;
+ if (cmd==IPC_SET) {
+ err = audit_ipc_set_perm(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode);
+ if (err)
+ goto out_unlock_up;
+ }
err = -EPERM;
if (current->euid != ipcp->cuid &&
@@ -468,10 +473,6 @@ asmlinkage long sys_msgctl (int msqid, i
switch (cmd) {
case IPC_SET:
{
- err = audit_ipc_set_perm(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode, ipcp);
- if (err)
- goto out_unlock_up;
-
err = -EPERM;
if (setbuf.qbytes > msg_ctlmnb && !capable(CAP_SYS_RESOURCE))
goto out_unlock_up;
--- linux-2.6.16.x86_64.orig/ipc/shm.c 2006-05-05 15:08:23.000000000 -0400
+++ linux-2.6.16.x86_64/ipc/shm.c 2006-05-05 14:51:53.000000000 -0400
@@ -643,7 +643,7 @@ asmlinkage long sys_shmctl (int shmid, i
err = audit_ipc_obj(&(shp->shm_perm));
if (err)
goto out_unlock_up;
- err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode, &(shp->shm_perm));
+ err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode);
if (err)
goto out_unlock_up;
err=-EPERM;
--- linux-2.6.16.x86_64.orig/ipc/sem.c 2006-05-05 14:30:02.000000000 -0400
+++ linux-2.6.16.x86_64/ipc/sem.c 2006-05-05 14:50:58.000000000 -0400
@@ -828,6 +828,11 @@ static int semctl_down(int semid, int se
if (err)
goto out_unlock;
+ if (cmd == IPC_SET) {
+ err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode);
+ if (err)
+ goto out_unlock;
+ }
if (current->euid != ipcp->cuid &&
current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN)) {
err=-EPERM;
@@ -844,9 +849,6 @@ static int semctl_down(int semid, int se
err = 0;
break;
case IPC_SET:
- err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode, ipcp);
- if (err)
- goto out_unlock;
ipcp->uid = setbuf.uid;
ipcp->gid = setbuf.gid;
ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
--- linux-2.6.16.x86_64.orig/include/linux/audit.h 2006-05-05 15:09:42.000000000 -0400
+++ linux-2.6.16.x86_64/include/linux/audit.h 2006-05-05 14:49:35.000000000 -0400
@@ -324,7 +324,7 @@ extern void auditsc_get_stamp(struct aud
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
extern uid_t audit_get_loginuid(struct audit_context *ctx);
extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
-extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
+extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
extern int audit_bprm(struct linux_binprm *bprm);
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
18 years, 7 months
[PATCH] Audit of POSIX Message Queue Syscalls Userspace
by George C. Wilson
This patch adds identifiers for the POSIX MQ auxiliary records. It applies
cleanly to audit-1.2.2. The constants are conditionally #define'd in
lib/libaudit.h, and the messages themselves in lib/msg_typetab.h. Not sure
what the expectation is for new #defines--/usr/include/linux/audit.h or
lib/libaudit.h. But chose the latter with the sort of preprocessor
conditionals I saw in use in some of the other groups of defines. So it
doesn't care about audit.h one way or the other.
Please apply when kernel work is ready.
libaudit.h | 6 ++++++
msg_typetab.h | 4 ++++
2 files changed, 10 insertions(+)
Signed-off-by: George Wilson <ltcgcw(a)us.ibm.com>
--
diff -Naurp audit-1.2.2.orig/lib/libaudit.h audit-1.2.2/lib/libaudit.h
--- audit-1.2.2.orig/lib/libaudit.h 2006-05-12 12:56:55.000000000 -0500
+++ audit-1.2.2/lib/libaudit.h 2006-05-16 18:12:14.000000000 -0500
@@ -96,6 +96,12 @@ extern "C" {
#ifndef AUDIT_IPC_SET_PERM
#define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */
#endif
+#ifndef AUDIT_MQ_OPEN
+#define AUDIT_MQ_OPEN 1312 /* POSIX MQ open record type */
+#define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */
+#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */
+#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
+#endif
#define AUDIT_LAST_EVENT 1399
#define AUDIT_FIRST_SELINUX 1400
diff -Naurp audit-1.2.2.orig/lib/msg_typetab.h audit-1.2.2/lib/msg_typetab.h
--- audit-1.2.2.orig/lib/msg_typetab.h 2006-05-12 12:08:28.000000000 -0500
+++ audit-1.2.2/lib/msg_typetab.h 2006-05-16 18:12:14.000000000 -0500
@@ -77,6 +77,10 @@ _S(AUDIT_FS_INODE, "FS
_S(AUDIT_EXECVE, "EXECVE" )
_S(AUDIT_SYSCALL_PARTIAL, "SYSCALL_PARTIAL" )
_S(AUDIT_IPC_SET_PERM, "IPC_SET_PERM" )
+_S(AUDIT_MQ_OPEN, "MQ_OPEN" )
+_S(AUDIT_MQ_SENDRECV, "MQ_SENDRECV" )
+_S(AUDIT_MQ_NOTIFY, "MQ_NOTIFY" )
+_S(AUDIT_MQ_GETSETATTR, "MQ_GETSETATTR" )
_S(AUDIT_AVC, "AVC" )
_S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
_S(AUDIT_AVC_PATH, "AVC_PATH" )
--
George Wilson <ltcgcw(a)us.ibm.com>
IBM Linux Technology Center
18 years, 7 months
Watch Performance
by Steve Grubb
Hello,
Over the last day or two, I re-worked the user space audit code to be able to
control the new file system audit subsystem. As I was doing the work, I
became concerned about the performance impact since it appears to be using
the syscall exit filter.
The syscall exit filter (and entry filter) is expensive to use except in cases
where you need to use it. This is because each rule in it must be examined
during each syscall to see if the current syscall is of interest. The current
lspp configuration has 10 syscall audit rules.
I became curious what the measured impact would be with the current file
system audit implementation. I decide to run the same performance test that I
tested the audit system with a couple weeks ago when inode and IPC problems
were noticed. I used the lspp.16 kernel with profile=2 boot param. The
following table shows the results:
rules seconds
0 49
10 56
25 75
50 115
75 143
90 185
0 rules had this for function usage:
1284 __d_lookup 4.7380
1170 __link_path_walk 0.3098
1065 avc_has_perm_noaudit 1.2144
706 _atomic_dec_and_lock 8.4048
612 do_path_lookup 0.8204
561 dput 1.2986
509 _raw_spin_lock 2.1477
10 rules had this:
1295 __d_lookup 4.7786
1089 audit_filter_syscall 6.3684
1081 __link_path_walk 0.2862
889 avc_has_perm_noaudit 1.0137
676 audit_getname 2.6000
658 do_path_lookup 0.8820
596 _atomic_dec_and_lock 7.0952
25 rules had this:
3193 audit_filter_rules 3.0009
2178 audit_filter_syscall 12.7368
1280 __d_lookup 4.7232
1131 __link_path_walk 0.2994
956 avc_has_perm_noaudit 1.0901
652 _atomic_dec_and_lock 7.7619
530 dput 1.2269
50 rules had this:
11213 audit_filter_rules 10.5385
4654 audit_filter_syscall 27.2164
4100 selinux_task_ctxid 141.3793
1212 __d_lookup 4.4723
1103 __link_path_walk 0.2920
1012 avc_has_perm_noaudit 1.1539
788 _atomic_dec_and_lock 9.3810
75 had this:
15351 audit_filter_rules 14.4276
6032 audit_filter_syscall 35.2749
2066 selinux_task_ctxid 71.2414
1237 __d_lookup 4.5646
1184 __link_path_walk 0.3135
1014 avc_has_perm_noaudit 1.1562
592 _atomic_dec_and_lock 7.0476
and 90 rules had this:
18287 audit_filter_rules 17.1870
9173 audit_filter_syscall 53.6433
4346 selinux_task_ctxid 149.8621
1314 __link_path_walk 0.3479
1218 __d_lookup 4.4945
1070 avc_has_perm_noaudit 1.2201
682 _atomic_dec_and_lock 8.1190
As you can see, the audit_filter_rules and audit_filter_syscall overwhelmed
the profile quickly. It would not be unreasonable for a system to have 40
watches. The lspp rules have 56 of them. With 10 syscall rules added, the
performance of a correctly configured lspp machine will be similar to the 75
rules test. This represents a 186% performance hit compared to no audit
rules.
I do not believe optimizing the audit_filter_rules function will solve the
problem. I think the file system audit algorithm needs to be re-thought. It
simply cannot penalize every syscall.
There are several ways to solve the problem. Maybe what we need to do is use
the watch list to store watches on and add a new field to the context. If a
watch is triggered it sets the flag in the context. When syscall exit is
done, it checks the flag and if set, does both the watch list and the exit
list. Otherwise, it skips the watch list. I don't know if this is feasible,
or a preferred solution, but we need to start looking at how to decouple the
exit list and watches.
-Steve
18 years, 7 months
[PATCH] IPC_SET_PERM cleanup
by Linda Knippers
The following patch addresses most of the issues with the IPC_SET_PERM
records as described in:
https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
To summarize, I made the following changes:
1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
record is emitted in the failure case as well as the success case.
This matches the behavior in sys_shmctl(). I could simplify the
code in sys_msgctl() and semctl_down() slightly but it would mean
that in some error cases we could get an IPC_SET_PERM record
without an IPC record and that seemed odd.
2. No change to the IPC record type, given no feedback on the backward
compatibility question.
3. Removed the qbytes field from the IPC record. It wasn't being
set and when audit_ipc_obj() is called from ipcperms(), the
information isn't available. If we want the information in the IPC
record, more extensive changes will be necessary. Since it only
applies to message queues and it isn't really permission related, it
doesn't seem worth it.
4. Removed the obj field from the IPC_SET_PERM record. This means that
the kern_ipc_perm argument is no longer needed.
5. Replaced the spaces in the IPC_SET_PERM field names with underscores.
I tested this with the lspp.22 kernel on an x86_64 box. Please let me
know if you see any issues.
-- ljk
include/linux/audit.h | 2 +-
ipc/msg.c | 9 +++++----
ipc/sem.c | 8 +++++---
ipc/shm.c | 2 +-
kernel/auditsc.c | 22 +++++-----------------
5 files changed, 17 insertions(+), 26 deletions(-)
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-05-05 14:29:42.000000000 -0400
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-05-05 14:48:44.000000000 -0400
@@ -665,8 +665,8 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- " qbytes=%lx iuid=%u igid=%u mode=%x",
- axi->qbytes, axi->uid, axi->gid, axi->mode);
+ "iuid=%u igid=%u mode=%x",
+ axi->uid, axi->gid, axi->mode);
if (axi->osid != 0) {
char *ctx = NULL;
u32 len;
@@ -684,21 +684,10 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC_SET_PERM: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- " new qbytes=%lx new iuid=%u new igid=%u new mode=%x",
+ "new_qbytes=%lx new_iuid=%u new_igid=%u new_mode=%x",
axi->qbytes, axi->uid, axi->gid, axi->mode);
- if (axi->osid != 0) {
- char *ctx = NULL;
- u32 len;
- if (selinux_ctxid_to_string(
- axi->osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u",
- axi->osid);
- call_panic = 1;
- } else
- audit_log_format(ab, " obj=%s", ctx);
- kfree(ctx);
- }
break; }
+
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
int i;
@@ -1232,7 +1221,7 @@ int audit_ipc_obj(struct kern_ipc_perm *
*
* Returns 0 for success or NULL context or < 0 on error.
*/
-int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
+int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
struct audit_aux_data_ipcctl *ax;
struct audit_context *context = current->audit_context;
@@ -1248,7 +1237,6 @@ int audit_ipc_set_perm(unsigned long qby
ax->uid = uid;
ax->gid = gid;
ax->mode = mode;
- selinux_get_ipc_sid(ipcp, &ax->osid);
ax->d.type = AUDIT_IPC_SET_PERM;
ax->d.next = context->aux;
--- linux-2.6.16.x86_64.orig/ipc/msg.c 2006-05-05 14:30:15.000000000 -0400
+++ linux-2.6.16.x86_64/ipc/msg.c 2006-05-05 14:50:32.000000000 -0400
@@ -454,6 +454,11 @@ asmlinkage long sys_msgctl (int msqid, i
err = audit_ipc_obj(ipcp);
if (err)
goto out_unlock_up;
+ if (cmd==IPC_SET) {
+ err = audit_ipc_set_perm(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode);
+ if (err)
+ goto out_unlock_up;
+ }
err = -EPERM;
if (current->euid != ipcp->cuid &&
@@ -468,10 +473,6 @@ asmlinkage long sys_msgctl (int msqid, i
switch (cmd) {
case IPC_SET:
{
- err = audit_ipc_set_perm(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode, ipcp);
- if (err)
- goto out_unlock_up;
-
err = -EPERM;
if (setbuf.qbytes > msg_ctlmnb && !capable(CAP_SYS_RESOURCE))
goto out_unlock_up;
--- linux-2.6.16.x86_64.orig/ipc/shm.c 2006-05-05 15:08:23.000000000 -0400
+++ linux-2.6.16.x86_64/ipc/shm.c 2006-05-05 14:51:53.000000000 -0400
@@ -643,7 +643,7 @@ asmlinkage long sys_shmctl (int shmid, i
err = audit_ipc_obj(&(shp->shm_perm));
if (err)
goto out_unlock_up;
- err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode, &(shp->shm_perm));
+ err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode);
if (err)
goto out_unlock_up;
err=-EPERM;
--- linux-2.6.16.x86_64.orig/ipc/sem.c 2006-05-05 14:30:02.000000000 -0400
+++ linux-2.6.16.x86_64/ipc/sem.c 2006-05-05 14:50:58.000000000 -0400
@@ -828,6 +828,11 @@ static int semctl_down(int semid, int se
if (err)
goto out_unlock;
+ if (cmd == IPC_SET) {
+ err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode);
+ if (err)
+ goto out_unlock;
+ }
if (current->euid != ipcp->cuid &&
current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN)) {
err=-EPERM;
@@ -844,9 +849,6 @@ static int semctl_down(int semid, int se
err = 0;
break;
case IPC_SET:
- err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode, ipcp);
- if (err)
- goto out_unlock;
ipcp->uid = setbuf.uid;
ipcp->gid = setbuf.gid;
ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
--- linux-2.6.16.x86_64.orig/include/linux/audit.h 2006-05-05 15:09:42.000000000 -0400
+++ linux-2.6.16.x86_64/include/linux/audit.h 2006-05-05 14:49:35.000000000 -0400
@@ -324,7 +324,7 @@ extern void auditsc_get_stamp(struct aud
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
extern uid_t audit_get_loginuid(struct audit_context *ctx);
extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
-extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
+extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
extern int audit_bprm(struct linux_binprm *bprm);
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
18 years, 7 months
[PATCH] collect sid of those who send {HUP,TERM,USR1} to auditd
by Alexander Viro
Add USR1 to the set we are logging, log sid of sender, make audit_signal_info()
inlined.
Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk>
---
include/linux/audit.h | 3 +--
kernel/audit.c | 2 ++
kernel/audit.h | 11 +++++++++++
kernel/auditsc.c | 21 +++++++++++----------
kernel/signal.c | 2 +-
5 files changed, 26 insertions(+), 13 deletions(-)
b0e74dd9e54eb5f81751f5cd832d1c9d1c703775
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c60e96d..103ed6d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -278,6 +278,7 @@ struct audit_rule { /* for AUDIT_LIST,
struct audit_sig_info {
uid_t uid;
pid_t pid;
+ __u32 sid;
};
struct audit_buffer;
@@ -328,7 +329,6 @@ extern int audit_bprm(struct linux_binpr
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
-extern void audit_signal_info(int sig, struct task_struct *t);
extern int audit_set_macxattr(const char *name);
#else
#define audit_alloc(t) ({ 0; })
@@ -349,7 +349,6 @@ extern int audit_set_macxattr(const char
#define audit_socketcall(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
-#define audit_signal_info(s,t) do { ; } while (0)
#define audit_set_macxattr(n) do { ; } while (0)
#endif
diff --git a/kernel/audit.c b/kernel/audit.c
index 35d5db1..11aa301 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -89,6 +89,7 @@ static int audit_backlog_wait_overflow =
/* The identity of the user shutting down the audit system. */
uid_t audit_sig_uid = -1;
pid_t audit_sig_pid = -1;
+u32 audit_sig_sid = 0;
/* Records can be lost in several ways:
0) [suppressed in audit_alloc]
@@ -614,6 +615,7 @@ static int audit_receive_msg(struct sk_b
case AUDIT_SIGNAL_INFO:
sig_data.uid = audit_sig_uid;
sig_data.pid = audit_sig_pid;
+ sig_data.sid = audit_sig_sid;
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
0, 0, &sig_data, sizeof(sig_data));
break;
diff --git a/kernel/audit.h b/kernel/audit.h
index 8948fc1..52cb1e3 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -101,3 +101,14 @@ struct audit_netlink_list {
int audit_send_list(void *);
extern int selinux_audit_rule_update(void);
+
+#ifdef CONFIG_AUDITSYSCALL
+extern void __audit_signal_info(int sig, struct task_struct *t);
+static inline void audit_signal_info(int sig, struct task_struct *t)
+{
+ if (unlikely(audit_pid && t->tgid == audit_pid))
+ __audit_signal_info(sig, t);
+}
+#else
+#define audit_signal_info(s,t)
+#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 114f921..4ca913d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1376,19 +1376,20 @@ int audit_avc_path(struct dentry *dentry
* If the audit subsystem is being terminated, record the task (pid)
* and uid that is doing that.
*/
-void audit_signal_info(int sig, struct task_struct *t)
+void __audit_signal_info(int sig, struct task_struct *t)
{
extern pid_t audit_sig_pid;
extern uid_t audit_sig_uid;
+ extern u32 audit_sig_sid;
- if (unlikely(audit_pid && t->tgid == audit_pid)) {
- if (sig == SIGTERM || sig == SIGHUP) {
- struct audit_context *ctx = current->audit_context;
- audit_sig_pid = current->pid;
- if (ctx)
- audit_sig_uid = ctx->loginuid;
- else
- audit_sig_uid = current->uid;
- }
+ if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
+ struct task_struct *tsk = current;
+ struct audit_context *ctx = tsk->audit_context;
+ audit_sig_pid = tsk->pid;
+ if (ctx)
+ audit_sig_uid = ctx->loginuid;
+ else
+ audit_sig_uid = tsk->uid;
+ selinux_get_task_sid(tsk, &audit_sig_sid);
}
}
diff --git a/kernel/signal.c b/kernel/signal.c
index e5f8aea..1b3c921 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -23,12 +23,12 @@
#include <linux/syscalls.h>
#include <linux/ptrace.h>
#include <linux/signal.h>
-#include <linux/audit.h>
#include <linux/capability.h>
#include <asm/param.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include <asm/siginfo.h>
+#include "audit.h" /* audit_signal_info() */
/*
* SLAB caches for signal bits.
--
0.99.9.GIT
18 years, 7 months
Linux audit newbie question (Sorry probably a little boring...)
by Adrian Powell
Hi,
I have a Linux system running a 2.6.5 kernel, which cannot be upgraded to a later
release for the time being. I do have the source available, and can patch it if necessary.
I wish to run some kind of system call level auditing/logging for security purposes. I have
the LaUS package installed with the PAM modules, but this does not impliment the system
call level logging that I require, without a patch. The trouble is that the only patches that I can
find are not compatible with this particular kernel.
Looking at other options, it appears that syscalltrace is no longer being developed ?.
It doesn't appear for the 2.6 kernels, and LSM again looks only good to 2.5 kernels.
The only other thing that I can find is ptrace, but has to be explicity run under each
executable ?.
What are my options here ?.
Thanks in advance,
Adrian.
18 years, 7 months
filter by ppid
by Alexander Viro
Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk>
---
include/linux/audit.h | 1 +
kernel/auditsc.c | 4 ++++
2 files changed, 5 insertions(+), 0 deletions(-)
5577dff75cbaab5635a5c8127a7f8fb2a9727baf
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 103ed6d..b32d91b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -152,6 +152,7 @@
#define AUDIT_SE_TYPE 15 /* security label type */
#define AUDIT_SE_SEN 16 /* security label sensitivity label */
#define AUDIT_SE_CLR 17 /* security label clearance label */
+#define AUDIT_PPID 18
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4fc3867..e455165 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -188,6 +188,10 @@ static int audit_filter_rules(struct tas
case AUDIT_PID:
result = audit_comparator(tsk->pid, f->op, f->val);
break;
+ case AUDIT_PPID:
+ if (ctx)
+ result = audit_comparator(ctx->ppid, f->op, f->val);
+ break;
case AUDIT_UID:
result = audit_comparator(tsk->uid, f->op, f->val);
break;
--
0.99.9.GIT
18 years, 7 months
