[PATCH git 0/3] audit inode hash bug fix, cleanup
by Amy Griffis
The following patches include a few bug fixes and some cleanup for
audit's inode hash.
Al, these should be folded in with the main filesystem auditing patch:
lspp.b18 74457481a11b6283cecdfbaa6ec644e2edc1c8ef
Thanks,
Amy
[PATCH] fix AUDIT_FILTER_PREPEND handling
by Amy Griffis
Clear AUDIT_FILTER_PREPEND flag after adding rule to list. This
fixes three problems when a rule is added with the -A syntax:
- auditctl displays filter list as "(null)"
- the rule cannot be removed using -d
- a duplicate rule can be added with -a
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/auditfilter.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
6695e89ba4cf4940682769a2f3cc217564754c1f
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index ff85fee..1c47df1 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1012,6 +1012,7 @@ static inline int audit_add_rule(struct
if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
list_add_rcu(&entry->list, list);
+ entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
} else {
list_add_tail_rcu(&entry->list, list);
}
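Review bot: the bit is cleared only after list_add_rcu() has already published the entry, so an RCU reader walking the list can observe the rule with AUDIT_FILTER_PREPEND still set; move `entry->rule.flags &= ~AUDIT_FILTER_PREPEND;` above `list_add_rcu(&entry->list, list);` so the entry is inserted in its final state. The commit message also says the stale bit defeated the duplicate check; if that comparison runs on the incoming entry before this point, it still sees the bit set when a rule already in the list (now without it) is re-added with -A, so clearing the bit before that lookup and keeping the prepend decision in a local variable would be more robust.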
--
1.3.0
auditctl -A entry,always -S chmod
by Michael C Thompson
Hey Amy & Steve,
I'm not sure if you two are seeing this, but if you insert a rule to the
front of the rule list with the -A option, the list it was added to is
somewhere lost. Can you confirm that you're seeing this as well? I'm
running with audit-1.2.3 and kernel lspp.34
# auditctl -A entry,always -S chmod
# auditctl -l
LIST_RULES: (null),always syscall=chmod
I took a quick look in the user space section of auditctl, but it
doesn't seem to be a user space issue. My guess is the
AUDIT_FILTER_PREPEND flag is not being treated properly in the kernel
since I believe it does make its way down intact (it at least gets to
audit_send intact).
Thanks,
Mike
[PATCH] Disable from user-space the addition of an exclude,never rule
by Michael C Thompson
Below is a patch which will cause auditctl to report that exclude,never
is a meaningless rule construct. This patch was written as it was deemed
that exclude,never does not make sense based on the man-pages, and that
exclude,always and exclude,never are functionally equivalent.
Thanks,
Mike
----
Signed-off-by: Michael Thompson <mcthomps(a)us.ibm.com>
--- audit-1.2.3/src/auditctl.c 2006-05-18 16:24:20.000000000 -0500
+++ audit-1.2.3-patched/src/auditctl.c 2006-05-30 09:21:31.000000000 -0500
@@ -151,7 +151,10 @@ static int audit_rule_setup(const char *
else
return 2;
if (strstr(opt, "never"))
- *act = AUDIT_NEVER;
+ if (*flags & AUDIT_FILTER_EXCLUDE)
+ return 2;
+ else
+ *act = AUDIT_NEVER;
else if (strstr(opt, "possible"))
return 1;
else if (strstr(opt, "always"))
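Review bot: `*flags & AUDIT_FILTER_EXCLUDE` is a bitwise test on a field whose low bits hold the list number; AUDIT_FILTER_EXCLUDE is a list number (5 in linux/audit.h), not a single-bit flag, so the test is also true for any list whose number shares a bit with 5, and `exit,never` (4) and `task,never` (1) would be rejected along with `exclude,never`. Compare the masked value instead: `if ((*flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE)`. Two smaller points: the brace-less nested if/else under `if (strstr(opt, "never"))` followed by `else if (strstr(opt, "possible"))` parses as intended only because the inner if carries its own else, so put braces around the outer body; and `return 2` is the same code the function uses just above for an unrecognised list, so the user gets a generic parse error rather than the specific "exclude,never is meaningless" report the commit message promises.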
--- audit-1.2.3/docs/auditctl.8 2006-05-17 16:57:25.000000000 -0500
+++ audit-1.2.3-patched/docs/auditctl.8 2006-05-30 09:28:02.000000000 -0500
@@ -55,7 +55,7 @@ Add a rule to the syscall exit list. Thi
Add a rule to the user message filter list. This list is used by the
kernel to filter events originating in user space before relaying them
to the audit daemon. It should be noted that the only fields that are
valid are: uid, auid, gid, and pid. All other fields will be treated as
non-matching.
.TP
.B exclude
-Add a rule to the event type exclusion filter list. This list is used
to filter events that you do not want to see. For example, if you do not
want to see any avc messages, you would using this list to record that.
The message type that you do not wish to see is given with the msgtype
field.
+Add a rule to the event type exclusion filter list. This list is used
to filter events that you do not want to see. For example, if you do not
want to see any avc messages, you would using this list to record that.
The message type that you do not wish to see is given with the msgtype
field. Note that only valid list/action pair for exclude is: exclude,always.
.RE
The following describes the valid actions for the rule:
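Review bot: the replacement paragraph carries over the typo "you would using this list to record that" from the removed text; since the patch rewrites the paragraph anyway, make it "you would use this list". The new closing sentence also reads better as "Note that the only valid list/action pair for exclude is: exclude,always." Separately, the header `@@ -55,7 +55,7 @@` promises seven lines on each side, but the hunk as posted shows seven context lines plus a five-line removal and a five-line addition, so it will not apply as-is; please regenerate the diff before it is merged.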
[PATCH git] fix missing records when watched files removed
by Amy Griffis
audit_update_watch() invalidates rule data early, before we hit the
syscall exit filter. This means audit fails to emit records when
watched files or directories are removed. Fix by calling
audit_filter_inodes() right before the update.
Al, please fold this one in with latest filesystem auditing patch
46c438b705c31284f31c64a0d18bf3bd6c62cde3.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
diff --git a/kernel/audit.h b/kernel/audit.h
index 125aebe..f337845 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -126,6 +126,9 @@ extern void audit_free_parent(struct ino
extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
const char *, struct inode *);
extern int selinux_audit_rule_update(void);
+extern enum audit_state audit_filter_inodes(struct task_struct *,
+ struct audit_context *);
+extern void audit_set_auditable(struct audit_context *);
#ifdef CONFIG_AUDITSYSCALL
extern void __audit_signal_info(int sig, struct task_struct *t);
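Review bot: the two new externs sit just above `#ifdef CONFIG_AUDITSYSCALL`, but both functions are defined in kernel/auditsc.c, which is only built with CONFIG_AUDITSYSCALL, and audit_filter_inodes() takes the task's audit_context, which only exists in that configuration. The caller added to audit_update_watch() in auditfilter.c is compiled whenever audit is enabled, so a CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n build would fail to link. Move the declarations inside the `#ifdef CONFIG_AUDITSYSCALL` block and give the `#else` branch no-op stubs, e.g. `#define audit_filter_inodes(t,c) AUDIT_DISABLED` and `#define audit_set_auditable(c)`.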
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7609694..ff85fee 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -26,6 +26,7 @@ #include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/netlink.h>
+#include <linux/sched.h>
#include <linux/inotify.h>
#include <linux/selinux.h>
#include "audit.h"
@@ -736,7 +737,7 @@ static struct audit_entry *audit_dupe_ru
/* Update inode info in audit rules based on filesystem event. */
static inline void audit_update_watch(struct audit_parent *parent,
const char *dname, dev_t dev,
- unsigned long ino)
+ unsigned long ino, unsigned invalidating)
{
struct audit_watch *owatch, *nwatch, *nextw;
struct audit_krule *r, *nextr;
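Review bot: the comment above the function, `/* Update inode info in audit rules based on filesystem event. */`, no longer describes the whole contract now that the function has two modes; document the new `invalidating` parameter there (nonzero means the watched file went away, the rules' inode data is about to be dropped, and pending inode-based filtering is run first so no record is lost). A name such as `invalidate_rules` and a short comment at the two call sites would also make the bare 0/1 literals passed there self-explanatory.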
@@ -748,6 +749,12 @@ static inline void audit_update_watch(st
if (audit_compare_dname_path(dname, owatch->path))
continue;
+ /* If the update involves invalidating rules, do the inode-based
+ * filtering now, so we don't omit records. */
+ if (invalidating &&
+ audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
+ audit_set_auditable(current->audit_context);
+
nwatch = audit_dupe_watch(owatch);
if (unlikely(IS_ERR(nwatch))) {
mutex_unlock(&audit_filter_mutex);
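Review bot: `current->audit_context` is passed straight into audit_filter_inodes(), which dereferences it, but a task can have no audit context at all (audit_alloc() leaves it NULL when syscall auditing is disabled for the task), and such a task can perfectly well cause the inotify event that reaches this path; guard the call with `if (invalidating && current->audit_context && audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)`. The check also sits inside the per-watch loop, after the dname comparison, so it is re-run for every watch that matches; consider hoisting it so the filter pass happens once per update.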
@@ -1523,9 +1530,9 @@ void audit_handle_ievent(struct inotify_
if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
audit_update_watch(parent, dname, inode->i_sb->s_dev,
- inode->i_ino);
+ inode->i_ino, 0);
else if (mask & (IN_DELETE|IN_MOVED_FROM))
- audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1);
+ audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
/* inotify automatically removes the watch and sends IN_IGNORED */
else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
audit_remove_parent_watches(parent);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f4b09a3..4858bdd 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -417,8 +417,8 @@ static enum audit_state audit_filter_sys
* buckets applicable to the inode numbers in audit_names[].
* Regarding audit_state, same rules apply as for audit_filter_syscall().
*/
-static enum audit_state audit_filter_inodes(struct task_struct *tsk,
- struct audit_context *ctx)
+enum audit_state audit_filter_inodes(struct task_struct *tsk,
+ struct audit_context *ctx)
{
int i;
struct audit_entry *e;
@@ -450,6 +450,11 @@ static enum audit_state audit_filter_ino
return AUDIT_BUILD_CONTEXT;
}
+void audit_set_auditable(struct audit_context *ctx)
+{
+ ctx->auditable = 1;
+}
+
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
int return_valid,
int return_code)
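Review bot: the new accessor has no comment. Since `struct audit_context` is private to auditsc.c, a one-line setter is the right way to let auditfilter.c mark the context auditable, but say so above it, and note that it is called from the watch-update path in auditfilter.c with audit_filter_mutex held, so the next reader does not fold it back into a direct `ctx->auditable = 1` in a file where the struct is not visible.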
[PATCH git] fix oops in fs audit patch
by Amy Griffis
Fix bad list management in audit_inotify_unregister().
Al, please fold in with latest filesystem auditing patch
46c438b705c31284f31c64a0d18bf3bd6c62cde3.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f993842..7609694 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -822,9 +822,10 @@ static inline void audit_remove_parent_w
* Generates an IN_IGNORED event. */
static void audit_inotify_unregister(struct list_head *in_list)
{
- struct audit_parent *p;
+ struct audit_parent *p, *n;
- list_for_each_entry(p, in_list, ilist) {
+ list_for_each_entry_safe(p, n, in_list, ilist) {
+ list_del(&p->ilist);
inotify_rm_watch(audit_ih, &p->wdata);
/* the put matching the get in audit_do_del_rule() */
put_inotify_watch(&p->wdata);
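Review bot: the fix is right, but its ordering is load-bearing and deserves a comment: `list_del(&p->ilist)` must run before `put_inotify_watch(&p->wdata)`, because that put may drop the last reference (the existing comment ties it to the get in audit_do_del_rule()) and free `p`, after which the old list_for_each_entry() loop read the next pointer out of freed memory. State that above the list_del, and say in the commit message that "bad list management" means the loop advanced through an entry that the put had already released, so nobody later "simplifies" the loop back to the unsafe iterator.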