Dispatcher - single line output (perl)
by Leigh Purdie
There have been a few requests on this list for a
single-line-per-event output format.
From what I understand, supporting this feature in the kernel is a
little challenging due to the potential memory/cache requirements -
having to save off the 'pieces' of an event from initiation to exit,
could be quite expensive when we're talking in-kernel resources.
Hence, we're left with an audit output that could:
* Have an arbitrary number of lines per unique event,
* Be chronologically distributed in some cases (event lines may be
spread over several seconds),
* Be out of sequence (numerically - two lines from event A, might be
followed by 1 line from event B, then another line from event A,
followed by the rest of event B).
* Have multiple 'items' with the same name (eg: source/dest UID's for
a CHMOD have the same 'name/key', though they are on different lines).
(Please let me know if these assumptions are incorrect!)
However, the dispatcher infrastructure offers the potential to
implement this sort of functionality in user-space.
As such, I've been playing with some perl that should translate
SYSCALL events to something that should be reasonably parse-able by
follow-on processing applications that expect events in a single-line
form (eg: logwatch, a SQL-based data injector, Snare or Snare Server).
Here's a sample line. Note that events are in header/data format (tab
delimited between components, comma delimited within a component).
rhel4 LinuxKAudit event,11,20060509 06:36:25
user,0(root),0(root),0(root),0(root) process,25068,id
path,/usr/bin/id return,0,yes a0,9f96ba8 a1,9f96b28
a2,9f84b40 a3,9f96b28 arch,40000003 auid,4294967295
exe,/usr/bin/id fsgid,0 fsuid,0 items,2 sgid,0 suid,0
The program works roughly as follows:
while read line
    break line up into key/value pairs
    pop the key/value data into an associative array (with a key of the
    event number)
    if we have an items=x key/value pair saved off for this event
    number, and we have 'x' PATH-related lines now, then we must have a
    complete event. Push it out.
    ALSO push out any events that we haven't had any new lines for, for
    more than 15 seconds.
..
We also getpwname/getgrname (with an internal cache to avoid recursive
audit events), and an internal simple realpath() to turn
/path/to/blah/../../to/somewhere into /path/to/somewhere.
The raw perl is attached. Does anyone have any comments, or
suggestions? (I don't care about structure at this point - it's early
days yet - I'm sure perl aficionados could do the entire program in a
single line).
In particular, comments would be welcome on how to absolutely,
programmatically determine when an 'event' is complete, and it is safe
to push out our final 'line'.
Regards,
Leigh.
18 years, 4 months
New List Member: Intro & comments
by Clif Flynt
Hi,
I'm primarily an applications developer, though I wear a
sys-admin/security-admin hat when necessary. I've done kernel hacking
on V-7 and System-3 in the bad old days, but mostly stick in userland
now.
My current goal is to get some OpenSuse 10.1 systems DSS certified.
I've been a RedHat user since about RH4 or 5, but this project decided
to standardize on SuSE. My focus for using auditd isn't so much to
make a truly secure and well audited system, but to answer the specific
DSS/NISPOM Chapter 8 requirements.
SuSE supports AppArmor and the auditd security products, but has
very little SELinux support.
As I read things, AppArmor doesn't support the file audit
requirements, but Auditd can meet the DSS requirements.
I've updated the standard SuSE 10.1 kernel to 2.6.17.6 and brought in
the 3.0 glibc kernel headers. With these hacks, I can get the 1.2.5
auditd package to compile and install. It appears to be working.
Auditd 1.2.5 doesn't quite do what I need, but I'm getting close.
It has the framework, but it seems to take a little work to get the
answers I really want, and to handle the requirements for record
maintenance.
1) Auditing and reporting
I've copied the SYSCALL rules from the capp.rules sample, and I
think that covers what DSS will need audited. (Still checking and
confirming that I haven't missed anything obvious.)
To get the answers I wanted a bit more easily, I've made a GUI based
search tool that lets me specify reports with a bit more precision and
build customized reports. It's functional code, but is not pretty, and
gets pretty ugly when the data is way outside what I expected.
2) Maintaining records
The traditional log-rotate with N logs makes it difficult to keep X
days of logs. When the system is busy, I can rotate the logs every 10
minutes.
I've put together a small cron job that looks for audit.log.1,
filters out some data I know I won't want, and zips it into a file with
a name based on the timestamp.
My current report generator builds an SQLite database on the fly from
the flat ASCII logs. I'm thinking that the next rev of the file
rotation code will move the data to an SQLite database instead of
gzipped flat files and save that step.
I'm using SQLite instead of mySQL or Postgres because it's fast,
mature and robust and doesn't require any database server (or dbadmin)
to run it.
I put together a small audisp test application to read from stdin and
save data in a timestamped file. When I run this, I get nothing but
empty reads, and finally an EOF from auditd. I'm expecting to see
plain ASCII input.
Is this not what is sent to the audisp target?
I just tried the sample.c application, compiled it to a.out and put
that into the auditd.conf file. When I restart audispd, I see no
output in /var/log/messages, and a.out does not show in the process
stack. If I just run /tmp/a.out and type something, output appears
in /var/log/messages.
If any of this is of interest or use, let me know, and I'll make it
available to the community.
Thanks,
Clif
--
.... Clif Flynt ... http://www.cflynt.com ... clif(a)cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference: Oct 9-13, 2006, Chicago, IL ..
............. http://www.tcl.tk/community/tcl2006/ ............
18 years, 4 months
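The reassembly Leigh outlines in the first post (group lines by event serial, treat an event as complete once the items= count of PATH lines has arrived, flush anything idle for 15 seconds, normalise paths without touching the filesystem) and the flat-log-to-SQLite loading Clif describes above, written out as one added Python example. It is not the attached perl and not Clif's tool; it parses auditd's raw type=... msg=audit(time:serial): key=value record format, the sample log lines are constructed, and the emitted single-line form only loosely mirrors Leigh's header/data layout. Name resolution of uids is left out.

```python
import posixpath
import re
import sqlite3

# Constructed auditd records (not taken from the posts). Serial 11 is an execve
# of /usr/bin/id with items=2, serial 12 is an open whose PATH line never
# arrives, and serial 13 lands 20 s later so that 12 hits the 15 s timeout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1147156585.401:11): arch=40000003 syscall=11 success=yes exit=0 a0=9f96ba8 a1=9f96b28 a2=9f84b40 a3=9f96b28 items=2 pid=25068 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="id" exe="/usr/bin/id"
type=SYSCALL msg=audit(1147156585.402:12): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=25069 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1147156585.401:11): item=0 name="/usr/bin/id" inode=12345 dev=03:01 mode=0100755 ouid=0 ogid=0
type=CWD msg=audit(1147156585.401:11):  cwd="/tmp/blah/../../root"
type=PATH msg=audit(1147156585.401:11): item=1 name="/lib/ld-linux.so.2" inode=2222 dev=03:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1147156606.000:13): arch=40000003 syscall=20 success=yes exit=25069 items=0 pid=25069 auid=500 uid=500 comm="cat" exe="/bin/cat"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Split one raw auditd line into type, timestamp, serial and a key/value dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


class EventAssembler:
    """Collects the lines of one audit event under its serial number.

    An event is complete once its SYSCALL line has been seen and as many PATH
    lines as its items= value have arrived; anything that receives no line
    for `timeout` seconds is flushed as incomplete.
    """

    def __init__(self, timeout=15.0):
        self.timeout = timeout
        self.pending = {}  # serial -> partially assembled event

    def feed(self, line, now=None):
        """Consume one line and return the events that are ready to emit."""
        rec = parse_record(line)
        if rec is None:
            return []
        if now is None:            # offline replay: the record's own clock
            now = rec["time"]      # (a live dispatcher would pass time.time())
        ev = self.pending.setdefault(rec["serial"], {
            "serial": rec["serial"], "time": rec["time"],
            "syscall": {}, "paths": [], "cwd": None})
        ev["last_seen"] = now
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec["fields"]
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["fields"])
        elif rec["type"] == "CWD":
            # Pure string normalisation: no filesystem access, so it cannot
            # itself generate further audit records.
            ev["cwd"] = posixpath.normpath(rec["fields"].get("cwd", "/"))
        ready = []
        if self.is_complete(ev):
            ready.append(self.pending.pop(ev["serial"]))
        # Time-based flush of events that have gone quiet.
        stale = [s for s, e in self.pending.items() if now - e["last_seen"] > self.timeout]
        ready.extend(self.pending.pop(s) for s in stale)
        return ready

    def drain(self):
        """End of input: emit whatever is left, complete or not."""
        left = list(self.pending.values())
        self.pending.clear()
        return left

    @staticmethod
    def is_complete(ev):
        items = ev["syscall"].get("items")
        return items is not None and len(ev["paths"]) >= int(items)


def flatten(ev):
    """One line per event: tab between components, commas within a component."""
    sc = ev["syscall"]
    return "\t".join([
        "event,%d,%.3f" % (ev["serial"], ev["time"]),
        "user,%s,%s,%s" % (sc.get("auid", ""), sc.get("uid", ""), sc.get("euid", "")),
        "process,%s,%s" % (sc.get("pid", ""), sc.get("comm", "")),
        "path," + ",".join(p.get("name", "") for p in ev["paths"]),
        "cwd,%s" % (ev["cwd"] or ""),
        "return,%s,%s" % (sc.get("exit", ""), sc.get("success", "")),
    ])


def load_events(lines, conn, timeout=15.0):
    """Replay raw audit lines into SQLite, one row per reassembled event."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (serial INTEGER, time REAL, "
                 "syscall TEXT, success TEXT, exit_code TEXT, auid TEXT, uid TEXT, "
                 "pid TEXT, comm TEXT, exe TEXT, cwd TEXT, paths TEXT, "
                 "complete INTEGER, line TEXT)")

    def store(ev):
        sc = ev["syscall"]
        conn.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
                     (ev["serial"], ev["time"], sc.get("syscall"), sc.get("success"),
                      sc.get("exit"), sc.get("auid"), sc.get("uid"), sc.get("pid"),
                      sc.get("comm"), sc.get("exe"), ev["cwd"],
                      ",".join(p.get("name", "") for p in ev["paths"]),
                      int(EventAssembler.is_complete(ev)), flatten(ev)))

    asm = EventAssembler(timeout)
    for line in lines:
        for ev in asm.feed(line):
            store(ev)
    for ev in asm.drain():
        store(ev)
    conn.commit()


def demo():
    """Replay the constructed sample into an in-memory database and return it."""
    conn = sqlite3.connect(":memory:")
    load_events(SAMPLE_LOG.splitlines(), conn)
    return conn.execute("SELECT serial, complete, paths, cwd, line "
                        "FROM events ORDER BY serial").fetchall()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The `complete` column is what answers Leigh's closing question in practice: an event flushed by the 15-second timer is stored with complete=0 rather than dropped, so a report can distinguish "reassembled" from "gave up waiting", and a late line for an already-flushed serial simply starts a second, partial row under the same serial.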
[PATCH] lazy audit
by Alexander Viro
Killing audit overhead in case when no rules are loaded. More detailed
log (this is a composite of patch series from audit git tree, see audit.b23..
lspp.b23 in there for individual changesets):
[PATCH] introduce audit rules counter
[PATCH] mark context of syscall entered with no rules as dummy
[PATCH] don't bother with aux entries for dummy context
[PATCH] take filling ->pid, etc. out of audit_get_context()
move that stuff downstream and into the only branch where it'll be
used.
diff --git a/fs/namei.c b/fs/namei.c
index 0ab26cb..55a1312 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -159,7 +159,7 @@ char * getname(const char __user * filen
#ifdef CONFIG_AUDITSYSCALL
void putname(const char *name)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
audit_putname(name);
else
__putname(name);
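Review bot: the predicate change in putname() has to stay in lock-step with audit_getname() in the header, because a name recorded by __audit_getname() must be released by audit_putname() and a name that was not recorded must go to __putname(). That only holds because the dummy flag is fixed once per syscall at entry; a one-line comment above this `if` saying that audit_dummy_context() cannot change between the getname() and putname() of the same syscall would save the next reader from having to prove it.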
@@ -1125,7 +1125,7 @@ static int fastcall do_path_lookup(int d
retval = link_path_walk(name, nd);
out:
if (likely(retval == 0)) {
- if (unlikely(current->audit_context && nd && nd->dentry &&
+ if (unlikely(!audit_dummy_context() && nd && nd->dentry &&
nd->dentry->d_inode))
audit_inode(name, nd->dentry->d_inode);
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index bf196c0..d26060e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -329,23 +329,28 @@ extern void __audit_inode(const char *na
extern void __audit_inode_child(const char *dname, const struct inode *inode,
const struct inode *parent);
extern void __audit_inode_update(const struct inode *inode);
+static inline int audit_dummy_context(void)
+{
+ void *p = current->audit_context;
+ return !p || *(int *)p;
+}
static inline void audit_getname(const char *name)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_getname(name);
}
static inline void audit_inode(const char *name, const struct inode *inode) {
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_inode(name, inode);
}
static inline void audit_inode_child(const char *dname,
const struct inode *inode,
const struct inode *parent) {
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_inode_child(dname, inode, parent);
}
static inline void audit_inode_update(const struct inode *inode) {
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_inode_update(inode);
}
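Review bot: `return !p || *(int *)p;` bakes the layout of struct audit_context, which is private to kernel/auditsc.c, into a public header, and nothing here enforces that `dummy` is the first member. Either add a comment next to this helper pointing at the `int dummy; /* must be the first element */` declaration, or replace the cast with a real accessor so the coupling is explicit. The NULL handling is worth a comment too: a missing context counts as dummy, which is exactly what keeps every `unlikely(!audit_dummy_context())` caller equivalent to the old `unlikely(current->audit_context)` test.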
@@ -370,51 +375,53 @@ extern int __audit_mq_getsetattr(mqd_t m
static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_ipc_obj(ipcp);
return 0;
}
static inline int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_ipc_set_perm(qbytes, uid, gid, mode);
return 0;
}
static inline int audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_open(oflag, mode, u_attr);
return 0;
}
static inline int audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_timedsend(mqdes, msg_len, msg_prio, u_abs_timeout);
return 0;
}
static inline int audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout);
return 0;
}
static inline int audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_notify(mqdes, u_notification);
return 0;
}
static inline int audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_getsetattr(mqdes, mqstat);
return 0;
}
+extern int audit_n_rules;
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
#define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
#define audit_syscall_exit(f,r) do { ; } while (0)
+#define audit_dummy_context() 0
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
#define __audit_inode(n,i) do { ; } while (0)
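Review bot: `#define audit_dummy_context() 0` in the !CONFIG_AUDITSYSCALL branch is the opposite of what the name implies (with syscall auditing compiled out every context is effectively dummy). It is harmless here because the wrappers are no-op macros, but fs/namei.c's do_path_lookup() now evaluates `!audit_dummy_context() && nd && nd->dentry && nd->dentry->d_inode` before reaching the empty audit_inode(); defining it as 1 would short-circuit that test and match the name. Separately, `extern int audit_n_rules;` is tucked at the very end of the CONFIG_AUDITSYSCALL block, far from audit_dummy_context() whose behaviour depends on it; declaring it beside that helper would make the dependency visible.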
@@ -437,6 +444,7 @@ #define audit_mq_timedsend(d,l,p,t) ({ 0
#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
#define audit_mq_notify(d,n) ({ 0; })
#define audit_mq_getsetattr(d,s) ({ 0; })
+#define audit_n_rules 0
#endif
#ifdef CONFIG_AUDIT
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5b4e162..7322f34 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1134,6 +1134,14 @@ static inline int audit_add_rule(struct
struct audit_watch *watch = entry->rule.watch;
struct nameidata *ndp, *ndw;
int h, err, putnd_needed = 0;
+#ifdef CONFIG_AUDITSYSCALL
+ int dont_count = 0;
+
+ /* If either of these, don't count towards total */
+ if (entry->rule.listnr == AUDIT_FILTER_USER ||
+ entry->rule.listnr == AUDIT_FILTER_TYPE)
+ dont_count = 1;
+#endif
if (inode_f) {
h = audit_hash_ino(inode_f->val);
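Review bot: the `dont_count` computation is duplicated verbatim in audit_del_rule() below; a small helper such as `static inline int audit_rule_counts(const struct audit_entry *e) { return e->rule.listnr != AUDIT_FILTER_USER && e->rule.listnr != AUDIT_FILTER_TYPE; }` keeps add and delete in sync if another non-syscall list is introduced later. The comment "If either of these, don't count towards total" should also say why: user and type rules never influence syscall auditing, so they must not pull tasks off the dummy fast path.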
@@ -1174,6 +1182,10 @@ static inline int audit_add_rule(struct
} else {
list_add_tail_rcu(&entry->list, list);
}
+#ifdef CONFIG_AUDITSYSCALL
+ if (!dont_count)
+ audit_n_rules++;
+#endif
mutex_unlock(&audit_filter_mutex);
if (putnd_needed)
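Review bot: audit_n_rules++ runs under audit_filter_mutex, but audit_syscall_entry() reads the counter with no lock at all. A plain int read is fine on the supported architectures and the consequence of a stale value is only that the current syscall keeps the dummy decision it made at entry, but that reasoning belongs in a comment at the variable's definition rather than in the reader's head. Placing the increment immediately after list_add_tail_rcu() is the right spot, since the count must track exactly what is on the lists.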
@@ -1198,6 +1210,14 @@ static inline int audit_del_rule(struct
struct audit_watch *watch, *tmp_watch = entry->rule.watch;
LIST_HEAD(inotify_list);
int h, ret = 0;
+#ifdef CONFIG_AUDITSYSCALL
+ int dont_count = 0;
+
+ /* If either of these, don't count towards total */
+ if (entry->rule.listnr == AUDIT_FILTER_USER ||
+ entry->rule.listnr == AUDIT_FILTER_TYPE)
+ dont_count = 1;
+#endif
if (inode_f) {
h = audit_hash_ino(inode_f->val);
@@ -1235,6 +1255,10 @@ static inline int audit_del_rule(struct
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
+#ifdef CONFIG_AUDITSYSCALL
+ if (!dont_count)
+ audit_n_rules--;
+#endif
mutex_unlock(&audit_filter_mutex);
if (!list_empty(&inotify_list))
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b1356fc..efc1b74 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -85,6 +85,9 @@ #define AUDIT_NAMES_RESERVED 7
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1
+/* number of audit rules */
+int audit_n_rules;
+
/* When fs/namei.c:getname() is called, we store the pointer in name and
* we don't let putname() free it (instead we free all of the saved
* pointers at syscall exit time).
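Review bot: the comment "number of audit rules" is inaccurate, since user and type rules are deliberately excluded in audit_add_rule(). Say what the counter really is, e.g. `/* number of rules that can affect syscall auditing; written under audit_filter_mutex, read lockless in audit_syscall_entry() */`, otherwise a future reader will assume it counts every loaded rule and be surprised when it stays at zero.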
@@ -174,6 +177,7 @@ struct audit_aux_data_path {
/* The per-task audit context. */
struct audit_context {
+ int dummy; /* must be the first element */
int in_syscall; /* 1 if task is in a syscall */
enum audit_state state;
unsigned int serial; /* serial number for record */
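Review bot: "must be the first element" is enforced only by convention while include/linux/audit.h dereferences the context as `*(int *)p`. A `BUILD_BUG_ON(offsetof(struct audit_context, dummy) != 0);` in the context allocation or init path of this file would turn a silent reordering of the struct into a compile-time error.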
@@ -514,7 +518,7 @@ static inline struct audit_context *audi
context->return_valid = return_valid;
context->return_code = return_code;
- if (context->in_syscall && !context->auditable) {
+ if (context->in_syscall && !context->dummy && !context->auditable) {
enum audit_state state;
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
@@ -530,17 +534,7 @@ static inline struct audit_context *audi
}
get_context:
- context->pid = tsk->pid;
- context->ppid = sys_getppid(); /* sic. tsk == current in all cases */
- context->uid = tsk->uid;
- context->gid = tsk->gid;
- context->euid = tsk->euid;
- context->suid = tsk->suid;
- context->fsuid = tsk->fsuid;
- context->egid = tsk->egid;
- context->sgid = tsk->sgid;
- context->fsgid = tsk->fsgid;
- context->personality = tsk->personality;
+
tsk->audit_context = NULL;
return context;
}
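Review bot: the hunk leaves a lone added blank line (a `+` with nothing after it) between `get_context:` and `tsk->audit_context = NULL;`; drop it so the label is followed directly by the statement. Moving the ->pid/->uid/... fills out of audit_get_context() is otherwise the right call, since they were computed on every syscall exit including the ones that are never logged.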
@@ -749,6 +743,17 @@ static void audit_log_exit(struct audit_
const char *tty;
/* tsk == current */
+ context->pid = tsk->pid;
+ context->ppid = sys_getppid(); /* sic. tsk == current in all cases */
+ context->uid = tsk->uid;
+ context->gid = tsk->gid;
+ context->euid = tsk->euid;
+ context->suid = tsk->suid;
+ context->fsuid = tsk->fsuid;
+ context->egid = tsk->egid;
+ context->sgid = tsk->sgid;
+ context->fsgid = tsk->fsgid;
+ context->personality = tsk->personality;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
if (!ab)
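Review bot: the fills now run only when a record is actually written, which is the point of the series, but the `sys_getppid(); /* sic. tsk == current in all cases */` assumption moved with them, so every caller of audit_log_exit() must still pass current as tsk. Please confirm that for the task-exit/free path as well as for audit_syscall_exit(), or note in the comment which callers were checked.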
@@ -1066,7 +1071,8 @@ #endif
context->argv[3] = a4;
state = context->state;
- if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
+ context->dummy = !audit_n_rules;
+ if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
if (likely(state == AUDIT_DISABLED))
return;
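Review bot: `context->dummy = !audit_n_rules;` is decided once at syscall entry and never revisited, so a rule loaded while a long-running syscall is in flight (a blocking read, say) will not see that syscall's exit, and audit_get_context() now also skips the exit filter for dummy contexts. That is the intended trade-off for the fast path, but it deserves a comment right here, together with a note that the lockless read of audit_n_rules is what makes the check free.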
@@ -1671,7 +1677,7 @@ int audit_bprm(struct linux_binprm *bprm
unsigned long p, next;
void *to;
- if (likely(!audit_enabled || !context))
+ if (likely(!audit_enabled || !context || context->dummy))
return 0;
ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
@@ -1709,7 +1715,7 @@ int audit_socketcall(int nargs, unsigned
struct audit_aux_data_socketcall *ax;
struct audit_context *context = current->audit_context;
- if (likely(!context))
+ if (likely(!context || context->dummy))
return 0;
ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
@@ -1737,7 +1743,7 @@ int audit_sockaddr(int len, void *a)
struct audit_aux_data_sockaddr *ax;
struct audit_context *context = current->audit_context;
- if (likely(!context))
+ if (likely(!context || context->dummy))
return 0;
ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
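Review bot: the early `context->dummy` returns in audit_bprm(), audit_socketcall() and audit_sockaddr() are what stop a dummy context from accumulating aux entries that audit_log_exit() would never print. Any other exported helper in this file that reads current->audit_context directly, rather than through the header wrappers that already test audit_dummy_context(), needs the same guard; a grep for `current->audit_context` after this series would confirm none has been missed.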
18 years, 4 months
[patch 3/3] selinux: replace ctxid with sid in selinux_audit_rule_match interface
by Stephen Smalley
Replace ctxid with sid in selinux_audit_rule_match interface
for consistency with other interfaces.
Signed-off-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Acked-by: James Morris <jmorris(a)namei.org>
---
include/linux/selinux.h | 6 +++---
security/selinux/ss/services.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index df9098d..d1b7ca6 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -46,7 +46,7 @@ void selinux_audit_rule_free(struct seli
/**
* selinux_audit_rule_match - determine if a context ID matches a rule.
- * @ctxid: the context ID to check
+ * @sid: the context ID to check
* @field: the field this rule refers to
* @op: the operater the rule uses
* @rule: pointer to the audit rule to check against
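Review bot: the kernel-doc still describes @sid as "the context ID to check", and the unchanged `@op` line reads "operater". Since this hunk rewrites the parameter block anyway, say "@sid: the SID (security identifier) to check" and fix the "operator" typo so the comment matches the new naming the patch is introducing.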
@@ -55,7 +55,7 @@ void selinux_audit_rule_free(struct seli
* Returns 1 if the context id matches the rule, 0 if it does not, and
* -errno on failure.
*/
-int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
struct selinux_audit_rule *rule,
struct audit_context *actx);
@@ -144,7 +144,7 @@ static inline void selinux_audit_rule_fr
return;
}
-static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
+static inline int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
struct selinux_audit_rule *rule,
struct audit_context *actx)
{
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 85e4298..ed78334 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1923,7 +1923,7 @@ int selinux_audit_rule_init(u32 field, u
return rc;
}
-int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
struct selinux_audit_rule *rule,
struct audit_context *actx)
{
@@ -1946,11 +1946,11 @@ int selinux_audit_rule_match(u32 ctxid,
goto out;
}
- ctxt = sidtab_search(&sidtab, ctxid);
+ ctxt = sidtab_search(&sidtab, sid);
if (!ctxt) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"selinux_audit_rule_match: unrecognized SID %d\n",
- ctxid);
+ sid);
match = -ENOENT;
goto out;
}
--
1.4.1
18 years, 4 months
[patch 2/3] selinux: rename selinux_ctxid_to_string
by Stephen Smalley
Rename selinux_ctxid_to_string to selinux_sid_to_string to be
consistent with other interfaces.
Signed-off-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Acked-by: James Morris <jmorris(a)namei.org>
---
include/linux/selinux.h | 8 ++++----
kernel/audit.c | 14 +++++++-------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 4 ++--
security/selinux/exports.c | 4 ++--
5 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index 79e4707..df9098d 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -70,8 +70,8 @@ int selinux_audit_rule_match(u32 ctxid,
void selinux_audit_set_callback(int (*callback)(void));
/**
- * selinux_ctxid_to_string - map a security context ID to a string
- * @ctxid: security context ID to be converted.
+ * selinux_sid_to_string - map a security context ID to a string
+ * @sid: security context ID to be converted.
* @ctx: address of context string to be returned
* @ctxlen: length of returned context string.
*
@@ -79,7 +79,7 @@ void selinux_audit_set_callback(int (*ca
* string will be allocated internally, and the caller must call
* kfree() on it after use.
*/
-int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);
+int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen);
/**
* selinux_get_inode_sid - get the inode's security context ID
@@ -156,7 +156,7 @@ static inline void selinux_audit_set_cal
return;
}
-static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
+static inline int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen)
{
*ctx = NULL;
*ctxlen = 0;
diff --git a/kernel/audit.c b/kernel/audit.c
index d417ca1..6a0a30a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -244,7 +244,7 @@ static int audit_set_rate_limit(int limi
char *ctx = NULL;
u32 len;
int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ if ((rc = selinux_sid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
@@ -267,7 +267,7 @@ static int audit_set_backlog_limit(int l
char *ctx = NULL;
u32 len;
int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ if ((rc = selinux_sid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
@@ -293,7 +293,7 @@ static int audit_set_enabled(int state,
char *ctx = NULL;
u32 len;
int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ if ((rc = selinux_sid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
@@ -321,7 +321,7 @@ static int audit_set_failure(int state,
char *ctx = NULL;
u32 len;
int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ if ((rc = selinux_sid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
@@ -538,7 +538,7 @@ static int audit_receive_msg(struct sk_b
if (status_get->mask & AUDIT_STATUS_PID) {
int old = audit_pid;
if (sid) {
- if ((err = selinux_ctxid_to_string(
+ if ((err = selinux_sid_to_string(
sid, &ctx, &len)))
return err;
else
@@ -576,7 +576,7 @@ static int audit_receive_msg(struct sk_b
"user pid=%d uid=%u auid=%u",
pid, uid, loginuid);
if (sid) {
- if (selinux_ctxid_to_string(
+ if (selinux_sid_to_string(
sid, &ctx, &len)) {
audit_log_format(ab,
" ssid=%u", sid);
@@ -614,7 +614,7 @@ static int audit_receive_msg(struct sk_b
loginuid, sid);
break;
case AUDIT_SIGNAL_INFO:
- err = selinux_ctxid_to_string(audit_sig_sid, &ctx, &len);
+ err = selinux_sid_to_string(audit_sig_sid, &ctx, &len);
if (err)
return err;
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5b4e162..9cf9f2e 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1345,7 +1345,7 @@ static void audit_log_rule_change(uid_t
if (sid) {
char *ctx = NULL;
u32 len;
- if (selinux_ctxid_to_string(sid, &ctx, &len))
+ if (selinux_sid_to_string(sid, &ctx, &len))
audit_log_format(ab, " ssid=%u", sid);
else
audit_log_format(ab, " subj=%s", ctx);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6322547..a0b2888 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -842,7 +842,7 @@ static void audit_log_exit(struct audit_
if (axi->osid != 0) {
char *ctx = NULL;
u32 len;
- if (selinux_ctxid_to_string(
+ if (selinux_sid_to_string(
axi->osid, &ctx, &len)) {
audit_log_format(ab, " osid=%u",
axi->osid);
@@ -949,7 +949,7 @@ static void audit_log_exit(struct audit_
if (n->osid != 0) {
char *ctx = NULL;
u32 len;
- if (selinux_ctxid_to_string(
+ if (selinux_sid_to_string(
n->osid, &ctx, &len)) {
audit_log_format(ab, " osid=%u", n->osid);
call_panic = 2;
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index ee0fb47..b6f9694 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -21,10 +21,10 @@ #include <linux/ipc.h>
#include "security.h"
#include "objsec.h"
-int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
+int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen)
{
if (selinux_enabled)
- return security_sid_to_context(ctxid, ctx, ctxlen);
+ return security_sid_to_context(sid, ctx, ctxlen);
else {
*ctx = NULL;
*ctxlen = 0;
--
1.4.1
18 years, 4 months
[patch 1/3] selinux: eliminate selinux_task_ctxid
by Stephen Smalley
Eliminate selinux_task_ctxid since it duplicates selinux_task_get_sid.
Signed-off-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Acked-by: James Morris <jmorris(a)namei.org>
---
include/linux/selinux.h | 15 ---------------
kernel/auditsc.c | 2 +-
security/selinux/exports.c | 9 ---------
3 files changed, 1 insertions(+), 25 deletions(-)
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index aad4e39..79e4707 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -70,16 +70,6 @@ int selinux_audit_rule_match(u32 ctxid,
void selinux_audit_set_callback(int (*callback)(void));
/**
- * selinux_task_ctxid - determine a context ID for a process.
- * @tsk: the task object
- * @ctxid: ID value returned via this
- *
- * On return, ctxid will contain an ID for the context. This value
- * should only be used opaquely.
- */
-void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);
-
-/**
* selinux_ctxid_to_string - map a security context ID to a string
* @ctxid: security context ID to be converted.
* @ctx: address of context string to be returned
@@ -166,11 +156,6 @@ static inline void selinux_audit_set_cal
return;
}
-static inline void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)
-{
- *ctxid = 0;
-}
-
static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
{
*ctx = NULL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ae40ac8..6322547 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -333,7 +333,7 @@ static int audit_filter_rules(struct tas
logged upon error */
if (f->se_rule) {
if (need_sid) {
- selinux_task_ctxid(tsk, &sid);
+ selinux_get_task_sid(tsk, &sid);
need_sid = 0;
}
result = selinux_audit_rule_match(sid, f->type,
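Review bot: the changelog says the removed function duplicates selinux_task_get_sid, but the call substituted here is `selinux_get_task_sid(tsk, &sid);`. One of the two names is wrong; the commit message should name the interface that actually exists so the rationale can be checked against include/linux/selinux.h.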
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index 9d7737d..ee0fb47 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -21,15 +21,6 @@ #include <linux/ipc.h>
#include "security.h"
#include "objsec.h"
-void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)
-{
- struct task_security_struct *tsec = tsk->security;
- if (selinux_enabled)
- *ctxid = tsec->sid;
- else
- *ctxid = 0;
-}
-
int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
{
if (selinux_enabled)
--
1.4.1
18 years, 4 months
Oops from audit
by Michael C Thompson
The following oops is generated on the lspp.45 kernel with audit 1.2.5-5.
The trigger for this oops is:
# auditctl -a exit,always -S pread64 -F 'inode<1'
Oops: 0000 [#1]
SMP
CPU: 0
EIP is at audit_receive_filter+0x30d/0x949
eax: 00000000 ebx: 00000001 ecx: 00000008 edx: c046c62d
esi: 00000000 edi: 000003eb ebp: cfce1cbc esp: cfce1c68
ds: 007b es: 007b ss: 0068
Process auditctl (pid: 20197, ti=cfce1000 task=cd864aa0 task.ti=cfce1000)
Stack: 00000001 00004ee5 d4322ed4 00000000 cfce1cd0 c04c443a 40000000 cfce1c8c
cfce1c8c 00000003 00000000 0000001e 00000000 00000000 00000000 00000000
00000000 00000000 d8e2e0ac 0000031c 000503eb cfce1d4c c044af16 00000001
Call Trace:
[<c044af16>] audit_receive+0x658/0x781
[<c05c2254>] netlink_data_ready+0x12/0x50
[<c05c1200>] netlink_sendskb+0x1f/0x37
[<c05c1bb1>] netlink_unicast+0x1a1/0x1bb
[<c05c2235>] netlink_sendmsg+0x259/0x266
[<c05a575a>] sock_sendmsg+0xe8/0x103
[<c05a694b>] sys_sendto+0xbe/0xdc
[<c05a70cb>] sys_socketcall+0xfb/0x186
[<c0403faf>] syscall_call+0x7/0xb
Code: e9 be 05 00 00 81 ff eb 03 00 00 75 07 e8 14 ed ff ff eb 05 e8 54 f6 ff ff 89 45 b8 8b 75 b8 81 fe 00 f0 ff ff 0f 87 32 06 00 00 <8b> 8e 30 01 00 00 8b 46 18 8b b6 34 01 00 00 85 c9 89 75 c8 75
Message fEIP: [<c044cbdc>] audit_receive_filter+0x30d/0x949 SS:ESP 0068:cfce1c68
18 years, 4 months
Audit GUI
by Clif Flynt
Hi,
I just put the first escape of my GUI and audit rotating
scripts online at:
http://www.dedasys.com/~clif/austuff/
The application is still in the early stages of development,
and is expected to change a bunch over the next few days.
I'll entertain suggestions on features it should have. It will
get:
Ability to save reports to flat ASCII files.
Support for user-written SQL queries (to allow for more complex
things than a click-it interface can support.)
Clif
--
.... Clif Flynt ... http://www.cflynt.com ... clif(a)cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference: Oct 9-13, 2006, Chicago, IL ..
............. http://www.tcl.tk/community/tcl2006/ ............
18 years, 4 months