[PATCH 0/1] NetLabel audit fixup
by paul.moore@hp.com
This patch is against the current net-2.6 tree and should address the issues
that Steve Grubb had with the original patch. Please consider this for the
2.6.19 release.
Dave - you may want to wait until Steve explicitly ACKs this ...
Steve - can you please explicitly ACK (or complain) about this patch ...
Thanks for your patience guys.
--
paul moore
linux security @ hp
18 years, 2 months
[RFC][PATCH 00/10] Task watchers v2 Introduction
by Matt Helsley
This is version 2 of my Task Watchers patches.
Task watchers calls functions whenever a task forks, execs, changes its
[re][ug]id, or exits.
Task watchers is primarily useful to existing kernel code as a means of making
the code in fork and exit more readable. Kernel code uses these paths by marking a
function as a task watcher much like modules mark their init functions with
module_init(). This reduces the code length and complexity of copy_process().
The first patch adds the basic infrastructure of task watchers: notification
function calls in the various paths and a table of function pointers to be
called. It uses an ELF section because parts of the table must be gathered
from all over the kernel code and using the linker is easier than resolving
and maintaining complex header interdependencies. An ELF table is also ideal
because its read-only nature means that no locking nor list traversal are
required.
Subsequent patches adapt existing parts of the kernel to use a task watcher
-- typically in the fork, clone, and exit paths:
  - audit
  - semundo
  - cpusets
  - mempolicy
  - trace irqflags
  - lockdep
  - keys (for processes -- not for thread groups)
  - process events connector
I'm working on three more patches that add support for creating a task watcher
from within a module using an ELF section. I've not posted that work because it
hasn't successfully booted much less completed the small selection of smoke
tests I ran on these.
TODO:
Mark the task watcher table ELF section read-only. I've googled, read
man pages, navigated the info pages, tried using PHDR, and according to
the output of objdump, had no success. I'd really appreciate a pointer
to an example showing what makes ld mark a kernel ELF section read-only.
Changes:
v2:
  - Dropped use of notifier chains
  - Dropped per-task watchers
      - Can be implemented on top of this
      - Still requires notifier chains
  - Dropped taskstats conversion
      - Parts of taskstats had to move away from the regions of
        copy_process() and do_exit() where task_watchers are notified
  - Used linker script mechanism suggested by Al Viro
  - Created one "list" of watchers per event as requested by Andrew Morton
      - No need to multiplex a single function call
      - Easier to static register/unregister watchers: 1 line of code
  - val param now used for:
        WATCH_TASK_INIT:  clone_flags
        WATCH_TASK_CLONE: clone_flags
        WATCH_TASK_EXIT:  exit code
        WATCH_TASK_*:     <unused>
  - Renamed notify_watchers() to notify_task_watchers()
  - Replaced: if (err != 0) --> if (err)
  - Added patches converting more "features" to use task watchers
  - Added return code handling to WATCH_TASK_INIT
      - Return code handling elsewhere didn't seem appropriate
        since there was generally no response necessary
  - Fixed process keys free to handle failure in fork as originally coded
    in copy_process
  - Added process keys code to watch for [er][ug]id changes
v1:
  - Added ability to cause fork to fail with NOTIFY_STOP_MASK
  - Added WARN_ON() when watchers cause WATCH_TASK_FREE to stop early
  - Moved fork invocation
  - Moved exec invocation
  - Added current as argument to exec invocation
  - Moved exit code assignment
  - Added id change invocations
v0:
  - Based on Jes Sorensen's Task Notifiers patches
Cheers,
-Matt Helsley
--
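The ELF-section table described in the introduction above, as an added user-space example that is not part of Matt Helsley's patches: every watcher is placed into a dedicated section with __attribute__((section)), and the linker-generated __start_task_watchers / __stop_task_watchers symbols bound the table, so notification is a bounds walk over read-only data with no registration list and no locking, and only WATCH_TASK_INIT honours an error return, as the v2 changelog describes. The watcher names, the event enum and the EXAMPLE_DENY_FLAG bit are this example's own constructions; it assumes a Linux toolchain (GCC or Clang with GNU ld or lld), which is what synthesises the __start_/__stop_ symbols for a section whose name is a valid C identifier.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed event ids standing in for the patch's WATCH_TASK_* values. */
enum task_watch_event { WATCH_TASK_INIT, WATCH_TASK_EXIT };

typedef int (*task_watcher_fn)(enum task_watch_event ev, unsigned long val);

struct task_watcher {
	const char *name;
	task_watcher_fn fn;
};

/*
 * Each registration drops one entry into the ELF section "task_watchers".
 * Because the section name is a valid C identifier, GNU ld and lld emit
 * __start_task_watchers / __stop_task_watchers around the concatenated
 * entries, so the table needs no list head, no lock and no shared header
 * that has to know every watcher in the tree.
 */
#define TASK_WATCHER(_fn) \
	static const struct task_watcher __tw_##_fn \
		__attribute__((section("task_watchers"), used)) = { #_fn, _fn }

extern const struct task_watcher __start_task_watchers[];
extern const struct task_watcher __stop_task_watchers[];

/* Hypothetical watchers standing in for audit, cpusets and process keys. */
static unsigned long calls_seen;

static int audit_watcher(enum task_watch_event ev, unsigned long val)
{
	(void)ev;
	(void)val;
	calls_seen++;
	return 0;
}

/* Constructed flag bit: a clone_flags value this watcher refuses on fork. */
#define EXAMPLE_DENY_FLAG 0x80000000UL

static int cpuset_watcher(enum task_watch_event ev, unsigned long val)
{
	calls_seen++;
	if (ev == WATCH_TASK_INIT && (val & EXAMPLE_DENY_FLAG))
		return -1;	/* the kernel would return -EPERM here */
	return 0;
}

static int keys_watcher(enum task_watch_event ev, unsigned long val)
{
	(void)ev;
	(void)val;
	calls_seen++;
	return 0;
}

/* One line per registration, as the v2 changelog promises. */
TASK_WATCHER(audit_watcher);
TASK_WATCHER(cpuset_watcher);
TASK_WATCHER(keys_watcher);

size_t task_watcher_count(void)
{
	return (size_t)(__stop_task_watchers - __start_task_watchers);
}

/*
 * Walk the table in link order. Only WATCH_TASK_INIT honours an error
 * return: a watcher may veto the fork, every other event is fire-and-forget.
 */
int notify_task_watchers(enum task_watch_event ev, unsigned long val)
{
	const struct task_watcher *w;

	for (w = __start_task_watchers; w < __stop_task_watchers; w++) {
		int err = w->fn(ev, val);

		if (err && ev == WATCH_TASK_INIT)
			return err;
	}
	return 0;
}

unsigned long task_watcher_calls(void)
{
	return calls_seen;
}

void task_watcher_reset(void)
{
	calls_seen = 0;
}

int main(void)
{
	const struct task_watcher *w;
	int err;

	for (w = __start_task_watchers; w < __stop_task_watchers; w++)
		printf("watcher: %s\n", w->name);

	err = notify_task_watchers(WATCH_TASK_EXIT, 0);
	printf("exit: err=%d, %lu watchers ran\n", err, task_watcher_calls());

	err = notify_task_watchers(WATCH_TASK_INIT, EXAMPLE_DENY_FLAG);
	printf("fork with denied flag: err=%d\n", err);
	return 0;
}
```

Whether the table actually ends up read-only, which is the open TODO above, depends on the toolchain rather than on the C: in a non-PIE build GCC emits an all-const section with only the allocate flag, so it lands in a read-only segment, but in a PIE build the function-pointer relocations force the section writable. readelf -S on the binary shows the flags either way, and that is the quickest way to check what ld did with the section.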
audit 1.2.8 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
tomorrow. The Changelog is:
- Make internal auditd buffers bigger for context info
- Correct address resolving of hostname in logging functions
- Do not allow multiple msgtypes in same audit rule in auditctl (#207666)
- Only =, != operators for arch & inode fields in auditctl (#206427)
- Add disp_qos & dispatcher to auditd reconfigure
- Send sighup to child when no change in dispatcher during auditd reconfigure
- Cleanup file descriptor handling in auditd
- Updated audit message type table
- Remove watches from aureport since FS_WATCH is deprecated
- Add audit_log_avc back temporarily (#208152)
Please let me know if there are any problems with this release.
-Steve
[PATCH 1/1] NetLabel: add audit support for configuration changes
by paul.moore@hp.com
This patch adds audit support to NetLabel, including six new audit message
types shown below.
#define AUDIT_MAC_UNLBL_ACCEPT 1406
#define AUDIT_MAC_UNLBL_DENY 1407
#define AUDIT_MAC_CIPSOV4_ADD 1408
#define AUDIT_MAC_CIPSOV4_DEL 1409
#define AUDIT_MAC_MAP_ADD 1410
#define AUDIT_MAC_MAP_DEL 1411
Please consider this for inclusion into 2.6.19.
Signed-off-by: Paul Moore <paul.moore(a)hp.com>
---
include/linux/audit.h | 6 ++
include/net/cipso_ipv4.h | 5 +-
include/net/netlabel.h | 2
net/ipv4/cipso_ipv4.c | 8 ++-
net/netlabel/netlabel_cipso_v4.c | 43 +++++++++++++----
net/netlabel/netlabel_domainhash.c | 54 +++++++++++++++++++--
net/netlabel/netlabel_domainhash.h | 6 +-
net/netlabel/netlabel_mgmt.c | 14 +++--
net/netlabel/netlabel_unlabeled.c | 36 ++++++++++++--
net/netlabel/netlabel_user.c | 91 +++++++++++++++++++++++++++++++++++++
net/netlabel/netlabel_user.h | 6 ++
11 files changed, 235 insertions(+), 36 deletions(-)
Index: net-2.6/include/linux/audit.h
===================================================================
--- net-2.6.orig/include/linux/audit.h
+++ net-2.6/include/linux/audit.h
@@ -95,6 +95,12 @@
#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
+#define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */
+#define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */
+#define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */
+#define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */
+#define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */
+#define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
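Review bot: the six new constants at 1406-1411 are meaningless to consumers until the userspace audit message-type table learns them; until then auditd writes these records with a numeric type and ausearch/aureport cannot select them by name, so this should land together with the matching audit-userspace table update (the audit 1.2.8 changelog on this page mentions exactly such a table refresh). The values sit inside the 1400 MAC range next to AUDIT_MAC_CONFIG_CHANGE, which is the right block for them.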
Index: net-2.6/include/net/cipso_ipv4.h
===================================================================
--- net-2.6.orig/include/net/cipso_ipv4.h
+++ net-2.6/include/net/cipso_ipv4.h
@@ -128,7 +128,9 @@ extern int cipso_v4_rbm_strictvalid;
#ifdef CONFIG_NETLABEL
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
-int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head));
+int cipso_v4_doi_remove(u32 doi,
+ u32 audit_secid,
+ void (*callback) (struct rcu_head * head));
struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
int cipso_v4_doi_walk(u32 *skip_cnt,
int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
@@ -143,6 +145,7 @@ static inline int cipso_v4_doi_add(struc
}
static inline int cipso_v4_doi_remove(u32 doi,
+ u32 audit_secid,
void (*callback) (struct rcu_head * head))
{
return 0;
Index: net-2.6/include/net/netlabel.h
===================================================================
--- net-2.6.orig/include/net/netlabel.h
+++ net-2.6/include/net/netlabel.h
@@ -96,7 +96,7 @@
struct netlbl_dom_map;
/* Domain mapping operations */
-int netlbl_domhsh_remove(const char *domain);
+int netlbl_domhsh_remove(const char *domain, u32 audit_secid);
/* LSM security attributes */
struct netlbl_lsm_cache {
Index: net-2.6/net/ipv4/cipso_ipv4.c
===================================================================
--- net-2.6.orig/net/ipv4/cipso_ipv4.c
+++ net-2.6/net/ipv4/cipso_ipv4.c
@@ -474,6 +474,7 @@ doi_add_failure_rlock:
/**
* cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine
* @doi: the DOI value
+ * @audit_secid: the LSM secid to use in the audit message
* @callback: the DOI cleanup/free callback
*
* Description:
@@ -483,7 +484,9 @@ doi_add_failure_rlock:
* success and negative values on failure.
*
*/
-int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head))
+int cipso_v4_doi_remove(u32 doi,
+ u32 audit_secid,
+ void (*callback) (struct rcu_head * head))
{
struct cipso_v4_doi *doi_def;
struct cipso_v4_domhsh_entry *dom_iter;
@@ -502,7 +505,8 @@ int cipso_v4_doi_remove(u32 doi, void (*
spin_unlock(&cipso_v4_doi_list_lock);
list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list)
if (dom_iter->valid)
- netlbl_domhsh_remove(dom_iter->domain);
+ netlbl_domhsh_remove(dom_iter->domain,
+ audit_secid);
cipso_v4_cache_invalidate();
rcu_read_unlock();
Index: net-2.6/net/netlabel/netlabel_cipso_v4.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_cipso_v4.c
+++ net-2.6/net/netlabel/netlabel_cipso_v4.c
@@ -32,6 +32,7 @@
#include <linux/socket.h>
#include <linux/string.h>
#include <linux/skbuff.h>
+#include <linux/audit.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/genetlink.h>
@@ -162,8 +163,7 @@ static int netlbl_cipsov4_add_std(struct
int nla_a_rem;
int nla_b_rem;
- if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
- !info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
+ if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
!info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
return -EINVAL;
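Review bot: dropping the NLBL_CIPSOV4_A_DOI test from netlbl_cipsov4_add_std() is only safe because netlbl_cipsov4_add() now checks that attribute before dispatching here; a one-line comment stating that the DOI attribute is validated by the caller would keep the check from being reintroduced as a bug if add_std ever gains a second caller. The same applies to the identical change in netlbl_cipsov4_add_pass() in the next hunk.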
@@ -344,8 +344,7 @@ static int netlbl_cipsov4_add_pass(struc
int ret_val;
struct cipso_v4_doi *doi_def = NULL;
- if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
- !info->attrs[NLBL_CIPSOV4_A_TAGLST])
+ if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
return -EINVAL;
doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
@@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_
{
int ret_val = -EINVAL;
- u32 map_type;
+ u32 type;
+ u32 doi;
+ const char *type_str = "(unknown)";
+ struct audit_buffer *audit_buf;
- if (!info->attrs[NLBL_CIPSOV4_A_MTYPE])
+ if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
+ !info->attrs[NLBL_CIPSOV4_A_MTYPE])
return -EINVAL;
- map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
- switch (map_type) {
+ type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
+ switch (type) {
case CIPSO_V4_MAP_STD:
+ type_str = "std";
ret_val = netlbl_cipsov4_add_std(info);
break;
case CIPSO_V4_MAP_PASS:
+ type_str = "pass";
ret_val = netlbl_cipsov4_add_pass(info);
break;
}
+ if (ret_val == 0) {
+ doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
+ NETLINK_CB(skb).sid);
+ audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
+ audit_log_end(audit_buf);
+ }
+
return ret_val;
}
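Review bot: the audit record is emitted only when ret_val == 0, so a rejected CIPSOv4 add (an unknown map type, or a failure inside add_std/add_pass) leaves no trace at all; logging the attempt in both cases with a res= field would give auditors the failed configuration attempts too, which is usually what they want to see. netlbl_audit_start_common() may return NULL, which is fine here because audit_log_format() and audit_log_end() tolerate a NULL buffer, but a comment saying so would save the next reader the lookup.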
@@ -653,11 +666,21 @@ static int netlbl_cipsov4_listall(struct
static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
{
int ret_val = -EINVAL;
- u32 doi;
+ u32 doi = 0;
+ struct audit_buffer *audit_buf;
if (info->attrs[NLBL_CIPSOV4_A_DOI]) {
doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
- ret_val = cipso_v4_doi_remove(doi, netlbl_cipsov4_doi_free);
+ ret_val = cipso_v4_doi_remove(doi,
+ NETLINK_CB(skb).sid,
+ netlbl_cipsov4_doi_free);
+ }
+
+ if (ret_val == 0) {
+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
+ NETLINK_CB(skb).sid);
+ audit_log_format(audit_buf, " doi=%u", doi);
+ audit_log_end(audit_buf);
}
return ret_val;
Index: net-2.6/net/netlabel/netlabel_domainhash.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_domainhash.c
+++ net-2.6/net/netlabel/netlabel_domainhash.c
@@ -35,12 +35,14 @@
#include <linux/skbuff.h>
#include <linux/spinlock.h>
#include <linux/string.h>
+#include <linux/audit.h>
#include <net/netlabel.h>
#include <net/cipso_ipv4.h>
#include <asm/bug.h>
#include "netlabel_mgmt.h"
#include "netlabel_domainhash.h"
+#include "netlabel_user.h"
struct netlbl_domhsh_tbl {
struct list_head *tbl;
@@ -186,6 +188,7 @@ int netlbl_domhsh_init(u32 size)
/**
* netlbl_domhsh_add - Adds a entry to the domain hash table
* @entry: the entry to add
+ * @audit_secid: the LSM secid to use in the audit message
*
* Description:
* Adds a new entry to the domain hash table and handles any updates to the
@@ -193,10 +196,12 @@ int netlbl_domhsh_init(u32 size)
* negative on failure.
*
*/
-int netlbl_domhsh_add(struct netlbl_dom_map *entry)
+int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
{
int ret_val;
u32 bkt;
+ struct audit_buffer *audit_buf;
+ char *audit_domain;
switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
@@ -236,6 +241,26 @@ int netlbl_domhsh_add(struct netlbl_dom_
spin_unlock(&netlbl_domhsh_def_lock);
} else
ret_val = -EINVAL;
+ if (ret_val == 0) {
+ if (entry->domain != NULL)
+ audit_domain = entry->domain;
+ else
+ audit_domain = "(default)";
+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD,
+ audit_secid);
+ audit_log_format(audit_buf, " domain=%s", audit_domain);
+ switch (entry->type) {
+ case NETLBL_NLTYPE_UNLABELED:
+ audit_log_format(audit_buf, " protocol=unlbl");
+ break;
+ case NETLBL_NLTYPE_CIPSOV4:
+ audit_log_format(audit_buf,
+ " protocol=cipsov4 doi=%u",
+ entry->type_def.cipsov4->doi);
+ break;
+ }
+ audit_log_end(audit_buf);
+ }
rcu_read_unlock();
if (ret_val != 0) {
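Review bot: the " domain=%s" audit_log_format() call logs entry->domain, a string that arrived from userspace over netlink, with no escaping; a domain containing a space, a double quote or a control character would split or corrupt the key=value record that ausearch parses. The comm field in netlabel_user.c in this same series goes through audit_log_untrustedstring(), and the domain should as well: audit_log_format(audit_buf, " domain="); audit_log_untrustedstring(audit_buf, audit_domain);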
@@ -254,6 +279,7 @@ int netlbl_domhsh_add(struct netlbl_dom_
/**
* netlbl_domhsh_add_default - Adds the default entry to the domain hash table
* @entry: the entry to add
+ * @audit_secid: the LSM secid to use in the audit message
*
* Description:
* Adds a new default entry to the domain hash table and handles any updates
@@ -261,14 +287,15 @@ int netlbl_domhsh_add(struct netlbl_dom_
* negative on failure.
*
*/
-int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
+int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid)
{
- return netlbl_domhsh_add(entry);
+ return netlbl_domhsh_add(entry, audit_secid);
}
/**
* netlbl_domhsh_remove - Removes an entry from the domain hash table
* @domain: the domain to remove
+ * @audit_secid: the LSM secid to use in the audit message
*
* Description:
* Removes an entry from the domain hash table and handles any updates to the
@@ -276,10 +303,12 @@ int netlbl_domhsh_add_default(struct net
* negative on failure.
*
*/
-int netlbl_domhsh_remove(const char *domain)
+int netlbl_domhsh_remove(const char *domain, u32 audit_secid)
{
int ret_val = -ENOENT;
struct netlbl_dom_map *entry;
+ struct audit_buffer *audit_buf;
+ char *audit_domain;
rcu_read_lock();
if (domain != NULL)
@@ -316,8 +345,18 @@ int netlbl_domhsh_remove(const char *dom
ret_val = -ENOENT;
spin_unlock(&netlbl_domhsh_def_lock);
}
- if (ret_val == 0)
+ if (ret_val == 0) {
+ if (entry->domain != NULL)
+ audit_domain = entry->domain;
+ else
+ audit_domain = "(default)";
+ audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL,
+ audit_secid);
+ audit_log_format(audit_buf, " domain=%s", audit_domain);
+ audit_log_end(audit_buf);
+
call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
+ }
remove_return:
rcu_read_unlock();
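Review bot: same issue as in netlbl_domhsh_add(): the " domain=%s" line logs a userspace-supplied string unescaped, so use audit_log_untrustedstring() here as well. The audit record is also written before call_rcu() frees the entry, which is the correct order since entry->domain is read for the message.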
@@ -326,6 +365,7 @@ remove_return:
/**
* netlbl_domhsh_remove_default - Removes the default entry from the table
+ * @audit_secid: the LSM secid to use in the audit message
*
* Description:
* Removes/resets the default entry for the domain hash table and handles any
@@ -333,9 +373,9 @@ remove_return:
* success, non-zero on failure.
*
*/
-int netlbl_domhsh_remove_default(void)
+int netlbl_domhsh_remove_default(u32 audit_secid)
{
- return netlbl_domhsh_remove(NULL);
+ return netlbl_domhsh_remove(NULL, audit_secid);
}
/**
Index: net-2.6/net/netlabel/netlabel_domainhash.h
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_domainhash.h
+++ net-2.6/net/netlabel/netlabel_domainhash.h
@@ -57,9 +57,9 @@ struct netlbl_dom_map {
int netlbl_domhsh_init(u32 size);
/* Manipulate the domain hash table */
-int netlbl_domhsh_add(struct netlbl_dom_map *entry);
-int netlbl_domhsh_add_default(struct netlbl_dom_map *entry);
-int netlbl_domhsh_remove_default(void);
+int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid);
+int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid);
+int netlbl_domhsh_remove_default(u32 audit_secid);
struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
int netlbl_domhsh_walk(u32 *skip_bkt,
u32 *skip_chain,
Index: net-2.6/net/netlabel/netlabel_mgmt.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_mgmt.c
+++ net-2.6/net/netlabel/netlabel_mgmt.c
@@ -108,7 +108,7 @@ static int netlbl_mgmt_add(struct sk_buf
switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
- ret_val = netlbl_domhsh_add(entry);
+ ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid);
break;
case NETLBL_NLTYPE_CIPSOV4:
if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -125,7 +125,7 @@ static int netlbl_mgmt_add(struct sk_buf
rcu_read_unlock();
goto add_failure;
}
- ret_val = netlbl_domhsh_add(entry);
+ ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid);
rcu_read_unlock();
break;
default:
@@ -161,7 +161,7 @@ static int netlbl_mgmt_remove(struct sk_
return -EINVAL;
domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
- return netlbl_domhsh_remove(domain);
+ return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid);
}
/**
@@ -277,7 +277,8 @@ static int netlbl_mgmt_adddef(struct sk_
switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
- ret_val = netlbl_domhsh_add_default(entry);
+ ret_val = netlbl_domhsh_add_default(entry,
+ NETLINK_CB(skb).sid);
break;
case NETLBL_NLTYPE_CIPSOV4:
if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -294,7 +295,8 @@ static int netlbl_mgmt_adddef(struct sk_
rcu_read_unlock();
goto adddef_failure;
}
- ret_val = netlbl_domhsh_add_default(entry);
+ ret_val = netlbl_domhsh_add_default(entry,
+ NETLINK_CB(skb).sid);
rcu_read_unlock();
break;
default:
@@ -322,7 +324,7 @@ adddef_failure:
*/
static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
{
- return netlbl_domhsh_remove_default();
+ return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid);
}
/**
Index: net-2.6/net/netlabel/netlabel_unlabeled.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_unlabeled.c
+++ net-2.6/net/netlabel/netlabel_unlabeled.c
@@ -64,6 +64,27 @@ static struct nla_policy netlbl_unlabel_
};
/*
+ * Helper Functions
+ */
+
+/**
+ * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
+ * @value: desired value
+ * @audit_secid: the LSM secid to use in the audit message
+ *
+ * Description:
+ * Set the value of the unlabeled accept flag to @value.
+ *
+ */
+static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
+{
+ atomic_set(&netlabel_unlabel_accept_flg, value);
+ netlbl_audit_nomsg((value ?
+ AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
+ audit_secid);
+}
+
+/*
* NetLabel Command Handlers
*/
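Review bot: netlbl_audit_nomsg() and the AUDIT_MAC_UNLBL_* types are used here but this file's hunks add no #include for "netlabel_user.h" or <linux/audit.h>, unlike netlabel_domainhash.c in this series; confirm both are already pulled in, or add them. The helper's kerneldoc could also say that the record carries only the common fields and that accept versus deny is encoded in the message type itself, since that is how a log consumer has to tell the two apart.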
@@ -79,18 +100,18 @@ static struct nla_policy netlbl_unlabel_
*/
static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
{
- int ret_val = -EINVAL;
u8 value;
if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
if (value == 1 || value == 0) {
- atomic_set(&netlabel_unlabel_accept_flg, value);
- ret_val = 0;
+ netlbl_unlabel_acceptflg_set(value,
+ NETLINK_CB(skb).sid);
+ return 0;
}
}
- return ret_val;
+ return -EINVAL;
}
/**
@@ -229,16 +250,19 @@ int netlbl_unlabel_defconf(void)
{
int ret_val;
struct netlbl_dom_map *entry;
+ u32 secid;
+
+ security_task_getsecid(current, &secid);
entry = kzalloc(sizeof(*entry), GFP_KERNEL);
if (entry == NULL)
return -ENOMEM;
entry->type = NETLBL_NLTYPE_UNLABELED;
- ret_val = netlbl_domhsh_add_default(entry);
+ ret_val = netlbl_domhsh_add_default(entry, secid);
if (ret_val != 0)
return ret_val;
- atomic_set(&netlabel_unlabel_accept_flg, 1);
+ netlbl_unlabel_acceptflg_set(1, secid);
return 0;
}
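Review bot: security_task_getsecid() needs <linux/security.h>, which this file's hunks do not add; confirm it is already included. When netlbl_unlabel_defconf() runs, current is the boot-time initialisation task, so the subj= in this first AUDIT_MAC_UNLBL_ACCEPT record describes that task rather than any administrator; a comment above the call would stop someone reading the boot record as an operator action.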
Index: net-2.6/net/netlabel/netlabel_user.c
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_user.c
+++ net-2.6/net/netlabel/netlabel_user.c
@@ -32,6 +32,9 @@
#include <linux/types.h>
#include <linux/list.h>
#include <linux/socket.h>
+#include <linux/audit.h>
+#include <linux/tty.h>
+#include <linux/security.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/genetlink.h>
@@ -74,3 +77,91 @@ int netlbl_netlink_init(void)
return 0;
}
+
+/*
+ * NetLabel Audit Functions
+ */
+
+/**
+ * netlbl_audit_start_common - Start an audit message
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Start an audit message using the type specified in @type and fill the audit
+ * message with some fields common to all NetLabel audit messages. Returns
+ * a pointer to the audit buffer on success, NULL on failure.
+ *
+ */
+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
+{
+ struct audit_context *audit_ctx = current->audit_context;
+ struct audit_buffer *audit_buf;
+ uid_t audit_loginuid;
+ const char *audit_tty;
+ char audit_comm[sizeof(current->comm)];
+ struct vm_area_struct *vma;
+ char *secctx;
+ u32 secctx_len;
+
+ audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
+ if (audit_buf == NULL)
+ return NULL;
+
+ audit_loginuid = audit_get_loginuid(audit_ctx);
+ if (current->signal &&
+ current->signal->tty &&
+ current->signal->tty->name)
+ audit_tty = current->signal->tty->name;
+ else
+ audit_tty = "(none)";
+ get_task_comm(audit_comm, current);
+
+ audit_log_format(audit_buf,
+ "netlabel: auid=%u uid=%u tty=%s pid=%d",
+ audit_loginuid,
+ current->uid,
+ audit_tty,
+ current->pid);
+ audit_log_format(audit_buf, " comm=");
+ audit_log_untrustedstring(audit_buf, audit_comm);
+ if (current->mm) {
+ down_read(&current->mm->mmap_sem);
+ vma = current->mm->mmap;
+ while (vma) {
+ if ((vma->vm_flags & VM_EXECUTABLE) &&
+ vma->vm_file) {
+ audit_log_d_path(audit_buf,
+ " exe=",
+ vma->vm_file->f_dentry,
+ vma->vm_file->f_vfsmnt);
+ break;
+ }
+ vma = vma->vm_next;
+ }
+ up_read(&current->mm->mmap_sem);
+ }
+
+ if (secid != 0 &&
+ security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
+ audit_log_format(audit_buf, " subj=%s", secctx);
+
+ return audit_buf;
+}
+
+/**
+ * netlbl_audit_nomsg - Send an audit message without additional text
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Send an audit message with only the common NetLabel audit fields.
+ *
+ */
+void netlbl_audit_nomsg(int type, u32 secid)
+{
+ struct audit_buffer *audit_buf;
+
+ audit_buf = netlbl_audit_start_common(type, secid);
+ audit_log_end(audit_buf);
+}
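Review bot: the secctx buffer obtained from security_secid_to_secctx() is allocated by the LSM and is never freed after the " subj=%s" line; the audit core's own callers of that function free the buffer once it has been logged, so this path leaks one context string per NetLabel audit record. Separately, the auid/uid/tty/comm/exe gathering in netlbl_audit_start_common() duplicates the task-info logging that kernel/auditsc.c already does for syscall records; exporting that helper instead of copying it would keep the two in step and mean the exe VMA walk is maintained in one place.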
Index: net-2.6/net/netlabel/netlabel_user.h
===================================================================
--- net-2.6.orig/net/netlabel/netlabel_user.h
+++ net-2.6/net/netlabel/netlabel_user.h
@@ -34,6 +34,7 @@
#include <linux/types.h>
#include <linux/skbuff.h>
#include <linux/capability.h>
+#include <linux/audit.h>
#include <net/netlink.h>
#include <net/genetlink.h>
#include <net/netlabel.h>
@@ -75,4 +76,9 @@ static inline void *netlbl_netlink_hdr_p
int netlbl_netlink_init(void);
+/* NetLabel Audit Functions */
+
+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid);
+void netlbl_audit_nomsg(int type, u32 secid);
+
#endif
--
paul moore
linux security @ hp
[PATCH] message type updated
by Steve Grubb
Hi,
This patch adds a new type for 3rd party module use and cleans up a deprecated
message type.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/include/linux/audit.h linux-2.6.18.x86_64/include/linux/audit.h
--- linux-2.6.18.x86_64.orig/include/linux/audit.h 2006-09-29 11:12:12.000000000 -0400
+++ linux-2.6.18.x86_64/include/linux/audit.h 2006-09-29 11:20:50.000000000 -0400
@@ -75,7 +75,7 @@
#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
#define AUDIT_SYSCALL 1300 /* Syscall event */
-#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
+/* #define AUDIT_FS_WATCH 1301 * Deprecated */
#define AUDIT_PATH 1302 /* Filename path information */
#define AUDIT_IPC 1303 /* IPC record */
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
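Review bot: commenting out AUDIT_FS_WATCH rather than deleting it keeps 1301 reserved, which matters because consumers key on the numeric type and old logs still contain it; a comment in the form /* 1301 was AUDIT_FS_WATCH: deprecated, do not reuse */ would make that intent explicit. Any userspace still compiling against AUDIT_FS_WATCH will now fail to build, so this should go in with the corresponding audit-userspace change (the 1.2.8 changelog on this page drops watches from aureport).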
@@ -88,6 +88,7 @@
#define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */
#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */
#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
+#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
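Review bot: a single AUDIT_KERNEL_OTHER type shared by every third-party module means ausearch and aureport cannot separate those modules' records by type; the header comment should require that records of this type start with a field identifying the emitting module, otherwise consumers get one undifferentiated bucket.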
[PATCH] -v3 newrole auditing of failures due to user actions
by Michael C Thompson
This patch introduces two new points in the code where audit records are
generated for newrole. Both points are when the attempt to newrole fails.
The first point is when the default type could not be determined for the
specified role - this is audited because, as sgrubb pointed out, it is
currently a non-tracked path to probe the policy.
The second point is when the desired context to change to is invalid.
The record format remains unchanged. Failing to validate the desired
context will result in the old and new contexts being recorded intact to
the log. For the default type, the old and new contexts have not yet
been obtained, so they are recorded in the log as XXX_context=?
Changes since version 2 of the patch:
* Added __attribute__((unused)) to "no-op" inline
Changes since version 1 of the patch:
* removed wrapping #ifdefs around send_audit_message()
* provided a "no-op" style function
* removed -D_GNU_SOURCE from the Makefile (as it's defined in the code)
* fixed the error path of the send_audit_message function
The solution that I have for the "no-op" function is not that pretty,
but the Makefile is configured with -Werror and a function which doesn't
use its parameters causes warnings. Is there a better solution to this
problem?
Signed-off-by: Michael Thompson <thompsmc(a)us.ibm.com>
----
[PATCH] arch filter lists with < or > should not be accepted
by Eric Paris
Currently the kernel audit system represents archs as numbers and will
gladly accept comparisons between archs using >, <, >=, <= when the only
thing that makes sense is = or !=. I'm told that the next revision of
auditctl will do this checking, but this will provide enforcement in the
kernel even for old userspace. A simple command to show the issue would
be to run
auditctl -d entry,always -F arch>i686 -S chmod
With this patch the kernel will reject this with -EINVAL.
Please comment/ack/nak as soon as possible.
-Eric
kernel/auditfilter.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- linux-2.6.18.i686/kernel/auditfilter.c.audit.arch 2006-09-28 16:44:11.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditfilter.c 2006-09-28 17:38:34.000000000 -0400
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to
case AUDIT_FSGID:
case AUDIT_LOGINUID:
case AUDIT_PERS:
- case AUDIT_ARCH:
case AUDIT_MSGTYPE:
case AUDIT_PPID:
case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to
case AUDIT_ARG2:
case AUDIT_ARG3:
break;
+ /* arch is only allowed to be = or != */
+ case AUDIT_ARCH:
+ if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
+ && (f->op != AUDIT_NEGATE) && (f->op)) {
+ err = -EINVAL;
+ goto exit_free;
+ }
+ break;
case AUDIT_PERM:
if (f->val & ~15)
goto exit_free;
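Review bot: the new AUDIT_ARCH case accepts four values (AUDIT_EQUAL, AUDIT_NOT_EQUAL, AUDIT_NEGATE and 0) while its comment says only = or !=; a comment that AUDIT_NEGATE and 0 are the legacy rule-format encodings of != and = would stop a later cleanup from rejecting rules from old auditctl binaries, which the mail body says is the whole point of doing this in the kernel. The err = -EINVAL before goto exit_free is correct, but the AUDIT_PERM case directly below reaches exit_free without setting err, so the two paths should be made consistent.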
[PATCH] name_count array overrun
by Steve Grubb
Hi,
This patch removes the rdev logging from the previous patch.
The below patch closes an unbounded use of name_count. This can lead to oopses
in some new file systems.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/kernel/auditsc.c linux-2.6.18.x86_64/kernel/auditsc.c
--- linux-2.6.18.x86_64.orig/kernel/auditsc.c 2006-09-24 08:24:27.000000000 -0400
+++ linux-2.6.18.x86_64/kernel/auditsc.c 2006-09-24 08:42:01.000000000 -0400
@@ -1347,7 +1347,13 @@ void __audit_inode_child(const char *dna
}
update_context:
- idx = context->name_count++;
+ idx = context->name_count;
+ if (context->name_count == AUDIT_NAMES) {
+ printk(KERN_DEBUG "name_count maxed and losing %s\n",
+ found_name ?: "(null)");
+ return;
+ }
+ context->name_count++;
#if AUDIT_DEBUG
context->ino_count++;
#endif
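Review bot: when name_count reaches AUDIT_NAMES the name is dropped with only a KERN_DEBUG printk, so the resulting audit record silently lacks a path; bounding the index is the right fix for the overrun, but the loss should be counted where auditors can see it (audit_log_lost() or an equivalent counter), because a truncated record is itself a detection gap. The same idx/AUDIT_NAMES check appears again in the next hunk with different wording, so a small helper would keep the two consistent.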
@@ -1365,7 +1371,18 @@ update_context:
/* A parent was not found in audit_names, so copy the inode data for the
* provided parent. */
if (!found_name) {
- idx = context->name_count++;
+ idx = context->name_count;
+ if (context->name_count == AUDIT_NAMES) {
+ printk(KERN_DEBUG
+ "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
+ MAJOR(parent->i_sb->s_dev),
+ MINOR(parent->i_sb->s_dev),
+ parent->i_ino);
+ return;
+ }
+ context->name_count++;
#if AUDIT_DEBUG
context->ino_count++;
#endif
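Review bot: the printk format "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu" has no trailing newline, so the next kernel message will run onto the same line; append "\n". As in the previous hunk, dropping the parent inode data deserves a visible loss counter rather than a debug-level message only.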
[PATCH] Allow ppid filtering on syscall auditing
by Eric Paris
Currently ppid filtering on syscall auditing does not appear to work. An
easy reproducer would be to do the following:
touch ./test
auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
chmod 000 ./test
no audit record will appear! (although !=[pid of your shell] will show
all chmod commands from all processes regardless of the ppid)
With a little instrumentation I found that ctx->ppid == 0 inside
audit_filter_rules(). I originally wanted to set the ppid during the
context creation back in something like audit_alloc_context, but that
didn't work, because at that point the new process had not forked off,
so the ppid of the chmod process was actually its parent's parent's.
Instead I set the ppid in audit_syscall_entry when we are actually
building the specific context.
Please comment/ack/nak as soon as possible.
-Eric
kernel/auditsc.c | 1 +
1 file changed, 1 insertion(+)
--- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-27 21:54:05.000000000 -0400
@@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m
context->arch = arch;
context->major = major;
+ context->ppid = sys_getppid();
context->argv[0] = a1;
context->argv[1] = a2;
context->argv[2] = a3;
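Review bot: filling context->ppid here means every audited syscall entry now pays for sys_getppid(), not only syscalls matched by a ppid rule; it is cheap, but the reason audit_alloc_context() was too early (the context is allocated before the fork completes, so the parent seen there is the grandparent, as the mail body explains) belongs in the commit message so that nobody moves the assignment back. Capturing at entry also means the value matches the parent at the moment of the call, which is what a ppid filter is meant to test.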
[PATCH] -v2 newrole auditing of failures due to user actions
by Michael C Thompson
This patch introduces two new points in the code where audit records are
generated for newrole. Both points are when the attempt to newrole fails.
The first point is when the default type could not be determined for the
specified role - this is audited because, as sgrubb pointed out, it is
currently a non-tracked path to probe the policy.
The second point is when the desired context to change to is invalid.
The record format remains unchanged. Failing to validate the desired
context will result in the old and new contexts being recorded intact to
the log. For the default type, the old and new contexts have not yet
been obtained, so they are recorded in the log as XXX_context=?
Changes since version 1 of the patch:
* removed wrapping #ifdefs around send_audit_message()
* provided a "no-op" style function
* removed -D_GNU_SOURCE from the Makefile (as it's defined in the code)
* fixed the error path of the send_audit_message function
The solution that I have for the "no-op" function is not that pretty,
but the Makefile is configured with -Werror and a function which doesn't
use its parameters causes warnings. Is there a better solution to this
problem?
Signed-off-by: Michael Thompson <thompsmc(a)us.ibm.com>
----