Audit, LSM, SELinux, and Smack
by Casey Schaufler
I'm looking at getting audit into my Smack LSM module.
Stephen Smalley has suggested, and I concur, that this
may be the time to convert audit from using SELinux
specific interfaces to LSM based interfaces.
Before I start blasting away with patches, I want to
check and see if anyone else is looking into this.
There's a good chunk of work to be done for LSM, audit,
SELinux, and Smack. I also want to be sure that no one
will take umbrage with the notion.
Thank you.
Casey Schaufler
casey(a)schaufler-ca.com
17 years, 5 months
"denied" error message
by Bill Tangren
I have the following error message showing up in my audit logs. This is on an
SELinux-enabled web server (running RHEL ES 4, fully patched). This is actually
an selinux error, so if this not the correct place to ask this question, please
let me know.
**********
type=AVC msg=audit(1185389440.164:7579569): avc: denied { execute } for
pid=26076 comm="aa_pap8" name="ld.so.cache" dev=md3 ino=2529627
scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t
tclass=file
type=SYSCALL msg=audit(1185389440.164:7579569): arch=40000003 syscall=90
per=400000 success=no exit=-13 a0=bffff074 a1=2 a2=a54fd4 a3=3 items=0 pid=26076
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="aa_pap8" exe="/location/of/bin/aa_pap8"
type=AVC_PATH msg=audit(1185389440.164:7579569): path="/etc/ld.so.cache"
**********
A web page of ours is calling a script that is calling this program
/location/of/bin/aa_pap8. The security context on the program is
-rwxr-xr-x apache AA system_u:object_r:httpd_sys_content_t aa_pap8
The security context on ld.so.cache is
-rw-r--r-- root root root:object_r:ld_so_cache_t /etc/ld.so.cache
Does anyone know why this error is occurring? The program is running correctly.
I'd just like to know where the error is coming from.
Thanks,
Bill Tangren
17 years, 5 months
Autotools usage in the audit package
by John D. Ramsdell
Please reconsider the way the autotools are used in the audit package.
It has always struck me as odd that the RPM spec and the
README-install file specify that some autotool program be run. My
understanding is the autotool programs are to be run in preparation
for generating a source distribution, and that the RPM builder simply
builds a binary version of the distribution, just as someone builds
using the sources.
Another trick I suggest is to organize the sources so that the one
source for all version numbers in the package is the AC_INIT call in
configure.ac. The RPM spec is built by running the ./configure
command, and audit.spec.in starts like this:
Name: @PACKAGE@
Version: @VERSION@
I have enclosed a patch for audit version 1.5.5 that implements the
changes I just described.
John
17 years, 5 months
clone flags
by John D. Ramsdell
I've been carefully comparing output I obtain with autrace with what I
get from strace. It appears they differ when the clone system call is
invoked from the C library via fork. In particular, strace reports
flags of CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, while
autrace says the flags are 0. The flags are in field a2.
John
[ramsdell@goo fork]$ uname -r
2.6.21-1.3228.fc7
[ramsdell@goo fork]$ make fork
cc fork.c -o fork
[ramsdell@goo fork]$ strace -o strace.txt ./fork
[ramsdell@goo fork]$ su -
Password:
[root@goo ~]# cd /home/ramsdell/proj/fork
[root@goo fork]# autrace ./fork
Waiting to execute: ./fork
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 1160'
[root@goo fork]# ausearch -i -p 1160 > autrace.txt
[root@goo fork]# grep clone strace.txt
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7efb708) = 1122
[root@goo fork]# grep clone autrace.txt
type=SYSCALL msg=audit(07/19/2007 09:16:02.350:848) : arch=i386 syscall=clone success=yes exit=1161 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1158 pid=1160 auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=fork exe=/home/ramsdell/proj/fork/fork subj=user_u:system_r:unconfined_t:s0 key=(null)
[root@goo fork]# cat fork.c
#include <stdio.h>
#include <errno.h>
#include <unistd.h>      /* fork() */
#include <sys/types.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
    int status;
    pid_t pid;

    switch (fork()) {
    case -1:
        perror("clone");
        return 1;
    case 0:
        /* child: exit immediately */
        return 0;
    default:
        /* parent: reap the child, retrying if wait() is interrupted */
        do {
            pid = wait(&status);
        } while (pid < 0 && errno == EINTR);
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        else
            return 1;
    }
}
[root@goo fork]#
17 years, 5 months
Should open syscall records occur without a path record?
by John D. Ramsdell
I have a test suite that generates every system call analyzed by our
package. The suite runs several programs that do a variety of things,
including opening files. I traced the set of programs, and retrieved
the records using
ausearch -r -p P > P.txt
where P is the process ID of each traced program.
When I attempt to analyze the logs, my program blows up because it
assumes that every syscall audit event for the open syscall will
include a PATH record. I made a quick edit of the analysis program,
and discovered that 24 open syscall records have no PATH record, and
sometimes the CWD record is missing too.
$ python auditopen.py -i ../autsv/*.txt
Of 421 events with a SYSCALL record with syscall=open
401 have CWD
397 have PATH
0 have CWD but no PATH
$
Is it appropriate for audit analysis programs to assume a PATH record
will be available with every open syscall event? I cannot see how to
do my analysis without the PATH record.
17 years, 5 months
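Both the AVC denial quoted in the "denied" post earlier on this page and the missing PATH records described in the post above come down to the same step: reassembling one audit event from the records that share its serial number in the msg=audit(time:serial) header. The following added example, which is not code from either poster, does that for the raw record format (ausearch -r); it then joins each AVC denial with its SYSCALL and AVC_PATH records and lists the open-syscall events that lack a PATH or CWD record. The three records with serial 7579569 are the ones from the "denied" post, rejoined onto single lines; the events with serials 100 to 102 are constructed. In that denial, arch=40000003 is AUDIT_ARCH_I386 and syscall=90 is the i386 mmap entry point, which is consistent with the dynamic loader mapping /etc/ld.so.cache with PROT_EXEC, the operation SELinux checks as file execute.

```python
"""Group raw Linux audit records into events and inspect them.

Added example (not code from either post). Input is the raw format
written by `ausearch -r`: every record starts with
`type=<TYPE> msg=audit(<time>:<serial>):` and all records of one event
carry the same serial. The AVC record additionally starts with the
decision text `avc: denied { perms } for` before its key=value fields.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r'^type=(\S+)\s+msg=audit\(([^)]+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'^avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # values may be double-quoted

# Serial 7579569: the records quoted in the "denied" post. Serials 100-102: constructed.
SAMPLE = """\
type=AVC msg=audit(1185389440.164:7579569): avc: denied { execute } for pid=26076 comm="aa_pap8" name="ld.so.cache" dev=md3 ino=2529627 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
type=SYSCALL msg=audit(1185389440.164:7579569): arch=40000003 syscall=90 per=400000 success=no exit=-13 a0=bffff074 a1=2 a2=a54fd4 a3=3 items=0 pid=26076 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="aa_pap8" exe="/location/of/bin/aa_pap8"
type=AVC_PATH msg=audit(1185389440.164:7579569): path="/etc/ld.so.cache"
type=SYSCALL msg=audit(1185389500.000:100): arch=40000003 syscall=5 success=yes exit=3 a0=bffff074 a1=0 a2=1b6 a3=0 items=1 pid=2001 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1185389500.000:100): cwd="/home/user"
type=PATH msg=audit(1185389500.000:100): item=0 name="notes.txt" inode=1234 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1185389500.001:101): arch=40000003 syscall=5 success=no exit=-2 a0=bffff074 a1=0 a2=1b6 a3=0 items=0 pid=2001 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1185389500.001:101): cwd="/home/user"
type=SYSCALL msg=audit(1185389500.002:102): arch=40000003 syscall=5 success=no exit=-13 a0=bffff074 a1=0 a2=1b6 a3=0 items=0 pid=2001 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat"
"""

def parse_record(line):
    """Parse one raw record into a dict; return None for a line that is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {'type': rtype, 'time': ts, 'serial': int(serial)}
    avc = AVC_RE.match(body)
    if avc:                                  # peel off the AVC decision text first
        rec['decision'] = avc.group(1)
        rec['perms'] = avc.group(2).split()
        body = avc.group(3)
    for key, val in KV_RE.findall(body):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec

def group_events(lines):
    """Return {serial: [records]} so the records of one event stay together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return dict(events)

def summarize_denials(events):
    """One summary per AVC denial, joined with the event's SYSCALL and AVC_PATH records."""
    out = []
    for serial, recs in sorted(events.items()):
        by_type = {r['type']: r for r in recs}
        sc = by_type.get('SYSCALL', {})
        for r in recs:
            if r['type'] != 'AVC' or r.get('decision') != 'denied':
                continue
            out.append({
                'serial': serial, 'perms': r['perms'], 'comm': r.get('comm'),
                'scontext': r.get('scontext'), 'tcontext': r.get('tcontext'),
                'tclass': r.get('tclass'),
                'path': by_type.get('AVC_PATH', {}).get('path', r.get('name')),
                'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
            })
    return out

def open_events_missing_path(events, open_syscalls=('open', '5')):
    """Serials of open events with no PATH record, and of those with no CWD record.
    '5' is i386 __NR_open as seen in raw records; 'open' covers interpreted output."""
    no_path, no_cwd = [], []
    for serial, recs in sorted(events.items()):
        if not any(r['type'] == 'SYSCALL' and r.get('syscall') in open_syscalls for r in recs):
            continue
        types = {r['type'] for r in recs}
        if 'PATH' not in types:
            no_path.append(serial)
        if 'CWD' not in types:
            no_cwd.append(serial)
    return no_path, no_cwd

if __name__ == '__main__':
    ev = group_events(SAMPLE.splitlines())
    for d in summarize_denials(ev):
        print('denied %s on %s (%s -> %s) syscall=%s exit=%s' % (
            '+'.join(d['perms']), d['path'], d['scontext'], d['tcontext'], d['syscall'], d['exit']))
    print('open events without PATH / without CWD:', open_events_missing_path(ev))
```

Grouping on the serial is what makes the analysis robust to records arriving out of order or interleaved with other events; for the open() question, the check reports an event as PATH-less only after it has seen all of that event's records, so the same tool can be pointed at the P.txt files described in the post.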
[PATCH]: revised make xfrm_audit_log more generic patch
by Joy Latten
Revised patch that modifies xfrm_audit_log() such that it
can accommodate auditing other ipsec events
besides add/delete of an SA or SPD entry.
This patch differs from original in that it does
not remove existing ipsec audit defines so as
to not break existing audit apps.
This is a small change to accommodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
Regards,
Joy
Signed-off-by: Joy Latten <latten(a)austin.ibm.com>
diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h 2007-07-23 14:35:28.000000000 -0500
+++ linux-2.6.22.patch/include/linux/audit.h 2007-07-23 14:38:51.000000000 -0500
@@ -112,6 +112,7 @@
#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */
#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit IPSec events */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-23 14:35:28.000000000 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h 2007-07-23 14:38:51.000000000 -0500
@@ -427,9 +427,11 @@ struct xfrm_audit
#ifdef CONFIG_AUDITSYSCALL
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x);
+ u16 family, xfrm_address_t saddr,
+ xfrm_address_t daddr, __be32 spi, __be32 flowid,
+ struct xfrm_sec_ctx *sctx, char *buf);
#else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
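Review bot: the new prototype passes `xfrm_address_t saddr` and `xfrm_address_t daddr` by value, which copies two 16-byte unions at every call site even though every caller already has them in memory (`x->props.saddr`, `xp->selector.saddr`, and so on); `const xfrm_address_t *` would avoid the copies and would also let the AF_INET6 branch in xfrm_policy.c use the pointer directly instead of the `*((struct in6_addr *)&saddr.a6)` cast. Two smaller points on the same lines: the parameter is named `flowid` here but `flowlabel` in the definition, and `char *buf` should be `const char *buf` since every caller passes a string literal.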
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-23 14:38:51.000000000 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, &c);
out:
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
+
xfrm_state_put(x);
return err;
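Review bot: the lone `+` line adds a blank line between the `xfrm_audit_log()` call and `xfrm_state_put(x)` that the surrounding code does not have; drop it so the hunk changes only the call.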
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD add");
if (err)
goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD delete");
if (err)
goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD delete");
if (err)
goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-23 14:35:29.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_policy.c 2007-07-23 14:38:51.000000000 -0500
@@ -853,8 +853,11 @@ xfrm_policy_flush_secctx_check(u8 type,
if (err) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 0,
- pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 0,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD delete");
return err;
}
}
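Review bot: this call site, and every other policy call site in the patch, expands the same seven arguments from `pol` (`pol->selector.family`, `pol->selector.saddr`, `pol->selector.daddr`, `0, 0`, `pol->security`, `"SPD delete"`), and the state call sites do the same from `x`. Two thin wrappers, one taking `struct xfrm_policy *` and one taking `struct xfrm_state *` together with the operation string, would keep each call to one line and stop the argument lists from drifting apart across the dozen copies.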
@@ -868,8 +871,12 @@ xfrm_policy_flush_secctx_check(u8 type,
if (err) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD,
- 0, pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT,
+ 0, pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr,
+ 0, 0, pol->security,
+ "SPD delete");
return err;
}
}
@@ -911,7 +918,11 @@ int xfrm_policy_flush(u8 type, struct xf
write_unlock_bh(&xfrm_policy_lock);
xfrm_audit_log(audit_info->loginuid, audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 1,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD delete");
xfrm_policy_kill(pol);
killed++;
@@ -933,8 +944,11 @@ int xfrm_policy_flush(u8 type, struct xf
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1,
- pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 1,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD delete");
xfrm_policy_kill(pol);
killed++;
@@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok);
/* Audit addition and deletion of SAs and ipsec policy */
void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x)
+ u16 family, xfrm_address_t saddr, xfrm_address_t daddr,
+ __be32 spi, __be32 flowlabel, struct xfrm_sec_ctx *sctx,
+ char *buf)
{
-
char *secctx;
u32 secctx_len;
- struct xfrm_sec_ctx *sctx = NULL;
struct audit_buffer *audit_buf;
- int family;
extern int audit_enabled;
if (audit_enabled == 0)
return;
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
- type == AUDIT_MAC_IPSEC_DELSA) && !x);
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
- type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
-
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
return;
- switch(type) {
- case AUDIT_MAC_IPSEC_ADDSA:
- audit_log_format(audit_buf, "SAD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSA:
- audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_ADDSPD:
- audit_log_format(audit_buf, "SPD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSPD:
- audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
- break;
- default:
- return;
- }
+ audit_log_format(audit_buf, "%s: auid=%u", buf, auid);
if (sid != 0 &&
security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
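Review bot: with `type` now always AUDIT_MAC_IPSEC_EVENT, the only thing that distinguishes an SA add from an SPD delete is the free-form prefix written by `audit_log_format(audit_buf, "%s: auid=%u", buf, auid)`. Audit userspace matches on the record type and on key=value fields rather than on leading text, so consider carrying the operation as a keyed field (for example an `op=` field alongside `auid=`) and documenting the permitted strings next to the new define in audit.h, otherwise every consumer has to hard-code the four prefixes.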
@@ -2199,16 +2192,6 @@ void xfrm_audit_log(uid_t auid, u32 sid,
else
audit_log_task_context(audit_buf);
- if (xp) {
- family = xp->selector.family;
- if (xp->security)
- sctx = xp->security;
- } else {
- family = x->props.family;
- if (x->security)
- sctx = x->security;
- }
-
if (sctx)
audit_log_format(audit_buf,
" sec_alg=%u sec_doi=%u sec_obj=%s",
@@ -2216,48 +2199,24 @@ void xfrm_audit_log(uid_t auid, u32 sid,
switch(family) {
case AF_INET:
- {
- struct in_addr saddr, daddr;
- if (xp) {
- saddr.s_addr = xp->selector.saddr.a4;
- daddr.s_addr = xp->selector.daddr.a4;
- } else {
- saddr.s_addr = x->props.saddr.a4;
- daddr.s_addr = x->id.daddr.a4;
- }
- audit_log_format(audit_buf,
- " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
- NIPQUAD(saddr), NIPQUAD(daddr));
- }
- break;
+ audit_log_format(audit_buf,
+ " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
+ NIPQUAD(saddr.a4), NIPQUAD(daddr.a4));
+ break;
case AF_INET6:
- {
- struct in6_addr saddr6, daddr6;
- if (xp) {
- memcpy(&saddr6, xp->selector.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, xp->selector.daddr.a6,
- sizeof(struct in6_addr));
- } else {
- memcpy(&saddr6, x->props.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, x->id.daddr.a6,
- sizeof(struct in6_addr));
- }
- audit_log_format(audit_buf,
- " src=" NIP6_FMT " dst=" NIP6_FMT,
- NIP6(saddr6), NIP6(daddr6));
- }
+ audit_log_format(audit_buf, " src=" NIP6_FMT " dst=" NIP6_FMT,
+ NIP6(*((struct in6_addr *)&saddr.a6)),
+ NIP6(*((struct in6_addr *)&daddr.a6)));
break;
}
- if (x)
- audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
- (unsigned long)ntohl(x->id.spi),
- (unsigned long)ntohl(x->id.spi),
- x->id.proto == IPPROTO_AH ? "AH" :
- (x->id.proto == IPPROTO_ESP ?
- "ESP" : "IPCOMP"));
+ if (flowlabel)
+ audit_log_format(audit_buf, " flowlabel=%u", flowlabel);
+
+ if (spi)
+ audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+ (unsigned long)ntohl(spi),
+ (unsigned long)ntohl(spi));
audit_log_format(audit_buf, " res=%u", result);
audit_log_end(audit_buf);
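Review bot: two things the old record contained are lost in this hunk. The `protocol=AH|ESP|IPCOMP` field derived from `x->id.proto` has no counterpart in the new signature, so an SA add or delete record no longer says which IPsec protocol the SA belongs to; a `u8 proto` parameter (0 for policy events) would preserve it. And `flowlabel` is declared `__be32` but is printed with `" flowlabel=%u"` without `ntohl()`, unlike `spi` a few lines below, so it prints byte-swapped on little-endian hosts and will trip sparse; print `ntohl(flowlabel)` instead.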
diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22.patch/net/xfrm/xfrm_state.c
--- linux-2.6.22/net/xfrm/xfrm_state.c 2007-07-23 14:35:29.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_state.c 2007-07-23 14:46:00.000000000 -0500
@@ -303,7 +303,9 @@ expired:
km_state_expired(x, 1, 0);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr, x->id.spi,
+ 0, x->security, "SAD delete");
out:
spin_unlock(&x->lock);
@@ -406,9 +408,10 @@ xfrm_state_flush_secctx_check(u8 proto,
(err = security_xfrm_state_delete(x)) != 0) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- 0, NULL, x);
-
+ AUDIT_MAC_IPSEC_EVENT, 0,
+ x->props.family, x->props.saddr,
+ x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
return err;
}
}
@@ -446,8 +449,11 @@ restart:
err = xfrm_state_delete(x);
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT,
+ err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security,
+ "SAD delete");
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22.patch/net/xfrm/xfrm_user.c
--- linux-2.6.22/net/xfrm/xfrm_user.c 2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_user.c 2007-07-23 14:38:51.000000000 -0500
@@ -456,7 +456,9 @@ static int xfrm_add_sa(struct sk_buff *s
err = xfrm_state_update(x);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -539,7 +541,9 @@ static int xfrm_del_sa(struct sk_buff *s
out:
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD delete");
xfrm_state_put(x);
return err;
}
@@ -1149,7 +1153,9 @@ static int xfrm_add_policy(struct sk_buf
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD delete");
if (err) {
security_xfrm_policy_free(xp);
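Review bot: this is the policy add path (`xfrm_policy_insert()` two lines above), but the new call passes the string `"SPD delete"`. The old code had the same mismatch with AUDIT_MAC_IPSEC_DELSPD, so since the line is being rewritten anyway this is the place to fix it by passing `"SPD add"`.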
@@ -1395,7 +1401,10 @@ static int xfrm_get_policy(struct sk_buf
}
} else {
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD delete");
if (err != 0)
goto out;
@@ -1644,8 +1653,9 @@ static int xfrm_add_pol_expire(struct sk
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
-
+ AUDIT_MAC_IPSEC_EVENT, 1, xp->selector.family,
+ xp->selector.saddr, xp->selector.daddr, 0, 0,
+ xp->security, "SPD delete");
} else {
// reset the timers here?
printk("Dont know what to do with soft policy expire\n");
@@ -1680,7 +1690,9 @@ static int xfrm_add_sa_expire(struct sk_
if (ue->hard) {
__xfrm_state_delete(x);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
}
err = 0;
out:
17 years, 5 months
Ptrace loses track of a forked child
by John D. Ramsdell
I thought I was very close to finishing up an application that uses
the audit system to perform a task formerly done by a modified version
of strace. Alas, one of the programs I had working last October no
longer works.
The broken program uses ptrace to add an audit rule for each child
process forked by the traced application. It adds the rule before the
child runs by handling a SIGTRAP generated as a result of tracing the
original child with the PTRACE_O_TRACEFORK option.
I tried to follow the changes to kernel/ptrace.c via linuxhq, but I
got little from that exercise. I ended up submitting a bug report
here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246330
If there is something else I should be doing, please advise.
I notice there are two other ptrace related bugs reported for Fedora
7. Both have been assigned to Roland McGrath, a primary maintainer of
strace. I bet he gets assigned this bug report too. Roland doesn't
like the changes I make to strace that allow it to display the
security contexts associated with traced objects, so he'll remember
me.
One final question. Have there been any other efforts aimed at
allowing the audit system to follow forks of traced processes?
Alternatives to my ptrace solution would be greatly appreciated at
this time.
John
17 years, 5 months
[PATCH] make xfrm_audit_log more generic
by Joy Latten
This patch modifies xfrm_audit_log() such that it
can accommodate auditing other ipsec events
besides add/delete of an SA or SPD entry.
This is a small change to accommodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
I tested with selinux/labeled-ipsec/plain-ipsec and plain ipsec
without selinux. Also compiled and tested with auditing disabled.
Regards,
Joy
Signed-off-by: Joy Latten <latten(a)austin.ibm.com>
diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h 2007-07-19 13:17:22.000000000 -0500
+++ linux-2.6.22.patch/include/linux/audit.h 2007-07-19 13:21:29.000000000 -0500
@@ -108,10 +108,7 @@
#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */
-#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */
-#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
-#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT 1411 /* Audit IPSec events */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
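Review bot: removing AUDIT_MAC_IPSEC_ADDSA through AUDIT_MAC_IPSEC_DELSPD (1411 to 1414) and reusing 1411 for AUDIT_MAC_IPSEC_EVENT changes the meaning of record types that released kernels have already emitted and that audit userspace already knows by number; logs written before and after the change would then carry different events under the same type value. Keep the existing four defines and allocate a fresh number for the generic event so existing logs and parsers remain valid.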
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-19 13:17:22.000000000 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h 2007-07-19 13:21:29.000000000 -0500
@@ -427,9 +427,11 @@ struct xfrm_audit
#ifdef CONFIG_AUDITSYSCALL
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x);
+ u16 family, xfrm_address_t saddr,
+ xfrm_address_t daddr, __be32 spi, __be32 flowid,
+ struct xfrm_sec_ctx *sctx, char *buf);
#else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-19 13:21:30.000000000 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, &c);
out:
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
+
xfrm_state_put(x);
return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD add");
if (err)
goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD delete");
if (err)
goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD delete");
if (err)
goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-19 13:17:23.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_policy.c 2007-07-19 13:21:30.000000000 -0500
@@ -853,8 +853,11 @@ xfrm_policy_flush_secctx_check(u8 type,
if (err) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 0,
- pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 0,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD delete");
return err;
}
}
@@ -868,8 +871,12 @@ xfrm_policy_flush_secctx_check(u8 type,
if (err) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD,
- 0, pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT,
+ 0, pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr,
+ 0, 0, pol->security,
+ "SPD delete");
return err;
}
}
@@ -911,7 +918,11 @@ int xfrm_policy_flush(u8 type, struct xf
write_unlock_bh(&xfrm_policy_lock);
xfrm_audit_log(audit_info->loginuid, audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 1,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD delete");
xfrm_policy_kill(pol);
killed++;
@@ -933,8 +944,11 @@ int xfrm_policy_flush(u8 type, struct xf
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1,
- pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 1,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD delete");
xfrm_policy_kill(pol);
killed++;
@@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok);
/* Audit addition and deletion of SAs and ipsec policy */
void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x)
+ u16 family, xfrm_address_t saddr, xfrm_address_t daddr,
+ __be32 spi, __be32 flowlabel, struct xfrm_sec_ctx *sctx,
+ char *buf)
{
-
char *secctx;
u32 secctx_len;
- struct xfrm_sec_ctx *sctx = NULL;
struct audit_buffer *audit_buf;
- int family;
extern int audit_enabled;
if (audit_enabled == 0)
return;
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
- type == AUDIT_MAC_IPSEC_DELSA) && !x);
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
- type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
-
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
return;
- switch(type) {
- case AUDIT_MAC_IPSEC_ADDSA:
- audit_log_format(audit_buf, "SAD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSA:
- audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_ADDSPD:
- audit_log_format(audit_buf, "SPD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSPD:
- audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
- break;
- default:
- return;
- }
+ audit_log_format(audit_buf, "%s: auid=%u", buf, auid);
if (sid != 0 &&
security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
@@ -2199,16 +2192,6 @@ void xfrm_audit_log(uid_t auid, u32 sid,
else
audit_log_task_context(audit_buf);
- if (xp) {
- family = xp->selector.family;
- if (xp->security)
- sctx = xp->security;
- } else {
- family = x->props.family;
- if (x->security)
- sctx = x->security;
- }
-
if (sctx)
audit_log_format(audit_buf,
" sec_alg=%u sec_doi=%u sec_obj=%s",
@@ -2216,48 +2199,24 @@ void xfrm_audit_log(uid_t auid, u32 sid,
switch(family) {
case AF_INET:
- {
- struct in_addr saddr, daddr;
- if (xp) {
- saddr.s_addr = xp->selector.saddr.a4;
- daddr.s_addr = xp->selector.daddr.a4;
- } else {
- saddr.s_addr = x->props.saddr.a4;
- daddr.s_addr = x->id.daddr.a4;
- }
- audit_log_format(audit_buf,
- " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
- NIPQUAD(saddr), NIPQUAD(daddr));
- }
- break;
+ audit_log_format(audit_buf,
+ " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
+ NIPQUAD(saddr.a4), NIPQUAD(daddr.a4));
+ break;
case AF_INET6:
- {
- struct in6_addr saddr6, daddr6;
- if (xp) {
- memcpy(&saddr6, xp->selector.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, xp->selector.daddr.a6,
- sizeof(struct in6_addr));
- } else {
- memcpy(&saddr6, x->props.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, x->id.daddr.a6,
- sizeof(struct in6_addr));
- }
- audit_log_format(audit_buf,
- " src=" NIP6_FMT " dst=" NIP6_FMT,
- NIP6(saddr6), NIP6(daddr6));
- }
+ audit_log_format(audit_buf, " src=" NIP6_FMT " dst=" NIP6_FMT,
+ NIP6(*((struct in6_addr *)&saddr.a6)),
+ NIP6(*((struct in6_addr *)&daddr.a6)));
break;
}
- if (x)
- audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
- (unsigned long)ntohl(x->id.spi),
- (unsigned long)ntohl(x->id.spi),
- x->id.proto == IPPROTO_AH ? "AH" :
- (x->id.proto == IPPROTO_ESP ?
- "ESP" : "IPCOMP"));
+ if (flowlabel)
+ audit_log_format(audit_buf, " flowlabel=%u", flowlabel);
+
+ if (spi)
+ audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+ (unsigned long)ntohl(spi),
+ (unsigned long)ntohl(spi));
audit_log_format(audit_buf, " res=%u", result);
audit_log_end(audit_buf);
diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22.patch/net/xfrm/xfrm_state.c
--- linux-2.6.22/net/xfrm/xfrm_state.c 2007-07-19 13:17:23.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_state.c 2007-07-19 13:21:30.000000000 -0500
@@ -303,7 +303,9 @@ expired:
km_state_expired(x, 1, 0);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr, x->id.spi,
+ 0, x->security, "SAD delete");
out:
spin_unlock(&x->lock);
@@ -406,8 +408,10 @@ xfrm_state_flush_secctx_check(u8 proto,
(err = security_xfrm_state_delete(x)) != 0) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- 0, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, 0,
+ x->props.family, x->props.saddr,
+ x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
return err;
}
@@ -446,8 +450,11 @@ restart:
err = xfrm_state_delete(x);
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT,
+ err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security,
+ "SAD delete");
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22.patch/net/xfrm/xfrm_user.c
--- linux-2.6.22/net/xfrm/xfrm_user.c 2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_user.c 2007-07-19 13:21:30.000000000 -0500
@@ -456,7 +456,9 @@ static int xfrm_add_sa(struct sk_buff *s
err = xfrm_state_update(x);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -539,7 +541,9 @@ static int xfrm_del_sa(struct sk_buff *s
out:
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD delete");
xfrm_state_put(x);
return err;
}
@@ -1149,7 +1153,9 @@ static int xfrm_add_policy(struct sk_buf
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD delete");
if (err) {
security_xfrm_policy_free(xp);
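Review bot: the string passed here is `"SPD delete"`, but the call follows `xfrm_policy_insert()` and so records a policy being added; the pre-existing use of AUDIT_MAC_IPSEC_DELSPD on this line looks like the same mistake, and the replacement should read `"SPD add"`.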
@@ -1395,7 +1401,10 @@ static int xfrm_get_policy(struct sk_buf
}
} else {
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD delete");
if (err != 0)
goto out;
@@ -1644,8 +1653,9 @@ static int xfrm_add_pol_expire(struct sk
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
-
+ AUDIT_MAC_IPSEC_EVENT, 1, xp->selector.family,
+ xp->selector.saddr, xp->selector.daddr, 0, 0,
+ xp->security, "SPD delete");
} else {
// reset the timers here?
printk("Dont know what to do with soft policy expire\n");
@@ -1680,7 +1690,9 @@ static int xfrm_add_sa_expire(struct sk_
if (ue->hard) {
__xfrm_state_delete(x);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
}
err = 0;
out:
17 years, 5 months
- audit-rework-execve-audit.patch removed from -mm tree
by akpm@linux-foundation.org
The patch titled
audit: rework execve audit
has been removed from the -mm tree. Its filename was
audit-rework-execve-audit.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
Subject: audit: rework execve audit
From: Peter Zijlstra <a.p.zijlstra(a)chello.nl>
The purpose of audit_bprm() is to log the argv array to a userspace daemon at
the end of the execve system call. Since user-space hasn't had time to run,
this array is still in pristine state on the process' stack; so no need to
copy it, we can just grab it from there.
In order to minimize the damage to audit_log_*() copy each string into a
temporary kernel buffer first.
Currently the audit code requires that the full argument vector fits in a
single packet. So currently it does clip the argv size to a (sysctl) limit,
but only when execve auditing is enabled.
If the audit protocol gets extended to allow for multiple packets this check
can be removed.
Signed-off-by: Peter Zijlstra <a.p.zijlstra(a)chello.nl>
Signed-off-by: Ollie Wild <aaw(a)google.com>
Cc: <linux-audit(a)redhat.com>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
Documentation/filesystems/proc.txt | 7 ++
fs/exec.c | 3
include/linux/binfmts.h | 1
kernel/auditsc.c | 84 ++++++++++++++++++++-------
kernel/sysctl.c | 11 +++
5 files changed, 85 insertions(+), 21 deletions(-)
diff -puN Documentation/filesystems/proc.txt~audit-rework-execve-audit Documentation/filesystems/proc.txt
--- a/Documentation/filesystems/proc.txt~audit-rework-execve-audit
+++ a/Documentation/filesystems/proc.txt
@@ -1065,6 +1065,13 @@ check the amount of free space (value is
resume it if we have a value of 3 or more percent; consider information about
the amount of free space valid for 30 seconds
+audit_argv_kb
+-------------
+
+The file contains a single value denoting the limit on the argv array size
+for execve (in KiB). This limit is only applied when system call auditing for
+execve is enabled, otherwise the value is ignored.
+
ctrl-alt-del
------------
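Review bot: the new audit_argv_kb text understates what the limit does. As far as the audit_bprm() hunk in this same patch shows, an execve whose argv exceeds the limit while execve auditing is enabled gets -E2BIG back, so the call fails rather than being logged in truncated form; the paragraph should say that, since it is a behaviour change an administrator turning on execve auditing will notice.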
diff -puN fs/exec.c~audit-rework-execve-audit fs/exec.c
--- a/fs/exec.c~audit-rework-execve-audit
+++ a/fs/exec.c
@@ -1154,6 +1154,7 @@ int do_execve(char * filename,
{
struct linux_binprm *bprm;
struct file *file;
+ unsigned long env_p;
int retval;
int i;
@@ -1208,9 +1209,11 @@ int do_execve(char * filename,
if (retval < 0)
goto out;
+ env_p = bprm->p;
retval = copy_strings(bprm->argc, argv, bprm);
if (retval < 0)
goto out;
+ bprm->argv_len = env_p - bprm->p;
retval = search_binary_handler(bprm,regs);
if (retval >= 0) {
diff -puN include/linux/binfmts.h~audit-rework-execve-audit include/linux/binfmts.h
--- a/include/linux/binfmts.h~audit-rework-execve-audit
+++ a/include/linux/binfmts.h
@@ -40,6 +40,7 @@ struct linux_binprm{
unsigned interp_flags;
unsigned interp_data;
unsigned long loader, exec;
+ unsigned long argv_len;
};
#define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
diff -puN kernel/auditsc.c~audit-rework-execve-audit kernel/auditsc.c
--- a/kernel/auditsc.c~audit-rework-execve-audit
+++ a/kernel/auditsc.c
@@ -153,7 +153,7 @@ struct audit_aux_data_execve {
struct audit_aux_data d;
int argc;
int envc;
- char mem[0];
+ struct mm_struct *mm;
};
struct audit_aux_data_socketcall {
@@ -831,6 +831,55 @@ static int audit_log_pid_context(struct
return rc;
}
+static void audit_log_execve_info(struct audit_buffer *ab,
+ struct audit_aux_data_execve *axi)
+{
+ int i;
+ long len, ret;
+ const char __user *p = (const char __user *)axi->mm->arg_start;
+ char *buf;
+
+ if (axi->mm != current->mm)
+ return; /* execve failed, no additional info */
+
+ for (i = 0; i < axi->argc; i++, p += len) {
+ len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE);
+ /*
+ * We just created this mm, if we can't find the strings
+ * we just copied into it something is _very_ wrong. Similar
+ * for strings that are too long, we should not have created
+ * any.
+ */
+ if (!len || len > MAX_ARG_STRLEN) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ }
+
+ buf = kmalloc(len, GFP_KERNEL);
+ if (!buf) {
+ audit_panic("out of memory for argv string\n");
+ break;
+ }
+
+ ret = copy_from_user(buf, p, len);
+ /*
+ * There is no reason for this copy to be short. We just
+ * copied them here, and the mm hasn't been exposed to user-
+ * space yet.
+ */
+ if (!ret) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ }
+
+ audit_log_format(ab, "a%d=", i);
+ audit_log_untrustedstring(ab, buf);
+ audit_log_format(ab, "\n");
+
+ kfree(buf);
+ }
+}
+
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
{
int i, call_panic = 0;
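Review bot: the copy_from_user() check in audit_log_execve_info() is inverted. copy_from_user() returns the number of bytes it could not copy, so `if (!ret)` fires on every successful copy and SIGKILLs the task on its first audited execve; it needs to be `if (ret)`. Separately, neither WARN_ON/send_sig path leaves the loop: after the `!len || len > MAX_ARG_STRLEN` test the code still calls kmalloc(len) and copy_from_user() with a length it has just declared bad, and after the copy test it logs a buffer that may hold uninitialised data. Add a `break;` (with `kfree(buf);` where the buffer is already allocated) after each send_sig().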
@@ -971,13 +1020,7 @@ static void audit_log_exit(struct audit_
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
- int i;
- const char *p;
- for (i = 0, p = axi->mem; i < axi->argc; i++) {
- audit_log_format(ab, "a%d=", i);
- p = audit_log_untrustedstring(ab, p);
- audit_log_format(ab, "\n");
- }
+ audit_log_execve_info(ab, axi);
break; }
case AUDIT_SOCKETCALL: {
@@ -1821,32 +1864,31 @@ int __audit_ipc_set_perm(unsigned long q
return 0;
}
+int audit_argv_kb = 32;
+
int audit_bprm(struct linux_binprm *bprm)
{
struct audit_aux_data_execve *ax;
struct audit_context *context = current->audit_context;
- unsigned long p, next;
- void *to;
if (likely(!audit_enabled || !context || context->dummy))
return 0;
- ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
- GFP_KERNEL);
+ /*
+ * Even though the stack code doesn't limit the arg+env size any more,
+ * the audit code requires that _all_ arguments be logged in a single
+ * netlink skb. Hence cap it :-(
+ */
+ if (bprm->argv_len > (audit_argv_kb << 10))
+ return -E2BIG;
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
if (!ax)
return -ENOMEM;
ax->argc = bprm->argc;
ax->envc = bprm->envc;
- for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
- struct page *page = bprm->page[p / PAGE_SIZE];
- void *kaddr = kmap(page);
- next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
- memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
- to += next - p;
- kunmap(page);
- }
-
+ ax->mm = bprm->mm;
ax->d.type = AUDIT_EXECVE;
ax->d.next = context->aux;
context->aux = (void *)ax;
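Review bot: `ax->mm = bprm->mm;` stores a bare pointer with no reference taken, and the only guard on its later use is the `axi->mm != current->mm` test in audit_log_execve_info(). That works for a failed exec only because the task's existing mm stays alive until syscall exit, so a freed bprm->mm cannot be mistaken for it; a comment saying so would help, or take a reference (mm_count with mmdrop()) if that cannot be relied on. Also, `audit_argv_kb << 10` is computed in int and then compared with the unsigned long argv_len, so a negative or oversized sysctl value wraps; validate the sysctl and do the comparison in unsigned long.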
diff -puN kernel/sysctl.c~audit-rework-execve-audit kernel/sysctl.c
--- a/kernel/sysctl.c~audit-rework-execve-audit
+++ a/kernel/sysctl.c
@@ -78,6 +78,7 @@ extern int percpu_pagelist_fraction;
extern int compat_log;
extern int maps_protect;
extern int sysctl_stat_interval;
+extern int audit_argv_kb;
/* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
static int maxolduid = 65535;
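Review bot: the loose `extern int audit_argv_kb;` belongs in include/linux/audit.h alongside the other audit tunables rather than in sysctl.c, so the declaration and the definition in kernel/auditsc.c stay in one place if the type ever changes.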
@@ -306,6 +307,16 @@ static ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec,
},
+#ifdef CONFIG_AUDITSYSCALL
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "audit_argv_kb",
+ .data = &audit_argv_kb,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
{
.ctl_name = KERN_CORE_PATTERN,
.procname = "core_pattern",
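Review bot: `proc_dointvec` puts no bounds on audit_argv_kb, so a write of a negative value or one large enough that `audit_argv_kb << 10` overflows is accepted and then misread by audit_bprm(). Use `.proc_handler = &proc_dointvec_minmax` with an `.extra1` lower bound of zero and a sensible `.extra2` upper bound so the cap cannot be pushed outside its meaning.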
_
Patches currently in -mm which might be from a.p.zijlstra(a)chello.nl are
origin.patch
intel-iommu-dmar-detection-and-parsing-logic.patch
intel-iommu-pci-generic-helper-function.patch
intel-iommu-clflush_cache_range-now-takes-size-param.patch
intel-iommu-iova-allocation-and-management-routines.patch
intel-iommu-intel-iommu-driver.patch
intel-iommu-avoid-memory-allocation-failures-in-dma-map-api-calls.patch
intel-iommu-intel-iommu-cmdline-option-forcedac.patch
intel-iommu-dmar-fault-handling-support.patch
intel-iommu-iommu-gfx-workaround.patch
intel-iommu-iommu-floppy-workaround.patch
17 years, 5 months
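A user-space model of the argv walk the commit message describes, added here as an illustration rather than code from the patch or the kernel: strings are read back to back from a constructed argument area, bounded per string the way audit_log_execve_info() bounds them with strnlen_user(), capped in total the way audit_bprm() caps them with audit_argv_kb, and emitted with the quote-or-hex rule of audit_log_untrustedstring(). The names log_execve_args, log_untrusted and arg_kb are this example's own.

```c
#include <stdio.h>
#include <string.h>
/* Added user-space model (not kernel code): arg_kb stands in for audit_argv_kb. */
#define MAX_ARG_STRLEN 4096
/* Mirror of audit_log_untrustedstring(): quote the string as-is unless it holds
 * a double quote or a byte outside 0x21..0x7e, in which case emit it as hex. */
static size_t log_untrusted(char *out, size_t cap, const char *s)
{
    size_t i, n = strlen(s), w = 0;
    for (i = 0; i < n; i++)
        if (s[i] == '"' || (unsigned char)s[i] < 0x21 || (unsigned char)s[i] > 0x7e)
            break;
    if (i == n)
        return (size_t)snprintf(out, cap, "\"%s\"", s);
    for (i = 0; i < n; i++)
        w += (size_t)snprintf(out + w, cap > w ? cap - w : 0, "%02X",
                              (unsigned char)s[i]);
    return w;
}
/* Walk argc NUL-terminated strings in [arg_start, arg_start + arg_len), writing
 * one "a<i>=<value>\n" record each. Returns the record count; -1 if the area is
 * over arg_kb KiB (the -E2BIG cap); -2 if a string is missing, unterminated or
 * longer than MAX_ARG_STRLEN (the patch's WARN_ON/SIGKILL case). */
int log_execve_args(const char *arg_start, size_t arg_len, int argc,
                    int arg_kb, char *out, size_t cap)
{
    const char *p = arg_start, *end = arg_start + arg_len;
    size_t len, w = 0;
    int i;
    if (arg_kb < 0 || arg_len > ((size_t)arg_kb << 10))
        return -1;
    for (i = 0; i < argc; i++, p += len) {
        if (p >= end)
            return -2;
        for (len = 0; p + len < end && p[len]; len++) ;   /* bounded strnlen */
        if (p + len == end || ++len > MAX_ARG_STRLEN)
            return -2;
        w += (size_t)snprintf(out + w, cap > w ? cap - w : 0, "a%d=", i);
        w += log_untrusted(out + w, cap > w ? cap - w : 0, p);
        w += (size_t)snprintf(out + w, cap > w ? cap - w : 0, "\n");
    }
    return i;
}
int main(void)
{   /* Constructed arg area laid out as the stack holds it: NUL-separated. */
    static const char area[] = "/usr/bin/echo\0hello world\0-n\0";
    char out[256];
    int n = log_execve_args(area, sizeof(area) - 1, 3, 32, out, sizeof out);
    printf("%d records\n%s", n, out);
    return 0;
}
```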
Audit rule problem
by Roger Holm
Hello.
I wonder if someone can help me with an audit rule issue?
I want to log if someone uses the rpm command (to install/upgrade
packages), but not the rest of commands. Only the rpm command!
Is it possible? If so, can anyone please tell me how to write the rule
string? I've searched the internet, without success.
Regards
Roger Holm
17 years, 5 months