[PATCH 1/7] audit: implement generic feature setting and retrieving
by Eric Paris
The audit_status structure was not designed with extensibility in mind.
Define a new AUDIT_SET_FEATURE message type which takes a new structure
of bits where things can be enabled/disabled/locked one at a time. This
structure should be able to grow in the future while maintaining forward
and backward compatibility (based loosly on the ideas from capabilities
and prctl)
This does not actually add any features, but is just infrastructure to
allow new on/off types of audit system features.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
include/linux/audit.h | 2 +
include/uapi/linux/audit.h | 16 +++++++
kernel/audit.c | 110 ++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 127 insertions(+), 1 deletion(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 729a4d1..7b31bec 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -73,6 +73,8 @@ struct audit_field {
void *lsm_rule;
};
+extern int is_audit_feature_set(int which);
+
extern int __init audit_register_class(int class, unsigned *list);
extern int audit_classify_syscall(int abi, unsigned syscall);
extern int audit_classify_arch(int arch);
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b7cb978..a053243 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -68,6 +68,9 @@
#define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */
#define AUDIT_TTY_GET 1016 /* Get TTY auditing status */
#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
+#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
+#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
+#define AUDIT_FEATURE_CHANGE 1020 /* audit log listing feature changes */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC 1107 /* We filter this differently */
@@ -369,6 +372,19 @@ struct audit_status {
__u32 backlog; /* messages waiting in queue */
};
+struct audit_features {
+#define AUDIT_FEATURE_VERSION 1
+ __u32 vers;
+ __u32 mask; /* which bits we are dealing with */
+ __u32 features; /* which feature to enable/disable */
+ __u32 lock; /* which features to lock */
+};
+
+#define AUDIT_LAST_FEATURE -1
+
+#define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
+#define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */
+
struct audit_tty_status {
__u32 enabled; /* 1 = enabled, 0 = disabled */
__u32 log_passwd; /* 1 = enabled, 0 = disabled */
diff --git a/kernel/audit.c b/kernel/audit.c
index f2f4666..3acbbc8 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -140,6 +140,15 @@ static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
+static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
+ .mask = -1,
+ .features = 0,
+ .lock = 0,};
+
+static char *audit_feature_names[0] = {
+};
+
+
/* Serialize requests from userspace. */
DEFINE_MUTEX(audit_cmd_mutex);
@@ -584,6 +593,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return -EOPNOTSUPP;
case AUDIT_GET:
case AUDIT_SET:
+ case AUDIT_GET_FEATURE:
+ case AUDIT_SET_FEATURE:
case AUDIT_LIST_RULES:
case AUDIT_ADD_RULE:
case AUDIT_DEL_RULE:
@@ -628,6 +639,94 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
return rc;
}
+int is_audit_feature_set(int i)
+{
+ return af.features & AUDIT_FEATURE_TO_MASK(i);
+}
+
+
+static int audit_get_feature(struct sk_buff *skb)
+{
+ u32 seq;
+
+ seq = nlmsg_hdr(skb)->nlmsg_seq;
+
+ audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
+ &af, sizeof(af));
+
+ return 0;
+}
+
+static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
+ u32 old_lock, u32 new_lock, int res)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ audit_log_format(ab, "feature=%s new=%d old=%d old_lock=%d new_lock=%d res=%d",
+ audit_feature_names[which], !!old_feature, !!new_feature,
+ !!old_lock, !!new_lock, res);
+ audit_log_end(ab);
+}
+
+static int audit_set_feature(struct sk_buff *skb)
+{
+ struct audit_features *uaf;
+ int i;
+
+ BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0]));
+ uaf = nlmsg_data(nlmsg_hdr(skb));
+
+ /* if there is ever a version 2 we should handle that here */
+
+ for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
+ u32 feature = AUDIT_FEATURE_TO_MASK(i);
+ u32 old_feature, new_feature, old_lock, new_lock;
+
+ /* if we are not changing this feature, move along */
+ if (!(feature & uaf->mask))
+ continue;
+
+ old_feature = af.features & feature;
+ new_feature = uaf->features & feature;
+ new_lock = (uaf->lock | af.lock) & feature;
+ old_lock = af.lock & feature;
+
+ /* are we changing a locked feature? */
+ if ((af.lock & feature) && (new_feature != old_feature)) {
+ audit_log_feature_change(i, old_feature, new_feature,
+ old_lock, new_lock, 0);
+ return -EPERM;
+ }
+ }
+ /* nothing invalid, do the changes */
+ for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
+ u32 feature = AUDIT_FEATURE_TO_MASK(i);
+ u32 old_feature, new_feature, old_lock, new_lock;
+
+ /* if we are not changing this feature, move along */
+ if (!(feature & uaf->mask))
+ continue;
+
+ old_feature = af.features & feature;
+ new_feature = uaf->features & feature;
+ old_lock = af.lock & feature;
+ new_lock = (uaf->lock | af.lock) & feature;
+
+ if (new_feature != old_feature)
+ audit_log_feature_change(i, old_feature, new_feature,
+ old_lock, new_lock, 1);
+
+ if (new_feature)
+ af.features |= feature;
+ else
+ af.features &= ~feature;
+ af.lock |= new_lock;
+ }
+
+ return 0;
+}
+
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 seq;
@@ -699,7 +798,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
err = audit_set_backlog_limit(status_get->backlog_limit);
break;
- case AUDIT_USER:
+ case AUDIT_GET_FEATURE:
+ err = audit_get_feature(skb);
+ if (err)
+ return err;
+ break;
+ case AUDIT_SET_FEATURE:
+ err = audit_set_feature(skb);
+ if (err)
+ return err;
+ break;
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
--
1.8.2.1
10 years, 2 months
[PATCH] Support for auditing on the actions of a not-yet-executed process.
by Peter Moody
eg:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1
to see instances of /bin/bash opening a non-local socket. Or
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1
to instances of /bin/bash, and any descendant processes, opening a non local socket.
proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
and it seemed like there was interest.
Signed-off-by: Peter Moody <pmoody(a)google.com>
---
trunk/lib/errormsg.h | 2 +-
trunk/lib/fieldtab.h | 2 ++
trunk/lib/libaudit.c | 11 +++++++++++
trunk/lib/libaudit.h | 7 ++++++-
4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4d996d5..cd595ec 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
{ -15, 2, "-F unknown errno -"},
{ -16, 2, "-F unknown file type - " },
{ -17, 1, "can only be used with exit and entry filter list" },
- { -18, 1, "" }, // Unused
+ { -18, 1, "only takes = operator" },
{ -19, 0, "Key field needs a watch or syscall given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index c0432cc..245b541 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
_S(AUDIT_FILTERKEY, "key" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
+_S(AUDIT_EXE, "exe" )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 20eaf5f..06eed86 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
else
return -21;
break;
+ case AUDIT_EXE_CHILDREN:
+ case AUDIT_EXE:
+ {
+ struct stat buf;
+ if ((stat(v, &buf)) < 0)
+ return -2;
+ if (op != AUDIT_EQUAL)
+ return -18;
+ rule->values[rule->field_count] = (unsigned long)buf.st_ino;
+ }
+ break;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 89dd588..2c8a802 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -243,6 +243,12 @@ extern "C" {
#ifndef AUDIT_FIELD_COMPARE
#define AUDIT_FIELD_COMPARE 111
#endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
@@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
#endif
#endif
-
--
1.7.7.3
10 years, 6 months
[PATCH] ausearch: Add checkpoint capability and have incomplete logs carry forward when processing multiple audit.log files
by Burn Alting
All,
Attached is a patch for review.
It is against revision 829 within http://svn.fedorahosted.org/svn/audit
This patch
- allows ausearch to checkpoint itself, in that, successive invocations
will only display new events. This is enabled via the --checkpoint fn
option. The mods to ausearch.8 describe the method of achieving this.
- fixes a minor annoyance/bug in that, when ausearch processes events
from multiple audit.log files, incomplete events are considered as
complete (and hence printed) when ausearch encounters an EOF on input
from all the log files being processed. Now, ausearch only flushes
incomplete events on the last log file being processed.
Regards
Burn Alting
10 years, 7 months
[PATCH 00/12] RFC: steps to make audit pid namespace-safe
by Richard Guy Briggs
This patchset is a revival of some of Eric Biederman's work to make audit
pid-namespace-safe.
In a couple of places, audit was printing PIDs in the task's pid namespace
rather than relative to the audit daemon's pid namespace, which currently is
init_pid_ns.
It also allows processes to log audit user messages in their own pid
namespaces, which was not previously permitted. Please see:
https://bugzilla.redhat.com/show_bug.cgi?id=947530
https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1160372
https://bugzilla.novell.com/show_bug.cgi?id=786024
Part of the cleanup here involves deprecating task->pid and task->tgid, which
are error-prone duplicates of the task->pids structure
The next step which I hope to add to this patchset will be to purge task->pid
and task->tgid from the rest of the kernel if possible. Once that is done,
task_pid_nr_init_ns() and task_tgid_nr_init_ns() that were introduced in patch
05/12 and used in patches 06/12 and 08/12 could be replaced with task_pid_nr()
and task_tgid_nr(). Eric B. did take a stab at that, but checking all the
subtleties will be non-trivial.
Does anyone have any opinions or better yet hard data on cache line misses
between pid_nr(struct pid*) and pid_nr_ns(struct pid*, &init_pid_ns)? I'd
like to see pid_nr() use pid_nr_ns(struct pid*, &init_pid_ns), or
pid_nr_init_ns() eliminated in favour of the original pid_nr(). pid_nr()
currently accesses the first level of the pid structure without having to
dereference the level number. If there is an actual speed difference, it could
be worth keeping, otherwise, I'd prefer to simplify that code.
Eric also had a patch to add a printk option to format a struct pid pointer
which was PID namespace-aware. I don't see the point, but I'll let him explain
it.
Discuss.
Eric W. Biederman (5):
audit: Kill the unused struct audit_aux_data_capset
audit: Simplify and correct audit_log_capset
Richard Guy Briggs (7):
audit: fix netlink portid naming and types
pid: get ppid pid_t of task in init_pid_ns safely
audit: convert PPIDs to the inital PID namespace.
pid: get pid_t of task in init_pid_ns correctly
audit: store audit_pid as a struct pid pointer
audit: anchor all pid references in the initial pid namespace
pid: modify task_pid_nr to work without task->pid.
pid: modify task_tgid_nr to work without task->tgid.
pid: rewrite task helper functions avoiding task->pid and task->tgid
pid: mark struct task const in helper functions
drivers/tty/tty_audit.c | 3 +-
include/linux/audit.h | 8 ++--
include/linux/pid.h | 6 +++
include/linux/sched.h | 81 ++++++++++++++++++++++++----------
kernel/audit.c | 76 +++++++++++++++++++------------
kernel/audit.h | 12 +++---
kernel/auditfilter.c | 35 +++++++++++----
kernel/auditsc.c | 36 ++++++---------
kernel/capability.c | 2 +-
kernel/pid.c | 4 +-
security/apparmor/audit.c | 7 +--
security/integrity/integrity_audit.c | 2 +-
security/lsm_audit.c | 11 +++--
security/tomoyo/audit.c | 2 +-
14 files changed, 177 insertions(+), 108 deletions(-)
10 years, 7 months
Re: [PATCH RFC 7/8] audit: report namespace information along with USER events
by Eric W. Biederman
Aristeu Rozanski <arozansk(a)redhat.com> writes:
> For userspace generated events, include a record with the namespace
> procfs inode numbers the process belongs to. This allows to track down
> and filter audit messages by userspace.
I am not comfortable with using the inode numbers this way. It does not
pass the test of can I migrate a container and still have this work
test. Any kind of kernel assigned name for namespaces fails that test.
I also don't like that you don't include the procfs device number. An
inode number means nothing without knowing which filesystem you are
referring to.
It may never happen but I reserve the right to have the inode numbers
for namespaces to show up differently in different instances of procfs.
Beyond that I think this usage is possibly buggy by using two audit
records for one event.
> Signed-off-by: Aristeu Rozanski <arozansk(a)redhat.com>
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 51 +++++++++++++++++++++++++++++++++++++++++++-
> 2 files changed, 51 insertions(+), 1 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 9f096f1..3ec3ccb 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -106,6 +106,7 @@
> #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
> #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
> #define AUDIT_SECCOMP 1326 /* Secure Computing event */
> +#define AUDIT_USER_NAMESPACE 1327 /* Information about process' namespaces */
>
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 58db117..b17f9c0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,6 +62,11 @@
> #include <linux/freezer.h>
> #include <linux/tty.h>
> #include <linux/pid_namespace.h>
> +#include <linux/ipc_namespace.h>
> +#include <linux/mnt_namespace.h>
> +#include <linux/utsname.h>
> +#include <linux/user_namespace.h>
> +#include <net/net_namespace.h>
>
> #include "audit.h"
>
> @@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
> return rc;
> }
>
> +#ifdef CONFIG_NAMESPACES
> +static int audit_log_namespaces(struct task_struct *tsk,
> + struct sk_buff *skb)
> +{
> + struct audit_context *ctx = tsk->audit_context;
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return 0;
> +
> + ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE);
> + if (unlikely(!ab))
> + return -ENOMEM;
> +
> + audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk));
> +#ifdef CONFIG_NET_NS
> + audit_log_format(ab, " net=%u", netns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_UTS_NS
> + audit_log_format(ab, " uts=%u", utsns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_IPC_NS
> + audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_PID_NS
> + audit_log_format(ab, " pid=%u", pidns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_USER_NS
> + audit_log_format(ab, " user=%u", userns_get_inum(tsk));
> +#endif
> + audit_set_pid(ab, NETLINK_CB(skb).portid);
> + audit_log_end(ab);
> +
> + return 0;
> +}
> +#else
> +static inline int audit_log_namespaces(struct task_struct *tsk,
> + struct sk_buff *skb)
> +{
> + return 0;
> +}
> +#endif
> +
> static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> {
> u32 seq, sid;
> @@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> }
> audit_log_common_recv_msg(&ab, msg_type,
> loginuid, sessionid, sid,
> - NULL);
> + current->audit_context);
>
> if (msg_type != AUDIT_USER_TTY)
> audit_log_format(ab, " msg='%.1024s'",
> @@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> }
> audit_set_pid(ab, NETLINK_CB(skb).portid);
> audit_log_end(ab);
> + audit_log_namespaces(current, skb);
> }
> break;
> case AUDIT_ADD:
10 years, 9 months
[PATCH] audit: printk USER_AVC messages when audit isn't enabled
by Tyler Hicks
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of
4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
---
It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean
up audit_receive_msg()") introduced this bug, so I think that this patch should
also get the tag:
Cc: <stable(a)kernel.org> # v2.6.25+
Al and Eric, I'll leave that up to you two.
Here's my test matrix showing where messages end up as a result of a call to
libaudit's audit_log_user_avc_message():
| unpatched patched
----------------+--------------------------------
w/o audit=1 & | *dropped* syslog
w/o auditd |
|
w/ audit=1 & | syslog syslog
w/o auditd |
|
w/o audit=1 & | audit.log audit.log
w/ auditd |
|
w/ audit=1 & | audit.log audit.log
w/ auditd |
Thanks!
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..f4f2773 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
--
1.8.3.2
10 years, 9 months
[PATCH] audit/userspace: add support for the parisc architecture
by Helge Deller
The patch below adds support for the parisc architecture to the audit
userspace tool.
It would be great if you could apply this patch to trunk.
I posted the corresponding Linux kernel patch to the parisc mailing list
(https://patchwork.kernel.org/patch/3046731/) and plan to push it upstream when
the merge window for Linux kernel v3.13 opens.
Signed-off-by: Helge Deller <deller(a)gmx.de>
--- audit-2.3.2.orig/lib/Makefile.am
+++ audit-2.3.2/lib/Makefile.am
@@ -40,7 +40,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOU
BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
- s390x_tables.h x86_64_tables.h
+ s390x_tables.h x86_64_tables.h parisc_tables.h
if USE_ALPHA
BUILT_SOURCES += alpha_tables.h
endif
@@ -54,7 +54,7 @@ noinst_PROGRAMS = gen_actiontabs_h gen_e
gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
- gen_s390x_tables_h gen_x86_64_tables_h
+ gen_s390x_tables_h gen_x86_64_tables_h gen_parisc_tables_h
if USE_ALPHA
noinst_PROGRAMS += gen_alpha_tables_h
endif
@@ -142,6 +142,11 @@ gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '
ppc_tables.h: gen_ppc_tables_h Makefile
./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
+gen_parisc_tables_h_SOURCES = gen_tables.c gen_tables.h parisc_table.h
+gen_parisc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="parisc_table.h"'
+parisc_tables.h: gen_parisc_tables_h Makefile
+ ./gen_parisc_tables_h --lowercase --i2s --s2i parisc_syscall > $@
+
gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
s390_tables.h: gen_s390_tables_h Makefile
--- audit-2.3.2.orig/lib/libaudit.c
+++ audit-2.3.2/lib/libaudit.c
@@ -1304,6 +1304,9 @@ int audit_rule_fieldpair_data(struct aud
machine == MACH_PPC64)
machine = MACH_PPC;
else if (bits == ~__AUDIT_ARCH_64BIT &&
+ machine == MACH_PARISC64)
+ machine = MACH_PARISC;
+ else if (bits == ~__AUDIT_ARCH_64BIT &&
machine == MACH_S390X)
machine = MACH_S390;
@@ -1324,6 +1327,10 @@ int audit_rule_fieldpair_data(struct aud
if (bits == __AUDIT_ARCH_64BIT)
return -6;
break;
+ case MACH_PARISC:
+ if (bits == __AUDIT_ARCH_64BIT)
+ return -6;
+ break;
case MACH_S390:
if (bits == __AUDIT_ARCH_64BIT)
return -6;
@@ -1342,6 +1349,7 @@ int audit_rule_fieldpair_data(struct aud
#endif
case MACH_86_64: /* fallthrough */
case MACH_PPC64: /* fallthrough */
+ case MACH_PARISC64: /* fallthrough */
case MACH_S390X: /* fallthrough */
break;
default:
--- audit-2.3.2.orig/lib/libaudit.h
+++ audit-2.3.2/lib/libaudit.h
@@ -417,7 +417,9 @@ typedef enum {
MACH_S390,
MACH_ALPHA,
MACH_ARMEB,
- MACH_AARCH64
+ MACH_AARCH64,
+ MACH_PARISC64,
+ MACH_PARISC
} machine_t;
/* These are the valid audit failure tunable enum values */
--- audit-2.3.2.orig/lib/lookup_table.c
+++ audit-2.3.2/lib/lookup_table.c
@@ -47,6 +47,7 @@
#include "i386_tables.h"
#include "ia64_tables.h"
#include "ppc_tables.h"
+#include "parisc_tables.h"
#include "s390_tables.h"
#include "s390x_tables.h"
#include "x86_64_tables.h"
@@ -82,6 +83,8 @@ static const struct int_transtab elftab[
#ifdef WITH_AARCH64
{ MACH_AARCH64, AUDIT_ARCH_AARCH64},
#endif
+ { MACH_PARISC64,AUDIT_ARCH_PARISC64 },
+ { MACH_PARISC, AUDIT_ARCH_PARISC },
};
#define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0]))
@@ -126,6 +129,10 @@ int audit_name_to_syscall(const char *sc
case MACH_PPC:
found = ppc_syscall_s2i(sc, &res);
break;
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ found = parisc_syscall_s2i(sc, &res);
+ break;
case MACH_S390X:
found = s390x_syscall_s2i(sc, &res);
break;
@@ -171,6 +178,9 @@ const char *audit_syscall_to_name(int sc
case MACH_PPC64:
case MACH_PPC:
return ppc_syscall_i2s(sc);
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ return parisc_syscall_i2s(sc);
case MACH_S390X:
return s390x_syscall_i2s(sc);
case MACH_S390:
--- audit-2.3.2.orig/lib/machinetab.h
+++ audit-2.3.2/lib/machinetab.h
@@ -43,3 +43,5 @@ _S(MACH_ARMEB, "armv7l")
#ifdef WITH_AARCH64
_S(MACH_AARCH64, "aarch64" )
#endif
+_S(MACH_PARISC64, "parisc64" )
+_S(MACH_PARISC, "parisc" )
--- /dev/null
+++ audit-2.3.2/lib/parisc_table.h
@@ -0,0 +1,333 @@
+_S(0, "restart_syscall")
+_S(1, "exit")
+_S(2, "fork")
+_S(3, "read")
+_S(4, "write")
+_S(5, "open")
+_S(6, "close")
+_S(7, "waitpid")
+_S(8, "creat")
+_S(9, "link")
+_S(10, "unlink")
+_S(11, "execve")
+_S(12, "chdir")
+_S(13, "time")
+_S(14, "mknod")
+_S(15, "chmod")
+_S(16, "lchown")
+_S(17, "socket")
+_S(18, "stat")
+_S(19, "lseek")
+_S(20, "getpid")
+_S(21, "mount")
+_S(22, "bind")
+_S(23, "setuid")
+_S(24, "getuid")
+_S(25, "stime")
+_S(26, "ptrace")
+_S(27, "alarm")
+_S(28, "fstat")
+_S(29, "pause")
+_S(30, "utime")
+_S(31, "connect")
+_S(32, "listen")
+_S(33, "access")
+_S(34, "nice")
+_S(35, "accept")
+_S(36, "sync")
+_S(37, "kill")
+_S(38, "rename")
+_S(39, "mkdir")
+_S(40, "rmdir")
+_S(41, "dup")
+_S(42, "pipe")
+_S(43, "times")
+_S(44, "getsockname")
+_S(45, "brk")
+_S(46, "setgid")
+_S(47, "getgid")
+_S(48, "signal")
+_S(49, "geteuid")
+_S(50, "getegid")
+_S(51, "acct")
+_S(52, "umount2")
+_S(53, "getpeername")
+_S(54, "ioctl")
+_S(55, "fcntl")
+_S(56, "socketpair")
+_S(57, "setpgid")
+_S(58, "send")
+_S(59, "uname")
+_S(60, "umask")
+_S(61, "chroot")
+_S(62, "ustat")
+_S(63, "dup2")
+_S(64, "getppid")
+_S(65, "getpgrp")
+_S(66, "setsid")
+_S(67, "pivot_root")
+_S(68, "sgetmask")
+_S(69, "ssetmask")
+_S(70, "setreuid")
+_S(71, "setregid")
+_S(72, "mincore")
+_S(73, "sigpending")
+_S(74, "sethostname")
+_S(75, "setrlimit")
+_S(76, "getrlimit")
+_S(77, "getrusage")
+_S(78, "gettimeofday")
+_S(79, "settimeofday")
+_S(80, "getgroups")
+_S(81, "setgroups")
+_S(82, "sendto")
+_S(83, "symlink")
+_S(84, "lstat")
+_S(85, "readlink")
+_S(86, "uselib")
+_S(87, "swapon")
+_S(88, "reboot")
+_S(89, "mmap2")
+_S(90, "mmap")
+_S(91, "munmap")
+_S(92, "truncate")
+_S(93, "ftruncate")
+_S(94, "fchmod")
+_S(95, "fchown")
+_S(96, "getpriority")
+_S(97, "setpriority")
+_S(98, "recv")
+_S(99, "statfs")
+_S(100, "fstatfs")
+_S(101, "stat64")
+_S(103, "syslog")
+_S(104, "setitimer")
+_S(105, "getitimer")
+_S(106, "capget")
+_S(107, "capset")
+_S(108, "pread64")
+_S(109, "pwrite64")
+_S(110, "getcwd")
+_S(111, "vhangup")
+_S(112, "fstat64")
+_S(113, "vfork")
+_S(114, "wait4")
+_S(115, "swapoff")
+_S(116, "sysinfo")
+_S(117, "shutdown")
+_S(118, "fsync")
+_S(119, "madvise")
+_S(120, "clone")
+_S(121, "setdomainname")
+_S(122, "sendfile")
+_S(123, "recvfrom")
+_S(124, "adjtimex")
+_S(125, "mprotect")
+_S(126, "sigprocmask")
+_S(127, "create_module")
+_S(128, "init_module")
+_S(129, "delete_module")
+_S(130, "get_kernel_syms")
+_S(131, "quotactl")
+_S(132, "getpgid")
+_S(133, "fchdir")
+_S(134, "bdflush")
+_S(135, "sysfs")
+_S(136, "personality")
+_S(137, "afs_syscall")
+_S(138, "setfsuid")
+_S(139, "setfsgid")
+_S(140, "_llseek")
+_S(141, "getdents")
+_S(142, "_newselect")
+_S(143, "flock")
+_S(144, "msync")
+_S(145, "readv")
+_S(146, "writev")
+_S(147, "getsid")
+_S(148, "fdatasync")
+_S(149, "_sysctl")
+_S(150, "mlock")
+_S(151, "munlock")
+_S(152, "mlockall")
+_S(153, "munlockall")
+_S(154, "sched_setparam")
+_S(155, "sched_getparam")
+_S(156, "sched_setscheduler")
+_S(157, "sched_getscheduler")
+_S(158, "sched_yield")
+_S(159, "sched_get_priority_max")
+_S(160, "sched_get_priority_min")
+_S(161, "sched_rr_get_interval")
+_S(162, "nanosleep")
+_S(163, "mremap")
+_S(164, "setresuid")
+_S(165, "getresuid")
+_S(166, "sigaltstack")
+_S(167, "query_module")
+_S(168, "poll")
+_S(169, "nfsservctl")
+_S(170, "setresgid")
+_S(171, "getresgid")
+_S(172, "prctl")
+_S(173, "rt_sigreturn")
+_S(174, "rt_sigaction")
+_S(175, "rt_sigprocmask")
+_S(176, "rt_sigpending")
+_S(177, "rt_sigtimedwait")
+_S(178, "rt_sigqueueinfo")
+_S(179, "rt_sigsuspend")
+_S(180, "chown")
+_S(181, "setsockopt")
+_S(182, "getsockopt")
+_S(183, "sendmsg")
+_S(184, "recvmsg")
+_S(185, "semop")
+_S(186, "semget")
+_S(187, "semctl")
+_S(188, "msgsnd")
+_S(189, "msgrcv")
+_S(190, "msgget")
+_S(191, "msgctl")
+_S(192, "shmat")
+_S(193, "shmdt")
+_S(194, "shmget")
+_S(195, "shmctl")
+_S(196, "getpmsg")
+_S(197, "putpmsg")
+_S(198, "lstat64")
+_S(199, "truncate64")
+_S(200, "ftruncate64")
+_S(201, "getdents64")
+_S(202, "fcntl64")
+_S(203, "attrctl")
+_S(204, "acl_get")
+_S(205, "acl_set")
+_S(206, "gettid")
+_S(207, "readahead")
+_S(208, "tkill")
+_S(209, "sendfile64")
+_S(210, "futex")
+_S(211, "sched_setaffinity")
+_S(212, "sched_getaffinity")
+_S(213, "set_thread_area")
+_S(214, "get_thread_area")
+_S(215, "io_setup")
+_S(216, "io_destroy")
+_S(217, "io_getevents")
+_S(218, "io_submit")
+_S(219, "io_cancel")
+_S(220, "alloc_hugepages")
+_S(221, "free_hugepages")
+_S(222, "exit_group")
+_S(223, "lookup_dcookie")
+_S(224, "epoll_create")
+_S(225, "epoll_ctl")
+_S(226, "epoll_wait")
+_S(227, "remap_file_pages")
+_S(228, "semtimedop")
+_S(229, "mq_open")
+_S(230, "mq_unlink")
+_S(231, "mq_timedsend")
+_S(232, "mq_timedreceive")
+_S(233, "mq_notify")
+_S(234, "mq_getsetattr")
+_S(235, "waitid")
+_S(236, "fadvise64_64")
+_S(237, "set_tid_address")
+_S(238, "setxattr")
+_S(239, "lsetxattr")
+_S(240, "fsetxattr")
+_S(241, "getxattr")
+_S(242, "lgetxattr")
+_S(243, "fgetxattr")
+_S(244, "listxattr")
+_S(245, "llistxattr")
+_S(246, "flistxattr")
+_S(247, "removexattr")
+_S(248, "lremovexattr")
+_S(249, "fremovexattr")
+_S(250, "timer_create")
+_S(251, "timer_settime")
+_S(252, "timer_gettime")
+_S(253, "timer_getoverrun")
+_S(254, "timer_delete")
+_S(255, "clock_settime")
+_S(256, "clock_gettime")
+_S(257, "clock_getres")
+_S(258, "clock_nanosleep")
+_S(259, "tgkill")
+_S(260, "mbind")
+_S(261, "get_mempolicy")
+_S(262, "set_mempolicy")
+_S(263, "vserver")
+_S(264, "add_key")
+_S(265, "request_key")
+_S(266, "keyctl")
+_S(267, "ioprio_set")
+_S(268, "ioprio_get")
+_S(269, "inotify_init")
+_S(270, "inotify_add_watch")
+_S(271, "inotify_rm_watch")
+_S(272, "migrate_pages")
+_S(273, "pselect6")
+_S(274, "ppoll")
+_S(275, "openat")
+_S(276, "mkdirat")
+_S(277, "mknodat")
+_S(278, "fchownat")
+_S(279, "futimesat")
+_S(280, "fstatat64")
+_S(281, "unlinkat")
+_S(282, "renameat")
+_S(283, "linkat")
+_S(284, "symlinkat")
+_S(285, "readlinkat")
+_S(286, "fchmodat")
+_S(287, "faccessat")
+_S(288, "unshare")
+_S(289, "set_robust_list")
+_S(290, "get_robust_list")
+_S(291, "splice")
+_S(292, "sync_file_range")
+_S(293, "tee")
+_S(294, "vmsplice")
+_S(295, "move_pages")
+_S(296, "getcpu")
+_S(297, "epoll_pwait")
+_S(298, "statfs64")
+_S(299, "fstatfs64")
+_S(300, "kexec_load")
+_S(301, "utimensat")
+_S(302, "signalfd")
+_S(303, "timerfd")
+_S(304, "eventfd")
+_S(305, "fallocate")
+_S(306, "timerfd_create")
+_S(307, "timerfd_settime")
+_S(308, "timerfd_gettime")
+_S(309, "signalfd4")
+_S(310, "eventfd2")
+_S(311, "epoll_create1")
+_S(312, "dup3")
+_S(313, "pipe2")
+_S(314, "inotify_init1")
+_S(315, "preadv")
+_S(316, "pwritev")
+_S(317, "rt_tgsigqueueinfo")
+_S(318, "perf_event_open")
+_S(319, "recvmmsg")
+_S(320, "accept4")
+_S(321, "prlimit64")
+_S(322, "fanotify_init")
+_S(323, "fanotify_mark")
+_S(324, "clock_adjtime")
+_S(325, "name_to_handle_at")
+_S(326, "open_by_handle_at")
+_S(327, "syncfs")
+_S(328, "setns")
+_S(329, "sendmmsg")
+_S(330, "process_vm_readv")
+_S(331, "process_vm_writev")
+_S(332, "kcmp")
+_S(333, "finit_module")
--- audit-2.3.2.orig/lib/syscall-update.txt
+++ audit-2.3.2/lib/syscall-update.txt
@@ -18,3 +18,6 @@ For adding new arches, the following mig
cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; '
it will still need hand editing
+
+for parisc:
+cat /usr/include/hppa-linux-gnu/asm/unistd.h | grep '^#define __NR_' | grep \(__NR_Linux | sed "s/#define *__NR_//g" | tr -d ")" | awk '{ printf "_S(%s, \"%s\")\n", $4, $1 };'
--- audit-2.3.2.orig/lib/test/lookup_test.c
+++ audit-2.3.2/lib/test/lookup_test.c
@@ -222,6 +222,23 @@ test_ppc_table(void)
}
static void
+test_parisc_table(void)
+{
+ static const struct entry t[] = {
+#include "../parisc_table.h"
+ };
+
+ printf("Testing parisc_table...\n");
+#define I2S(I) audit_syscall_to_name((I), MACH_PARISC)
+#define S2I(S) audit_name_to_syscall((S), MACH_PARISC)
+ TEST_I2S(0);
+ TEST_S2I(-1);
+#undef I2S
+#undef S2I
+}
+
+
+static void
test_s390_table(void)
{
static const struct entry t[] = {
@@ -415,6 +432,7 @@ main(void)
test_i386_table();
test_ia64_table();
test_ppc_table();
+ test_parisc_table();
test_s390_table();
test_s390x_table();
test_x86_64_table();
10 years, 9 months
[RFC Part1 PATCH 00/20 v2] Add namespace support for audit
by Gao feng
Here is the v1 patchset: http://lwn.net/Articles/549546/
The main target of this patchset is allowing user in audit
namespace to generate the USER_MSG type of audit message,
some userspace tools need to generate audit message, or
these tools will broken.
And the login process in container may want to setup
/proc/<pid>/loginuid, right now this value is unalterable
once it being set. this will also broke the login problem
in container. After this patchset, we can reset this loginuid
to zero if task is running in a new audit namespace.
Same with v1 patchset, in this patchset, only the privileged
user in init_audit_ns and init_user_ns has rights to
add/del audit rules. and these rules are gloabl. all
audit namespace will comply with the rules.
Compared with v1, v2 patch has some big changes.
1, the audit namespace is not assigned to user namespace.
since there is no available bit of flags for clone, we
create audit namespace through netlink, patch[18/20]
introduces a new audit netlink type AUDIT_CREATE_NS.
the privileged user in userns has rights to create a
audit namespace, it means the unprivileged user can
create auditns through create userns first. In order
to prevent them from doing harm to host, the default
audit_backlog_limit of un-init-audit-ns is zero(means
audit is unavailable in audit namespace). and it can't
be changed in auditns through netlink.
2, introduce /proc/<pid>/audit_log_limit
this interface is used to setup log_limit of audit
namespace. we need this interface to make audit
available in un-init-audit-ns. Only the privileged user
has right to set this value, it means only the root user
of host can change it.
3, make audit namespace don't depend on net namespace.
patch[1/20] add a compare function audit_compare for
audit netlink, it always return true, it means the
netlink subsystem will find out the netlink socket
only through portid and netlink type. So we needn't
to create kernel side audit netlink socket for per
net namespace, all userspace audit netlink socket
can find out the audit_sock, and audit_sock can
communicate with them through the proper portid.
it's just like the behavior we don't have net
namespace before.
This patchset still need some work, such as allow changing
audit_enabled in audit namespace, auditd wants this feature.
I send this patchset now in order to get more comments, so
I can keep on improving namespace support for audit.
Gao feng (20):
Audit: make audit netlink socket net namespace unaware
audit: introduce configure option CONFIG_AUDIT_NS
audit: make audit_skb_queue per audit namespace
audit: make audit_skb_hold_queue per audit namespace
audit: make audit_pid per audit namespace
audit: make kauditd_task per audit namespace
aduit: make audit_nlk_portid per audit namespace
audit: make kaudit_wait queue per audit namespace
audit: make audit_backlog_wait per audit namespace
audit: allow un-init audit ns to change pid and portid only
audit: use proper audit namespace in audit_receive_msg
audit: use proper audit_namespace in kauditd_thread
audit: introduce new audit logging interface for audit namespace
audit: pass proper audit namespace to audit_log_common_recv_msg
audit: Log audit pid config change in audit namespace
audit: allow GET,SET,USER MSG operations in audit namespace
nsproxy: don't make create_new_namespaces static
audit: add new message type AUDIT_CREATE_NS
audit: make audit_backlog_limit per audit namespace
audit: introduce /proc/<pid>/audit_backlog_limit
fs/proc/base.c | 53 ++++++
include/linux/audit.h | 26 ++-
include/linux/audit_namespace.h | 92 ++++++++++
include/linux/nsproxy.h | 15 +-
include/uapi/linux/audit.h | 1 +
init/Kconfig | 10 ++
kernel/Makefile | 2 +-
kernel/audit.c | 364 +++++++++++++++++++++++++---------------
kernel/audit.h | 5 +-
kernel/audit_namespace.c | 123 ++++++++++++++
kernel/auditsc.c | 6 +-
kernel/nsproxy.c | 18 +-
12 files changed, 561 insertions(+), 154 deletions(-)
create mode 100644 include/linux/audit_namespace.h
create mode 100644 kernel/audit_namespace.c
--
1.8.3.1
10 years, 10 months
[PATCH] audit: listen in all network namespaces
by Richard Guy Briggs
Convert audit from only listening in init_net to use register_pernet_subsys()
to dynamically manage the netlink socket list.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++---------
kernel/audit.h | 4 +++
2 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..06e2676 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -64,6 +64,7 @@
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
+#include <net/netns/generic.h>
#include "audit.h"
@@ -122,6 +123,7 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
+int audit_net_id;
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
@@ -391,6 +393,7 @@ static void kauditd_send_skb(struct sk_buff *skb)
printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
audit_log_lost("auditd disappeared\n");
audit_pid = 0;
+ audit_sock = NULL;
/* we might get lucky and get this in the next auditd */
audit_hold_skb(skb);
} else
@@ -474,13 +477,15 @@ int audit_send_list(void *_dest)
struct audit_netlink_list *dest = _dest;
int pid = dest->pid;
struct sk_buff *skb;
+ struct net *net = get_net_ns_by_pid(pid);
+ struct audit_net *aunet = net_generic(net, audit_net_id);
/* wait for parent to finish and send an ACK */
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
while ((skb = __skb_dequeue(&dest->q)) != NULL)
- netlink_unicast(audit_sock, skb, pid, 0);
+ netlink_unicast(aunet->nlsk, skb, pid, 0);
kfree(dest);
@@ -515,13 +520,15 @@ out_kfree_skb:
static int audit_send_reply_thread(void *arg)
{
struct audit_reply *reply = (struct audit_reply *)arg;
+ struct net *net = get_net_ns_by_pid(reply->pid);
+ struct audit_net *aunet = net_generic(net, audit_net_id);
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
/* Ignore failure. It'll only happen if the sender goes away,
because our timeout is set to infinite. */
- netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
+ netlink_unicast(aunet->nlsk , reply->skb, reply->pid, 0);
kfree(reply);
return 0;
}
@@ -690,6 +697,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
audit_nlk_portid = NETLINK_CB(skb).portid;
+ audit_sock = NETLINK_CB(skb).sk;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(status_get->rate_limit);
@@ -886,24 +894,58 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
-/* Initialize audit support at boot time. */
-static int __init audit_init(void)
+static int __net_init audit_net_init(struct net *net)
{
- int i;
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
};
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+
+ pr_info("audit: initializing netlink socket in namespace\n");
+
+ aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
+ if (aunet->nlsk == NULL)
+ return -ENOMEM;
+ if (!aunet->nlsk)
+ audit_panic("cannot initialize netlink socket in namespace");
+ else
+ aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ return 0;
+}
+
+static void __net_exit audit_net_exit(struct net *net)
+{
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+ struct sock *sock = aunet->nlsk;
+ if (sock == audit_sock) {
+ audit_pid = 0;
+ audit_sock = NULL;
+ }
+
+ rcu_assign_pointer(aunet->nlsk, NULL);
+ synchronize_net();
+ netlink_kernel_release(sock);
+}
+
+static struct pernet_operations __net_initdata audit_net_ops = {
+ .init = audit_net_init,
+ .exit = audit_net_exit,
+ .id = &audit_net_id,
+ .size = sizeof(struct audit_net),
+};
+
+/* Initialize audit support at boot time. */
+static int __init audit_init(void)
+{
+ int i;
+
if (audit_initialized == AUDIT_DISABLED)
return 0;
- printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
+ pr_info("audit: initializing netlink subsys (%s)\n",
audit_default ? "enabled" : "disabled");
- audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
- if (!audit_sock)
- audit_panic("cannot initialize netlink socket");
- else
- audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ register_pernet_subsys(&audit_net_ops);
skb_queue_head_init(&audit_skb_queue);
skb_queue_head_init(&audit_skb_hold_queue);
diff --git a/kernel/audit.h b/kernel/audit.h
index 123c9b7..b7cc537 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -249,6 +249,10 @@ struct audit_netlink_list {
int audit_send_list(void *);
+struct audit_net {
+ struct sock *nlsk;
+};
+
extern int selinux_audit_rule_update(void);
extern struct mutex audit_filter_mutex;
--
1.7.1
10 years, 10 months
Rational behind RefuseManualStop=yes in auditd.service
by Laurent Bigonville
Hi,
I would like to know the rational behind RefuseManualStop=yes in
auditd.service file.
I'm currently looking at upgrading the audit package in debian and
RefuseManualStop=yes is preventing the daemon to be restarted during
upgrade.
Looking at systemd.unit(5) manpage, I don't have the feeling that it
should be used in this case.
As a side note, it seems that the *.spec file is stopping the daemon in
the %preun so this could fail I guess?
Any thoughts on this?
Laurent Bigonville
10 years, 10 months