November 2013 - Linux-audit - Linux-Audit List Archives

[PATCH] audit/userspace: add support for the parisc architecture

by Helge Deller

The patch below adds support for the parisc architecture to the audit userspace tool. It would be great if you could apply this patch to trunk. I posted the corresponding Linux kernel patch to the parisc mailing list (https://patchwork.kernel.org/patch/3046731/) and plan to push it upstream when the merge window for Linux kernel v3.13 opens. Signed-off-by: Helge Deller <deller(a)gmx.de> --- audit-2.3.2.orig/lib/Makefile.am +++ audit-2.3.2/lib/Makefile.am @@ -40,7 +40,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOU BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \ msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ - s390x_tables.h x86_64_tables.h + s390x_tables.h x86_64_tables.h parisc_tables.h if USE_ALPHA BUILT_SOURCES += alpha_tables.h endif @@ -54,7 +54,7 @@ noinst_PROGRAMS = gen_actiontabs_h gen_e gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \ gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \ gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \ - gen_s390x_tables_h gen_x86_64_tables_h + gen_s390x_tables_h gen_x86_64_tables_h gen_parisc_tables_h if USE_ALPHA noinst_PROGRAMS += gen_alpha_tables_h endif @@ -142,6 +142,11 @@ gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) ' ppc_tables.h: gen_ppc_tables_h Makefile ./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@ +gen_parisc_tables_h_SOURCES = gen_tables.c gen_tables.h parisc_table.h +gen_parisc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="parisc_table.h"' +parisc_tables.h: gen_parisc_tables_h Makefile + ./gen_parisc_tables_h --lowercase --i2s --s2i parisc_syscall > $@ + gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"' s390_tables.h: gen_s390_tables_h Makefile --- audit-2.3.2.orig/lib/libaudit.c +++ audit-2.3.2/lib/libaudit.c @@ -1304,6 +1304,9 @@ int audit_rule_fieldpair_data(struct aud machine == MACH_PPC64) machine = MACH_PPC; else if (bits == ~__AUDIT_ARCH_64BIT && + machine == MACH_PARISC64) + machine = MACH_PARISC; + else if (bits == ~__AUDIT_ARCH_64BIT && machine == MACH_S390X) machine = MACH_S390; @@ -1324,6 +1327,10 @@ int audit_rule_fieldpair_data(struct aud if (bits == __AUDIT_ARCH_64BIT) return -6; break; + case MACH_PARISC: + if (bits == __AUDIT_ARCH_64BIT) + return -6; + break; case MACH_S390: if (bits == __AUDIT_ARCH_64BIT) return -6; @@ -1342,6 +1349,7 @@ int audit_rule_fieldpair_data(struct aud #endif case MACH_86_64: /* fallthrough */ case MACH_PPC64: /* fallthrough */ + case MACH_PARISC64: /* fallthrough */ case MACH_S390X: /* fallthrough */ break; default: --- audit-2.3.2.orig/lib/libaudit.h +++ audit-2.3.2/lib/libaudit.h @@ -417,7 +417,9 @@ typedef enum { MACH_S390, MACH_ALPHA, MACH_ARMEB, - MACH_AARCH64 + MACH_AARCH64, + MACH_PARISC64, + MACH_PARISC } machine_t; /* These are the valid audit failure tunable enum values */ --- audit-2.3.2.orig/lib/lookup_table.c +++ audit-2.3.2/lib/lookup_table.c @@ -47,6 +47,7 @@ #include "i386_tables.h" #include "ia64_tables.h" #include "ppc_tables.h" +#include "parisc_tables.h" #include "s390_tables.h" #include "s390x_tables.h" #include "x86_64_tables.h" @@ -82,6 +83,8 @@ static const struct int_transtab elftab[ #ifdef WITH_AARCH64 { MACH_AARCH64, AUDIT_ARCH_AARCH64}, #endif + { MACH_PARISC64,AUDIT_ARCH_PARISC64 }, + { MACH_PARISC, AUDIT_ARCH_PARISC }, }; #define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0])) @@ -126,6 +129,10 @@ int audit_name_to_syscall(const char *sc case MACH_PPC: found = ppc_syscall_s2i(sc, &res); break; + case MACH_PARISC64: + case MACH_PARISC: + found = parisc_syscall_s2i(sc, &res); + break; case MACH_S390X: found = s390x_syscall_s2i(sc, &res); break; @@ -171,6 +178,9 @@ const char *audit_syscall_to_name(int sc case MACH_PPC64: case MACH_PPC: return ppc_syscall_i2s(sc); + case MACH_PARISC64: + case MACH_PARISC: + return parisc_syscall_i2s(sc); case MACH_S390X: return s390x_syscall_i2s(sc); case MACH_S390: --- audit-2.3.2.orig/lib/machinetab.h +++ audit-2.3.2/lib/machinetab.h @@ -43,3 +43,5 @@ _S(MACH_ARMEB, "armv7l") #ifdef WITH_AARCH64 _S(MACH_AARCH64, "aarch64" ) #endif +_S(MACH_PARISC64, "parisc64" ) +_S(MACH_PARISC, "parisc" ) --- /dev/null +++ audit-2.3.2/lib/parisc_table.h @@ -0,0 +1,333 @@ +_S(0, "restart_syscall") +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(7, "waitpid") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(13, "time") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "lchown") +_S(17, "socket") +_S(18, "stat") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "bind") +_S(23, "setuid") +_S(24, "getuid") +_S(25, "stime") +_S(26, "ptrace") +_S(27, "alarm") +_S(28, "fstat") +_S(29, "pause") +_S(30, "utime") +_S(31, "connect") +_S(32, "listen") +_S(33, "access") +_S(34, "nice") +_S(35, "accept") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(44, "getsockname") +_S(45, "brk") +_S(46, "setgid") +_S(47, "getgid") +_S(48, "signal") +_S(49, "geteuid") +_S(50, "getegid") +_S(51, "acct") +_S(52, "umount2") +_S(53, "getpeername") +_S(54, "ioctl") +_S(55, "fcntl") +_S(56, "socketpair") +_S(57, "setpgid") +_S(58, "send") +_S(59, "uname") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "pivot_root") +_S(68, "sgetmask") +_S(69, "ssetmask") +_S(70, "setreuid") +_S(71, "setregid") +_S(72, "mincore") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(76, "getrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(80, "getgroups") +_S(81, "setgroups") +_S(82, "sendto") +_S(83, "symlink") +_S(84, "lstat") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "mmap2") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(95, "fchown") +_S(96, "getpriority") +_S(97, "setpriority") +_S(98, "recv") +_S(99, "statfs") +_S(100, "fstatfs") +_S(101, "stat64") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "capget") +_S(107, "capset") +_S(108, "pread64") +_S(109, "pwrite64") +_S(110, "getcwd") +_S(111, "vhangup") +_S(112, "fstat64") +_S(113, "vfork") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "shutdown") +_S(118, "fsync") +_S(119, "madvise") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "sendfile") +_S(123, "recvfrom") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(127, "create_module") +_S(128, "init_module") +_S(129, "delete_module") +_S(130, "get_kernel_syms") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(137, "afs_syscall") +_S(138, "setfsuid") +_S(139, "setfsgid") +_S(140, "_llseek") +_S(141, "getdents") +_S(142, "_newselect") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "_sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(164, "setresuid") +_S(165, "getresuid") +_S(166, "sigaltstack") +_S(167, "query_module") +_S(168, "poll") +_S(169, "nfsservctl") +_S(170, "setresgid") +_S(171, "getresgid") +_S(172, "prctl") +_S(173, "rt_sigreturn") +_S(174, "rt_sigaction") +_S(175, "rt_sigprocmask") +_S(176, "rt_sigpending") +_S(177, "rt_sigtimedwait") +_S(178, "rt_sigqueueinfo") +_S(179, "rt_sigsuspend") +_S(180, "chown") +_S(181, "setsockopt") +_S(182, "getsockopt") +_S(183, "sendmsg") +_S(184, "recvmsg") +_S(185, "semop") +_S(186, "semget") +_S(187, "semctl") +_S(188, "msgsnd") +_S(189, "msgrcv") +_S(190, "msgget") +_S(191, "msgctl") +_S(192, "shmat") +_S(193, "shmdt") +_S(194, "shmget") +_S(195, "shmctl") +_S(196, "getpmsg") +_S(197, "putpmsg") +_S(198, "lstat64") +_S(199, "truncate64") +_S(200, "ftruncate64") +_S(201, "getdents64") +_S(202, "fcntl64") +_S(203, "attrctl") +_S(204, "acl_get") +_S(205, "acl_set") +_S(206, "gettid") +_S(207, "readahead") +_S(208, "tkill") +_S(209, "sendfile64") +_S(210, "futex") +_S(211, "sched_setaffinity") +_S(212, "sched_getaffinity") +_S(213, "set_thread_area") +_S(214, "get_thread_area") +_S(215, "io_setup") +_S(216, "io_destroy") +_S(217, "io_getevents") +_S(218, "io_submit") +_S(219, "io_cancel") +_S(220, "alloc_hugepages") +_S(221, "free_hugepages") +_S(222, "exit_group") +_S(223, "lookup_dcookie") +_S(224, "epoll_create") +_S(225, "epoll_ctl") +_S(226, "epoll_wait") +_S(227, "remap_file_pages") +_S(228, "semtimedop") +_S(229, "mq_open") +_S(230, "mq_unlink") +_S(231, "mq_timedsend") +_S(232, "mq_timedreceive") +_S(233, "mq_notify") +_S(234, "mq_getsetattr") +_S(235, "waitid") +_S(236, "fadvise64_64") +_S(237, "set_tid_address") +_S(238, "setxattr") +_S(239, "lsetxattr") +_S(240, "fsetxattr") +_S(241, "getxattr") +_S(242, "lgetxattr") +_S(243, "fgetxattr") +_S(244, "listxattr") +_S(245, "llistxattr") +_S(246, "flistxattr") +_S(247, "removexattr") +_S(248, "lremovexattr") +_S(249, "fremovexattr") +_S(250, "timer_create") +_S(251, "timer_settime") +_S(252, "timer_gettime") +_S(253, "timer_getoverrun") +_S(254, "timer_delete") +_S(255, "clock_settime") +_S(256, "clock_gettime") +_S(257, "clock_getres") +_S(258, "clock_nanosleep") +_S(259, "tgkill") +_S(260, "mbind") +_S(261, "get_mempolicy") +_S(262, "set_mempolicy") +_S(263, "vserver") +_S(264, "add_key") +_S(265, "request_key") +_S(266, "keyctl") +_S(267, "ioprio_set") +_S(268, "ioprio_get") +_S(269, "inotify_init") +_S(270, "inotify_add_watch") +_S(271, "inotify_rm_watch") +_S(272, "migrate_pages") +_S(273, "pselect6") +_S(274, "ppoll") +_S(275, "openat") +_S(276, "mkdirat") +_S(277, "mknodat") +_S(278, "fchownat") +_S(279, "futimesat") +_S(280, "fstatat64") +_S(281, "unlinkat") +_S(282, "renameat") +_S(283, "linkat") +_S(284, "symlinkat") +_S(285, "readlinkat") +_S(286, "fchmodat") +_S(287, "faccessat") +_S(288, "unshare") +_S(289, "set_robust_list") +_S(290, "get_robust_list") +_S(291, "splice") +_S(292, "sync_file_range") +_S(293, "tee") +_S(294, "vmsplice") +_S(295, "move_pages") +_S(296, "getcpu") +_S(297, "epoll_pwait") +_S(298, "statfs64") +_S(299, "fstatfs64") +_S(300, "kexec_load") +_S(301, "utimensat") +_S(302, "signalfd") +_S(303, "timerfd") +_S(304, "eventfd") +_S(305, "fallocate") +_S(306, "timerfd_create") +_S(307, "timerfd_settime") +_S(308, "timerfd_gettime") +_S(309, "signalfd4") +_S(310, "eventfd2") +_S(311, "epoll_create1") +_S(312, "dup3") +_S(313, "pipe2") +_S(314, "inotify_init1") +_S(315, "preadv") +_S(316, "pwritev") +_S(317, "rt_tgsigqueueinfo") +_S(318, "perf_event_open") +_S(319, "recvmmsg") +_S(320, "accept4") +_S(321, "prlimit64") +_S(322, "fanotify_init") +_S(323, "fanotify_mark") +_S(324, "clock_adjtime") +_S(325, "name_to_handle_at") +_S(326, "open_by_handle_at") +_S(327, "syncfs") +_S(328, "setns") +_S(329, "sendmmsg") +_S(330, "process_vm_readv") +_S(331, "process_vm_writev") +_S(332, "kcmp") +_S(333, "finit_module") --- audit-2.3.2.orig/lib/syscall-update.txt +++ audit-2.3.2/lib/syscall-update.txt @@ -18,3 +18,6 @@ For adding new arches, the following mig cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; ' it will still need hand editing + +for parisc: +cat /usr/include/hppa-linux-gnu/asm/unistd.h | grep '^#define __NR_' | grep \(__NR_Linux | sed "s/#define *__NR_//g" | tr -d ")" | awk '{ printf "_S(%s, \"%s\")\n", $4, $1 };' --- audit-2.3.2.orig/lib/test/lookup_test.c +++ audit-2.3.2/lib/test/lookup_test.c @@ -222,6 +222,23 @@ test_ppc_table(void) } static void +test_parisc_table(void) +{ + static const struct entry t[] = { +#include "../parisc_table.h" + }; + + printf("Testing parisc_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_PARISC) +#define S2I(S) audit_name_to_syscall((S), MACH_PARISC) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + + +static void test_s390_table(void) { static const struct entry t[] = { @@ -415,6 +432,7 @@ main(void) test_i386_table(); test_ia64_table(); test_ppc_table(); + test_parisc_table(); test_s390_table(); test_s390x_table(); test_x86_64_table();

10 years, 11 months

3
6
0 / 0

[RFC Part1 PATCH 00/20 v2] Add namespace support for audit

by Gao feng

Here is the v1 patchset: http://lwn.net/Articles/549546/ The main target of this patchset is allowing user in audit namespace to generate the USER_MSG type of audit message, some userspace tools need to generate audit message, or these tools will broken. And the login process in container may want to setup /proc/<pid>/loginuid, right now this value is unalterable once it being set. this will also broke the login problem in container. After this patchset, we can reset this loginuid to zero if task is running in a new audit namespace. Same with v1 patchset, in this patchset, only the privileged user in init_audit_ns and init_user_ns has rights to add/del audit rules. and these rules are gloabl. all audit namespace will comply with the rules. Compared with v1, v2 patch has some big changes. 1, the audit namespace is not assigned to user namespace. since there is no available bit of flags for clone, we create audit namespace through netlink, patch[18/20] introduces a new audit netlink type AUDIT_CREATE_NS. the privileged user in userns has rights to create a audit namespace, it means the unprivileged user can create auditns through create userns first. In order to prevent them from doing harm to host, the default audit_backlog_limit of un-init-audit-ns is zero(means audit is unavailable in audit namespace). and it can't be changed in auditns through netlink. 2, introduce /proc/<pid>/audit_log_limit this interface is used to setup log_limit of audit namespace. we need this interface to make audit available in un-init-audit-ns. Only the privileged user has right to set this value, it means only the root user of host can change it. 3, make audit namespace don't depend on net namespace. patch[1/20] add a compare function audit_compare for audit netlink, it always return true, it means the netlink subsystem will find out the netlink socket only through portid and netlink type. So we needn't to create kernel side audit netlink socket for per net namespace, all userspace audit netlink socket can find out the audit_sock, and audit_sock can communicate with them through the proper portid. it's just like the behavior we don't have net namespace before. This patchset still need some work, such as allow changing audit_enabled in audit namespace, auditd wants this feature. I send this patchset now in order to get more comments, so I can keep on improving namespace support for audit. Gao feng (20): Audit: make audit netlink socket net namespace unaware audit: introduce configure option CONFIG_AUDIT_NS audit: make audit_skb_queue per audit namespace audit: make audit_skb_hold_queue per audit namespace audit: make audit_pid per audit namespace audit: make kauditd_task per audit namespace aduit: make audit_nlk_portid per audit namespace audit: make kaudit_wait queue per audit namespace audit: make audit_backlog_wait per audit namespace audit: allow un-init audit ns to change pid and portid only audit: use proper audit namespace in audit_receive_msg audit: use proper audit_namespace in kauditd_thread audit: introduce new audit logging interface for audit namespace audit: pass proper audit namespace to audit_log_common_recv_msg audit: Log audit pid config change in audit namespace audit: allow GET,SET,USER MSG operations in audit namespace nsproxy: don't make create_new_namespaces static audit: add new message type AUDIT_CREATE_NS audit: make audit_backlog_limit per audit namespace audit: introduce /proc/<pid>/audit_backlog_limit fs/proc/base.c | 53 ++++++ include/linux/audit.h | 26 ++- include/linux/audit_namespace.h | 92 ++++++++++ include/linux/nsproxy.h | 15 +- include/uapi/linux/audit.h | 1 + init/Kconfig | 10 ++ kernel/Makefile | 2 +- kernel/audit.c | 364 +++++++++++++++++++++++++--------------- kernel/audit.h | 5 +- kernel/audit_namespace.c | 123 ++++++++++++++ kernel/auditsc.c | 6 +- kernel/nsproxy.c | 18 +- 12 files changed, 561 insertions(+), 154 deletions(-) create mode 100644 include/linux/audit_namespace.h create mode 100644 kernel/audit_namespace.c -- 1.8.3.1

11 years

6
49
0 / 0

[PATCH] audit: listen in all network namespaces

by Richard Guy Briggs

Convert audit from only listening in init_net to use register_pernet_subsys() to dynamically manage the netlink socket list. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- kernel/audit.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++--------- kernel/audit.h | 4 +++ 2 files changed, 57 insertions(+), 11 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..06e2676 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -64,6 +64,7 @@ #include <linux/freezer.h> #include <linux/tty.h> #include <linux/pid_namespace.h> +#include <net/netns/generic.h> #include "audit.h" @@ -122,6 +123,7 @@ static atomic_t audit_lost = ATOMIC_INIT(0); /* The netlink socket. */ static struct sock *audit_sock; +int audit_net_id; /* Hash for inode-based rules */ struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; @@ -391,6 +393,7 @@ static void kauditd_send_skb(struct sk_buff *skb) printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid); audit_log_lost("auditd disappeared\n"); audit_pid = 0; + audit_sock = NULL; /* we might get lucky and get this in the next auditd */ audit_hold_skb(skb); } else @@ -474,13 +477,15 @@ int audit_send_list(void *_dest) struct audit_netlink_list *dest = _dest; int pid = dest->pid; struct sk_buff *skb; + struct net *net = get_net_ns_by_pid(pid); + struct audit_net *aunet = net_generic(net, audit_net_id); /* wait for parent to finish and send an ACK */ mutex_lock(&audit_cmd_mutex); mutex_unlock(&audit_cmd_mutex); while ((skb = __skb_dequeue(&dest->q)) != NULL) - netlink_unicast(audit_sock, skb, pid, 0); + netlink_unicast(aunet->nlsk, skb, pid, 0); kfree(dest); @@ -515,13 +520,15 @@ out_kfree_skb: static int audit_send_reply_thread(void *arg) { struct audit_reply *reply = (struct audit_reply *)arg; + struct net *net = get_net_ns_by_pid(reply->pid); + struct audit_net *aunet = net_generic(net, audit_net_id); mutex_lock(&audit_cmd_mutex); mutex_unlock(&audit_cmd_mutex); /* Ignore failure. It'll only happen if the sender goes away, because our timeout is set to infinite. */ - netlink_unicast(audit_sock, reply->skb, reply->pid, 0); + netlink_unicast(aunet->nlsk , reply->skb, reply->pid, 0); kfree(reply); return 0; } @@ -690,6 +697,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_log_config_change("audit_pid", new_pid, audit_pid, 1); audit_pid = new_pid; audit_nlk_portid = NETLINK_CB(skb).portid; + audit_sock = NETLINK_CB(skb).sk; } if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) { err = audit_set_rate_limit(status_get->rate_limit); @@ -886,24 +894,58 @@ static void audit_receive(struct sk_buff *skb) mutex_unlock(&audit_cmd_mutex); } -/* Initialize audit support at boot time. */ -static int __init audit_init(void) +static int __net_init audit_net_init(struct net *net) { - int i; struct netlink_kernel_cfg cfg = { .input = audit_receive, }; + struct audit_net *aunet = net_generic(net, audit_net_id); + + pr_info("audit: initializing netlink socket in namespace\n"); + + aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg); + if (aunet->nlsk == NULL) + return -ENOMEM; + if (!aunet->nlsk) + audit_panic("cannot initialize netlink socket in namespace"); + else + aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; + return 0; +} + +static void __net_exit audit_net_exit(struct net *net) +{ + struct audit_net *aunet = net_generic(net, audit_net_id); + struct sock *sock = aunet->nlsk; + if (sock == audit_sock) { + audit_pid = 0; + audit_sock = NULL; + } + + rcu_assign_pointer(aunet->nlsk, NULL); + synchronize_net(); + netlink_kernel_release(sock); +} + +static struct pernet_operations __net_initdata audit_net_ops = { + .init = audit_net_init, + .exit = audit_net_exit, + .id = &audit_net_id, + .size = sizeof(struct audit_net), +}; + +/* Initialize audit support at boot time. */ +static int __init audit_init(void) +{ + int i; + if (audit_initialized == AUDIT_DISABLED) return 0; - printk(KERN_INFO "audit: initializing netlink socket (%s)\n", + pr_info("audit: initializing netlink subsys (%s)\n", audit_default ? "enabled" : "disabled"); - audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg); - if (!audit_sock) - audit_panic("cannot initialize netlink socket"); - else - audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; + register_pernet_subsys(&audit_net_ops); skb_queue_head_init(&audit_skb_queue); skb_queue_head_init(&audit_skb_hold_queue); diff --git a/kernel/audit.h b/kernel/audit.h index 123c9b7..b7cc537 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -249,6 +249,10 @@ struct audit_netlink_list { int audit_send_list(void *); +struct audit_net { + struct sock *nlsk; +}; + extern int selinux_audit_rule_update(void); extern struct mutex audit_filter_mutex; -- 1.7.1

11 years

4
14
0 / 0

Rational behind RefuseManualStop=yes in auditd.service

by Laurent Bigonville

Hi, I would like to know the rational behind RefuseManualStop=yes in auditd.service file. I'm currently looking at upgrading the audit package in debian and RefuseManualStop=yes is preventing the daemon to be restarted during upgrade. Looking at systemd.unit(5) manpage, I don't have the feeling that it should be used in this case. As a side note, it seems that the *.spec file is stopping the daemon in the %preun so this could fail I guess? Any thoughts on this? Laurent Bigonville

11 years

4
5
0 / 0

Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

by Richard Guy Briggs

On Tue, Oct 15, 2013 at 02:30:34PM +0800, Gao feng wrote: > Hi Toshiyuki-san, Toshiuki and Gao, > On 10/15/2013 12:43 PM, Toshiyuki Okajima wrote: > > The backlog cannot be consumed when audit_log_start is running on auditd > > even if audit_log_start calls wait_for_auditd to consume it. > > The situation is a deadlock because only auditd can consume the backlog. > > If the other process needs to send the backlog, it can be also stopped > > by the deadlock. > > > > So, audit_log_start running on auditd should not stop. > > > > You can see the deadlock with the following reproducer: > > # auditctl -a exit,always -S all > > # reboot > Hmm, I see, There may be other code paths that auditd can call audit_log_start except > audit_log_config_change. so it's better to handle this problem in audit_log_start. > > but current task is only meaningful when gfp_mask & __GFP_WAIT is true. > so maybe the below patch is what you want. I have been following this thread with interest. I like the general evolution of this patch. The first patch was a bit too abrupt, dropping too much, but this one makes much more sense. I would be tempted to make the reserve even bigger. I see that you should be using a kernel that has included commit 8ac1c8d5 (which made it into v3.12-rc3) audit: fix endless wait in audit_log_start() That was an obvious bug, but I was still concerned about the cause of the initial wait. There are other fixes and ideas in the works that should alleviate some of the pressure to make the service more usable. https://lkml.org/lkml/2013/9/18/453 I have tested with and without this v3 patch and I don't see any significant difference with the reproducer provided above. I'm also testing with a reproducer of the endless wait bug (readahead-collector). What are your expected results? What are your actual results in each case? How are they different? > diff --git a/kernel/audit.c b/kernel/audit.c > index 7b0e23a..10b4545 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -1095,7 +1095,9 @@ struct audit_buffer *audit_log_start(struct audit_context > struct audit_buffer *ab = NULL; > struct timespec t; > unsigned int uninitialized_var(serial); > - int reserve; > + int reserve = 5; /* Allow atomic callers to go up to five > + entries over the normal backlog limit */ > + > unsigned long timeout_start = jiffies; > > if (audit_initialized != AUDIT_INITIALIZED) > @@ -1104,11 +1106,12 @@ struct audit_buffer *audit_log_start(struct audit_contex > if (unlikely(audit_filter_type(type))) > return NULL; > > - if (gfp_mask & __GFP_WAIT) > - reserve = 0; > - else > - reserve = 5; /* Allow atomic callers to go up to five > - entries over the normal backlog limit */ > + if (gfp_mask & __GFP_WAIT) { > + if (audit_pid && audit_pid == current->pid) > + gfp_mask &= ~__GFP_WAIT; > + else > + reserve = 0; > + } > > while (audit_backlog_limit > && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserv - RGB -- Richard Guy Briggs <rbriggs(a)redhat.com> Senior Software Engineer Kernel Security AMER ENG Base Operating Systems Remote, Ottawa, Canada Voice: +1.647.777.2635 Internal: (81) 32635 Alt: +1.613.693.0684x3545

11 years

5
13
0 / 0

[3.5.y.z extended stable] Patch "audit: printk USER_AVC messages when audit isn't enabled" has been added to staging queue

by Luis Henriques

This is a note to let you know that I have just added a patch titled audit: printk USER_AVC messages when audit isn't enabled to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/l... If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ >From bd4bba2750d68bb460f4a85a781aa36dbdb5491e Mon Sep 17 00:00:00 2001 From: Tyler Hicks <tyhicks(a)canonical.com> Date: Thu, 25 Jul 2013 18:02:55 -0700 Subject: audit: printk USER_AVC messages when audit isn't enabled commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com Acked-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> [ luis: backported to 3.5: adjusted context ] Signed-off-by: Luis Henriques <luis.henriques(a)canonical.com> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5917dfe..f02d3fc 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, char *ctx = NULL; u32 len; - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; } -- 1.8.3.2

11 years

1
0
0 / 0

[PATCH 1/1 v2] Added exe field to audit core dump signal log

by Paul Davies C

Currently when the coredump signals are logged by the audit system , the actual path to the executable is not logged. Without details of exe , the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged. Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com> --- kernel/auditsc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..53ecc02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current->mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, " pid=%d comm=", current->pid); audit_log_untrustedstring(ab, current->comm); + if (mm) { + down_read(&mm->mmap_sem); + if (mm->exe_file) + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); + up_read(&mm->mmap_sem); + } else + audit_log_format(ab, " exe=(null)"); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -- 1.7.9.5

11 years

1
2
0 / 0

"File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32

by Aaron Lewis

Hi, I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)" With a customized kernel version 2.6.32. And auditctl version 1.0.12 When I run auditctl -l, I got the following error: # auditctl -l No rules File system watches not supported What options could be missing in my kernel config? I've enabled everything related to "AUDIT" # zgrep AUDIT /proc/config.gz CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_TREE=y -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

11 years

3
2
0 / 0

Updated patches

by William Roberts

What's changed since last time? * Squashed all the patches down * Patches are relative to master This is the version I would like to get merged. [PATCH] audit: Audit proc cmdline value

11 years

1
1
0 / 0

[PATCH 1/1 v1] Added exe field to audit core dump signal log

by Paul Davies C

Currently when the coredump signals are logged by the audit system , the actual path to the executable is not logged. Without details of exe , the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged. Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com> --- kernel/auditsc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..4abae3d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current->mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, " pid=%d comm=", current->pid); audit_log_untrustedstring(ab, current->comm); + if (mm) { + down_read(&mm->mmap_sem); + if (mm->exe_file) + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); + up_read(&mm->mmap_sem); + } else + audit_log_format(ab, " exe=null"); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -- 1.7.9.5

11 years, 1 month

1
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit November 2013