[PATCH] audit/userspace: add support for the parisc architecture
by Helge Deller
The patch below adds support for the parisc architecture to the audit
userspace tool.
It would be great if you could apply this patch to trunk.
I posted the corresponding Linux kernel patch to the parisc mailing list
(https://patchwork.kernel.org/patch/3046731/) and plan to push it upstream when
the merge window for Linux kernel v3.13 opens.
Signed-off-by: Helge Deller <deller(a)gmx.de>
--- audit-2.3.2.orig/lib/Makefile.am
+++ audit-2.3.2/lib/Makefile.am
@@ -40,7 +40,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOU
BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
- s390x_tables.h x86_64_tables.h
+ s390x_tables.h x86_64_tables.h parisc_tables.h
if USE_ALPHA
BUILT_SOURCES += alpha_tables.h
endif
@@ -54,7 +54,7 @@ noinst_PROGRAMS = gen_actiontabs_h gen_e
gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
- gen_s390x_tables_h gen_x86_64_tables_h
+ gen_s390x_tables_h gen_x86_64_tables_h gen_parisc_tables_h
if USE_ALPHA
noinst_PROGRAMS += gen_alpha_tables_h
endif
@@ -142,6 +142,11 @@ gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '
ppc_tables.h: gen_ppc_tables_h Makefile
./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
+gen_parisc_tables_h_SOURCES = gen_tables.c gen_tables.h parisc_table.h
+gen_parisc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="parisc_table.h"'
+parisc_tables.h: gen_parisc_tables_h Makefile
+ ./gen_parisc_tables_h --lowercase --i2s --s2i parisc_syscall > $@
+
gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
s390_tables.h: gen_s390_tables_h Makefile
--- audit-2.3.2.orig/lib/libaudit.c
+++ audit-2.3.2/lib/libaudit.c
@@ -1304,6 +1304,9 @@ int audit_rule_fieldpair_data(struct aud
machine == MACH_PPC64)
machine = MACH_PPC;
else if (bits == ~__AUDIT_ARCH_64BIT &&
+ machine == MACH_PARISC64)
+ machine = MACH_PARISC;
+ else if (bits == ~__AUDIT_ARCH_64BIT &&
machine == MACH_S390X)
machine = MACH_S390;
@@ -1324,6 +1327,10 @@ int audit_rule_fieldpair_data(struct aud
if (bits == __AUDIT_ARCH_64BIT)
return -6;
break;
+ case MACH_PARISC:
+ if (bits == __AUDIT_ARCH_64BIT)
+ return -6;
+ break;
case MACH_S390:
if (bits == __AUDIT_ARCH_64BIT)
return -6;
@@ -1342,6 +1349,7 @@ int audit_rule_fieldpair_data(struct aud
#endif
case MACH_86_64: /* fallthrough */
case MACH_PPC64: /* fallthrough */
+ case MACH_PARISC64: /* fallthrough */
case MACH_S390X: /* fallthrough */
break;
default:
--- audit-2.3.2.orig/lib/libaudit.h
+++ audit-2.3.2/lib/libaudit.h
@@ -417,7 +417,9 @@ typedef enum {
MACH_S390,
MACH_ALPHA,
MACH_ARMEB,
- MACH_AARCH64
+ MACH_AARCH64,
+ MACH_PARISC64,
+ MACH_PARISC
} machine_t;
/* These are the valid audit failure tunable enum values */
--- audit-2.3.2.orig/lib/lookup_table.c
+++ audit-2.3.2/lib/lookup_table.c
@@ -47,6 +47,7 @@
#include "i386_tables.h"
#include "ia64_tables.h"
#include "ppc_tables.h"
+#include "parisc_tables.h"
#include "s390_tables.h"
#include "s390x_tables.h"
#include "x86_64_tables.h"
@@ -82,6 +83,8 @@ static const struct int_transtab elftab[
#ifdef WITH_AARCH64
{ MACH_AARCH64, AUDIT_ARCH_AARCH64},
#endif
+ { MACH_PARISC64,AUDIT_ARCH_PARISC64 },
+ { MACH_PARISC, AUDIT_ARCH_PARISC },
};
#define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0]))
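Review bot: The two new elftab rows use `AUDIT_ARCH_PARISC64` and `AUDIT_ARCH_PARISC` unconditionally, yet nothing in this series defines them on the userspace side (the libaudit.h hunk only extends `machine_t`) and the cover letter says the kernel patch that introduces them is not yet upstream. Unless libaudit.h already carries fallbacks, a build against current kernel headers fails on these lines; the usual fix is a guarded definition in libaudit.h, `#ifndef AUDIT_ARCH_PARISC` / `#define AUDIT_ARCH_PARISC <value from the kernel patch>` / `#endif`, and the same for the 64-bit constant, with the values copied from the kernel patch rather than guessed. The elftab initializer begins outside the hunk.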
@@ -126,6 +129,10 @@ int audit_name_to_syscall(const char *sc
case MACH_PPC:
found = ppc_syscall_s2i(sc, &res);
break;
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ found = parisc_syscall_s2i(sc, &res);
+ break;
case MACH_S390X:
found = s390x_syscall_s2i(sc, &res);
break;
@@ -171,6 +178,9 @@ const char *audit_syscall_to_name(int sc
case MACH_PPC64:
case MACH_PPC:
return ppc_syscall_i2s(sc);
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ return parisc_syscall_i2s(sc);
case MACH_S390X:
return s390x_syscall_i2s(sc);
case MACH_S390:
--- audit-2.3.2.orig/lib/machinetab.h
+++ audit-2.3.2/lib/machinetab.h
@@ -43,3 +43,5 @@ _S(MACH_ARMEB, "armv7l")
#ifdef WITH_AARCH64
_S(MACH_AARCH64, "aarch64" )
#endif
+_S(MACH_PARISC64, "parisc64" )
+_S(MACH_PARISC, "parisc" )
--- /dev/null
+++ audit-2.3.2/lib/parisc_table.h
@@ -0,0 +1,333 @@
+_S(0, "restart_syscall")
+_S(1, "exit")
+_S(2, "fork")
+_S(3, "read")
+_S(4, "write")
+_S(5, "open")
+_S(6, "close")
+_S(7, "waitpid")
+_S(8, "creat")
+_S(9, "link")
+_S(10, "unlink")
+_S(11, "execve")
+_S(12, "chdir")
+_S(13, "time")
+_S(14, "mknod")
+_S(15, "chmod")
+_S(16, "lchown")
+_S(17, "socket")
+_S(18, "stat")
+_S(19, "lseek")
+_S(20, "getpid")
+_S(21, "mount")
+_S(22, "bind")
+_S(23, "setuid")
+_S(24, "getuid")
+_S(25, "stime")
+_S(26, "ptrace")
+_S(27, "alarm")
+_S(28, "fstat")
+_S(29, "pause")
+_S(30, "utime")
+_S(31, "connect")
+_S(32, "listen")
+_S(33, "access")
+_S(34, "nice")
+_S(35, "accept")
+_S(36, "sync")
+_S(37, "kill")
+_S(38, "rename")
+_S(39, "mkdir")
+_S(40, "rmdir")
+_S(41, "dup")
+_S(42, "pipe")
+_S(43, "times")
+_S(44, "getsockname")
+_S(45, "brk")
+_S(46, "setgid")
+_S(47, "getgid")
+_S(48, "signal")
+_S(49, "geteuid")
+_S(50, "getegid")
+_S(51, "acct")
+_S(52, "umount2")
+_S(53, "getpeername")
+_S(54, "ioctl")
+_S(55, "fcntl")
+_S(56, "socketpair")
+_S(57, "setpgid")
+_S(58, "send")
+_S(59, "uname")
+_S(60, "umask")
+_S(61, "chroot")
+_S(62, "ustat")
+_S(63, "dup2")
+_S(64, "getppid")
+_S(65, "getpgrp")
+_S(66, "setsid")
+_S(67, "pivot_root")
+_S(68, "sgetmask")
+_S(69, "ssetmask")
+_S(70, "setreuid")
+_S(71, "setregid")
+_S(72, "mincore")
+_S(73, "sigpending")
+_S(74, "sethostname")
+_S(75, "setrlimit")
+_S(76, "getrlimit")
+_S(77, "getrusage")
+_S(78, "gettimeofday")
+_S(79, "settimeofday")
+_S(80, "getgroups")
+_S(81, "setgroups")
+_S(82, "sendto")
+_S(83, "symlink")
+_S(84, "lstat")
+_S(85, "readlink")
+_S(86, "uselib")
+_S(87, "swapon")
+_S(88, "reboot")
+_S(89, "mmap2")
+_S(90, "mmap")
+_S(91, "munmap")
+_S(92, "truncate")
+_S(93, "ftruncate")
+_S(94, "fchmod")
+_S(95, "fchown")
+_S(96, "getpriority")
+_S(97, "setpriority")
+_S(98, "recv")
+_S(99, "statfs")
+_S(100, "fstatfs")
+_S(101, "stat64")
+_S(103, "syslog")
+_S(104, "setitimer")
+_S(105, "getitimer")
+_S(106, "capget")
+_S(107, "capset")
+_S(108, "pread64")
+_S(109, "pwrite64")
+_S(110, "getcwd")
+_S(111, "vhangup")
+_S(112, "fstat64")
+_S(113, "vfork")
+_S(114, "wait4")
+_S(115, "swapoff")
+_S(116, "sysinfo")
+_S(117, "shutdown")
+_S(118, "fsync")
+_S(119, "madvise")
+_S(120, "clone")
+_S(121, "setdomainname")
+_S(122, "sendfile")
+_S(123, "recvfrom")
+_S(124, "adjtimex")
+_S(125, "mprotect")
+_S(126, "sigprocmask")
+_S(127, "create_module")
+_S(128, "init_module")
+_S(129, "delete_module")
+_S(130, "get_kernel_syms")
+_S(131, "quotactl")
+_S(132, "getpgid")
+_S(133, "fchdir")
+_S(134, "bdflush")
+_S(135, "sysfs")
+_S(136, "personality")
+_S(137, "afs_syscall")
+_S(138, "setfsuid")
+_S(139, "setfsgid")
+_S(140, "_llseek")
+_S(141, "getdents")
+_S(142, "_newselect")
+_S(143, "flock")
+_S(144, "msync")
+_S(145, "readv")
+_S(146, "writev")
+_S(147, "getsid")
+_S(148, "fdatasync")
+_S(149, "_sysctl")
+_S(150, "mlock")
+_S(151, "munlock")
+_S(152, "mlockall")
+_S(153, "munlockall")
+_S(154, "sched_setparam")
+_S(155, "sched_getparam")
+_S(156, "sched_setscheduler")
+_S(157, "sched_getscheduler")
+_S(158, "sched_yield")
+_S(159, "sched_get_priority_max")
+_S(160, "sched_get_priority_min")
+_S(161, "sched_rr_get_interval")
+_S(162, "nanosleep")
+_S(163, "mremap")
+_S(164, "setresuid")
+_S(165, "getresuid")
+_S(166, "sigaltstack")
+_S(167, "query_module")
+_S(168, "poll")
+_S(169, "nfsservctl")
+_S(170, "setresgid")
+_S(171, "getresgid")
+_S(172, "prctl")
+_S(173, "rt_sigreturn")
+_S(174, "rt_sigaction")
+_S(175, "rt_sigprocmask")
+_S(176, "rt_sigpending")
+_S(177, "rt_sigtimedwait")
+_S(178, "rt_sigqueueinfo")
+_S(179, "rt_sigsuspend")
+_S(180, "chown")
+_S(181, "setsockopt")
+_S(182, "getsockopt")
+_S(183, "sendmsg")
+_S(184, "recvmsg")
+_S(185, "semop")
+_S(186, "semget")
+_S(187, "semctl")
+_S(188, "msgsnd")
+_S(189, "msgrcv")
+_S(190, "msgget")
+_S(191, "msgctl")
+_S(192, "shmat")
+_S(193, "shmdt")
+_S(194, "shmget")
+_S(195, "shmctl")
+_S(196, "getpmsg")
+_S(197, "putpmsg")
+_S(198, "lstat64")
+_S(199, "truncate64")
+_S(200, "ftruncate64")
+_S(201, "getdents64")
+_S(202, "fcntl64")
+_S(203, "attrctl")
+_S(204, "acl_get")
+_S(205, "acl_set")
+_S(206, "gettid")
+_S(207, "readahead")
+_S(208, "tkill")
+_S(209, "sendfile64")
+_S(210, "futex")
+_S(211, "sched_setaffinity")
+_S(212, "sched_getaffinity")
+_S(213, "set_thread_area")
+_S(214, "get_thread_area")
+_S(215, "io_setup")
+_S(216, "io_destroy")
+_S(217, "io_getevents")
+_S(218, "io_submit")
+_S(219, "io_cancel")
+_S(220, "alloc_hugepages")
+_S(221, "free_hugepages")
+_S(222, "exit_group")
+_S(223, "lookup_dcookie")
+_S(224, "epoll_create")
+_S(225, "epoll_ctl")
+_S(226, "epoll_wait")
+_S(227, "remap_file_pages")
+_S(228, "semtimedop")
+_S(229, "mq_open")
+_S(230, "mq_unlink")
+_S(231, "mq_timedsend")
+_S(232, "mq_timedreceive")
+_S(233, "mq_notify")
+_S(234, "mq_getsetattr")
+_S(235, "waitid")
+_S(236, "fadvise64_64")
+_S(237, "set_tid_address")
+_S(238, "setxattr")
+_S(239, "lsetxattr")
+_S(240, "fsetxattr")
+_S(241, "getxattr")
+_S(242, "lgetxattr")
+_S(243, "fgetxattr")
+_S(244, "listxattr")
+_S(245, "llistxattr")
+_S(246, "flistxattr")
+_S(247, "removexattr")
+_S(248, "lremovexattr")
+_S(249, "fremovexattr")
+_S(250, "timer_create")
+_S(251, "timer_settime")
+_S(252, "timer_gettime")
+_S(253, "timer_getoverrun")
+_S(254, "timer_delete")
+_S(255, "clock_settime")
+_S(256, "clock_gettime")
+_S(257, "clock_getres")
+_S(258, "clock_nanosleep")
+_S(259, "tgkill")
+_S(260, "mbind")
+_S(261, "get_mempolicy")
+_S(262, "set_mempolicy")
+_S(263, "vserver")
+_S(264, "add_key")
+_S(265, "request_key")
+_S(266, "keyctl")
+_S(267, "ioprio_set")
+_S(268, "ioprio_get")
+_S(269, "inotify_init")
+_S(270, "inotify_add_watch")
+_S(271, "inotify_rm_watch")
+_S(272, "migrate_pages")
+_S(273, "pselect6")
+_S(274, "ppoll")
+_S(275, "openat")
+_S(276, "mkdirat")
+_S(277, "mknodat")
+_S(278, "fchownat")
+_S(279, "futimesat")
+_S(280, "fstatat64")
+_S(281, "unlinkat")
+_S(282, "renameat")
+_S(283, "linkat")
+_S(284, "symlinkat")
+_S(285, "readlinkat")
+_S(286, "fchmodat")
+_S(287, "faccessat")
+_S(288, "unshare")
+_S(289, "set_robust_list")
+_S(290, "get_robust_list")
+_S(291, "splice")
+_S(292, "sync_file_range")
+_S(293, "tee")
+_S(294, "vmsplice")
+_S(295, "move_pages")
+_S(296, "getcpu")
+_S(297, "epoll_pwait")
+_S(298, "statfs64")
+_S(299, "fstatfs64")
+_S(300, "kexec_load")
+_S(301, "utimensat")
+_S(302, "signalfd")
+_S(303, "timerfd")
+_S(304, "eventfd")
+_S(305, "fallocate")
+_S(306, "timerfd_create")
+_S(307, "timerfd_settime")
+_S(308, "timerfd_gettime")
+_S(309, "signalfd4")
+_S(310, "eventfd2")
+_S(311, "epoll_create1")
+_S(312, "dup3")
+_S(313, "pipe2")
+_S(314, "inotify_init1")
+_S(315, "preadv")
+_S(316, "pwritev")
+_S(317, "rt_tgsigqueueinfo")
+_S(318, "perf_event_open")
+_S(319, "recvmmsg")
+_S(320, "accept4")
+_S(321, "prlimit64")
+_S(322, "fanotify_init")
+_S(323, "fanotify_mark")
+_S(324, "clock_adjtime")
+_S(325, "name_to_handle_at")
+_S(326, "open_by_handle_at")
+_S(327, "syncfs")
+_S(328, "setns")
+_S(329, "sendmmsg")
+_S(330, "process_vm_readv")
+_S(331, "process_vm_writev")
+_S(332, "kcmp")
+_S(333, "finit_module")
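Review bot: Number 102 is absent between `_S(101, "stat64")` and `_S(103, "syslog")` while every other number from 0 to 333 is present, so the gap stands out in a generated table. If the slot is deliberately left out (the extraction pipeline in syscall-update.txt would drop any `__NR_` line that does not match its grep), a one-line comment such as `/* 102 intentionally unassigned on parisc */` would save the next maintainer a trip to unistd.h; otherwise it should be checked against the header, since a missing row makes `audit_syscall_to_name` return no name for that number. I cannot confirm from the page which of the two it is.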
--- audit-2.3.2.orig/lib/syscall-update.txt
+++ audit-2.3.2/lib/syscall-update.txt
@@ -18,3 +18,6 @@ For adding new arches, the following mig
cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; '
it will still need hand editing
+
+for parisc:
+cat /usr/include/hppa-linux-gnu/asm/unistd.h | grep '^#define __NR_' | grep \(__NR_Linux | sed "s/#define *__NR_//g" | tr -d ")" | awk '{ printf "_S(%s, \"%s\")\n", $4, $1 };'
--- audit-2.3.2.orig/lib/test/lookup_test.c
+++ audit-2.3.2/lib/test/lookup_test.c
@@ -222,6 +222,23 @@ test_ppc_table(void)
}
static void
+test_parisc_table(void)
+{
+ static const struct entry t[] = {
+#include "../parisc_table.h"
+ };
+
+ printf("Testing parisc_table...\n");
+#define I2S(I) audit_syscall_to_name((I), MACH_PARISC)
+#define S2I(S) audit_name_to_syscall((S), MACH_PARISC)
+ TEST_I2S(0);
+ TEST_S2I(-1);
+#undef I2S
+#undef S2I
+}
+
+
+static void
test_s390_table(void)
{
static const struct entry t[] = {
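Review bot: `test_parisc_table` only drives `MACH_PARISC`; the lookup_table.c hunks route a separate `case MACH_PARISC64:` to the same `parisc_syscall_s2i`/`parisc_syscall_i2s`, so redefining `I2S`/`S2I` with `MACH_PARISC64` and repeating `TEST_I2S(0);` / `TEST_S2I(-1);` would catch a future divergence between the two cases. As a point of style, the two consecutive blank lines before `static void` / `test_s390_table` differ from the single blank line the file uses between the other test functions.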
@@ -415,6 +432,7 @@ main(void)
test_i386_table();
test_ia64_table();
test_ppc_table();
+ test_parisc_table();
test_s390_table();
test_s390x_table();
test_x86_64_table();
[RFC Part1 PATCH 00/20 v2] Add namespace support for audit
by Gao feng
Here is the v1 patchset: http://lwn.net/Articles/549546/
The main target of this patchset is allowing user in audit
namespace to generate the USER_MSG type of audit message,
some userspace tools need to generate audit messages, or
these tools will break.
And the login process in container may want to setup
/proc/<pid>/loginuid; right now this value is unalterable
once it has been set, which also breaks login
in a container. After this patchset, we can reset this loginuid
to zero if the task is running in a new audit namespace.
Same with v1 patchset, in this patchset, only the privileged
user in init_audit_ns and init_user_ns has rights to
add/del audit rules, and these rules are global: all
audit namespaces will comply with the rules.
Compared with v1, v2 patch has some big changes.
1, the audit namespace is not assigned to user namespace.
since there is no available bit of flags for clone, we
create audit namespace through netlink, patch[18/20]
introduces a new audit netlink type AUDIT_CREATE_NS.
the privileged user in userns has rights to create a
audit namespace, it means the unprivileged user can
create auditns through create userns first. In order
to prevent them from doing harm to host, the default
audit_backlog_limit of un-init-audit-ns is zero(means
audit is unavailable in audit namespace). and it can't
be changed in auditns through netlink.
2, introduce /proc/<pid>/audit_log_limit
this interface is used to setup log_limit of audit
namespace. we need this interface to make audit
available in un-init-audit-ns. Only the privileged user
has right to set this value, it means only the root user
of host can change it.
3, make audit namespace don't depend on net namespace.
patch[1/20] add a compare function audit_compare for
audit netlink, it always return true, it means the
netlink subsystem will find out the netlink socket
only through portid and netlink type. So we needn't
to create kernel side audit netlink socket for per
net namespace, all userspace audit netlink socket
can find out the audit_sock, and audit_sock can
communicate with them through the proper portid.
it's just like the behavior we don't have net
namespace before.
This patchset still need some work, such as allow changing
audit_enabled in audit namespace, auditd wants this feature.
I send this patchset now in order to get more comments, so
I can keep on improving namespace support for audit.
Gao feng (20):
Audit: make audit netlink socket net namespace unaware
audit: introduce configure option CONFIG_AUDIT_NS
audit: make audit_skb_queue per audit namespace
audit: make audit_skb_hold_queue per audit namespace
audit: make audit_pid per audit namespace
audit: make kauditd_task per audit namespace
aduit: make audit_nlk_portid per audit namespace
audit: make kaudit_wait queue per audit namespace
audit: make audit_backlog_wait per audit namespace
audit: allow un-init audit ns to change pid and portid only
audit: use proper audit namespace in audit_receive_msg
audit: use proper audit_namespace in kauditd_thread
audit: introduce new audit logging interface for audit namespace
audit: pass proper audit namespace to audit_log_common_recv_msg
audit: Log audit pid config change in audit namespace
audit: allow GET,SET,USER MSG operations in audit namespace
nsproxy: don't make create_new_namespaces static
audit: add new message type AUDIT_CREATE_NS
audit: make audit_backlog_limit per audit namespace
audit: introduce /proc/<pid>/audit_backlog_limit
fs/proc/base.c | 53 ++++++
include/linux/audit.h | 26 ++-
include/linux/audit_namespace.h | 92 ++++++++++
include/linux/nsproxy.h | 15 +-
include/uapi/linux/audit.h | 1 +
init/Kconfig | 10 ++
kernel/Makefile | 2 +-
kernel/audit.c | 364 +++++++++++++++++++++++++---------------
kernel/audit.h | 5 +-
kernel/audit_namespace.c | 123 ++++++++++++++
kernel/auditsc.c | 6 +-
kernel/nsproxy.c | 18 +-
12 files changed, 561 insertions(+), 154 deletions(-)
create mode 100644 include/linux/audit_namespace.h
create mode 100644 kernel/audit_namespace.c
--
1.8.3.1
[PATCH] audit: listen in all network namespaces
by Richard Guy Briggs
Convert audit from only listening in init_net to use register_pernet_subsys()
to dynamically manage the netlink socket list.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++---------
kernel/audit.h | 4 +++
2 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..06e2676 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -64,6 +64,7 @@
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
+#include <net/netns/generic.h>
#include "audit.h"
@@ -122,6 +123,7 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
+int audit_net_id;
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
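Review bot: `int audit_net_id;` is introduced with external linkage, but no `extern` declaration is added to audit.h (that hunk only adds `struct audit_net`) and every use in this patch is inside audit.c. It should be `static int audit_net_id;`, matching `audit_sock` just above it, or get an `extern int audit_net_id;` next to `struct audit_net` in audit.h if other files are meant to reach it.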
@@ -391,6 +393,7 @@ static void kauditd_send_skb(struct sk_buff *skb)
printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
audit_log_lost("auditd disappeared\n");
audit_pid = 0;
+ audit_sock = NULL;
/* we might get lucky and get this in the next auditd */
audit_hold_skb(skb);
} else
@@ -474,13 +477,15 @@ int audit_send_list(void *_dest)
struct audit_netlink_list *dest = _dest;
int pid = dest->pid;
struct sk_buff *skb;
+ struct net *net = get_net_ns_by_pid(pid);
+ struct audit_net *aunet = net_generic(net, audit_net_id);
/* wait for parent to finish and send an ACK */
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
while ((skb = __skb_dequeue(&dest->q)) != NULL)
- netlink_unicast(audit_sock, skb, pid, 0);
+ netlink_unicast(aunet->nlsk, skb, pid, 0);
kfree(dest);
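Review bot: `get_net_ns_by_pid(pid)` returns an `ERR_PTR` when no task with that pid exists, and the result is passed straight to `net_generic()` on the next line; it also takes a reference on the namespace that is never dropped with `put_net()`, so every reply leaks a net refcount. The same two problems appear in the `audit_send_reply_thread` hunk below. There is a further question of whether `dest->pid` is a process id at all: if it carries the netlink portid (as `audit_nlk_portid` does elsewhere in this file), the namespace lookup keys on the wrong value. The rest of audit_send_list, including its return, lies outside the hunk.
```c
	struct net *net = get_net_ns_by_pid(pid);
	struct audit_net *aunet;

	if (IS_ERR(net)) {
		/* sender's namespace is gone: drop the queued replies */
		skb_queue_purge(&dest->q);
		kfree(dest);
		return PTR_ERR(net);
	}
	aunet = net_generic(net, audit_net_id);
	/* … unchanged: audit_cmd_mutex handshake and unicast loop … */
	put_net(net);
	kfree(dest);
```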
@@ -515,13 +520,15 @@ out_kfree_skb:
static int audit_send_reply_thread(void *arg)
{
struct audit_reply *reply = (struct audit_reply *)arg;
+ struct net *net = get_net_ns_by_pid(reply->pid);
+ struct audit_net *aunet = net_generic(net, audit_net_id);
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
/* Ignore failure. It'll only happen if the sender goes away,
because our timeout is set to infinite. */
- netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
+ netlink_unicast(aunet->nlsk , reply->skb, reply->pid, 0);
kfree(reply);
return 0;
}
@@ -690,6 +697,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
audit_nlk_portid = NETLINK_CB(skb).portid;
+ audit_sock = NETLINK_CB(skb).sk;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(status_get->rate_limit);
@@ -886,24 +894,58 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
-/* Initialize audit support at boot time. */
-static int __init audit_init(void)
+static int __net_init audit_net_init(struct net *net)
{
- int i;
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
};
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+
+ pr_info("audit: initializing netlink socket in namespace\n");
+
+ aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
+ if (aunet->nlsk == NULL)
+ return -ENOMEM;
+ if (!aunet->nlsk)
+ audit_panic("cannot initialize netlink socket in namespace");
+ else
+ aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ return 0;
+}
+
+static void __net_exit audit_net_exit(struct net *net)
+{
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+ struct sock *sock = aunet->nlsk;
+ if (sock == audit_sock) {
+ audit_pid = 0;
+ audit_sock = NULL;
+ }
+
+ rcu_assign_pointer(aunet->nlsk, NULL);
+ synchronize_net();
+ netlink_kernel_release(sock);
+}
+
+static struct pernet_operations __net_initdata audit_net_ops = {
+ .init = audit_net_init,
+ .exit = audit_net_exit,
+ .id = &audit_net_id,
+ .size = sizeof(struct audit_net),
+};
+
+/* Initialize audit support at boot time. */
+static int __init audit_init(void)
+{
+ int i;
+
if (audit_initialized == AUDIT_DISABLED)
return 0;
- printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
+ pr_info("audit: initializing netlink subsys (%s)\n",
audit_default ? "enabled" : "disabled");
- audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
- if (!audit_sock)
- audit_panic("cannot initialize netlink socket");
- else
- audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ register_pernet_subsys(&audit_net_ops);
skb_queue_head_init(&audit_skb_queue);
skb_queue_head_init(&audit_skb_hold_queue);
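Review bot: In `audit_net_init` the `if (!aunet->nlsk)` branch after `if (aunet->nlsk == NULL) return -ENOMEM;` can never run, so the `audit_panic` that the old `audit_init` issued on socket-creation failure is now dead code; fold the two checks into one. In `audit_init`, the return value of `register_pernet_subsys(&audit_net_ops)` is ignored, whereas the code it replaces did report failure, so a failed registration now leaves `audit_sock` NULL silently. Two smaller points, hedged because the locking rules are not visible here: `audit_net_exit` clears `audit_pid`/`audit_sock` without `audit_cmd_mutex`, which the other writers of those globals in this file hold, and `rcu_assign_pointer(aunet->nlsk, NULL)` only protects readers that use `rcu_dereference`, which the two unicast paths in this patch do not.
```c
	aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
	if (!aunet->nlsk) {
		audit_panic("cannot initialize netlink socket in namespace");
		return -ENOMEM;
	}
	aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
	return 0;
}

/* … unchanged: audit_net_exit, audit_net_ops, start of audit_init … */
	if (register_pernet_subsys(&audit_net_ops))
		audit_panic("cannot register audit pernet subsys");
```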
diff --git a/kernel/audit.h b/kernel/audit.h
index 123c9b7..b7cc537 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -249,6 +249,10 @@ struct audit_netlink_list {
int audit_send_list(void *);
+struct audit_net {
+ struct sock *nlsk;
+};
+
extern int selinux_audit_rule_update(void);
extern struct mutex audit_filter_mutex;
--
1.7.1
Rationale behind RefuseManualStop=yes in auditd.service
by Laurent Bigonville
Hi,
I would like to know the rationale behind RefuseManualStop=yes in the
auditd.service file.
I'm currently looking at upgrading the audit package in debian and
RefuseManualStop=yes is preventing the daemon from being restarted during
the upgrade.
Looking at systemd.unit(5) manpage, I don't have the feeling that it
should be used in this case.
As a side note, it seems that the *.spec file is stopping the daemon in
the %preun so this could fail I guess?
Any thoughts on this?
Laurent Bigonville
Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop
by Richard Guy Briggs
On Tue, Oct 15, 2013 at 02:30:34PM +0800, Gao feng wrote:
> Hi Toshiyuki-san,
Toshiuki and Gao,
> On 10/15/2013 12:43 PM, Toshiyuki Okajima wrote:
> > The backlog cannot be consumed when audit_log_start is running on auditd
> > even if audit_log_start calls wait_for_auditd to consume it.
> > The situation is a deadlock because only auditd can consume the backlog.
> > If the other process needs to send the backlog, it can be also stopped
> > by the deadlock.
> >
> > So, audit_log_start running on auditd should not stop.
> >
> > You can see the deadlock with the following reproducer:
> > # auditctl -a exit,always -S all
> > # reboot
> Hmm, I see, There may be other code paths that auditd can call audit_log_start except
> audit_log_config_change. so it's better to handle this problem in audit_log_start.
>
> but current task is only meaningful when gfp_mask & __GFP_WAIT is true.
> so maybe the below patch is what you want.
I have been following this thread with interest. I like the general
evolution of this patch. The first patch was a bit too abrupt, dropping
too much, but this one makes much more sense. I would be tempted to
make the reserve even bigger.
I see that you should be using a kernel that has included commit
8ac1c8d5 (which made it into v3.12-rc3)
audit: fix endless wait in audit_log_start()
That was an obvious bug, but I was still concerned about the cause of
the initial wait. There are other fixes and ideas in the works that
should alleviate some of the pressure to make the service more usable.
https://lkml.org/lkml/2013/9/18/453
I have tested with and without this v3 patch and I don't see any
significant difference with the reproducer provided above. I'm also
testing with a reproducer of the endless wait bug (readahead-collector).
What are your expected results? What are your actual results in each
case? How are they different?
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 7b0e23a..10b4545 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1095,7 +1095,9 @@ struct audit_buffer *audit_log_start(struct audit_context
> struct audit_buffer *ab = NULL;
> struct timespec t;
> unsigned int uninitialized_var(serial);
> - int reserve;
> + int reserve = 5; /* Allow atomic callers to go up to five
> + entries over the normal backlog limit */
> +
> unsigned long timeout_start = jiffies;
>
> if (audit_initialized != AUDIT_INITIALIZED)
> @@ -1104,11 +1106,12 @@ struct audit_buffer *audit_log_start(struct audit_contex
> if (unlikely(audit_filter_type(type)))
> return NULL;
>
> - if (gfp_mask & __GFP_WAIT)
> - reserve = 0;
> - else
> - reserve = 5; /* Allow atomic callers to go up to five
> - entries over the normal backlog limit */
> + if (gfp_mask & __GFP_WAIT) {
> + if (audit_pid && audit_pid == current->pid)
> + gfp_mask &= ~__GFP_WAIT;
> + else
> + reserve = 0;
> + }
>
> while (audit_backlog_limit
> && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserv
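Review bot: `audit_pid == current->pid` identifies auditd by thread id, but `audit_pid` is the process id the daemon registered, so a log started from any non-main thread of auditd still takes the waiting path this patch means to avoid; `task_tgid_nr(current)` (or `current->tgid`) is the value to compare. Clearing `__GFP_WAIT` from `gfp_mask` also changes how the buffer itself is allocated further down in `audit_log_start`, not just the backlog decision, which is probably intended but worth a comment such as `/* auditd must never sleep on its own backlog: allocate atomically */`. The loop condition on the last line is cut off in the quote and the function continues outside the hunk.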
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
[3.5.y.z extended stable] Patch "audit: printk USER_AVC messages when audit isn't enabled" has been added to staging queue
by Luis Henriques
This is a note to let you know that I have just added a patch titled
audit: printk USER_AVC messages when audit isn't enabled
to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/l...
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Luis
------
>From bd4bba2750d68bb460f4a85a781aa36dbdb5491e Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks(a)canonical.com>
Date: Thu, 25 Jul 2013 18:02:55 -0700
Subject: audit: printk USER_AVC messages when audit isn't enabled
commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
Acked-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques(a)canonical.com>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 5917dfe..f02d3fc 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
char *ctx = NULL;
u32 len;
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
--
1.8.3.2
[PATCH 1/1 v2] Added exe field to audit core dump signal log
by Paul Davies C
Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.
This patch changes the audit_log_task() so that the path to the exe is also
logged.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..53ecc02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+ struct mm_struct *mm = current->mm;
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ if (mm->exe_file)
+ audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+ up_read(&mm->mmap_sem);
+ } else
+ audit_log_format(ab, " exe=(null)");
}
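Review bot: The new block takes `mmap_sem` for read only to dereference `mm->exe_file`, and holds it across `audit_log_d_path`, which formats a path into the audit buffer; `get_mm_exe_file(mm)` does the locked lookup internally and returns a referenced `struct file`, so the block shrinks to `exe_file = get_mm_exe_file(mm); if (exe_file) { audit_log_d_path(ab, " exe=", &exe_file->f_path); fput(exe_file); }` with the else branch unchanged, and no lock is held while logging. Whether `mmap_sem` may already be held on any path into `audit_log_task` (it is reached from the coredump code) I cannot tell from this hunk, which is the stronger reason to avoid taking it here. The v1 of this patch further down the page has the same shape and differs only in logging `exe=null` instead of `exe=(null)`.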
static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
--
1.7.9.5
"File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32
by Aaron Lewis
Hi,
I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)"
With a customized kernel version 2.6.32.
And auditctl version 1.0.12
When I run auditctl -l, I got the following error:
# auditctl -l
No rules
File system watches not supported
What options could be missing in my kernel config? I've enabled
everything related to "AUDIT"
# zgrep AUDIT /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
Updated patches
by William Roberts
What's changed since last time?
* Squashed all the patches down
* Patches are relative to master
This is the version I would like to get merged.
[PATCH] audit: Audit proc cmdline value
[PATCH 1/1 v1] Added exe field to audit core dump signal log
by Paul Davies C
Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.
This patch changes the audit_log_task() so that the path to the exe is also
logged.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..4abae3d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+ struct mm_struct *mm = current->mm;
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ if (mm->exe_file)
+ audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+ up_read(&mm->mmap_sem);
+ } else
+ audit_log_format(ab, " exe=null");
}
static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
--
1.7.9.5