Re: proposing [PATCH] audit: get rid of *NO* daemon at audit_pid=0 message
by Eric Paris
On Wed, 2013-10-30 at 00:05 +0100, Mateusz Guzik wrote:
> Hello,
>
> I wrote a trivial patch for what I believe is a subsystem you maintain.
>
> I'm sending it privately first to ensure it looks ok and has proper
> recipients (I'm new to linux world, sorry :>).
>
> 'To' would be: linux-audit(a)redhat.com
>
> The rest is:
>
> From: Mateusz Guzik <mguzik(a)redhat.com>
> Date: Tue, 29 Oct 2013 23:51:52 +0100
> Subject: [PATCH] audit: get rid of *NO* daemon at audit_pid=0 message
>
> kauditd_send_skb is called after audit_pid was checked to be non-zero.
>
> However, it can be set to 0 due to auditd exiting while kauditd_send_skb
> is still executed and this can result in a spurious warning about missing
> auditd.
>
> Re-check audit_pid before printing the message.
>
> Signed-off-by: Mateusz Guzik <mguzik(a)redhat.com>
> Cc: Eric Paris <eparis(a)redhat.com>
> Cc: linux-kernel(a)vger.kernel.org
Acked-by: Eric Paris <eparis(a)redhat.com>
> ---
> kernel/audit.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 7b0e23a..a91a965 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -388,9 +388,11 @@ static void kauditd_send_skb(struct sk_buff *skb)
> err = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
> if (err < 0) {
> BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */
> - printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
> - audit_log_lost("auditd disappeared\n");
> - audit_pid = 0;
> + if (audit_pid) {
> + printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
> + audit_log_lost("auditd disappeared\n");
> + audit_pid = 0;
> + }
> /* we might get lucky and get this in the next auditd */
> audit_hold_skb(skb);
> } else
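Review bot: The new `if (audit_pid)` test and the `printk` inside it read audit_pid separately, and nothing in this hunk takes a lock or a snapshot, so the value can still change between the test and the print; the window for the spurious message gets smaller but is not closed. Consider reading audit_pid once into a local variable and using that local for both the test and the message.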
> --
> 1.8.3.1
>
> Is this ok?
>
> Thanks,
11 years, 1 month
[PATCH] Dropped audit_log_abend()
by Paul Davies C
The audit_log_abend() is used only by the audit_core_dumps(). Thus there is no
need of maintaining the audit_log_abend() as a separate function.
This patch drops the audit_log_abend() and pushes its functionalities back to
the audit_core_dumps(). Apart from that the "reason" field is also dropped
from being logged since the reason can be deduced from the signal number.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..f2aa62a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2368,13 +2368,6 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_untrustedstring(ab, current->comm);
}
-static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
-{
- audit_log_task(ab);
- audit_log_format(ab, " reason=");
- audit_log_string(ab, reason);
- audit_log_format(ab, " sig=%ld", signr);
-}
/**
* audit_core_dumps - record information about processes that end abnormally
* @signr: signal value
@@ -2395,7 +2388,8 @@ void audit_core_dumps(long signr)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
- audit_log_abend(ab, "memory violation", signr);
+ audit_log_task(ab);
+ audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab);
}
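Review bot: Replacing the audit_log_abend() call with audit_log_task() plus `sig=%ld` removes the reason= field from every ANOM_ABEND record, which is a change to the record format that userspace sees. Any consumer that matches on reason="memory violation" will stop matching, so the changelog should call out the format change explicitly, and it is worth confirming with the userspace audit tools before the field goes away.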
--
1.7.9.5
11 years, 1 month
SIGXCPU and Auditd
by Paul Davies C
Hi,
Is there any way to make the auditd system log the SIGXCPU signal?
As of now, without writing any specific rules, SIGSEGV is getting
logged. In my log I found lines as below:
type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 gid=1000 ses=5 pid=2688 comm="chrome" reason="memory violation" sig=11
11 years, 1 month
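A userspace view of the ANOM_ABEND record quoted above, as an added example that is not part of the original posts or of the audit project's code: it parses such records and derives the signal name from sig=, so it works whether or not the reason= field is present. The second and third sample records are constructed, and the function names are hypothetical.

```python
import re
import signal

# Sample input: the first record is the line quoted in the post above; the
# other two are constructed for this example (no reason= field, hex comm).
SAMPLE = [
    'type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 '
    'gid=1000 ses=5 pid=2688 comm="chrome" reason="memory violation" sig=11',
    'type=ANOM_ABEND msg=audit(1383644400.120:91): auid=4294967295 uid=0 '
    'gid=0 ses=4294967295 pid=311 comm=6D7920617070 sig=24',
    'type=SYSCALL msg=audit(1383644401.000:92): arch=c000003e syscall=2',
]

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = 4294967295  # (unsigned int)-1: auid/ses never set for this task


def decode_untrusted(value):
    """Quoted values are literal; unquoted ones are hex-encoded bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null): neither quoted nor valid hex


def signal_name(signr):
    """Map a signal number to its name on the host running this script."""
    try:
        return signal.Signals(signr).name
    except ValueError:
        return "SIG%d" % signr


def parse_abend(line):
    """Return a dict for an ANOM_ABEND record, or None for anything else."""
    m = HEADER.match(line.strip())
    if not m or m.group(1) != "ANOM_ABEND":
        return None
    fields = dict(FIELD.findall(m.group(4)))
    if "sig" not in fields or not fields["sig"].isdigit():
        return None
    reason = fields.get("reason")
    return {
        "serial": int(m.group(3)),
        "comm": decode_untrusted(fields.get("comm", '""')),
        "sig": int(fields["sig"]),
        "signal": signal_name(int(fields["sig"])),
        "reason": reason.strip('"') if reason else None,
        "auid_unset": fields.get("auid") == str(UNSET),
    }
```

Signal numbers differ between architectures, so run the mapping on the same architecture that produced the log.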
[PATCH] Fixed reason field in audit signal logging
by Paul Davies C
The audit system logs the signals that lead to abnormal end of a process.
However, as of now, it always states the reason for failure of a process as
"memory violation" regardless of the signal delivered. This is due to the
audit_core_dumps() function passing the reason for failure blindly to the
audit_log_abend() as "memory violation".
This patch changes the audit_core_dumps() function so as to pass on the right
reason to the audit_log_abend based on the signal received.
Signed-off-by:Paul Davies C
---
kernel/auditsc.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..3cafd13 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
- audit_log_abend(ab, "memory violation", signr);
+
+ /*Identify the reason for failure based on signal delivered.*/
+ switch (signr) {
+ case SIGABRT:
+ audit_log_abend(ab, "received abort", signr);
+ break;
+ case SIGBUS:
+ audit_log_abend(ab, "invalid pointer dereference", signr);
+ break;
+ case SIGFPE:
+ audit_log_abend(ab, "invalid floating point instruction", signr);
+ break;
+ case SIGILL:
+ audit_log_abend(ab, "illegal instruction", signr);
+ break;
+ case SIGSEGV:
+ audit_log_abend(ab, "memory violation", signr);
+ break;
+ case SIGTRAP:
+ audit_log_abend(ab, "bad instruction / debugger generated signal", signr);
+ break;
+ case SIGXCPU:
+ audit_log_abend(ab, "cpu time violation", signr);
+ break;
+ case SIGXFSZ:
+ audit_log_abend(ab, "file size violation", signr);
+ break;
+ default:
+ audit_log_abend(ab, "not defined", signr);
+ }
audit_log_end(ab);
}
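Review bot: Every case in the new switch repeats the same audit_log_abend(ab, ..., signr) call with only the string changing; select the string into a local `const char *reason` inside the switch and call audit_log_abend() once after it. The default case has no break, and the comment needs spaces inside its delimiters (`/* Identify ... */`). SIGFPE is also raised for integer arithmetic errors, so "invalid floating point instruction" can mislead whoever reads the record.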
--
1.7.9.5
11 years, 1 month
[PATCH] audit: convert all sessionid declaration to unsigned int
by Eric Paris
Right now the sessionid value in the kernel is a combination of u32,
int, and unsigned int. Just use unsigned int throughout.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
drivers/tty/tty_audit.c | 2 +-
include/linux/audit.h | 2 +-
include/linux/init_task.h | 2 +-
include/net/netlabel.h | 2 +-
include/net/xfrm.h | 2 +-
kernel/audit.c | 2 +-
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 +-
net/xfrm/xfrm_policy.c | 8 ++++----
net/xfrm/xfrm_state.c | 6 +++---
net/xfrm/xfrm_user.c | 12 ++++++------
11 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index a4fdce7..b0e5401 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -67,7 +67,7 @@ static void tty_audit_log(const char *description, int major, int minor,
struct task_struct *tsk = current;
uid_t uid = from_kuid(&init_user_ns, task_uid(tsk));
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk));
- u32 sessionid = audit_get_sessionid(tsk);
+ unsigned int sessionid = audit_get_sessionid(tsk);
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
if (ab) {
diff --git a/include/linux/audit.h b/include/linux/audit.h
index a406419..f725862 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -202,7 +202,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
return tsk->loginuid;
}
-static inline int audit_get_sessionid(struct task_struct *tsk)
+static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
return tsk->sessionid;
}
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 5cd0f09..a143df5 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -95,7 +95,7 @@ extern struct group_info init_groups;
#ifdef CONFIG_AUDITSYSCALL
#define INIT_IDS \
.loginuid = INVALID_UID, \
- .sessionid = -1,
+ .sessionid = (unsigned int)-1,
#else
#define INIT_IDS
#endif
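Review bot: The `(unsigned int)-1` in INIT_IDS is the same open-coded "no session" value that this patch also spells out three times in xfrm_policy.c and xfrm_state.c. A single named constant defined next to audit_get_sessionid() would keep the sentinel in one place and make every comparison against it easy to find.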
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 2c95d55..97e6dca 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -111,7 +111,7 @@ struct cipso_v4_doi;
struct netlbl_audit {
u32 secid;
kuid_t loginuid;
- u32 sessionid;
+ unsigned int sessionid;
};
/*
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index e823786..58df66b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -679,7 +679,7 @@ struct xfrm_spi_skb_cb {
struct xfrm_audit {
u32 secid;
kuid_t loginuid;
- u32 sessionid;
+ unsigned int sessionid;
};
#ifdef CONFIG_AUDITSYSCALL
diff --git a/kernel/audit.c b/kernel/audit.c
index b8831ac..f274353 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1490,7 +1490,7 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
void audit_log_session_info(struct audit_buffer *ab)
{
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 51f3fd4..76ab33d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1004,7 +1004,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
{
struct audit_buffer *ab;
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
if (!audit_enabled)
return;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 90594c9..5d36e4a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2008,7 +2008,7 @@ int audit_set_loginuid(kuid_t loginuid)
/* are we setting or clearing? */
if (uid_valid(loginuid))
- sessionid = atomic_inc_return(&session_id);
+ sessionid = (unsigned int)atomic_inc_return(&session_id);
task->sessionid = sessionid;
task->loginuid = loginuid;
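Review bot: The explicit cast on atomic_inc_return(&session_id) is the only line this patch changes in kernel/auditsc.c (the diffstat shows one line), so the declaration of the local sessionid is untouched and is not visible here. If that local is already unsigned int, the assignment converts implicitly and the cast is redundant; if it is not, the declaration needs changing rather than the right-hand side.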
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f77c371..4de6be9 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2881,12 +2881,12 @@ static void xfrm_policy_fini(struct net *net)
flush_work(&net->xfrm.policy_hash_work);
#ifdef CONFIG_XFRM_SUB_POLICY
audit_info.loginuid = INVALID_UID;
- audit_info.sessionid = -1;
+ audit_info.sessionid = (unsigned int)-1;
audit_info.secid = 0;
xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
#endif
audit_info.loginuid = INVALID_UID;
- audit_info.sessionid = -1;
+ audit_info.sessionid = (unsigned int)-1;
audit_info.secid = 0;
xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
@@ -2992,7 +2992,7 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
}
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
- kuid_t auid, u32 sessionid, u32 secid)
+ kuid_t auid, unsigned int sessionid, u32 secid)
{
struct audit_buffer *audit_buf;
@@ -3007,7 +3007,7 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
- kuid_t auid, u32 sessionid, u32 secid)
+ kuid_t auid, unsigned int sessionid, u32 secid)
{
struct audit_buffer *audit_buf;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 54c0acd..b6d74ff 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2040,7 +2040,7 @@ void xfrm_state_fini(struct net *net)
flush_work(&net->xfrm.state_hash_work);
audit_info.loginuid = INVALID_UID;
- audit_info.sessionid = -1;
+ audit_info.sessionid = (unsigned int)-1;
audit_info.secid = 0;
xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
flush_work(&net->xfrm.state_gc_work);
@@ -2106,7 +2106,7 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
}
void xfrm_audit_state_add(struct xfrm_state *x, int result,
- kuid_t auid, u32 sessionid, u32 secid)
+ kuid_t auid, unsigned int sessionid, u32 secid)
{
struct audit_buffer *audit_buf;
@@ -2121,7 +2121,7 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
void xfrm_audit_state_delete(struct xfrm_state *x, int result,
- kuid_t auid, u32 sessionid, u32 secid)
+ kuid_t auid, unsigned int sessionid, u32 secid)
{
struct audit_buffer *audit_buf;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3f565e49..3a890a4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -599,7 +599,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
int err;
struct km_event c;
kuid_t loginuid = audit_get_loginuid(current);
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
u32 sid;
err = verify_newsa_info(p, attrs);
@@ -678,7 +678,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c;
struct xfrm_usersa_id *p = nlmsg_data(nlh);
kuid_t loginuid = audit_get_loginuid(current);
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
u32 sid;
x = xfrm_user_state_lookup(net, p, attrs, &err);
@@ -1404,7 +1404,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
int err;
int excl;
kuid_t loginuid = audit_get_loginuid(current);
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
u32 sid;
err = verify_newpolicy_info(p);
@@ -1662,7 +1662,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
}
} else {
kuid_t loginuid = audit_get_loginuid(current);
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
u32 sid;
security_task_getsecid(current, &sid);
@@ -1958,7 +1958,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
err = 0;
if (up->hard) {
kuid_t loginuid = audit_get_loginuid(current);
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
u32 sid;
security_task_getsecid(current, &sid);
@@ -2001,7 +2001,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (ue->hard) {
kuid_t loginuid = audit_get_loginuid(current);
- u32 sessionid = audit_get_sessionid(current);
+ unsigned int sessionid = audit_get_sessionid(current);
u32 sid;
security_task_getsecid(current, &sid);
--
1.8.3.1
11 years, 1 month
Follow up on auditing cmdline
by William Roberts
So this still seems to be lingering as unresolved in my mind. I need to
find out what the remaining reservations are on this feature. I am going to
try and summarize...
Steve Grubb:
1. Anyway to use argv values as cmdline could be a page (too big)
2. Doesn't like disappearing audit entries
Richard Briggs:
1. Can we make it dynamic on/off
Stephen Smalley:
1. Can we cache the data for performance reasons
So I addressed RGB's issues, which led to one of Steve Grubb's concerns.
Which I can address both with if feature on then print cmdline=value else
print cmdline=(null)
Unfortunately the data I want to audit is the full proc/cmdline entry,
which I think is the most generic way of getting at potential vm data
through various fork mazes on Android, as well as gathering the data on
other architectures as well. This also prevents us from hitting the 16 char
width issue on task->comm. Increasing that will result in more non-pageable
kernel memory use, versus my transient use of a page. I also need to make
sure I can get this data before the process terminates, which can happen if
I try to acquire it in user-space.
Also, on error conditions, the last patch version will not print
cmdline=(null) which is an error and can be trivially corrected.
But before I put more time into it, I want to make sure the underlying idea
will be accepted, architectures, caching, print formats etc are all
trivial.
--
Respectfully,
William C Roberts
11 years, 1 month
Auditd errors on busy hosts when rolling over log files
by Burn Alting
Hi,
I have some quite busy hosts, that emit the following errors when I
request the audit log file is rolled over (via a kill -s USR1
auditdpid).
Error receiving audit netlink packet(No buffer space available)
Error sending signal_info request (No buffer space available)
From reading earlier posts (circa 2009) it would appear my options are
a. Increase backlog buffer (currently 32768)
b. Increase priority_boost (currently 4)
c. Reduce the number of log files (currently 9)
Does anyone have a feel for which of the above should offer the best
return?
Are there other configuration parameters I could adjust (aside from
changing my ruleset in audit.rules)?
Thanks in advance
Burn
11 years, 1 month
Question on the unset user in audit
by Burn Alting
All,
I have seen some audit.rules that ignore ALL events involving auid being
the unset user ie a rule segment of
-F auid!=4294967295
What are the possible risks of excluding recording events from the unset
auid? Especially since I believe root could override the auid by writing
to /proc/self/loginuid.
Rgds
11 years, 1 month
[PATCH v2] audit: fix incorrect type of sessionid
by Gao feng
The type of task->sessionid is unsigned int, the return
type of audit_get_sessionid should be consistent with it.
And this patch also changes the type of oldsessionid to
unsigned int.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
include/linux/audit.h | 4 ++--
kernel/auditsc.c | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 7b31bec..01b40f7 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -202,7 +202,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
return tsk->loginuid;
}
-static inline int audit_get_sessionid(struct task_struct *tsk)
+static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
return tsk->sessionid;
}
@@ -360,7 +360,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
{
return INVALID_UID;
}
-static inline int audit_get_sessionid(struct task_struct *tsk)
+static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
return -1;
}
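Review bot: With the return type now unsigned int, the stub's `return -1;` depends on an implicit signed-to-unsigned conversion to produce the "no session" value. Write it as `(unsigned int)-1` or as a named constant so the sentinel is explicit and matches what callers compare against.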
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb396f..e4aaa9d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2018,7 +2018,8 @@ int audit_set_loginuid(kuid_t loginuid)
{
struct task_struct *task = current;
unsigned int sessionid = -1;
- kuid_t oldloginuid, oldsessionid;
+ kuid_t oldloginuid;
+ unsigned int oldsessionid;
int rc;
oldloginuid = audit_get_loginuid(current);
--
1.8.3.1
11 years, 1 month