[PATCH v6 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
introduce get_cmdline() for retreiving the value of a processes
proc/self/cmdline value.
Acked-by: David Rientjes <rientjes(a)google.com>
Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index f28f46e..db89a94 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1175,6 +1175,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index a24aa22..8122710 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -445,6 +445,54 @@ unsigned long vm_commit_limit(void)
return allowed;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
--
1.7.9.5
10 years, 9 months
[PATCH v5 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
introduce get_cmdline() for retreiving the value of a processes
proc/self/cmdline value.
Acked-by: David Rientjes <rientjes(a)google.com>
Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index f28f46e..db89a94 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1175,6 +1175,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index a24aa22..8122710 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -445,6 +445,54 @@ unsigned long vm_commit_limit(void)
return allowed;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
--
1.7.9.5
10 years, 9 months
[PATCH v4 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
introduce get_cmdline() for retreiving the value of a processes
proc/self/cmdline value.
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index f28f46e..db89a94 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1175,6 +1175,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index a24aa22..8122710 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -445,6 +445,54 @@ unsigned long vm_commit_limit(void)
return allowed;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
--
1.7.9.5
10 years, 9 months
[PATCH] audit: restore order of tty and ses fields in log output
by Richard Guy Briggs
When being refactored from audit_log_start() to audit_log_task_info(), in
commit e23eb920 the tty and ses fields in the log output got transposed.
Restore to original order to avoid breaking search tools.
Cc: stable(a)vger.kernel.org # v3.6
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3d3747b..e88f599 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1716,7 +1716,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
audit_log_format(ab,
" ppid=%ld pid=%d auid=%u uid=%u gid=%u"
" euid=%u suid=%u fsuid=%u"
- " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
+ " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
sys_getppid(),
tsk->pid,
from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
@@ -1728,7 +1728,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
from_kgid(&init_user_ns, cred->egid),
from_kgid(&init_user_ns, cred->sgid),
from_kgid(&init_user_ns, cred->fsgid),
- audit_get_sessionid(tsk), tty);
+ tty, audit_get_sessionid(tsk));
get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
--
1.7.1
10 years, 9 months
Re: [PATCH RFC 7/8] audit: report namespace information along with USER events
by Eric W. Biederman
Aristeu Rozanski <arozansk(a)redhat.com> writes:
> For userspace generated events, include a record with the namespace
> procfs inode numbers the process belongs to. This allows to track down
> and filter audit messages by userspace.
I am not comfortable with using the inode numbers this way. It does not
pass the test of can I migrate a container and still have this work
test. Any kind of kernel assigned name for namespaces fails that test.
I also don't like that you don't include the procfs device number. An
inode number means nothing without knowing which filesystem you are
referring to.
It may never happen but I reserve the right to have the inode numbers
for namespaces to show up differently in different instances of procfs.
Beyond that I think this usage is possibly buggy by using two audit
records for one event.
> Signed-off-by: Aristeu Rozanski <arozansk(a)redhat.com>
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 51 +++++++++++++++++++++++++++++++++++++++++++-
> 2 files changed, 51 insertions(+), 1 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 9f096f1..3ec3ccb 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -106,6 +106,7 @@
> #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
> #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
> #define AUDIT_SECCOMP 1326 /* Secure Computing event */
> +#define AUDIT_USER_NAMESPACE 1327 /* Information about process' namespaces */
>
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 58db117..b17f9c0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,6 +62,11 @@
> #include <linux/freezer.h>
> #include <linux/tty.h>
> #include <linux/pid_namespace.h>
> +#include <linux/ipc_namespace.h>
> +#include <linux/mnt_namespace.h>
> +#include <linux/utsname.h>
> +#include <linux/user_namespace.h>
> +#include <net/net_namespace.h>
>
> #include "audit.h"
>
> @@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
> return rc;
> }
>
> +#ifdef CONFIG_NAMESPACES
> +static int audit_log_namespaces(struct task_struct *tsk,
> + struct sk_buff *skb)
> +{
> + struct audit_context *ctx = tsk->audit_context;
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return 0;
> +
> + ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE);
> + if (unlikely(!ab))
> + return -ENOMEM;
> +
> + audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk));
> +#ifdef CONFIG_NET_NS
> + audit_log_format(ab, " net=%u", netns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_UTS_NS
> + audit_log_format(ab, " uts=%u", utsns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_IPC_NS
> + audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_PID_NS
> + audit_log_format(ab, " pid=%u", pidns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_USER_NS
> + audit_log_format(ab, " user=%u", userns_get_inum(tsk));
> +#endif
> + audit_set_pid(ab, NETLINK_CB(skb).portid);
> + audit_log_end(ab);
> +
> + return 0;
> +}
> +#else
> +static inline int audit_log_namespaces(struct task_struct *tsk,
> + struct sk_buff *skb)
> +{
> + return 0;
> +}
> +#endif
> +
> static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> {
> u32 seq, sid;
> @@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> }
> audit_log_common_recv_msg(&ab, msg_type,
> loginuid, sessionid, sid,
> - NULL);
> + current->audit_context);
>
> if (msg_type != AUDIT_USER_TTY)
> audit_log_format(ab, " msg='%.1024s'",
> @@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> }
> audit_set_pid(ab, NETLINK_CB(skb).portid);
> audit_log_end(ab);
> + audit_log_namespaces(current, skb);
> }
> break;
> case AUDIT_ADD:
10 years, 9 months
[PATCH] audit: printk USER_AVC messages when audit isn't enabled
by Tyler Hicks
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of
4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
---
It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean
up audit_receive_msg()") introduced this bug, so I think that this patch should
also get the tag:
Cc: <stable(a)kernel.org> # v2.6.25+
Al and Eric, I'll leave that up to you two.
Here's my test matrix showing where messages end up as a result of a call to
libaudit's audit_log_user_avc_message():
| unpatched patched
----------------+--------------------------------
w/o audit=1 & | *dropped* syslog
w/o auditd |
|
w/ audit=1 & | syslog syslog
w/o auditd |
|
w/o audit=1 & | audit.log audit.log
w/ auditd |
|
w/ audit=1 & | audit.log audit.log
w/ auditd |
Thanks!
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..f4f2773 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
--
1.8.3.2
10 years, 9 months
[GIT PULL] audit subsystem for 3.14
by Eric Paris
Linus,
Please consider pulling the following audit changes. Again we stayed
pretty well contained inside the audit system. Venturing out was fixing
a couple of function prototypes which were inconsistent (didn't hurt
anything, but we used the same value as an int, uint, u32, and I think
even a long in a couple of places). We also made a couple of minor
changes to when a couple of LSMs called the audit system. We hoped to
add aarch64 audit support this go round, but it wasn't ready.
There is one merge issue. Take your code, then convert the prototype
for the first 4 functions changing the "u32 ses" to "unsigned int ses".
(Do not change the u32 secid)
I'm disappearing on vacation on Thursday. I should have internet
access, but it'll be spotty. If anything goes wrong please be sure to
cc rgb(a)redhat.com. He'll make fixing things his top priority.
-Eric
The following changes since commit fc582aef7dcc27a7120cf232c1e76c569c7b6eab:
Merge tag 'v3.12' (2013-11-22 18:57:54 -0500)
are available in the git repository at:
git://git.infradead.org/users/eparis/audit.git master
for you to fetch changes up to f3411cb2b2e396a41ed3a439863f028db7140a34:
audit: whitespace fix in kernel-parameters.txt (2014-01-17 17:15:02 -0500)
----------------------------------------------------------------
AKASHI Takahiro (2):
audit: correct a type mismatch in audit_syscall_exit()
audit: Modify a set of system calls in audit class definitions
Dan Duval (2):
audit: efficiency fix 1: only wake up if queue shorter than backlog limit
audit: efficiency fix 2: request exclusive wait since all need same resource
Eric Paris (8):
audit: convert all sessionid declaration to unsigned int
audit: wait_for_auditd rework for readability
audit: documentation of audit= kernel parameter
audit: use define's for audit version
audit: remove needless switch in AUDIT_SET
audit: rework AUDIT_TTY_SET to only grab spin_lock once
audit: reorder AUDIT_TTY_SET arguments
audit: remove pr_info for every network namespace
Eric W. Biederman (1):
audit: Simplify and correct audit_log_capset
Gao feng (7):
audit: remove useless code in audit_enable
audit: fix incorrect order of log new and old feature
audit: don't generate audit feature changed log when audit disabled
audit: use old_lock in audit_set_feature
audit: don't generate loginuid log when audit disabled
audit: print error message when fail to create audit socket
audit: fix incorrect set of audit_sock
Joe Perches (3):
audit: Use hex_byte_pack_upper
audit: Use more current logging style
audit: Convert int limit uses to u32
Paul Davies C (2):
audit: drop audit_log_abend()
audit: Added exe field to audit core dump signal log
Richard Guy Briggs (24):
audit: fix netlink portid naming and types
audit: restore order of tty and ses fields in log output
audit: listen in all network namespaces
audit: reset audit backlog wait time after error recovery
audit: make use of remaining sleep time from wait_for_auditd
documentation: document the audit= kernel start-up parameter
audit: add kernel set-up parameter to override default backlog limit
audit: clean up AUDIT_GET/SET local variables and future-proof API
audit: add audit_backlog_wait_time configuration option
audit: fix incorrect type of sessionid
audit: allow unlimited backlog queue
audit: get rid of *NO* daemon at audit_pid=0 message
audit: log AUDIT_TTY_SET config changes
audit: refactor audit_receive_msg() to clarify AUDIT_*_RULE* cases
audit: prevent an older auditd shutdown from orphaning a newer auditd startup
selinux: call WARN_ONCE() instead of calling audit_log_start()
smack: call WARN_ONCE() instead of calling audit_log_start()
audit: drop audit_cmd_lock in AUDIT_USER family of cases
audit: log on errors from filter user rules
audit: fix dangling keywords in audit_log_set_loginuid() output
audit: log task info on feature change
audit: update MAINTAINERS
audit: fix location of __net_initdata for audit_net_ops
audit: whitespace fix in kernel-parameters.txt
Toshiyuki Okajima (1):
audit: audit_log_start running on auditd should not stop
Documentation/kernel-parameters.txt | 16 ++++++
MAINTAINERS | 3 +-
drivers/tty/tty_audit.c | 2 +-
include/asm-generic/audit_change_attr.h | 4 +-
include/asm-generic/audit_write.h | 6 +++
include/linux/audit.h | 22 ++++----
include/linux/init_task.h | 2 +-
include/net/netlabel.h | 2 +-
include/net/xfrm.h | 20 +++----
include/uapi/linux/audit.h | 8 +++
kernel/audit.c | 365 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------
kernel/audit.h | 15 ++++--
kernel/auditfilter.c | 93 +++++++++++++++++++--------------
kernel/auditsc.c | 44 +++++++++-------
kernel/capability.c | 2 +-
net/xfrm/xfrm_policy.c | 8 +--
net/xfrm/xfrm_state.c | 6 +--
net/xfrm/xfrm_user.c | 12 ++---
security/selinux/ss/services.c | 12 ++---
security/smack/smack_lsm.c | 5 +-
20 files changed, 404 insertions(+), 243 deletions(-)
10 years, 9 months
Suppressing logs with kernel.printk
by Aaron Lewis
Hi,
I'm trying to suppress logs from auditd with sysctl options,
So I set kernel.printk to 4 4 4 4
And modified KLOGD_OPTIONS to "-x -c 4"
Then I restarted syslogd and klogd
But I still see auditd logs piling up, anything wrong? auditd is using
kenrel.notice for sure
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
10 years, 9 months
[PATCH] audit/userspace: add support for the parisc architecture
by Helge Deller
The patch below adds support for the parisc architecture to the audit
userspace tool.
It would be great if you could apply this patch to trunk.
I posted the corresponding Linux kernel patch to the parisc mailing list
(https://patchwork.kernel.org/patch/3046731/) and plan to push it upstream when
the merge window for Linux kernel v3.13 opens.
Signed-off-by: Helge Deller <deller(a)gmx.de>
--- audit-2.3.2.orig/lib/Makefile.am
+++ audit-2.3.2/lib/Makefile.am
@@ -40,7 +40,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOU
BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
- s390x_tables.h x86_64_tables.h
+ s390x_tables.h x86_64_tables.h parisc_tables.h
if USE_ALPHA
BUILT_SOURCES += alpha_tables.h
endif
@@ -54,7 +54,7 @@ noinst_PROGRAMS = gen_actiontabs_h gen_e
gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
- gen_s390x_tables_h gen_x86_64_tables_h
+ gen_s390x_tables_h gen_x86_64_tables_h gen_parisc_tables_h
if USE_ALPHA
noinst_PROGRAMS += gen_alpha_tables_h
endif
@@ -142,6 +142,11 @@ gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '
ppc_tables.h: gen_ppc_tables_h Makefile
./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
+gen_parisc_tables_h_SOURCES = gen_tables.c gen_tables.h parisc_table.h
+gen_parisc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="parisc_table.h"'
+parisc_tables.h: gen_parisc_tables_h Makefile
+ ./gen_parisc_tables_h --lowercase --i2s --s2i parisc_syscall > $@
+
gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
s390_tables.h: gen_s390_tables_h Makefile
--- audit-2.3.2.orig/lib/libaudit.c
+++ audit-2.3.2/lib/libaudit.c
@@ -1304,6 +1304,9 @@ int audit_rule_fieldpair_data(struct aud
machine == MACH_PPC64)
machine = MACH_PPC;
else if (bits == ~__AUDIT_ARCH_64BIT &&
+ machine == MACH_PARISC64)
+ machine = MACH_PARISC;
+ else if (bits == ~__AUDIT_ARCH_64BIT &&
machine == MACH_S390X)
machine = MACH_S390;
@@ -1324,6 +1327,10 @@ int audit_rule_fieldpair_data(struct aud
if (bits == __AUDIT_ARCH_64BIT)
return -6;
break;
+ case MACH_PARISC:
+ if (bits == __AUDIT_ARCH_64BIT)
+ return -6;
+ break;
case MACH_S390:
if (bits == __AUDIT_ARCH_64BIT)
return -6;
@@ -1342,6 +1349,7 @@ int audit_rule_fieldpair_data(struct aud
#endif
case MACH_86_64: /* fallthrough */
case MACH_PPC64: /* fallthrough */
+ case MACH_PARISC64: /* fallthrough */
case MACH_S390X: /* fallthrough */
break;
default:
--- audit-2.3.2.orig/lib/libaudit.h
+++ audit-2.3.2/lib/libaudit.h
@@ -417,7 +417,9 @@ typedef enum {
MACH_S390,
MACH_ALPHA,
MACH_ARMEB,
- MACH_AARCH64
+ MACH_AARCH64,
+ MACH_PARISC64,
+ MACH_PARISC
} machine_t;
/* These are the valid audit failure tunable enum values */
--- audit-2.3.2.orig/lib/lookup_table.c
+++ audit-2.3.2/lib/lookup_table.c
@@ -47,6 +47,7 @@
#include "i386_tables.h"
#include "ia64_tables.h"
#include "ppc_tables.h"
+#include "parisc_tables.h"
#include "s390_tables.h"
#include "s390x_tables.h"
#include "x86_64_tables.h"
@@ -82,6 +83,8 @@ static const struct int_transtab elftab[
#ifdef WITH_AARCH64
{ MACH_AARCH64, AUDIT_ARCH_AARCH64},
#endif
+ { MACH_PARISC64,AUDIT_ARCH_PARISC64 },
+ { MACH_PARISC, AUDIT_ARCH_PARISC },
};
#define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0]))
@@ -126,6 +129,10 @@ int audit_name_to_syscall(const char *sc
case MACH_PPC:
found = ppc_syscall_s2i(sc, &res);
break;
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ found = parisc_syscall_s2i(sc, &res);
+ break;
case MACH_S390X:
found = s390x_syscall_s2i(sc, &res);
break;
@@ -171,6 +178,9 @@ const char *audit_syscall_to_name(int sc
case MACH_PPC64:
case MACH_PPC:
return ppc_syscall_i2s(sc);
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ return parisc_syscall_i2s(sc);
case MACH_S390X:
return s390x_syscall_i2s(sc);
case MACH_S390:
--- audit-2.3.2.orig/lib/machinetab.h
+++ audit-2.3.2/lib/machinetab.h
@@ -43,3 +43,5 @@ _S(MACH_ARMEB, "armv7l")
#ifdef WITH_AARCH64
_S(MACH_AARCH64, "aarch64" )
#endif
+_S(MACH_PARISC64, "parisc64" )
+_S(MACH_PARISC, "parisc" )
--- /dev/null
+++ audit-2.3.2/lib/parisc_table.h
@@ -0,0 +1,333 @@
+_S(0, "restart_syscall")
+_S(1, "exit")
+_S(2, "fork")
+_S(3, "read")
+_S(4, "write")
+_S(5, "open")
+_S(6, "close")
+_S(7, "waitpid")
+_S(8, "creat")
+_S(9, "link")
+_S(10, "unlink")
+_S(11, "execve")
+_S(12, "chdir")
+_S(13, "time")
+_S(14, "mknod")
+_S(15, "chmod")
+_S(16, "lchown")
+_S(17, "socket")
+_S(18, "stat")
+_S(19, "lseek")
+_S(20, "getpid")
+_S(21, "mount")
+_S(22, "bind")
+_S(23, "setuid")
+_S(24, "getuid")
+_S(25, "stime")
+_S(26, "ptrace")
+_S(27, "alarm")
+_S(28, "fstat")
+_S(29, "pause")
+_S(30, "utime")
+_S(31, "connect")
+_S(32, "listen")
+_S(33, "access")
+_S(34, "nice")
+_S(35, "accept")
+_S(36, "sync")
+_S(37, "kill")
+_S(38, "rename")
+_S(39, "mkdir")
+_S(40, "rmdir")
+_S(41, "dup")
+_S(42, "pipe")
+_S(43, "times")
+_S(44, "getsockname")
+_S(45, "brk")
+_S(46, "setgid")
+_S(47, "getgid")
+_S(48, "signal")
+_S(49, "geteuid")
+_S(50, "getegid")
+_S(51, "acct")
+_S(52, "umount2")
+_S(53, "getpeername")
+_S(54, "ioctl")
+_S(55, "fcntl")
+_S(56, "socketpair")
+_S(57, "setpgid")
+_S(58, "send")
+_S(59, "uname")
+_S(60, "umask")
+_S(61, "chroot")
+_S(62, "ustat")
+_S(63, "dup2")
+_S(64, "getppid")
+_S(65, "getpgrp")
+_S(66, "setsid")
+_S(67, "pivot_root")
+_S(68, "sgetmask")
+_S(69, "ssetmask")
+_S(70, "setreuid")
+_S(71, "setregid")
+_S(72, "mincore")
+_S(73, "sigpending")
+_S(74, "sethostname")
+_S(75, "setrlimit")
+_S(76, "getrlimit")
+_S(77, "getrusage")
+_S(78, "gettimeofday")
+_S(79, "settimeofday")
+_S(80, "getgroups")
+_S(81, "setgroups")
+_S(82, "sendto")
+_S(83, "symlink")
+_S(84, "lstat")
+_S(85, "readlink")
+_S(86, "uselib")
+_S(87, "swapon")
+_S(88, "reboot")
+_S(89, "mmap2")
+_S(90, "mmap")
+_S(91, "munmap")
+_S(92, "truncate")
+_S(93, "ftruncate")
+_S(94, "fchmod")
+_S(95, "fchown")
+_S(96, "getpriority")
+_S(97, "setpriority")
+_S(98, "recv")
+_S(99, "statfs")
+_S(100, "fstatfs")
+_S(101, "stat64")
+_S(103, "syslog")
+_S(104, "setitimer")
+_S(105, "getitimer")
+_S(106, "capget")
+_S(107, "capset")
+_S(108, "pread64")
+_S(109, "pwrite64")
+_S(110, "getcwd")
+_S(111, "vhangup")
+_S(112, "fstat64")
+_S(113, "vfork")
+_S(114, "wait4")
+_S(115, "swapoff")
+_S(116, "sysinfo")
+_S(117, "shutdown")
+_S(118, "fsync")
+_S(119, "madvise")
+_S(120, "clone")
+_S(121, "setdomainname")
+_S(122, "sendfile")
+_S(123, "recvfrom")
+_S(124, "adjtimex")
+_S(125, "mprotect")
+_S(126, "sigprocmask")
+_S(127, "create_module")
+_S(128, "init_module")
+_S(129, "delete_module")
+_S(130, "get_kernel_syms")
+_S(131, "quotactl")
+_S(132, "getpgid")
+_S(133, "fchdir")
+_S(134, "bdflush")
+_S(135, "sysfs")
+_S(136, "personality")
+_S(137, "afs_syscall")
+_S(138, "setfsuid")
+_S(139, "setfsgid")
+_S(140, "_llseek")
+_S(141, "getdents")
+_S(142, "_newselect")
+_S(143, "flock")
+_S(144, "msync")
+_S(145, "readv")
+_S(146, "writev")
+_S(147, "getsid")
+_S(148, "fdatasync")
+_S(149, "_sysctl")
+_S(150, "mlock")
+_S(151, "munlock")
+_S(152, "mlockall")
+_S(153, "munlockall")
+_S(154, "sched_setparam")
+_S(155, "sched_getparam")
+_S(156, "sched_setscheduler")
+_S(157, "sched_getscheduler")
+_S(158, "sched_yield")
+_S(159, "sched_get_priority_max")
+_S(160, "sched_get_priority_min")
+_S(161, "sched_rr_get_interval")
+_S(162, "nanosleep")
+_S(163, "mremap")
+_S(164, "setresuid")
+_S(165, "getresuid")
+_S(166, "sigaltstack")
+_S(167, "query_module")
+_S(168, "poll")
+_S(169, "nfsservctl")
+_S(170, "setresgid")
+_S(171, "getresgid")
+_S(172, "prctl")
+_S(173, "rt_sigreturn")
+_S(174, "rt_sigaction")
+_S(175, "rt_sigprocmask")
+_S(176, "rt_sigpending")
+_S(177, "rt_sigtimedwait")
+_S(178, "rt_sigqueueinfo")
+_S(179, "rt_sigsuspend")
+_S(180, "chown")
+_S(181, "setsockopt")
+_S(182, "getsockopt")
+_S(183, "sendmsg")
+_S(184, "recvmsg")
+_S(185, "semop")
+_S(186, "semget")
+_S(187, "semctl")
+_S(188, "msgsnd")
+_S(189, "msgrcv")
+_S(190, "msgget")
+_S(191, "msgctl")
+_S(192, "shmat")
+_S(193, "shmdt")
+_S(194, "shmget")
+_S(195, "shmctl")
+_S(196, "getpmsg")
+_S(197, "putpmsg")
+_S(198, "lstat64")
+_S(199, "truncate64")
+_S(200, "ftruncate64")
+_S(201, "getdents64")
+_S(202, "fcntl64")
+_S(203, "attrctl")
+_S(204, "acl_get")
+_S(205, "acl_set")
+_S(206, "gettid")
+_S(207, "readahead")
+_S(208, "tkill")
+_S(209, "sendfile64")
+_S(210, "futex")
+_S(211, "sched_setaffinity")
+_S(212, "sched_getaffinity")
+_S(213, "set_thread_area")
+_S(214, "get_thread_area")
+_S(215, "io_setup")
+_S(216, "io_destroy")
+_S(217, "io_getevents")
+_S(218, "io_submit")
+_S(219, "io_cancel")
+_S(220, "alloc_hugepages")
+_S(221, "free_hugepages")
+_S(222, "exit_group")
+_S(223, "lookup_dcookie")
+_S(224, "epoll_create")
+_S(225, "epoll_ctl")
+_S(226, "epoll_wait")
+_S(227, "remap_file_pages")
+_S(228, "semtimedop")
+_S(229, "mq_open")
+_S(230, "mq_unlink")
+_S(231, "mq_timedsend")
+_S(232, "mq_timedreceive")
+_S(233, "mq_notify")
+_S(234, "mq_getsetattr")
+_S(235, "waitid")
+_S(236, "fadvise64_64")
+_S(237, "set_tid_address")
+_S(238, "setxattr")
+_S(239, "lsetxattr")
+_S(240, "fsetxattr")
+_S(241, "getxattr")
+_S(242, "lgetxattr")
+_S(243, "fgetxattr")
+_S(244, "listxattr")
+_S(245, "llistxattr")
+_S(246, "flistxattr")
+_S(247, "removexattr")
+_S(248, "lremovexattr")
+_S(249, "fremovexattr")
+_S(250, "timer_create")
+_S(251, "timer_settime")
+_S(252, "timer_gettime")
+_S(253, "timer_getoverrun")
+_S(254, "timer_delete")
+_S(255, "clock_settime")
+_S(256, "clock_gettime")
+_S(257, "clock_getres")
+_S(258, "clock_nanosleep")
+_S(259, "tgkill")
+_S(260, "mbind")
+_S(261, "get_mempolicy")
+_S(262, "set_mempolicy")
+_S(263, "vserver")
+_S(264, "add_key")
+_S(265, "request_key")
+_S(266, "keyctl")
+_S(267, "ioprio_set")
+_S(268, "ioprio_get")
+_S(269, "inotify_init")
+_S(270, "inotify_add_watch")
+_S(271, "inotify_rm_watch")
+_S(272, "migrate_pages")
+_S(273, "pselect6")
+_S(274, "ppoll")
+_S(275, "openat")
+_S(276, "mkdirat")
+_S(277, "mknodat")
+_S(278, "fchownat")
+_S(279, "futimesat")
+_S(280, "fstatat64")
+_S(281, "unlinkat")
+_S(282, "renameat")
+_S(283, "linkat")
+_S(284, "symlinkat")
+_S(285, "readlinkat")
+_S(286, "fchmodat")
+_S(287, "faccessat")
+_S(288, "unshare")
+_S(289, "set_robust_list")
+_S(290, "get_robust_list")
+_S(291, "splice")
+_S(292, "sync_file_range")
+_S(293, "tee")
+_S(294, "vmsplice")
+_S(295, "move_pages")
+_S(296, "getcpu")
+_S(297, "epoll_pwait")
+_S(298, "statfs64")
+_S(299, "fstatfs64")
+_S(300, "kexec_load")
+_S(301, "utimensat")
+_S(302, "signalfd")
+_S(303, "timerfd")
+_S(304, "eventfd")
+_S(305, "fallocate")
+_S(306, "timerfd_create")
+_S(307, "timerfd_settime")
+_S(308, "timerfd_gettime")
+_S(309, "signalfd4")
+_S(310, "eventfd2")
+_S(311, "epoll_create1")
+_S(312, "dup3")
+_S(313, "pipe2")
+_S(314, "inotify_init1")
+_S(315, "preadv")
+_S(316, "pwritev")
+_S(317, "rt_tgsigqueueinfo")
+_S(318, "perf_event_open")
+_S(319, "recvmmsg")
+_S(320, "accept4")
+_S(321, "prlimit64")
+_S(322, "fanotify_init")
+_S(323, "fanotify_mark")
+_S(324, "clock_adjtime")
+_S(325, "name_to_handle_at")
+_S(326, "open_by_handle_at")
+_S(327, "syncfs")
+_S(328, "setns")
+_S(329, "sendmmsg")
+_S(330, "process_vm_readv")
+_S(331, "process_vm_writev")
+_S(332, "kcmp")
+_S(333, "finit_module")
--- audit-2.3.2.orig/lib/syscall-update.txt
+++ audit-2.3.2/lib/syscall-update.txt
@@ -18,3 +18,6 @@ For adding new arches, the following mig
cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; '
it will still need hand editing
+
+for parisc:
+cat /usr/include/hppa-linux-gnu/asm/unistd.h | grep '^#define __NR_' | grep \(__NR_Linux | sed "s/#define *__NR_//g" | tr -d ")" | awk '{ printf "_S(%s, \"%s\")\n", $4, $1 };'
--- audit-2.3.2.orig/lib/test/lookup_test.c
+++ audit-2.3.2/lib/test/lookup_test.c
@@ -222,6 +222,23 @@ test_ppc_table(void)
}
static void
+test_parisc_table(void)
+{
+ static const struct entry t[] = {
+#include "../parisc_table.h"
+ };
+
+ printf("Testing parisc_table...\n");
+#define I2S(I) audit_syscall_to_name((I), MACH_PARISC)
+#define S2I(S) audit_name_to_syscall((S), MACH_PARISC)
+ TEST_I2S(0);
+ TEST_S2I(-1);
+#undef I2S
+#undef S2I
+}
+
+
+static void
test_s390_table(void)
{
static const struct entry t[] = {
@@ -415,6 +432,7 @@ main(void)
test_i386_table();
test_ia64_table();
test_ppc_table();
+ test_parisc_table();
test_s390_table();
test_s390x_table();
test_x86_64_table();
10 years, 9 months
What is the bug
by Burn Alting
All,
Consider the following raw audit event ...
node=fedora20.swtf.dyndns.org type=CONFIG_CHANGE
msg=audit(1390028319.573:20803): auid=4294967295 ses=4294967295
subj=system_u:system_r:auditctl_t:s0 op="remove rule"
key="time-change" list=4 res=1
When the auparse library parses this event event, it does not correctly
parse the 'op' value and so both auparse_get_field_str() and
auparse_interpret_field() both return '"remove' rather than 'remove
rule'.
Now, I seem to recollect an earlier e-mail that would suggest the bug is
in kernel/auditfilter.c:audit_receive_filter() as it calls
audit_log_rule_change() with the string "add rule" or "remove rule". One
assumes we need to perhaps either
a. replace the space with a hyphen in these arguments, or
b. in kernel/auditfilter.c:audit_log_rule_change() replace the call
audit_log_string(ab, action);
with
audit_log_untrustedstring(ab, action);
If this is the case, then is there any appetite to have these bugs fixed
on the next update to the kernel audit code?
Thanks in advance
Burn
10 years, 9 months