January 2014 - Linux-audit - Linux-Audit List Archives

[PATCH v6 1/3] mm: Create utility function for accessing a tasks commandline value

by William Roberts

introduce get_cmdline() for retreiving the value of a processes proc/self/cmdline value. Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov> Signed-off-by: William Roberts <wroberts(a)tresys.com> --- include/linux/mm.h | 1 + mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index f28f46e..db89a94 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1175,6 +1175,7 @@ void account_page_writeback(struct page *page); int set_page_dirty(struct page *page); int set_page_dirty_lock(struct page *page); int clear_page_dirty_for_io(struct page *page); +int get_cmdline(struct task_struct *task, char *buffer, int buflen); /* Is the vma a continuation of the stack vma above it? */ static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) diff --git a/mm/util.c b/mm/util.c index a24aa22..8122710 100644 --- a/mm/util.c +++ b/mm/util.c @@ -445,6 +445,54 @@ unsigned long vm_commit_limit(void) return allowed; } +/** + * get_cmdline() - copy the cmdline value to a buffer. + * @task: the task whose cmdline value to copy. + * @buffer: the buffer to copy to. + * @buflen: the length of the buffer. Larger cmdline values are truncated + * to this length. + * Returns the size of the cmdline field copied. Note that the copy does + * not guarantee an ending NULL byte. + */ +int get_cmdline(struct task_struct *task, char *buffer, int buflen) +{ + int res = 0; + unsigned int len; + struct mm_struct *mm = get_task_mm(task); + if (!mm) + goto out; + if (!mm->arg_end) + goto out_mm; /* Shh! No looking before we're done */ + + len = mm->arg_end - mm->arg_start; + + if (len > buflen) + len = buflen; + + res = access_process_vm(task, mm->arg_start, buffer, len, 0); + + /* + * If the nul at the end of args has been overwritten, then + * assume application is using setproctitle(3). + */ + if (res > 0 && buffer[res-1] != '\0' && len < buflen) { + len = strnlen(buffer, res); + if (len < res) { + res = len; + } else { + len = mm->env_end - mm->env_start; + if (len > buflen - res) + len = buflen - res; + res += access_process_vm(task, mm->env_start, + buffer+res, len, 0); + res = strnlen(buffer, res); + } + } +out_mm: + mmput(mm); +out: + return res; +} /* Tracepoints definitions. */ EXPORT_TRACEPOINT_SYMBOL(kmalloc); -- 1.7.9.5

10 years, 11 months

1
2
0 / 0

[PATCH v5 1/3] mm: Create utility function for accessing a tasks commandline value

by William Roberts

introduce get_cmdline() for retreiving the value of a processes proc/self/cmdline value. Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov> Signed-off-by: William Roberts <wroberts(a)tresys.com> --- include/linux/mm.h | 1 + mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index f28f46e..db89a94 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1175,6 +1175,7 @@ void account_page_writeback(struct page *page); int set_page_dirty(struct page *page); int set_page_dirty_lock(struct page *page); int clear_page_dirty_for_io(struct page *page); +int get_cmdline(struct task_struct *task, char *buffer, int buflen); /* Is the vma a continuation of the stack vma above it? */ static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) diff --git a/mm/util.c b/mm/util.c index a24aa22..8122710 100644 --- a/mm/util.c +++ b/mm/util.c @@ -445,6 +445,54 @@ unsigned long vm_commit_limit(void) return allowed; } +/** + * get_cmdline() - copy the cmdline value to a buffer. + * @task: the task whose cmdline value to copy. + * @buffer: the buffer to copy to. + * @buflen: the length of the buffer. Larger cmdline values are truncated + * to this length. + * Returns the size of the cmdline field copied. Note that the copy does + * not guarantee an ending NULL byte. + */ +int get_cmdline(struct task_struct *task, char *buffer, int buflen) +{ + int res = 0; + unsigned int len; + struct mm_struct *mm = get_task_mm(task); + if (!mm) + goto out; + if (!mm->arg_end) + goto out_mm; /* Shh! No looking before we're done */ + + len = mm->arg_end - mm->arg_start; + + if (len > buflen) + len = buflen; + + res = access_process_vm(task, mm->arg_start, buffer, len, 0); + + /* + * If the nul at the end of args has been overwritten, then + * assume application is using setproctitle(3). + */ + if (res > 0 && buffer[res-1] != '\0' && len < buflen) { + len = strnlen(buffer, res); + if (len < res) { + res = len; + } else { + len = mm->env_end - mm->env_start; + if (len > buflen - res) + len = buflen - res; + res += access_process_vm(task, mm->env_start, + buffer+res, len, 0); + res = strnlen(buffer, res); + } + } +out_mm: + mmput(mm); +out: + return res; +} /* Tracepoints definitions. */ EXPORT_TRACEPOINT_SYMBOL(kmalloc); -- 1.7.9.5

10 years, 11 months

1
2
0 / 0

[PATCH v4 1/3] mm: Create utility function for accessing a tasks commandline value

by William Roberts

introduce get_cmdline() for retreiving the value of a processes proc/self/cmdline value. Signed-off-by: William Roberts <wroberts(a)tresys.com> --- include/linux/mm.h | 1 + mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index f28f46e..db89a94 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1175,6 +1175,7 @@ void account_page_writeback(struct page *page); int set_page_dirty(struct page *page); int set_page_dirty_lock(struct page *page); int clear_page_dirty_for_io(struct page *page); +int get_cmdline(struct task_struct *task, char *buffer, int buflen); /* Is the vma a continuation of the stack vma above it? */ static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr) diff --git a/mm/util.c b/mm/util.c index a24aa22..8122710 100644 --- a/mm/util.c +++ b/mm/util.c @@ -445,6 +445,54 @@ unsigned long vm_commit_limit(void) return allowed; } +/** + * get_cmdline() - copy the cmdline value to a buffer. + * @task: the task whose cmdline value to copy. + * @buffer: the buffer to copy to. + * @buflen: the length of the buffer. Larger cmdline values are truncated + * to this length. + * Returns the size of the cmdline field copied. Note that the copy does + * not guarantee an ending NULL byte. + */ +int get_cmdline(struct task_struct *task, char *buffer, int buflen) +{ + int res = 0; + unsigned int len; + struct mm_struct *mm = get_task_mm(task); + if (!mm) + goto out; + if (!mm->arg_end) + goto out_mm; /* Shh! No looking before we're done */ + + len = mm->arg_end - mm->arg_start; + + if (len > buflen) + len = buflen; + + res = access_process_vm(task, mm->arg_start, buffer, len, 0); + + /* + * If the nul at the end of args has been overwritten, then + * assume application is using setproctitle(3). + */ + if (res > 0 && buffer[res-1] != '\0' && len < buflen) { + len = strnlen(buffer, res); + if (len < res) { + res = len; + } else { + len = mm->env_end - mm->env_start; + if (len > buflen - res) + len = buflen - res; + res += access_process_vm(task, mm->env_start, + buffer+res, len, 0); + res = strnlen(buffer, res); + } + } +out_mm: + mmput(mm); +out: + return res; +} /* Tracepoints definitions. */ EXPORT_TRACEPOINT_SYMBOL(kmalloc); -- 1.7.9.5

10 years, 11 months

1
2
0 / 0

[PATCH] audit: restore order of tty and ses fields in log output

by Richard Guy Briggs

When being refactored from audit_log_start() to audit_log_task_info(), in commit e23eb920 the tty and ses fields in the log output got transposed. Restore to original order to avoid breaking search tools. Cc: stable(a)vger.kernel.org # v3.6 Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> --- kernel/audit.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 3d3747b..e88f599 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1716,7 +1716,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) audit_log_format(ab, " ppid=%ld pid=%d auid=%u uid=%u gid=%u" " euid=%u suid=%u fsuid=%u" - " egid=%u sgid=%u fsgid=%u ses=%u tty=%s", + " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", sys_getppid(), tsk->pid, from_kuid(&init_user_ns, audit_get_loginuid(tsk)), @@ -1728,7 +1728,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) from_kgid(&init_user_ns, cred->egid), from_kgid(&init_user_ns, cred->sgid), from_kgid(&init_user_ns, cred->fsgid), - audit_get_sessionid(tsk), tty); + tty, audit_get_sessionid(tsk)); get_task_comm(name, tsk); audit_log_format(ab, " comm="); -- 1.7.1

10 years, 11 months

1
0
0 / 0

Re: [PATCH RFC 7/8] audit: report namespace information along with USER events

by Eric W. Biederman

Aristeu Rozanski <arozansk(a)redhat.com> writes: > For userspace generated events, include a record with the namespace > procfs inode numbers the process belongs to. This allows to track down > and filter audit messages by userspace. I am not comfortable with using the inode numbers this way. It does not pass the test of can I migrate a container and still have this work test. Any kind of kernel assigned name for namespaces fails that test. I also don't like that you don't include the procfs device number. An inode number means nothing without knowing which filesystem you are referring to. It may never happen but I reserve the right to have the inode numbers for namespaces to show up differently in different instances of procfs. Beyond that I think this usage is possibly buggy by using two audit records for one event. > Signed-off-by: Aristeu Rozanski <arozansk(a)redhat.com> > --- > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 51 +++++++++++++++++++++++++++++++++++++++++++- > 2 files changed, 51 insertions(+), 1 deletions(-) > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 9f096f1..3ec3ccb 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -106,6 +106,7 @@ > #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */ > #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */ > #define AUDIT_SECCOMP 1326 /* Secure Computing event */ > +#define AUDIT_USER_NAMESPACE 1327 /* Information about process' namespaces */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.c b/kernel/audit.c > index 58db117..b17f9c0 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -62,6 +62,11 @@ > #include <linux/freezer.h> > #include <linux/tty.h> > #include <linux/pid_namespace.h> > +#include <linux/ipc_namespace.h> > +#include <linux/mnt_namespace.h> > +#include <linux/utsname.h> > +#include <linux/user_namespace.h> > +#include <net/net_namespace.h> > > #include "audit.h" > > @@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, > return rc; > } > > +#ifdef CONFIG_NAMESPACES > +static int audit_log_namespaces(struct task_struct *tsk, > + struct sk_buff *skb) > +{ > + struct audit_context *ctx = tsk->audit_context; > + struct audit_buffer *ab; > + > + if (!audit_enabled) > + return 0; > + > + ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE); > + if (unlikely(!ab)) > + return -ENOMEM; > + > + audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk)); > +#ifdef CONFIG_NET_NS > + audit_log_format(ab, " net=%u", netns_get_inum(tsk)); > +#endif > +#ifdef CONFIG_UTS_NS > + audit_log_format(ab, " uts=%u", utsns_get_inum(tsk)); > +#endif > +#ifdef CONFIG_IPC_NS > + audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk)); > +#endif > +#ifdef CONFIG_PID_NS > + audit_log_format(ab, " pid=%u", pidns_get_inum(tsk)); > +#endif > +#ifdef CONFIG_USER_NS > + audit_log_format(ab, " user=%u", userns_get_inum(tsk)); > +#endif > + audit_set_pid(ab, NETLINK_CB(skb).portid); > + audit_log_end(ab); > + > + return 0; > +} > +#else > +static inline int audit_log_namespaces(struct task_struct *tsk, > + struct sk_buff *skb) > +{ > + return 0; > +} > +#endif > + > static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > { > u32 seq, sid; > @@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > } > audit_log_common_recv_msg(&ab, msg_type, > loginuid, sessionid, sid, > - NULL); > + current->audit_context); > > if (msg_type != AUDIT_USER_TTY) > audit_log_format(ab, " msg='%.1024s'", > @@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > } > audit_set_pid(ab, NETLINK_CB(skb).portid); > audit_log_end(ab); > + audit_log_namespaces(current, skb); > } > break; > case AUDIT_ADD:

10 years, 11 months

3
2
0 / 0

[PATCH] audit: printk USER_AVC messages when audit isn't enabled

by Tyler Hicks

When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com --- It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean up audit_receive_msg()") introduced this bug, so I think that this patch should also get the tag: Cc: <stable(a)kernel.org> # v2.6.25+ Al and Eric, I'll leave that up to you two. Here's my test matrix showing where messages end up as a result of a call to libaudit's audit_log_user_avc_message(): | unpatched patched ----------------+-------------------------------- w/o audit=1 & | *dropped* syslog w/o auditd | | w/ audit=1 & | syslog syslog w/o auditd | | w/o audit=1 & | audit.log audit.log w/ auditd | | w/ audit=1 & | audit.log audit.log w/ auditd | Thanks! kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..f4f2773 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) int rc = 0; uid_t uid = from_kuid(&init_user_ns, current_uid()); - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; } -- 1.8.3.2

10 years, 11 months

3
4
0 / 0

[GIT PULL] audit subsystem for 3.14

by Eric Paris

Linus, Please consider pulling the following audit changes. Again we stayed pretty well contained inside the audit system. Venturing out was fixing a couple of function prototypes which were inconsistent (didn't hurt anything, but we used the same value as an int, uint, u32, and I think even a long in a couple of places). We also made a couple of minor changes to when a couple of LSMs called the audit system. We hoped to add aarch64 audit support this go round, but it wasn't ready. There is one merge issue. Take your code, then convert the prototype for the first 4 functions changing the "u32 ses" to "unsigned int ses". (Do not change the u32 secid) I'm disappearing on vacation on Thursday. I should have internet access, but it'll be spotty. If anything goes wrong please be sure to cc rgb(a)redhat.com. He'll make fixing things his top priority. -Eric The following changes since commit fc582aef7dcc27a7120cf232c1e76c569c7b6eab: Merge tag 'v3.12' (2013-11-22 18:57:54 -0500) are available in the git repository at: git://git.infradead.org/users/eparis/audit.git master for you to fetch changes up to f3411cb2b2e396a41ed3a439863f028db7140a34: audit: whitespace fix in kernel-parameters.txt (2014-01-17 17:15:02 -0500) ---------------------------------------------------------------- AKASHI Takahiro (2): audit: correct a type mismatch in audit_syscall_exit() audit: Modify a set of system calls in audit class definitions Dan Duval (2): audit: efficiency fix 1: only wake up if queue shorter than backlog limit audit: efficiency fix 2: request exclusive wait since all need same resource Eric Paris (8): audit: convert all sessionid declaration to unsigned int audit: wait_for_auditd rework for readability audit: documentation of audit= kernel parameter audit: use define's for audit version audit: remove needless switch in AUDIT_SET audit: rework AUDIT_TTY_SET to only grab spin_lock once audit: reorder AUDIT_TTY_SET arguments audit: remove pr_info for every network namespace Eric W. Biederman (1): audit: Simplify and correct audit_log_capset Gao feng (7): audit: remove useless code in audit_enable audit: fix incorrect order of log new and old feature audit: don't generate audit feature changed log when audit disabled audit: use old_lock in audit_set_feature audit: don't generate loginuid log when audit disabled audit: print error message when fail to create audit socket audit: fix incorrect set of audit_sock Joe Perches (3): audit: Use hex_byte_pack_upper audit: Use more current logging style audit: Convert int limit uses to u32 Paul Davies C (2): audit: drop audit_log_abend() audit: Added exe field to audit core dump signal log Richard Guy Briggs (24): audit: fix netlink portid naming and types audit: restore order of tty and ses fields in log output audit: listen in all network namespaces audit: reset audit backlog wait time after error recovery audit: make use of remaining sleep time from wait_for_auditd documentation: document the audit= kernel start-up parameter audit: add kernel set-up parameter to override default backlog limit audit: clean up AUDIT_GET/SET local variables and future-proof API audit: add audit_backlog_wait_time configuration option audit: fix incorrect type of sessionid audit: allow unlimited backlog queue audit: get rid of *NO* daemon at audit_pid=0 message audit: log AUDIT_TTY_SET config changes audit: refactor audit_receive_msg() to clarify AUDIT_*_RULE* cases audit: prevent an older auditd shutdown from orphaning a newer auditd startup selinux: call WARN_ONCE() instead of calling audit_log_start() smack: call WARN_ONCE() instead of calling audit_log_start() audit: drop audit_cmd_lock in AUDIT_USER family of cases audit: log on errors from filter user rules audit: fix dangling keywords in audit_log_set_loginuid() output audit: log task info on feature change audit: update MAINTAINERS audit: fix location of __net_initdata for audit_net_ops audit: whitespace fix in kernel-parameters.txt Toshiyuki Okajima (1): audit: audit_log_start running on auditd should not stop Documentation/kernel-parameters.txt | 16 ++++++ MAINTAINERS | 3 +- drivers/tty/tty_audit.c | 2 +- include/asm-generic/audit_change_attr.h | 4 +- include/asm-generic/audit_write.h | 6 +++ include/linux/audit.h | 22 ++++---- include/linux/init_task.h | 2 +- include/net/netlabel.h | 2 +- include/net/xfrm.h | 20 +++---- include/uapi/linux/audit.h | 8 +++ kernel/audit.c | 365 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------------- kernel/audit.h | 15 ++++-- kernel/auditfilter.c | 93 +++++++++++++++++++-------------- kernel/auditsc.c | 44 +++++++++------- kernel/capability.c | 2 +- net/xfrm/xfrm_policy.c | 8 +-- net/xfrm/xfrm_state.c | 6 +-- net/xfrm/xfrm_user.c | 12 ++--- security/selinux/ss/services.c | 12 ++--- security/smack/smack_lsm.c | 5 +- 20 files changed, 404 insertions(+), 243 deletions(-)

10 years, 11 months

1
0
0 / 0

Suppressing logs with kernel.printk

by Aaron Lewis

Hi, I'm trying to suppress logs from auditd with sysctl options, So I set kernel.printk to 4 4 4 4 And modified KLOGD_OPTIONS to "-x -c 4" Then I restarted syslogd and klogd But I still see auditd logs piling up, anything wrong? auditd is using kenrel.notice for sure -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

10 years, 11 months

2
3
0 / 0

[PATCH] audit/userspace: add support for the parisc architecture

by Helge Deller

The patch below adds support for the parisc architecture to the audit userspace tool. It would be great if you could apply this patch to trunk. I posted the corresponding Linux kernel patch to the parisc mailing list (https://patchwork.kernel.org/patch/3046731/) and plan to push it upstream when the merge window for Linux kernel v3.13 opens. Signed-off-by: Helge Deller <deller(a)gmx.de> --- audit-2.3.2.orig/lib/Makefile.am +++ audit-2.3.2/lib/Makefile.am @@ -40,7 +40,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOU BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \ msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ - s390x_tables.h x86_64_tables.h + s390x_tables.h x86_64_tables.h parisc_tables.h if USE_ALPHA BUILT_SOURCES += alpha_tables.h endif @@ -54,7 +54,7 @@ noinst_PROGRAMS = gen_actiontabs_h gen_e gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \ gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \ gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \ - gen_s390x_tables_h gen_x86_64_tables_h + gen_s390x_tables_h gen_x86_64_tables_h gen_parisc_tables_h if USE_ALPHA noinst_PROGRAMS += gen_alpha_tables_h endif @@ -142,6 +142,11 @@ gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) ' ppc_tables.h: gen_ppc_tables_h Makefile ./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@ +gen_parisc_tables_h_SOURCES = gen_tables.c gen_tables.h parisc_table.h +gen_parisc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="parisc_table.h"' +parisc_tables.h: gen_parisc_tables_h Makefile + ./gen_parisc_tables_h --lowercase --i2s --s2i parisc_syscall > $@ + gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"' s390_tables.h: gen_s390_tables_h Makefile --- audit-2.3.2.orig/lib/libaudit.c +++ audit-2.3.2/lib/libaudit.c @@ -1304,6 +1304,9 @@ int audit_rule_fieldpair_data(struct aud machine == MACH_PPC64) machine = MACH_PPC; else if (bits == ~__AUDIT_ARCH_64BIT && + machine == MACH_PARISC64) + machine = MACH_PARISC; + else if (bits == ~__AUDIT_ARCH_64BIT && machine == MACH_S390X) machine = MACH_S390; @@ -1324,6 +1327,10 @@ int audit_rule_fieldpair_data(struct aud if (bits == __AUDIT_ARCH_64BIT) return -6; break; + case MACH_PARISC: + if (bits == __AUDIT_ARCH_64BIT) + return -6; + break; case MACH_S390: if (bits == __AUDIT_ARCH_64BIT) return -6; @@ -1342,6 +1349,7 @@ int audit_rule_fieldpair_data(struct aud #endif case MACH_86_64: /* fallthrough */ case MACH_PPC64: /* fallthrough */ + case MACH_PARISC64: /* fallthrough */ case MACH_S390X: /* fallthrough */ break; default: --- audit-2.3.2.orig/lib/libaudit.h +++ audit-2.3.2/lib/libaudit.h @@ -417,7 +417,9 @@ typedef enum { MACH_S390, MACH_ALPHA, MACH_ARMEB, - MACH_AARCH64 + MACH_AARCH64, + MACH_PARISC64, + MACH_PARISC } machine_t; /* These are the valid audit failure tunable enum values */ --- audit-2.3.2.orig/lib/lookup_table.c +++ audit-2.3.2/lib/lookup_table.c @@ -47,6 +47,7 @@ #include "i386_tables.h" #include "ia64_tables.h" #include "ppc_tables.h" +#include "parisc_tables.h" #include "s390_tables.h" #include "s390x_tables.h" #include "x86_64_tables.h" @@ -82,6 +83,8 @@ static const struct int_transtab elftab[ #ifdef WITH_AARCH64 { MACH_AARCH64, AUDIT_ARCH_AARCH64}, #endif + { MACH_PARISC64,AUDIT_ARCH_PARISC64 }, + { MACH_PARISC, AUDIT_ARCH_PARISC }, }; #define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0])) @@ -126,6 +129,10 @@ int audit_name_to_syscall(const char *sc case MACH_PPC: found = ppc_syscall_s2i(sc, &res); break; + case MACH_PARISC64: + case MACH_PARISC: + found = parisc_syscall_s2i(sc, &res); + break; case MACH_S390X: found = s390x_syscall_s2i(sc, &res); break; @@ -171,6 +178,9 @@ const char *audit_syscall_to_name(int sc case MACH_PPC64: case MACH_PPC: return ppc_syscall_i2s(sc); + case MACH_PARISC64: + case MACH_PARISC: + return parisc_syscall_i2s(sc); case MACH_S390X: return s390x_syscall_i2s(sc); case MACH_S390: --- audit-2.3.2.orig/lib/machinetab.h +++ audit-2.3.2/lib/machinetab.h @@ -43,3 +43,5 @@ _S(MACH_ARMEB, "armv7l") #ifdef WITH_AARCH64 _S(MACH_AARCH64, "aarch64" ) #endif +_S(MACH_PARISC64, "parisc64" ) +_S(MACH_PARISC, "parisc" ) --- /dev/null +++ audit-2.3.2/lib/parisc_table.h @@ -0,0 +1,333 @@ +_S(0, "restart_syscall") +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(7, "waitpid") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(13, "time") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "lchown") +_S(17, "socket") +_S(18, "stat") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "bind") +_S(23, "setuid") +_S(24, "getuid") +_S(25, "stime") +_S(26, "ptrace") +_S(27, "alarm") +_S(28, "fstat") +_S(29, "pause") +_S(30, "utime") +_S(31, "connect") +_S(32, "listen") +_S(33, "access") +_S(34, "nice") +_S(35, "accept") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(44, "getsockname") +_S(45, "brk") +_S(46, "setgid") +_S(47, "getgid") +_S(48, "signal") +_S(49, "geteuid") +_S(50, "getegid") +_S(51, "acct") +_S(52, "umount2") +_S(53, "getpeername") +_S(54, "ioctl") +_S(55, "fcntl") +_S(56, "socketpair") +_S(57, "setpgid") +_S(58, "send") +_S(59, "uname") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "pivot_root") +_S(68, "sgetmask") +_S(69, "ssetmask") +_S(70, "setreuid") +_S(71, "setregid") +_S(72, "mincore") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(76, "getrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(80, "getgroups") +_S(81, "setgroups") +_S(82, "sendto") +_S(83, "symlink") +_S(84, "lstat") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "mmap2") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(95, "fchown") +_S(96, "getpriority") +_S(97, "setpriority") +_S(98, "recv") +_S(99, "statfs") +_S(100, "fstatfs") +_S(101, "stat64") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "capget") +_S(107, "capset") +_S(108, "pread64") +_S(109, "pwrite64") +_S(110, "getcwd") +_S(111, "vhangup") +_S(112, "fstat64") +_S(113, "vfork") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "shutdown") +_S(118, "fsync") +_S(119, "madvise") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "sendfile") +_S(123, "recvfrom") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(127, "create_module") +_S(128, "init_module") +_S(129, "delete_module") +_S(130, "get_kernel_syms") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(137, "afs_syscall") +_S(138, "setfsuid") +_S(139, "setfsgid") +_S(140, "_llseek") +_S(141, "getdents") +_S(142, "_newselect") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "_sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(164, "setresuid") +_S(165, "getresuid") +_S(166, "sigaltstack") +_S(167, "query_module") +_S(168, "poll") +_S(169, "nfsservctl") +_S(170, "setresgid") +_S(171, "getresgid") +_S(172, "prctl") +_S(173, "rt_sigreturn") +_S(174, "rt_sigaction") +_S(175, "rt_sigprocmask") +_S(176, "rt_sigpending") +_S(177, "rt_sigtimedwait") +_S(178, "rt_sigqueueinfo") +_S(179, "rt_sigsuspend") +_S(180, "chown") +_S(181, "setsockopt") +_S(182, "getsockopt") +_S(183, "sendmsg") +_S(184, "recvmsg") +_S(185, "semop") +_S(186, "semget") +_S(187, "semctl") +_S(188, "msgsnd") +_S(189, "msgrcv") +_S(190, "msgget") +_S(191, "msgctl") +_S(192, "shmat") +_S(193, "shmdt") +_S(194, "shmget") +_S(195, "shmctl") +_S(196, "getpmsg") +_S(197, "putpmsg") +_S(198, "lstat64") +_S(199, "truncate64") +_S(200, "ftruncate64") +_S(201, "getdents64") +_S(202, "fcntl64") +_S(203, "attrctl") +_S(204, "acl_get") +_S(205, "acl_set") +_S(206, "gettid") +_S(207, "readahead") +_S(208, "tkill") +_S(209, "sendfile64") +_S(210, "futex") +_S(211, "sched_setaffinity") +_S(212, "sched_getaffinity") +_S(213, "set_thread_area") +_S(214, "get_thread_area") +_S(215, "io_setup") +_S(216, "io_destroy") +_S(217, "io_getevents") +_S(218, "io_submit") +_S(219, "io_cancel") +_S(220, "alloc_hugepages") +_S(221, "free_hugepages") +_S(222, "exit_group") +_S(223, "lookup_dcookie") +_S(224, "epoll_create") +_S(225, "epoll_ctl") +_S(226, "epoll_wait") +_S(227, "remap_file_pages") +_S(228, "semtimedop") +_S(229, "mq_open") +_S(230, "mq_unlink") +_S(231, "mq_timedsend") +_S(232, "mq_timedreceive") +_S(233, "mq_notify") +_S(234, "mq_getsetattr") +_S(235, "waitid") +_S(236, "fadvise64_64") +_S(237, "set_tid_address") +_S(238, "setxattr") +_S(239, "lsetxattr") +_S(240, "fsetxattr") +_S(241, "getxattr") +_S(242, "lgetxattr") +_S(243, "fgetxattr") +_S(244, "listxattr") +_S(245, "llistxattr") +_S(246, "flistxattr") +_S(247, "removexattr") +_S(248, "lremovexattr") +_S(249, "fremovexattr") +_S(250, "timer_create") +_S(251, "timer_settime") +_S(252, "timer_gettime") +_S(253, "timer_getoverrun") +_S(254, "timer_delete") +_S(255, "clock_settime") +_S(256, "clock_gettime") +_S(257, "clock_getres") +_S(258, "clock_nanosleep") +_S(259, "tgkill") +_S(260, "mbind") +_S(261, "get_mempolicy") +_S(262, "set_mempolicy") +_S(263, "vserver") +_S(264, "add_key") +_S(265, "request_key") +_S(266, "keyctl") +_S(267, "ioprio_set") +_S(268, "ioprio_get") +_S(269, "inotify_init") +_S(270, "inotify_add_watch") +_S(271, "inotify_rm_watch") +_S(272, "migrate_pages") +_S(273, "pselect6") +_S(274, "ppoll") +_S(275, "openat") +_S(276, "mkdirat") +_S(277, "mknodat") +_S(278, "fchownat") +_S(279, "futimesat") +_S(280, "fstatat64") +_S(281, "unlinkat") +_S(282, "renameat") +_S(283, "linkat") +_S(284, "symlinkat") +_S(285, "readlinkat") +_S(286, "fchmodat") +_S(287, "faccessat") +_S(288, "unshare") +_S(289, "set_robust_list") +_S(290, "get_robust_list") +_S(291, "splice") +_S(292, "sync_file_range") +_S(293, "tee") +_S(294, "vmsplice") +_S(295, "move_pages") +_S(296, "getcpu") +_S(297, "epoll_pwait") +_S(298, "statfs64") +_S(299, "fstatfs64") +_S(300, "kexec_load") +_S(301, "utimensat") +_S(302, "signalfd") +_S(303, "timerfd") +_S(304, "eventfd") +_S(305, "fallocate") +_S(306, "timerfd_create") +_S(307, "timerfd_settime") +_S(308, "timerfd_gettime") +_S(309, "signalfd4") +_S(310, "eventfd2") +_S(311, "epoll_create1") +_S(312, "dup3") +_S(313, "pipe2") +_S(314, "inotify_init1") +_S(315, "preadv") +_S(316, "pwritev") +_S(317, "rt_tgsigqueueinfo") +_S(318, "perf_event_open") +_S(319, "recvmmsg") +_S(320, "accept4") +_S(321, "prlimit64") +_S(322, "fanotify_init") +_S(323, "fanotify_mark") +_S(324, "clock_adjtime") +_S(325, "name_to_handle_at") +_S(326, "open_by_handle_at") +_S(327, "syncfs") +_S(328, "setns") +_S(329, "sendmmsg") +_S(330, "process_vm_readv") +_S(331, "process_vm_writev") +_S(332, "kcmp") +_S(333, "finit_module") --- audit-2.3.2.orig/lib/syscall-update.txt +++ audit-2.3.2/lib/syscall-update.txt @@ -18,3 +18,6 @@ For adding new arches, the following mig cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; ' it will still need hand editing + +for parisc: +cat /usr/include/hppa-linux-gnu/asm/unistd.h | grep '^#define __NR_' | grep \(__NR_Linux | sed "s/#define *__NR_//g" | tr -d ")" | awk '{ printf "_S(%s, \"%s\")\n", $4, $1 };' --- audit-2.3.2.orig/lib/test/lookup_test.c +++ audit-2.3.2/lib/test/lookup_test.c @@ -222,6 +222,23 @@ test_ppc_table(void) } static void +test_parisc_table(void) +{ + static const struct entry t[] = { +#include "../parisc_table.h" + }; + + printf("Testing parisc_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_PARISC) +#define S2I(S) audit_name_to_syscall((S), MACH_PARISC) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + + +static void test_s390_table(void) { static const struct entry t[] = { @@ -415,6 +432,7 @@ main(void) test_i386_table(); test_ia64_table(); test_ppc_table(); + test_parisc_table(); test_s390_table(); test_s390x_table(); test_x86_64_table();

10 years, 11 months

3
6
0 / 0

What is the bug

by Burn Alting

All, Consider the following raw audit event ... node=fedora20.swtf.dyndns.org type=CONFIG_CHANGE msg=audit(1390028319.573:20803): auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 op="remove rule" key="time-change" list=4 res=1 When the auparse library parses this event event, it does not correctly parse the 'op' value and so both auparse_get_field_str() and auparse_interpret_field() both return '"remove' rather than 'remove rule'. Now, I seem to recollect an earlier e-mail that would suggest the bug is in kernel/auditfilter.c:audit_receive_filter() as it calls audit_log_rule_change() with the string "add rule" or "remove rule". One assumes we need to perhaps either a. replace the space with a hyphen in these arguments, or b. in kernel/auditfilter.c:audit_log_rule_change() replace the call audit_log_string(ab, action); with audit_log_untrustedstring(ab, action); If this is the case, then is there any appetite to have these bugs fixed on the next update to the kernel audit code? Thanks in advance Burn

10 years, 11 months

3
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit January 2014