[PATCH 1/2] audit: restore AUDIT_LOGINUID unset ABI
by Richard Guy Briggs
A regression was caused by commit 780a7654cee8:
audit: Make testing for a valid loginuid explicit.
(which in turn attempted to fix a regression caused by e1760bd)
When audit_krule_to_data() fills in the rules to get a listing, there was a
missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
This broke userspace by not returning the same information that was sent and
expected.
The rule:
auditctl -a exit,never -F auid=-1
gives:
auditctl -l
LIST_RULES: exit,never f24=0 syscall=all
when it should give:
LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
Tag it so that it is reported the same way it was set. Create a new
private flags audit_krule field (pflags) to store it that won't interact with
the public one from the API.
Cc: stable(a)vger.kernel.org # v3.10-rc1+
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 4 ++++
kernel/auditfilter.c | 10 ++++++++++
2 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index eefc39a..b481779 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -46,6 +46,7 @@ struct audit_tree;
struct sk_buff;
struct audit_krule {
+ u32 pflags;
u32 flags;
u32 listnr;
u32 action;
@@ -63,6 +64,9 @@ struct audit_krule {
u64 prio;
};
+/* Flag to indicate legacy AUDIT_LOGINUID unset usage */
+#define AUDIT_LOGINUID_LEGACY 0x1
+
struct audit_field {
u32 type;
union {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index fb4d2df..ecb05d3 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -441,6 +441,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
f->type = AUDIT_LOGINUID_SET;
f->val = 0;
+ entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
}
if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
@@ -629,6 +630,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->buflen += data->values[i] =
audit_pack_string(&bufp, krule->filterkey);
break;
+ case AUDIT_LOGINUID_SET:
+ if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
+ data->fields[i] = AUDIT_LOGINUID;
+ data->values[i] = AUDIT_UID_UNSET;
+ break;
+ }
+ /* fallthrough if set */
default:
data->values[i] = f->val;
}
@@ -645,6 +653,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
int i;
if (a->flags != b->flags ||
+ a->pflags != b->pflags ||
a->listnr != b->listnr ||
a->action != b->action ||
a->field_count != b->field_count)
@@ -762,6 +771,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old)
new = &entry->rule;
new->flags = old->flags;
+ new->pflags = old->pflags;
new->listnr = old->listnr;
new->action = old->action;
for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
--
1.7.1
9 years, 10 months
[PATCH] audit: use supplied gfp_mask from audit_buffer in kauditd_send_multicast_skb
by Richard Guy Briggs
Eric Paris explains: Since kauditd_send_multicast_skb() gets called in
audit_log_end(), which can come from any context (aka even a sleeping context)
GFP_KERNEL can't be used. Since the audit_buffer knows what context it should
use, pass that down and use that.
See: https://lkml.org/lkml/2014/12/16/542
BUG: sleeping function called from invalid context at mm/slab.c:2849
in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin
2 locks held by sulogin/885:
#0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b
#1: (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b
CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30
Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014
ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375
ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006
0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38
Call Trace:
[<ffffffff916ba529>] dump_stack+0x50/0xa8
[<ffffffff91063185>] ___might_sleep+0x1b6/0x1be
[<ffffffff910632a6>] __might_sleep+0x119/0x128
[<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f
[<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9
[<ffffffff914e148d>] __alloc_skb+0x42/0x1a3
[<ffffffff914e2b62>] skb_copy+0x3e/0xa3
[<ffffffff910c263e>] audit_log_end+0x83/0x100
[<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103
[<ffffffff91252a73>] common_lsm_audit+0x441/0x450
[<ffffffff9123c163>] slow_avc_audit+0x63/0x67
[<ffffffff9123c42c>] avc_has_perm+0xca/0xe3
[<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65
[<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b
[<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10
[<ffffffff911515e6>] install_exec_creds+0xe/0x79
[<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7
[<ffffffff9115198e>] search_binary_handler+0x81/0x18c
[<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7
[<ffffffff91153669>] do_execve+0x1f/0x21
[<ffffffff91153967>] SyS_execve+0x25/0x29
[<ffffffff916c61a9>] stub_execve+0x69/0xa0
Cc: stable(a)vger.kernel.org #v3.16-rc1
Reported-by: Valdis Kletnieks <Valdis.Kletnieks(a)vt.edu>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7b83c55..ce484fb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -429,7 +429,7 @@ static void kauditd_send_skb(struct sk_buff *skb)
* This function doesn't consume an skb as might be expected since it has to
* copy it anyways.
*/
-static void kauditd_send_multicast_skb(struct sk_buff *skb)
+static void kauditd_send_multicast_skb(struct sk_buff *skb, gfp_t gfp_mask)
{
struct sk_buff *copy;
struct audit_net *aunet = net_generic(&init_net, audit_net_id);
@@ -448,11 +448,11 @@ static void kauditd_send_multicast_skb(struct sk_buff *skb)
* no reason for new multicast clients to continue with this
* non-compliance.
*/
- copy = skb_copy(skb, GFP_KERNEL);
+ copy = skb_copy(skb, gfp_mask);
if (!copy)
return;
- nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
+ nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, gfp_mask);
}
/*
@@ -1949,7 +1949,7 @@ void audit_log_end(struct audit_buffer *ab)
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
nlh->nlmsg_len = ab->skb->len;
- kauditd_send_multicast_skb(ab->skb);
+ kauditd_send_multicast_skb(ab->skb, ab->gfp_mask);
/*
* The original kaudit unicast socket sends up messages with
--
1.7.1
9 years, 10 months
Re: linux-next 20141216 BUG: sleeping function called from invalid context at mm/slab.c:2849
by Eric Paris
On Thu, 2014-12-18 at 11:45 -0500, Valdis.Kletnieks(a)vt.edu wrote:
> On Tue, 16 Dec 2014 20:09:54 -0500, Valdis Kletnieks said:
>
> > Spotted these two while booting single-user on 20141216. 20141208
> > doesn't throw these, so it's something in the last week or so..
>
> Gaah! Turns out that 20141208 *is* susceptible - it had been booting
> just fine for several days, but it went around the bend, apparently due
> to a userspace or initrd change.
$5 says you updated systemd?
Richard?
> egrep 'BUG|Linux vers' from my syslog:
>
> Dec 9 12:19:53 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 9 21:19:53 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 10 12:39:45 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 10 20:56:28 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 11 10:46:49 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 11 23:53:10 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 12 11:13:19 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 12 19:26:24 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 12 19:33:32 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 12 19:42:30 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 12 20:00:39 turing-police kernel: [ 1109.635328] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 20:00:43 turing-police kernel: [ 1113.680912] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 20:33:15 turing-police kernel: [ 3062.345461] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 20:37:48 turing-police kernel: [ 3335.788891] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 20:41:57 turing-police kernel: [ 3584.265255] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 20:42:47 turing-police kernel: [ 3633.863552] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 20:51:33 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014
> Dec 12 21:51:04 turing-police kernel: [ 3587.132867] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 22:20:01 turing-police kernel: [ 5322.313024] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 12 23:06:00 turing-police kernel: [ 8077.463289] BUG: sleeping function called from invalid context at mm/slab.c:2849
> Dec 13 00:00:05 turing-police kernel: [11318.405826] BUG: sleeping function called from invalid context at mm/slab.c:2849
>
> I need to figure out what changed around 7:30PM on the 12th.
>
9 years, 10 months
Re: linux-next 20141216 BUG: sleeping function called from invalid context at mm/slab.c:2849
by Eric Paris
I haven't looked into it, but I'd place my first bet on the audit
multicast code...
Richard?
On Tue, 2014-12-16 at 20:09 -0500, Valdis Kletnieks wrote:
> Not sure who's to blame here, but I'm tending towards selinux based on
> who was holding the locks...
>
> Spotted these two while booting single-user on 20141216. 20141208
> doesn't throw these, so it's something in the last week or so..
>
> Tossed it twice - once for /sbin/sulogin, and then a second time for /bin/bash.
>
> [ 34.061285] BUG: sleeping function called from invalid context at mm/slab.c:2849
> [ 34.062863] in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin
> [ 34.064416] 2 locks held by sulogin/885:
> [ 34.064418] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b
> [ 34.064428] #1: (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b
> [ 34.064438] CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30
> [ 34.064440] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014
> [ 34.064442] ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375
> [ 34.064447] ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006
> [ 34.064452] 0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38
> [ 34.064457] Call Trace:
> [ 34.064463] [<ffffffff916ba529>] dump_stack+0x50/0xa8
> [ 34.064467] [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be
> [ 34.064472] [<ffffffff910632a6>] __might_sleep+0x119/0x128
> [ 34.064477] [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f
> [ 34.064480] [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9
> [ 34.064484] [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3
> [ 34.064488] [<ffffffff914e2b62>] skb_copy+0x3e/0xa3
> [ 34.064492] [<ffffffff910c263e>] audit_log_end+0x83/0x100
> [ 34.064496] [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103
> [ 34.064500] [<ffffffff91252a73>] common_lsm_audit+0x441/0x450
> [ 34.064503] [<ffffffff9123c163>] slow_avc_audit+0x63/0x67
> [ 34.064506] [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3
> [ 34.064510] [<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65
> [ 34.064514] [<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b
> [ 34.064519] [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10
> [ 34.064522] [<ffffffff911515e6>] install_exec_creds+0xe/0x79
> [ 34.064527] [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7
> [ 34.064542] [<ffffffff9115198e>] search_binary_handler+0x81/0x18c
> [ 34.064545] [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7
> [ 34.064548] [<ffffffff91153669>] do_execve+0x1f/0x21
> [ 34.064552] [<ffffffff91153967>] SyS_execve+0x25/0x29
> [ 34.064557] [<ffffffff916c61a9>] stub_execve+0x69/0xa0
>
> [ 48.826654] BUG: sleeping function called from invalid context at mm/slab.c:2849
> [ 48.829282] in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: bash
> [ 48.829284] 2 locks held by bash/885:
> [ 48.829297] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b
> [ 48.829307] #1: (&(&newf->file_lock)->rlock){+.+.+.}, at: [<ffffffff91166b8b>] iterate_fd+0x34/0x11c
> [ 48.829310] CPU: 3 PID: 885 Comm: bash Not tainted 3.18.0-next-20141216 #30
> [ 48.829311] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014
> [ 48.829317] ffff880223744f10 ffff88022410f928 ffffffff916ba529 0000000000000375
> [ 48.829321] ffff880223744f10 ffff88022410f958 ffffffff91063185 0000000000000002
> [ 48.829325] 0000000000000000 0000000000000000 0000000000000000 ffff88022410f9a8
> [ 48.829327] Call Trace:
> [ 48.829333] [<ffffffff916ba529>] dump_stack+0x50/0xa8
> [ 48.829338] [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be
> [ 48.829341] [<ffffffff910632a6>] __might_sleep+0x119/0x128
> [ 48.829347] [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f
> [ 48.829350] [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9
> [ 48.829356] [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3
> [ 48.829360] [<ffffffff914e2b62>] skb_copy+0x3e/0xa3
> [ 48.829367] [<ffffffff910c263e>] audit_log_end+0x83/0x100
> [ 48.829372] [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103
> [ 48.829377] [<ffffffff91252a73>] common_lsm_audit+0x441/0x450
> [ 48.829381] [<ffffffff9123c163>] slow_avc_audit+0x63/0x67
> [ 48.829386] [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3
> [ 48.829391] [<ffffffff9123e255>] ? selinux_file_permission+0x9b/0x9b
> [ 48.829395] [<ffffffff9123e0b9>] file_has_perm+0x6d/0x7c
> [ 48.829400] [<ffffffff9123e283>] match_file+0x2e/0x3b
> [ 48.829404] [<ffffffff91166c4b>] iterate_fd+0xf4/0x11c
> [ 48.829409] [<ffffffff9123e802>] selinux_bprm_committing_creds+0xd0/0x22b
> [ 48.829415] [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10
> [ 48.829419] [<ffffffff911515e6>] install_exec_creds+0xe/0x79
> [ 48.829426] [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7
> [ 48.829431] [<ffffffff9115198e>] search_binary_handler+0x81/0x18c
> [ 48.829435] [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7
> [ 48.829462] [<ffffffff91153669>] do_execve+0x1f/0x21
> [ 48.829466] [<ffffffff91153967>] SyS_execve+0x25/0x29
> [ 48.829472] [<ffffffff916c61a9>] stub_execve+0x69/0xa0
>
9 years, 10 months
[PATCH 1/2] audit: remove vestiges of vers_ops
by Richard Guy Briggs
Should have been removed with 18900909.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 1 -
kernel/auditfilter.c | 2 --
2 files changed, 0 insertions(+), 3 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 36dffec..eefc39a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -46,7 +46,6 @@ struct audit_tree;
struct sk_buff;
struct audit_krule {
- int vers_ops;
u32 flags;
u32 listnr;
u32 action;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 40ed981..fb4d2df 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -425,7 +425,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_nofree;
bufp = data->buf;
- entry->rule.vers_ops = 2;
for (i = 0; i < data->field_count; i++) {
struct audit_field *f = &entry->rule.fields[i];
@@ -762,7 +761,6 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old)
return ERR_PTR(-ENOMEM);
new = &entry->rule;
- new->vers_ops = old->vers_ops;
new->flags = old->flags;
new->listnr = old->listnr;
new->action = old->action;
--
1.7.1
9 years, 10 months
[PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules
by Paul Moore
Commit f1dc4867 ("audit: anchor all pid references in the initial pid
namespace") introduced a find_vpid() call when adding/removing audit
rules with PID/PPID filters; unfortunately this is problematic as
find_vpid() only works if there is a task with the associated PID
alive on the system. The following commands demonstrate a simple
reproducer.
# auditctl -D
# auditctl -l
# autrace /bin/true
# auditctl -l
This patch resolves the problem by simply using the PID provided by
the user without any additional validation, e.g. no calls to check to
see if the task/PID exists.
Cc: stable(a)vger.kernel.org # 3.15
Cc: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
kernel/auditfilter.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 8e9bc9c..b2e63ba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -433,19 +433,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
f->val = 0;
}
- if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
- struct pid *pid;
- rcu_read_lock();
- pid = find_vpid(f->val);
- if (!pid) {
- rcu_read_unlock();
- err = -ESRCH;
- goto exit_free;
- }
- f->val = pid_nr(pid);
- rcu_read_unlock();
- }
-
err = audit_field_valid(entry, f);
if (err)
goto exit_free;
9 years, 10 months
Process changes for the audit tree
by Paul Moore
Hello all,
Due to a few reasons, the most notable being a need to stop back-merging from
Linus' tree, I'm changing the way I manage the audit tree. I apologize for
any confusion this may cause, but this is a necessary change.
First off, the audit tree remains in the same place:
* git://git.infradead.org/users/pcmoore/audit
* http://git.infradead.org/users/pcmoore/audit
... the changes are limited to the branches and how they will be managed
moving forward. Ignoring master, there are presently three branches in the
audit tree: stable-3.18, next, and upstream.
The stable-3.18 branch holds patches that were submitted during the v3.18-rcX
window.
The next branch holds patches that were developed for v3.19 during the v3.18
window.
The upstream branch is based off of the stable-3.18 branch with the next
branch merged on top. This is the branch I sent to Linus last week and is
currently in Linus' tree for v3.19. It will also form the base of the next
branch once the v3.19 merge window closes.
Moving forward I'm going to adopt the following process:
1. Create a new branch, stable-3.XX, set to the upstream branch that was sent
during the merge window.
2. Reset the next branch to the upstream branch that was sent during the merge
window. The heads of stable-3.18 and next should be the same at this point.
3. Accept new features into the next branch and fixes into the stable-3.XX
branch.
4. As necessary, merge stable-3.XX into upstream and send pull requests to
Linus.
5. When v3.XX is released, merge next into upstream and send a pull request
for the upstream branch to Linus. Leave stable-3.XX untouched for future
stable fixes.
6. Goto step #1.
The big change here is the new upstream branch, but it is important to note
that the next branch will now be reset/rebased on a regular basis (step #2
above). The reset is unfortunate, but necessary to get the stable fixes. It
is also worth mentioning that while I don't expect to reset/rebase the
upstream branch often, it will likely happen on occasion so we can avoid back-
merging. When this happens I'll be sure to send notice to the list.
Thanks for your understanding, if you've got any questions, let's hear 'em.
-Paul
--
paul moore
security and virtualization @ redhat
9 years, 10 months
auditing of process exit
by Hassan Sultan
Hi,
I can't figure out how to get audit log entries for process termination.
Abnormal process termination auditing occurs, however for NORMAL process
termination, I can't find anything.
I tried the syscall route, using the exit syscall, however this does not
seem to work, maybe because it logs on exit of the syscall and that call
never returns ?
How can I get a log of all processes exiting then ?
Thanks,
Hassan
9 years, 10 months
Accounting audit messages dropped from kernel
by Kangkook Jee
Hi, all
I'm running a customized user-level audit client and getting the following messages from /var/log/kern.log every now and then.
The message seems like that it is dropping audit messages due to buffer limitations.
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871623] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871646] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871648] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871657] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871660] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871665] audit: audit_backlog=102401 > audit_backlog_limit=102400
What I want to know more from this is that how many messages we are missing.
For this, can I simply refer audit_lost field? or I also need to consider the value from " callbacks suppressed" line?
If anyone can help with this it will be very helpful.
Regards, Kangkook
9 years, 10 months
[PATCH] audit: restore AUDIT_LOGINUID unset ABI
by Richard Guy Briggs
A regression was caused by commit 780a7654cee8:
audit: Make testing for a valid loginuid explicit.
(which in turn attempted to fix a regression caused by e1760bd)
When audit_krule_to_data() fills in the rules to get a listing, there was a
missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
This broke userspace by not returning the same information that was sent and
expected.
The rule:
auditctl -a exit,never -F auid=-1
gives:
auditctl -l
LIST_RULES: exit,never f24=0 syscall=all
when it should give:
LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
Tag it so that it is reported the same way it was set.
Note: move the field validation call ahead of the mutation code to have it work
on the original field set.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 3 +++
kernel/auditfilter.c | 19 +++++++++++++------
kernel/auditsc.c | 2 +-
3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..860df86 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -274,6 +274,9 @@
#define AUDIT_FILTERKEY 210
+/* Flag to indicate legacy AUDIT_LOGINUID unset usage */
+#define AUDIT_LOGINUID_LEGACY 0x80000000
+
#define AUDIT_NEGATE 0x80000000
/* These are the supported operators.
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 40ed981..39ce3e6 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -438,9 +438,13 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
f->type = data->fields[i];
f->val = data->values[i];
+ err = audit_field_valid(entry, f);
+ if (err)
+ goto exit_free;
+
/* Support legacy tests for a valid loginuid */
if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
- f->type = AUDIT_LOGINUID_SET;
+ f->type = AUDIT_LOGINUID_SET | AUDIT_LOGINUID_LEGACY;
f->val = 0;
}
@@ -457,10 +461,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
rcu_read_unlock();
}
- err = audit_field_valid(entry, f);
- if (err)
- goto exit_free;
-
err = -EINVAL;
switch (f->type) {
case AUDIT_LOGINUID:
@@ -630,6 +630,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->buflen += data->values[i] =
audit_pack_string(&bufp, krule->filterkey);
break;
+ case AUDIT_LOGINUID_SET | AUDIT_LOGINUID_LEGACY:
+ if (!f->val) {
+ data->fields[i] = AUDIT_LOGINUID;
+ data->values[i] = AUDIT_UID_UNSET;
+ break;
+ }
+ /* fallthrough if set */
default:
data->values[i] = f->val;
}
@@ -1270,7 +1277,7 @@ static int audit_filter_user_rules(struct audit_krule *rule, int type,
int result = 0;
u32 sid;
- switch (f->type) {
+ switch (f->type & ~AUDIT_LOGINUID_LEGACY) {
case AUDIT_PID:
pid = task_pid_nr(current);
result = audit_comparator(pid, f->op, f->val);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 8933572..ef25cbc 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -452,7 +452,7 @@ static int audit_filter_rules(struct task_struct *tsk,
int result = 0;
pid_t pid;
- switch (f->type) {
+ switch (f->type & ~AUDIT_LOGINUID_LEGACY) {
case AUDIT_PID:
pid = task_pid_nr(tsk);
result = audit_comparator(pid, f->op, f->val);
--
1.7.1
9 years, 10 months