December 2014 - Linux-audit - Linux-Audit List Archives

[PATCH 1/2] audit: restore AUDIT_LOGINUID unset ABI

by Richard Guy Briggs

A regression was caused by commit 780a7654cee8: audit: Make testing for a valid loginuid explicit. (which in turn attempted to fix a regression caused by e1760bd) When audit_krule_to_data() fills in the rules to get a listing, there was a missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID. This broke userspace by not returning the same information that was sent and expected. The rule: auditctl -a exit,never -F auid=-1 gives: auditctl -l LIST_RULES: exit,never f24=0 syscall=all when it should give: LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all Tag it so that it is reported the same way it was set. Create a new private flags audit_krule field (pflags) to store it that won't interact with the public one from the API. Cc: stable(a)vger.kernel.org # v3.10-rc1+ Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- include/linux/audit.h | 4 ++++ kernel/auditfilter.c | 10 ++++++++++ 2 files changed, 14 insertions(+), 0 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index eefc39a..b481779 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -46,6 +46,7 @@ struct audit_tree; struct sk_buff; struct audit_krule { + u32 pflags; u32 flags; u32 listnr; u32 action; @@ -63,6 +64,9 @@ struct audit_krule { u64 prio; }; +/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ +#define AUDIT_LOGINUID_LEGACY 0x1 + struct audit_field { u32 type; union { diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index fb4d2df..ecb05d3 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -441,6 +441,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { f->type = AUDIT_LOGINUID_SET; f->val = 0; + entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; } if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) { @@ -629,6 +630,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->buflen += data->values[i] = audit_pack_string(&bufp, krule->filterkey); break; + case AUDIT_LOGINUID_SET: + if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { + data->fields[i] = AUDIT_LOGINUID; + data->values[i] = AUDIT_UID_UNSET; + break; + } + /* fallthrough if set */ default: data->values[i] = f->val; } @@ -645,6 +653,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) int i; if (a->flags != b->flags || + a->pflags != b->pflags || a->listnr != b->listnr || a->action != b->action || a->field_count != b->field_count) @@ -762,6 +771,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) new = &entry->rule; new->flags = old->flags; + new->pflags = old->pflags; new->listnr = old->listnr; new->action = old->action; for (i = 0; i < AUDIT_BITMASK_SIZE; i++) -- 1.7.1

10 years, 3 months

4
10
0 / 0

[PATCH] audit: use supplied gfp_mask from audit_buffer in kauditd_send_multicast_skb

by Richard Guy Briggs

Eric Paris explains: Since kauditd_send_multicast_skb() gets called in audit_log_end(), which can come from any context (aka even a sleeping context) GFP_KERNEL can't be used. Since the audit_buffer knows what context it should use, pass that down and use that. See: https://lkml.org/lkml/2014/12/16/542 BUG: sleeping function called from invalid context at mm/slab.c:2849 in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin 2 locks held by sulogin/885: #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b #1: (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30 Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014 ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375 ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006 0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38 Call Trace: [<ffffffff916ba529>] dump_stack+0x50/0xa8 [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be [<ffffffff910632a6>] __might_sleep+0x119/0x128 [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9 [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3 [<ffffffff914e2b62>] skb_copy+0x3e/0xa3 [<ffffffff910c263e>] audit_log_end+0x83/0x100 [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103 [<ffffffff91252a73>] common_lsm_audit+0x441/0x450 [<ffffffff9123c163>] slow_avc_audit+0x63/0x67 [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3 [<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65 [<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10 [<ffffffff911515e6>] install_exec_creds+0xe/0x79 [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7 [<ffffffff9115198e>] search_binary_handler+0x81/0x18c [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7 [<ffffffff91153669>] do_execve+0x1f/0x21 [<ffffffff91153967>] SyS_execve+0x25/0x29 [<ffffffff916c61a9>] stub_execve+0x69/0xa0 Cc: stable(a)vger.kernel.org #v3.16-rc1 Reported-by: Valdis Kletnieks <Valdis.Kletnieks(a)vt.edu> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- kernel/audit.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 7b83c55..ce484fb 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -429,7 +429,7 @@ static void kauditd_send_skb(struct sk_buff *skb) * This function doesn't consume an skb as might be expected since it has to * copy it anyways. */ -static void kauditd_send_multicast_skb(struct sk_buff *skb) +static void kauditd_send_multicast_skb(struct sk_buff *skb, gfp_t gfp_mask) { struct sk_buff *copy; struct audit_net *aunet = net_generic(&init_net, audit_net_id); @@ -448,11 +448,11 @@ static void kauditd_send_multicast_skb(struct sk_buff *skb) * no reason for new multicast clients to continue with this * non-compliance. */ - copy = skb_copy(skb, GFP_KERNEL); + copy = skb_copy(skb, gfp_mask); if (!copy) return; - nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL); + nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, gfp_mask); } /* @@ -1949,7 +1949,7 @@ void audit_log_end(struct audit_buffer *ab) struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); nlh->nlmsg_len = ab->skb->len; - kauditd_send_multicast_skb(ab->skb); + kauditd_send_multicast_skb(ab->skb, ab->gfp_mask); /* * The original kaudit unicast socket sends up messages with -- 1.7.1

10 years, 3 months

4
4
0 / 0

Re: linux-next 20141216 BUG: sleeping function called from invalid context at mm/slab.c:2849

by Eric Paris

On Thu, 2014-12-18 at 11:45 -0500, Valdis.Kletnieks(a)vt.edu wrote: > On Tue, 16 Dec 2014 20:09:54 -0500, Valdis Kletnieks said: > > > Spotted these two while booting single-user on 20141216. 20141208 > > doesn't throw these, so it's something in the last week or so.. > > Gaah! Turns out that 20141208 *is* susceptible - it had been booting > just fine for several days, but it went around the bend, apparently due > to a userspace or initrd change. $5 says you updated systemd? Richard? > egrep 'BUG|Linux vers' from my syslog: > > Dec 9 12:19:53 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 9 21:19:53 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 10 12:39:45 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 10 20:56:28 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 11 10:46:49 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 11 23:53:10 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 12 11:13:19 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 12 19:26:24 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 12 19:33:32 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 12 19:42:30 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 12 20:00:39 turing-police kernel: [ 1109.635328] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 20:00:43 turing-police kernel: [ 1113.680912] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 20:33:15 turing-police kernel: [ 3062.345461] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 20:37:48 turing-police kernel: [ 3335.788891] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 20:41:57 turing-police kernel: [ 3584.265255] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 20:42:47 turing-police kernel: [ 3633.863552] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 20:51:33 turing-police kernel: [ 0.000000] Linux version 3.18.0-next-20141208 (source(a)turing-police.cc.vt.edu) (gcc version 4.9.2 20141101 (Red Hat 4.9.2-1) (GCC) ) #27 SMP PREEMPT Mon Dec 8 22:20:07 EST 2014 > Dec 12 21:51:04 turing-police kernel: [ 3587.132867] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 22:20:01 turing-police kernel: [ 5322.313024] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 12 23:06:00 turing-police kernel: [ 8077.463289] BUG: sleeping function called from invalid context at mm/slab.c:2849 > Dec 13 00:00:05 turing-police kernel: [11318.405826] BUG: sleeping function called from invalid context at mm/slab.c:2849 > > I need to figure out what changed around 7:30PM on the 12th. >

10 years, 3 months

4
7
0 / 0

Re: linux-next 20141216 BUG: sleeping function called from invalid context at mm/slab.c:2849

by Eric Paris

I haven't looked into it, but I'd place my first bet on the audit multicast code... Richard? On Tue, 2014-12-16 at 20:09 -0500, Valdis Kletnieks wrote: > Not sure who's to blame here, but I'm tending towards selinux based on > who was holding the locks... > > Spotted these two while booting single-user on 20141216. 20141208 > doesn't throw these, so it's something in the last week or so.. > > Tossed it twice - once for /sbin/sulogin, and then a second time for /bin/bash. > > [ 34.061285] BUG: sleeping function called from invalid context at mm/slab.c:2849 > [ 34.062863] in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin > [ 34.064416] 2 locks held by sulogin/885: > [ 34.064418] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b > [ 34.064428] #1: (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b > [ 34.064438] CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30 > [ 34.064440] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014 > [ 34.064442] ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375 > [ 34.064447] ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006 > [ 34.064452] 0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38 > [ 34.064457] Call Trace: > [ 34.064463] [<ffffffff916ba529>] dump_stack+0x50/0xa8 > [ 34.064467] [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be > [ 34.064472] [<ffffffff910632a6>] __might_sleep+0x119/0x128 > [ 34.064477] [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f > [ 34.064480] [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9 > [ 34.064484] [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3 > [ 34.064488] [<ffffffff914e2b62>] skb_copy+0x3e/0xa3 > [ 34.064492] [<ffffffff910c263e>] audit_log_end+0x83/0x100 > [ 34.064496] [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103 > [ 34.064500] [<ffffffff91252a73>] common_lsm_audit+0x441/0x450 > [ 34.064503] [<ffffffff9123c163>] slow_avc_audit+0x63/0x67 > [ 34.064506] [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3 > [ 34.064510] [<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65 > [ 34.064514] [<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b > [ 34.064519] [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10 > [ 34.064522] [<ffffffff911515e6>] install_exec_creds+0xe/0x79 > [ 34.064527] [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7 > [ 34.064542] [<ffffffff9115198e>] search_binary_handler+0x81/0x18c > [ 34.064545] [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7 > [ 34.064548] [<ffffffff91153669>] do_execve+0x1f/0x21 > [ 34.064552] [<ffffffff91153967>] SyS_execve+0x25/0x29 > [ 34.064557] [<ffffffff916c61a9>] stub_execve+0x69/0xa0 > > [ 48.826654] BUG: sleeping function called from invalid context at mm/slab.c:2849 > [ 48.829282] in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: bash > [ 48.829284] 2 locks held by bash/885: > [ 48.829297] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b > [ 48.829307] #1: (&(&newf->file_lock)->rlock){+.+.+.}, at: [<ffffffff91166b8b>] iterate_fd+0x34/0x11c > [ 48.829310] CPU: 3 PID: 885 Comm: bash Not tainted 3.18.0-next-20141216 #30 > [ 48.829311] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014 > [ 48.829317] ffff880223744f10 ffff88022410f928 ffffffff916ba529 0000000000000375 > [ 48.829321] ffff880223744f10 ffff88022410f958 ffffffff91063185 0000000000000002 > [ 48.829325] 0000000000000000 0000000000000000 0000000000000000 ffff88022410f9a8 > [ 48.829327] Call Trace: > [ 48.829333] [<ffffffff916ba529>] dump_stack+0x50/0xa8 > [ 48.829338] [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be > [ 48.829341] [<ffffffff910632a6>] __might_sleep+0x119/0x128 > [ 48.829347] [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f > [ 48.829350] [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9 > [ 48.829356] [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3 > [ 48.829360] [<ffffffff914e2b62>] skb_copy+0x3e/0xa3 > [ 48.829367] [<ffffffff910c263e>] audit_log_end+0x83/0x100 > [ 48.829372] [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103 > [ 48.829377] [<ffffffff91252a73>] common_lsm_audit+0x441/0x450 > [ 48.829381] [<ffffffff9123c163>] slow_avc_audit+0x63/0x67 > [ 48.829386] [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3 > [ 48.829391] [<ffffffff9123e255>] ? selinux_file_permission+0x9b/0x9b > [ 48.829395] [<ffffffff9123e0b9>] file_has_perm+0x6d/0x7c > [ 48.829400] [<ffffffff9123e283>] match_file+0x2e/0x3b > [ 48.829404] [<ffffffff91166c4b>] iterate_fd+0xf4/0x11c > [ 48.829409] [<ffffffff9123e802>] selinux_bprm_committing_creds+0xd0/0x22b > [ 48.829415] [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10 > [ 48.829419] [<ffffffff911515e6>] install_exec_creds+0xe/0x79 > [ 48.829426] [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7 > [ 48.829431] [<ffffffff9115198e>] search_binary_handler+0x81/0x18c > [ 48.829435] [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7 > [ 48.829462] [<ffffffff91153669>] do_execve+0x1f/0x21 > [ 48.829466] [<ffffffff91153967>] SyS_execve+0x25/0x29 > [ 48.829472] [<ffffffff916c61a9>] stub_execve+0x69/0xa0 >

10 years, 3 months

2
1
0 / 0

[PATCH 1/2] audit: remove vestiges of vers_ops

by Richard Guy Briggs

Should have been removed with 18900909. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- include/linux/audit.h | 1 - kernel/auditfilter.c | 2 -- 2 files changed, 0 insertions(+), 3 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 36dffec..eefc39a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -46,7 +46,6 @@ struct audit_tree; struct sk_buff; struct audit_krule { - int vers_ops; u32 flags; u32 listnr; u32 action; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 40ed981..fb4d2df 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -425,7 +425,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, goto exit_nofree; bufp = data->buf; - entry->rule.vers_ops = 2; for (i = 0; i < data->field_count; i++) { struct audit_field *f = &entry->rule.fields[i]; @@ -762,7 +761,6 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) return ERR_PTR(-ENOMEM); new = &entry->rule; - new->vers_ops = old->vers_ops; new->flags = old->flags; new->listnr = old->listnr; new->action = old->action; -- 1.7.1

10 years, 3 months

2
7
0 / 0

[PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules

by Paul Moore

Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer. # auditctl -D # auditctl -l # autrace /bin/true # auditctl -l This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists. Cc: stable(a)vger.kernel.org # 3.15 Cc: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- kernel/auditfilter.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 8e9bc9c..b2e63ba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -433,19 +433,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, f->val = 0; } - if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) { - struct pid *pid; - rcu_read_lock(); - pid = find_vpid(f->val); - if (!pid) { - rcu_read_unlock(); - err = -ESRCH; - goto exit_free; - } - f->val = pid_nr(pid); - rcu_read_unlock(); - } - err = audit_field_valid(entry, f); if (err) goto exit_free;

10 years, 3 months

4
10
0 / 0

Process changes for the audit tree

by Paul Moore

Hello all, Due to a few reasons, the most notable being a need to stop back-merging from Linus' tree, I'm changing the way I manage the audit tree. I apologize for any confusion this may cause, but this is a necessary change. First off, the audit tree remains in the same place: * git://git.infradead.org/users/pcmoore/audit * http://git.infradead.org/users/pcmoore/audit ... the changes are limited to the branches and how they will be managed moving forward. Ignoring master, there are presently three branches in the audit tree: stable-3.18, next, and upstream. The stable-3.18 branch holds patches that were submitted during the v3.18-rcX window. The next branch holds patches that were developed for v3.19 during the v3.18 window. The upstream branch is based off of the stable-3.18 branch with the next branch merged on top. This is the branch I sent to Linus last week and is currently in Linus' tree for v3.19. It will also form the base of the next branch once the v3.19 merge window closes. Moving forward I'm going to adopt the following process: 1. Create a new branch, stable-3.XX, set to the upstream branch that was sent during the merge window. 2. Reset the next branch to the upstream branch that was sent during the merge window. The heads of stable-3.18 and next should be the same at this point. 3. Accept new features into the next branch and fixes into the stable-3.XX branch. 4. As necessary, merge stable-3.XX into upstream and send pull requests to Linus. 5. When v3.XX is released, merge next into upstream and send a pull request for the upstream branch to Linus. Leave stable-3.XX untouched for future stable fixes. 6. Goto step #1. The big change here is the new upstream branch, but it is important to note that the next branch will now be reset/rebased on a regular basis (step #2 above). The reset is unfortunate, but necessary to get the stable fixes. It is also worth mentioning that while I don't expect to reset/rebase the upstream branch often, it will likely happen on occasion so we can avoid back- merging. When this happens I'll be sure to send notice to the list. Thanks for your understanding, if you've got any questions, let's hear 'em. -Paul -- paul moore security and virtualization @ redhat

10 years, 3 months

1
0
0 / 0

auditing of process exit

by Hassan Sultan

Hi, I can't figure out how to get audit log entries for process termination. Abnormal process termination auditing occurs, however for NORMAL process termination, I can't find anything. I tried the syscall route, using the exit syscall, however this does not seem to work, maybe because it logs on exit of the syscall and that call never returns ? How can I get a log of all processes exiting then ? Thanks, Hassan

10 years, 3 months

2
1
0 / 0

Accounting audit messages dropped from kernel

by Kangkook Jee

Hi, all I'm running a customized user-level audit client and getting the following messages from /var/log/kern.log every now and then. The message seems like that it is dropping audit messages due to buffer limitations. Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400 Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400 Dec 11 21:46:56 hostname-10 kernel: [2081500.871623] audit: backlog limit exceeded Dec 11 21:46:56 hostname-10 kernel: [2081500.871646] audit: audit_backlog=102401 > audit_backlog_limit=102400 Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400 Dec 11 21:46:56 hostname-10 kernel: [2081500.871648] audit: backlog limit exceeded Dec 11 21:46:56 hostname-10 kernel: [2081500.871657] audit: audit_backlog=102401 > audit_backlog_limit=102400 Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400 Dec 11 21:46:56 hostname-10 kernel: [2081500.871660] audit: backlog limit exceeded Dec 11 21:46:56 hostname-10 kernel: [2081500.871665] audit: audit_backlog=102401 > audit_backlog_limit=102400 What I want to know more from this is that how many messages we are missing. For this, can I simply refer audit_lost field? or I also need to consider the value from " callbacks suppressed" line? If anyone can help with this it will be very helpful. Regards, Kangkook

10 years, 3 months

3
2
0 / 0

[PATCH] audit: restore AUDIT_LOGINUID unset ABI

by Richard Guy Briggs

A regression was caused by commit 780a7654cee8: audit: Make testing for a valid loginuid explicit. (which in turn attempted to fix a regression caused by e1760bd) When audit_krule_to_data() fills in the rules to get a listing, there was a missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID. This broke userspace by not returning the same information that was sent and expected. The rule: auditctl -a exit,never -F auid=-1 gives: auditctl -l LIST_RULES: exit,never f24=0 syscall=all when it should give: LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all Tag it so that it is reported the same way it was set. Note: move the field validation call ahead of the mutation code to have it work on the original field set. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- include/uapi/linux/audit.h | 3 +++ kernel/auditfilter.c | 19 +++++++++++++------ kernel/auditsc.c | 2 +- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 4d100c8..860df86 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -274,6 +274,9 @@ #define AUDIT_FILTERKEY 210 +/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ +#define AUDIT_LOGINUID_LEGACY 0x80000000 + #define AUDIT_NEGATE 0x80000000 /* These are the supported operators. diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 40ed981..39ce3e6 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -438,9 +438,13 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, f->type = data->fields[i]; f->val = data->values[i]; + err = audit_field_valid(entry, f); + if (err) + goto exit_free; + /* Support legacy tests for a valid loginuid */ if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { - f->type = AUDIT_LOGINUID_SET; + f->type = AUDIT_LOGINUID_SET | AUDIT_LOGINUID_LEGACY; f->val = 0; } @@ -457,10 +461,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, rcu_read_unlock(); } - err = audit_field_valid(entry, f); - if (err) - goto exit_free; - err = -EINVAL; switch (f->type) { case AUDIT_LOGINUID: @@ -630,6 +630,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->buflen += data->values[i] = audit_pack_string(&bufp, krule->filterkey); break; + case AUDIT_LOGINUID_SET | AUDIT_LOGINUID_LEGACY: + if (!f->val) { + data->fields[i] = AUDIT_LOGINUID; + data->values[i] = AUDIT_UID_UNSET; + break; + } + /* fallthrough if set */ default: data->values[i] = f->val; } @@ -1270,7 +1277,7 @@ static int audit_filter_user_rules(struct audit_krule *rule, int type, int result = 0; u32 sid; - switch (f->type) { + switch (f->type & ~AUDIT_LOGINUID_LEGACY) { case AUDIT_PID: pid = task_pid_nr(current); result = audit_comparator(pid, f->op, f->val); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8933572..ef25cbc 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -452,7 +452,7 @@ static int audit_filter_rules(struct task_struct *tsk, int result = 0; pid_t pid; - switch (f->type) { + switch (f->type & ~AUDIT_LOGINUID_LEGACY) { case AUDIT_PID: pid = task_pid_nr(tsk); result = audit_comparator(pid, f->op, f->val); -- 1.7.1

10 years, 3 months

2
5
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit December 2014