[PATCH] audit: x86: drop arch from __audit_syscall_entry() interface
by Eric Paris
From: Richard Guy Briggs <rgb(a)redhat.com>
Since the arch is found locally in __audit_syscall_entry(), there is no need to
pass it in as a parameter. Delete it from the parameter list.
x86* was the only arch to call __audit_syscall_entry() directly and did so from
assembly code.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: x86(a)kernel.org
Cc: linux-kernel(a)vger.kernel.org
Cc: linux-audit(a)redhat.com
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
As this patch relies on changes in the audit tree, I think it
appropriate to send it through my tree rather than the x86 tree.
---
arch/x86/ia32/ia32entry.S | 12 ++++++------
arch/x86/kernel/entry_32.S | 11 +++++------
arch/x86/kernel/entry_64.S | 11 +++++------
include/linux/audit.h | 5 ++---
kernel/auditsc.c | 6 ++----
5 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 4299eb0..f5bdd28 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -186,12 +186,12 @@ sysexit_from_sys_call:
#ifdef CONFIG_AUDITSYSCALL
.macro auditsys_entry_common
- movl %esi,%r9d /* 6th arg: 4th syscall arg */
- movl %edx,%r8d /* 5th arg: 3rd syscall arg */
- /* (already in %ecx) 4th arg: 2nd syscall arg */
- movl %ebx,%edx /* 3rd arg: 1st syscall arg */
- movl %eax,%esi /* 2nd arg: syscall number */
- movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
+ movl %esi,%r8d /* 5th arg: 4th syscall arg */
+ movl %ecx,%r9d /*swap with edx*/
+ movl %edx,%ecx /* 4th arg: 3rd syscall arg */
+ movl %r9d,%edx /* 3rd arg: 2nd syscall arg */
+ movl %ebx,%esi /* 2nd arg: 1st syscall arg */
+ movl %eax,%edi /* 1st arg: syscall number */
call __audit_syscall_entry
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
cmpq $(IA32_NR_syscalls-1),%rax
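Review bot: The three-instruction swap through %r9d (`movl %ecx,%r9d` / `movl %edx,%ecx` / `movl %r9d,%edx`) can be a single `xchgl %ecx,%edx /* 4th arg: 3rd syscall arg, 3rd arg: 2nd syscall arg */`, which also removes the unexplained use of %r9d as scratch — it is call-clobbered and, with the 6th parameter gone, otherwise unused here, so the current sequence is correct but harder to read. At minimum the `/*swap with edx*/` comment should follow the column-aligned `/* Nth arg: ... */` style of its neighbours. One thing to confirm outside this hunk: with the explicit AUDIT_ARCH_I386 gone, the arch recorded for this compat path now comes entirely from whatever __audit_syscall_entry() derives itself, so it must report I386 for a compat task — audit rules keyed on `-F arch=b32` would otherwise silently mis-match for 32-bit callers on x86_64.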
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index a2a4f46..078053e 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -456,12 +456,11 @@ sysenter_audit:
jnz syscall_trace_entry
addl $4,%esp
CFI_ADJUST_CFA_OFFSET -4
- /* %esi already in 8(%esp) 6th arg: 4th syscall arg */
- /* %edx already in 4(%esp) 5th arg: 3rd syscall arg */
- /* %ecx already in 0(%esp) 4th arg: 2nd syscall arg */
- movl %ebx,%ecx /* 3rd arg: 1st syscall arg */
- movl %eax,%edx /* 2nd arg: syscall number */
- movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
+ movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
+ movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
+ /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
+ movl %ebx,%edx /* 2nd arg: 1st syscall arg */
+ /* %eax already in %eax 1st arg: syscall number */
call __audit_syscall_entry
pushl_cfi %ebx
movl PT_EAX(%esp),%eax /* reload syscall number */
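Review bot: `movl %esi,4(%esp)` and `movl %edx,(%esp)` write into the two stack slots that the removed comments described as places where %ecx and %edx were "already" sitting — after the `addl $4,%esp` those look like the saved register frame (pt_regs cx/dx) rather than scratch space, and the original code only read them. If that reading is right, the saved 2nd and 3rd syscall arguments are overwritten with %edx and %esi before the syscall itself runs, and on i386 the asmlinkage syscall handlers take their arguments from that frame, so the audited call would execute with corrupted arguments. Pushing the two extra audit arguments and dropping them after the call keeps the frame intact and makes no assumption about its layout; the `addl $4,%esp` / `pushl_cfi %ebx` pair, which only existed to expose the frame slots as stack arguments, then becomes unnecessary. The live %esi/%edx still hold the user values at this point (the removed comments say the same values are already in the frame), so they can be pushed directly. sysenter_audit continues outside the hunk.
```asm
	pushl_cfi %esi			/* 5th arg: 4th syscall arg */
	pushl_cfi %edx			/* 4th arg: 3rd syscall arg */
	/* %ecx already in %ecx		   3rd arg: 2nd syscall arg */
	movl %ebx,%edx			/* 2nd arg: 1st syscall arg */
	/* %eax already in %eax		   1st arg: syscall number */
	call __audit_syscall_entry
	addl $8,%esp			/* drop the two pushed args */
	CFI_ADJUST_CFA_OFFSET -8
	movl PT_EAX(%esp),%eax		/* reload syscall number */
```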
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 1e96c36..8292ff7 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -694,12 +694,11 @@ badsys:
* jump back to the normal fast path.
*/
auditsys:
- movq %r10,%r9 /* 6th arg: 4th syscall arg */
- movq %rdx,%r8 /* 5th arg: 3rd syscall arg */
- movq %rsi,%rcx /* 4th arg: 2nd syscall arg */
- movq %rdi,%rdx /* 3rd arg: 1st syscall arg */
- movq %rax,%rsi /* 2nd arg: syscall number */
- movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
+ movq %r10,%r8 /* 5th arg: 4th syscall arg */
+ movq %rdx,%rcx /* 4th arg: 3rd syscall arg */
+ movq %rsi,%rdx /* 3rd arg: 2nd syscall arg */
+ movq %rdi,%rsi /* 2nd arg: 1st syscall arg */
+ movq %rax,%rdi /* 1st arg: syscall number */
call __audit_syscall_entry
LOAD_ARGS 0 /* reload call-clobbered registers */
jmp system_call_fastpath
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 783157b..1ae0089 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -115,8 +115,7 @@ extern void audit_log_session_info(struct audit_buffer *ab);
/* Public API */
extern int audit_alloc(struct task_struct *task);
extern void __audit_free(struct task_struct *task);
-extern void __audit_syscall_entry(int arch,
- int major, unsigned long a0, unsigned long a1,
+extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
unsigned long a2, unsigned long a3);
extern void __audit_syscall_exit(int ret_success, long ret_value);
extern struct filename *__audit_reusename(const __user char *uptr);
@@ -148,7 +147,7 @@ static inline void audit_syscall_entry(int major, unsigned long a0,
unsigned long a3)
{
if (unlikely(current->audit_context))
- __audit_syscall_entry(syscall_get_arch(), major, a0, a1, a2, a3);
+ __audit_syscall_entry(major, a0, a1, a2, a3);
}
static inline void audit_syscall_exit(void *pt_regs)
{
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 62823a3..b12a712 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1497,7 +1497,6 @@ void __audit_free(struct task_struct *tsk)
/**
* audit_syscall_entry - fill in an audit record at syscall entry
- * @arch: architecture type
* @major: major syscall type (function)
* @a1: additional syscall register 1
* @a2: additional syscall register 2
@@ -1512,9 +1511,8 @@ void __audit_free(struct task_struct *tsk)
* will only be written if another part of the kernel requests that it
* be written).
*/
-void __audit_syscall_entry(int arch, int major,
- unsigned long a1, unsigned long a2,
- unsigned long a3, unsigned long a4)
+void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
+ unsigned long a3, unsigned long a4)
{
struct task_struct *tsk = current;
struct audit_context *context = tsk->audit_context;
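Review bot: The new signature keeps parameter names a1–a4 (`void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, unsigned long a3, unsigned long a4)`) while the header in include/linux/audit.h declares the same function with a0–a3; since the prototype is being rewritten anyway, this is the moment to use one naming scheme in both places and in the kernel-doc above (`@a1: additional syscall register 1` would become `@a0: first syscall argument`, and so on). The kernel-doc header also still names the function `audit_syscall_entry` although it documents `__audit_syscall_entry`. The body, which per the commit message now has to derive the arch itself rather than receiving it, continues outside the hunk, so the replacement for the removed `arch` parameter cannot be checked here.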
--
1.9.0
audit 2.3.6 released
by Steve Grubb
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
- Improve ARM and AARCH64 support (AKASHI Takahiro)
- Add ausearch --checkpoint feature (Burn Alting)
- Add --arch option to ausearch
- Improve too long config line in audispd, auditd, and auparse (#1071580)
- Fix aulast to accept the new AUDIT_LOGIN record format
- Remove clear_config symbol in auparse
I decided to go ahead and release this one because of some concern about an
unintended symbol popping up in the auparse ABI.
This release includes a bunch of new stuff. You can now add a '-i' to the
listing command of auditctl and it will interpret a0-a3 if they are included
in any rules.
There is new support for arm as mentioned in an email a few weeks ago. If you
were compiling --with-armeb, you now need to change to --with-arm. Cross
compile support is not yet in place.
There is a new checkpoint feature to ausearch. What it does is give you all
the events that have occurred since the last checkpoint.
Ausearch now has a --arch search option just in case you needed to find i386
events on a x86_64 machine.
There were a number of cleanups to the code as well.
Please let me know if you run across any problems with this release.
-Steve
CD Burner Auditing
by Boyce, Kevin P. (AS)
Does anyone know if it is possible to audit what filenames users are
burning to optical media?
I suppose I can put a watch on the /dev/sr0 device for write events, but
this does not give me any idea what was written to the disc. I suppose
I could also set an execve watch on all burner programs, e.g. /usr/bin/k3b
/usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord,
to know if someone opened the burning interface; but how could I tell
what it was they were writing?
Any suggestions are welcome.
Kevin
Place to call pam_loginuid in the pam session stack
by Laurent Bigonville
Hello,
This is maybe a dumb question, but is there any preferred place in the
pam session stack to call pam_loginuid?
Is it preferable to call it just after "pam_selinux close" or is any
place OK? I guess the sooner the better, so that the needed information is
present to audit what the other pam modules are doing?
Cheers,
Laurent Bigonville
[PATCH 1/4] SH: define syscall_get_arch() for superh
by Eric Paris
This patch defines syscall_get_arch() for the superh platform. It does
so in both syscall_32.h and syscall_64.h. I'm not certain if the
implementation in syscall_64.h couldn't just be used in syscall.h as I
can't really track the setting of CONFIG_64BIT...
This way is safe, but we might be able to combine these if a superh
person were able to review...
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Cc: linux-sh(a)vger.kernel.org
---
arch/sh/include/asm/syscall_32.h | 10 ++++++++++
arch/sh/include/asm/syscall_64.h | 14 ++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/arch/sh/include/asm/syscall_32.h b/arch/sh/include/asm/syscall_32.h
index 7d80df4..460e9c6 100644
--- a/arch/sh/include/asm/syscall_32.h
+++ b/arch/sh/include/asm/syscall_32.h
@@ -1,6 +1,7 @@
#ifndef __ASM_SH_SYSCALL_32_H
#define __ASM_SH_SYSCALL_32_H
+#include <uapi/linux/audit.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/err.h>
@@ -93,4 +94,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
}
}
+static inline int syscall_get_arch(void)
+{
+ int arch = EM_SH;
+
+#ifdef CONFIG_CPU_LITTLE_ENDIAN
+ arch |= __AUDIT_ARCH_LE;
+#endif
+ return arch;
+}
#endif /* __ASM_SH_SYSCALL_32_H */
diff --git a/arch/sh/include/asm/syscall_64.h b/arch/sh/include/asm/syscall_64.h
index c3561ca..e03e77d 100644
--- a/arch/sh/include/asm/syscall_64.h
+++ b/arch/sh/include/asm/syscall_64.h
@@ -1,6 +1,7 @@
#ifndef __ASM_SH_SYSCALL_64_H
#define __ASM_SH_SYSCALL_64_H
+#include <uapi/linux/audit.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <asm/ptrace.h>
@@ -61,4 +62,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(®s->regs[2 + i], args, n * sizeof(args[0]));
}
+static inline int syscall_get_arch(void)
+{
+ int arch = EM_SH;
+
+#ifdef CONFIG_64BIT
+ arch |= __AUDIT_ARCH_64BIT;
+#endif
+#ifdef CONFIG_CPU_LITTLE_ENDIAN
+ arch |= __AUDIT_ARCH_LE;
+#endif
+
+ return arch;
+}
#endif /* __ASM_SH_SYSCALL_64_H */
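Review bot: On the question in the cover letter — the syscall_64.h body is a strict superset of the syscall_32.h one: when CONFIG_64BIT is not set, `arch |= __AUDIT_ARCH_64BIT;` is compiled out and what remains is exactly the 32-bit version, so a single copy in a header both variants include would do and would keep the two from drifting apart. Also, `EM_SH` is only in scope here because uapi/linux/audit.h pulls in linux/elf-em.h; spelling the constant as `AUDIT_ARCH_SH`, which that same uapi header defines for this purpose, states the intent and does not depend on the transitive include.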
--
1.8.5.3
libauparse exporting clear_config()
by Laurent Bigonville
Hello,
With 2.3.5, libauparse is exporting a new symbol (clear_config())
It seems that all the other symbols are prefixed with either auparse_
or audit_, so is this expected?
Cheers,
Laurent Bigonville
Output of some debian tools:
--- debian/libauparse0.symbols (libauparse0_1:2.3.5-1_amd64)
+++ dpkg-gensymbols5cm36h 2014-04-08 17:59:09.324337637 +0000
@@ -43,3 +43,4 @@
ausearch_clear@Base 1:2.2.1
ausearch_next_event@Base 1:2.2.1
ausearch_set_stop@Base 1:2.2.1
+ clear_config@Base 1:2.3.5-1
[GIT PULL] Audit subsystem for v3.15
by Eric Paris
Linus,
Please pull the audit tree for v3.15. You will have merge conflicts.
I'll publish my branch "merge-test" where I attempted to resolve them
the way you will.
The main issue is an across tree change to syscall_get_arch(). I change
it from taking a task_struct and pt_regs to take a void. Not a single
arch used or needed either of these arguments. (For 3.16 we plan to
implement the function on more arches)
There are a couple of conflicts where I made changes to #includes and
your tree also has some additions. Should be obvious.
Two conflict issues with Kconfig changes. The first is just that your
tree has some additional 'select' lines mine didn't. Obvious to
resolve.
The second is a conflict in init/Kconfig. I don't completely understand
it. I believe it was the addition of ALPHA to the gigantic depends
line. I cherry-picked the patch from your tree that introduced ALPHA
before I made the switch to HAVE_ARCH_AUDITSYSCALL. I believed that
would avoid the conflict, but I guess I was wrong. In any case, I have
the 'select HAVE_ARCH_AUDITSYSCALL' in alpha.
There is also a conflict given the last second EPERM->ECONNREFUSED
switcheroo. My 3.15 is less restrictive. We return ECONNREFUSED only
for non-init user namespaces. Should be another easy one...
Please let me know if anything isn't easy/obvious for you!
Thank you!
-Eric
The following changes since commit b7d3622a39fde7658170b7f3cf6c6889bb8db30d:
Merge tag 'v3.13' into for-3.15 (2014-03-07 11:41:32 -0500)
are available in the git repository at:
git://git.infradead.org/users/eparis/audit.git master
for you to fetch changes up to 312103d64d0fcadb332899a2c84b357ddb18f4e3:
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC (2014-04-10 17:51:29 -0400)
----------------------------------------------------------------
AKASHI Takahiro (2):
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
audit: Add generic compat syscall support
Chris Metcalf (1):
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
Eric Paris (7):
audit: include subject in login records
syscall_get_arch: remove useless function arguments
audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
audit: define audit_is_compat in kernel internal header
AUDIT: Allow login in non-init namespaces
audit: do not cast audit_rule_data pointers pointlesly
audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
Eric W. Biederman (2):
audit: Use struct net not pid_t to remember the network namespce to reply in
audit: Send replies in the proper network namespace.
Joe Perches (1):
audit: remove stray newline from audit_log_execve_info() audit_panic() call
Josh Boyer (1):
audit: remove stray newlines from audit_log_lost messages
Monam Agarwal (1):
kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
Richard Guy Briggs (9):
audit: Use more current logging style again
capabilities: add descriptions for AUDIT_CONTROL and AUDIT_WRITE
audit: rename the misleading audit_get_context() to audit_take_context()
pid: get pid_t ppid of task in init_pid_ns
audit: convert PPIDs to the inital PID namespace.
audit: anchor all pid references in the initial pid namespace
audit: allow user processes to log from another PID namespace
audit: remove superfluous new- prefix in AUDIT_LOGIN messages
sched: declare pid_alive as inline
William Roberts (3):
mm: Create utility function for accessing a tasks commandline value
proc: Update get proc_pid_cmdline() to use mm.h helpers
audit: Audit proc/<pid>/cmdline aka proctitle
蔡正龙 (1):
alpha: Enable system-call auditing support.
arch/alpha/Kconfig | 4 ++++
arch/alpha/include/asm/ptrace.h | 5 +++++
arch/alpha/include/asm/thread_info.h | 2 ++
arch/alpha/kernel/Makefile | 1 +
arch/alpha/kernel/audit.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
arch/alpha/kernel/entry.S | 6 +++++-
arch/alpha/kernel/ptrace.c | 4 ++++
arch/arm/Kconfig | 1 +
arch/arm/include/asm/syscall.h | 5 ++---
arch/ia64/Kconfig | 1 +
arch/mips/include/asm/syscall.h | 4 ++--
arch/mips/kernel/ptrace.c | 2 +-
arch/parisc/Kconfig | 1 +
arch/powerpc/Kconfig | 1 +
arch/s390/Kconfig | 1 +
arch/s390/include/asm/syscall.h | 7 +++----
arch/sh/Kconfig | 1 +
arch/sparc/Kconfig | 1 +
arch/um/Kconfig.common | 1 +
arch/x86/Kconfig | 1 +
arch/x86/include/asm/syscall.h | 10 ++++------
drivers/tty/tty_audit.c | 3 ++-
fs/proc/base.c | 36 ++----------------------------------
include/asm-generic/syscall.h | 4 +---
include/linux/audit.h | 17 ++++++++++++++++-
include/linux/mm.h | 1 +
include/linux/sched.h | 20 +++++++++++++++++++-
include/uapi/linux/audit.h | 3 ++-
include/uapi/linux/capability.h | 4 ++++
init/Kconfig | 5 ++++-
kernel/audit.c | 66 ++++++++++++++++++++++++++++++++++++++++-------------------------
kernel/audit.h | 8 +++++++-
kernel/auditfilter.c | 41 +++++++++++++++++++++++++++++++----------
kernel/auditsc.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------
kernel/seccomp.c | 4 ++--
lib/Kconfig | 9 +++++++++
lib/Makefile | 1 +
lib/audit.c | 15 ++++++++++++++-
lib/compat_audit.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
mm/util.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
security/integrity/integrity_audit.c | 2 +-
security/lsm_audit.c | 11 +++++++----
42 files changed, 464 insertions(+), 136 deletions(-)
create mode 100644 arch/alpha/kernel/audit.c
create mode 100644 lib/compat_audit.c
Repository of audit events
by Burn Alting
All,
Does there exist a repository of audit events that could be used to test
changes to the audit parsing code?
Turning on
-a always,exit -F arch=b32 -S all
and
-a always,exit -F arch=b64 -S all
for a while does generate a lot of audit, but it's clearly not
exhaustive, so I am hoping we have some repositories that are shareable
and one can test against.
Rgds
[PATCH] MIPS: use current instead of task in syscall_get_arch
by Eric Paris
In commit 6e345746 Markos started using task to determine 64bit vs
32bit instead of it being completely CONFIG based.
In commit 5e937a9a we dropped the 'task' argument to syscall_get_arch()
across the entire system.
This obviously results in a build failure when Linus's and the audit
tree were merged. This patch should be applied as part of the merge
conflict, as both sides of the merge are correct and the failure happens
AT the merge.
The fix is simple. The task is always current. Use current.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Cc: markos.chandras(a)imgtec.com
Cc: Paul Burton <paul.burton(a)imgtec.com>
Cc: James Hogan <james.hogan(a)imgtec.com>
Cc: linux-mips(a)linux-mips.org
---
arch/mips/include/asm/syscall.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index d79cded..1258884 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -131,7 +131,7 @@ static inline int syscall_get_arch(void)
{
int arch = EM_MIPS;
#ifdef CONFIG_64BIT
- if (!test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ if (!test_tsk_thread_flag(current, TIF_32BIT_REGS))
arch |= __AUDIT_ARCH_64BIT;
#endif
#if defined(__LITTLE_ENDIAN)
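Review bot: `test_tsk_thread_flag(current, TIF_32BIT_REGS)` can be written as `test_thread_flag(TIF_32BIT_REGS)`, which is the idiom for querying the running task and does not require `current` to be in scope in this header — whether it already is cannot be seen from the hunk. The two forms are equivalent, so this is style only; the substance of the fix (task → current) is right given that syscall_get_arch() now takes no arguments. The function ends outside the hunk.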
--
1.9.0