Does the order / position of audit rule's arguments matter?
by Jan Lieskovsky
Hello folks,
I wasn't able to find an answer to the following question in the auditctl
manual page, so I'm checking here: does the order / position in which
auditctl's / /etc/audit/audit.rules' audit rule arguments are listed in
the rule matter, or are all permutations of the arguments allowed?
IOW suppose the following rule:
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Is
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
the only allowed form, or are all the other possible argument permutations [*] also
valid / supported (under the assumption, of course, that no option is missing or newly
added when compared to the original rule)?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
[*] For example, suppose five different /etc/audit/audit.rules configurations used the
forms below: do all of them represent an equivalent requirement / setting?
(regardless of how likely it is that they would be expressed in that form)
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit
-F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping
-F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x
-F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid>=500
..
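Added example, not from the post or from the audit project: a small Python comparator that reads a rule line into its action, filter list, `-F` fields, `-S` syscalls and `-k` keys and compares two lines on that structure, so it reports whether two spellings describe the same rule regardless of argument order, and rejects lines whose fields lack an operator. The names `parse_rule`, `equivalent`, `syntax_error` and `AuditRule` are hypothetical helpers; treating "list,action" and "action,list" as the same rule is an assumption, and the example says nothing about which argument orders auditctl itself accepts.

```python
import shlex
from dataclasses import dataclass

# Comparison operators auditctl allows in "-F name<op>value"; two-character
# operators come first so that ">=" is matched before ">" and "!=" before "=".
FIELD_OPS = (">=", "<=", "!=", "&=", "=", ">", "<", "&")


class RuleSyntaxError(ValueError):
    """A rule line that cannot be read as option/argument pairs."""


@dataclass(frozen=True)
class AuditRule:
    """Order-independent view of one syscall rule (hypothetical helper type)."""
    action: str          # "always" or "never"
    lists: tuple         # filter lists named in -a, e.g. ("exit",)
    fields: frozenset    # {(name, op, value), ...} from every -F
    syscalls: frozenset  # names from every -S
    keys: frozenset      # every -k


def _split_field(arg):
    """Split "auid>=500" into ("auid", ">=", "500"); reject fields with no operator."""
    for op in FIELD_OPS:
        name, sep, value = arg.partition(op)
        if sep and name and value:
            return (name, op, value)
    raise RuleSyntaxError(f"field {arg!r} has no comparison operator")


def parse_rule(line):
    """Parse one audit.rules line; the result does not depend on argument order."""
    tokens = shlex.split(line, comments=True)
    action, lists = None, ()
    fields, syscalls, keys = set(), set(), set()
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if not opt.startswith("-") or i + 1 >= len(tokens):
            raise RuleSyntaxError(f"expected an option followed by its argument at {opt!r}")
        arg = tokens[i + 1]
        i += 2
        if opt in ("-a", "-A"):
            if action is not None:
                raise RuleSyntaxError("more than one -a/-A in a single rule")
            first, _, second = arg.partition(",")
            parts = {first.strip(), second.strip()}
            acts = parts & {"always", "never"}
            # assumption: "list,action" and "action,list" name the same rule
            if "" in parts or len(parts) != 2 or len(acts) != 1:
                raise RuleSyntaxError(f"bad -a/-A argument {arg!r}")
            action = acts.pop()
            lists = tuple(sorted(parts - {action}))
        elif opt == "-F":
            fields.add(_split_field(arg))
        elif opt == "-S":
            syscalls.update(s for s in arg.split(",") if s)
        elif opt == "-k":
            keys.add(arg)
        else:
            raise RuleSyntaxError(f"option {opt!r} is not handled by this comparator")
    if action is None:
        raise RuleSyntaxError("rule has no -a/-A")
    return AuditRule(action, lists, frozenset(fields), frozenset(syscalls), frozenset(keys))


def equivalent(line_a, line_b):
    """True when both lines describe the same rule, whatever their argument order."""
    return parse_rule(line_a) == parse_rule(line_b)


def syntax_error(line):
    """The parse error for a line, or None when it parses cleanly."""
    try:
        parse_rule(line)
    except RuleSyntaxError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Rule lines taken from the question above; the last one is its misspelt variant.
    base = "-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
    moved = "-F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid>=500"
    bad = "-F perm=x -F auid>=500 -k privileged -a always, exit -F path/bin/ping"
    print("same rule:", equivalent(base, moved))  # True
    print("same rule:", equivalent(base, base.replace("auid>=500", "auid=500")))  # False
    print("syntax:", syntax_error(bad))
```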
Re: linux-next: Tree for Jan 20 -- Kernel panic - Unable to mount root fs
by Sabrina Dubroca
Hello,
Today's linux-next doesn't boot on my qemu VM:
[ 1.248357] scsi 0:0:0:0: Direct-Access ATA QEMU HARDDISK 0 PQ: 0 ANSI: 5
[ 1.255899] sd 0:0:0:0: [sda] 8388608 512-byte logical blocks: (4.29 GB/4.00 GiB)
[ 1.258333] sd 0:0:0:0: [sda] Write Protect is off
[ 1.259475] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1.268417] scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 2.2. PQ: 0 ANSI: 5
[ 1.271673] sda: sda1
[ 1.281061] sd 0:0:0:0: [sda] Attached SCSI disk
[ 1.282320] VFS: Cannot open root device "sda1" or unknown-block(8,1): error -2
[ 1.283484] Please append a correct "root=" boot option; here are the available partitions:
[ 1.284748] 0100 4096 ram0 (driver?)
[ 1.285479] 0101 4096 ram1 (driver?)
[ 1.286218] 0102 4096 ram2 (driver?)
[ 1.286992] 0103 4096 ram3 (driver?)
[ 1.287741] 0104 4096 ram4 (driver?)
[ 1.288640] 0105 4096 ram5 (driver?)
[ 1.289394] 0106 4096 ram6 (driver?)
[ 1.290195] 0107 4096 ram7 (driver?)
[ 1.290962] 0108 4096 ram8 (driver?)
[ 1.291695] 0109 4096 ram9 (driver?)
[ 1.292404] 010a 4096 ram10 (driver?)
[ 1.293114] 010b 4096 ram11 (driver?)
[ 1.293922] 010c 4096 ram12 (driver?)
[ 1.294643] 010d 4096 ram13 (driver?)
[ 1.295401] 010e 4096 ram14 (driver?)
[ 1.296167] 010f 4096 ram15 (driver?)
[ 1.296975] 0800 4194304 sda driver: sd
[ 1.297697] 0801 4194272 sda1 00000000-01
[ 1.298418] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
[ 1.300034] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.19.0-rc5-next-20150120-dirty #410
[ 1.300039] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140617_173321-var-lib-archbuild-testing-x86_64-tobias 04/01/2014
[ 1.300039] ffffea0000001340 ffff88001f673dd8 ffffffff817e1197 000000000000004e
[ 1.300039] ffffffff81a6f2c8 ffff88001f673e58 ffffffff817dfd43 ffffffff81c9a860
[ 1.300039] ffff880000000010 ffff88001f673e68 ffff88001f673e08 ffff000031616473
[ 1.300039] Call Trace:
[ 1.300039] [<ffffffff817e1197>] dump_stack+0x4f/0x7b
[ 1.300039] [<ffffffff817dfd43>] panic+0xd2/0x217
[ 1.300039] [<ffffffff81efd58b>] mount_block_root+0x200/0x28d
[ 1.300039] [<ffffffff81efd78b>] mount_root+0x54/0x58
[ 1.300039] [<ffffffff81efd8f7>] prepare_namespace+0x168/0x1a1
[ 1.300039] [<ffffffff81efd2b1>] kernel_init_freeable+0x29d/0x2ad
[ 1.300039] [<ffffffff817d7440>] ? rest_init+0x140/0x140
[ 1.300039] [<ffffffff817d744e>] kernel_init+0xe/0xf0
[ 1.300039] [<ffffffff817eb87c>] ret_from_fork+0x7c/0xb0
[ 1.300039] [<ffffffff817d7440>] ? rest_init+0x140/0x140
[ 1.300039] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
[ 1.300039] ---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
I bisected it down to:
5dc5218840e1 fs: create proper filename objects using getname_kernel()
I reverted then reapplied each part of that patch. It works if I
leave out the hunk for do_path_lookup:
diff --git a/fs/namei.c b/fs/namei.c
index eeb3b83661f8..c3d21b79090e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2001,9 +2001,15 @@ static int filename_lookup(int dfd, struct filename *name,
static int do_path_lookup(int dfd, const char *name,
unsigned int flags, struct nameidata *nd)
{
- struct filename filename = { .name = name };
+ int retval;
+ struct filename *filename;
- return filename_lookup(dfd, &filename, flags, nd);
+ filename = getname_kernel(name);
+ if (unlikely(IS_ERR(filename)))
+ return PTR_ERR(filename);
+ retval = filename_lookup(dfd, filename, flags, nd);
+ putname(filename);
+ return retval;
}
/* does lookup, returns the object with parent locked */
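Review bot: the risk in this hunk is the semantic change hidden behind `filename = getname_kernel(name);`: the removed `struct filename filename = { .name = name };` merely aliased the caller's string, whereas the replacement copies it into a newly allocated object, so when the boot failure bisects to exactly this hunk the first thing to verify is that the reworked `getname_kernel()` (patch 1/5 of the same series, "fs: rework getname_kernel to handle up to PATH_MAX sized filenames") hands back an object whose `->name` is the NUL-terminated input for short names, since the panic above shows the root-device lookup failing with error -2 and the bytes `31616473` ("sda1" read little-endian) still sitting on the stack. The control flow in the hunk itself is sound: `IS_ERR()` is checked before use and `putname(filename)` runs whether `filename_lookup()` succeeds or fails. The changelog should also state that every caller of `do_path_lookup()` now pays for an allocation and a free on each lookup, which the old stack object avoided.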
I don't know what other info you may need.
Full dmesg for the failed boot included below.
Thanks.
--
Sabrina
[PATCH 0/5] Overhaul the audit filename handling
by Paul Moore
This is the same patchset that was sent earlier with the RFC prefix,
the only differences are the inclusion of a reviewer and the fact that
I've stripped the RFC prefix. I'm including this in the audit-next
branch and plan on pushing this to Linus in the next merge window.
For those of you who didn't bother looking at the RFC posting, this
patchset resolves various problems in the way audit handles filenames.
The patches rework the way audit handles filenames, removing a lot of
nasty hacks added recently, and fixing a few bugs that still remain.
Most significant to folks outside of audit, patch 5/5 does away with
the nasty getname()/putname() kludge in favor of a less ugly reference
count approach.
---
Paul Moore (5):
fs: rework getname_kernel to handle up to PATH_MAX sized filenames
fs: create proper filename objects using getname_kernel()
audit: enable filename recording via getname_kernel()
audit: fix filename matching in __audit_inode() and __audit_inode_child()
audit: replace getname()/putname() hacks with reference counters
fs/exec.c | 11 +++
fs/namei.c | 98 ++++++++++++++++++-----------
fs/open.c | 11 +++
include/linux/audit.h | 3 -
include/linux/fs.h | 9 +--
kernel/audit.h | 17 +----
kernel/auditsc.c | 167 +++++++++----------------------------------------
7 files changed, 115 insertions(+), 201 deletions(-)
[PATCH] TaskTracker : Simplified thread information tracker.
by Tetsuo Handa
Yesterday I went to LinuxCon Japan 2014 and stopped at Red Hat's booth
and Oracle's booth. I explained this module (using page 92 of
http://I-love.SAKURA.ne.jp/tomoyo/LCJ2014-en.pdf) and got positive
responses from people who have experience with troubleshooting jobs.
I was convinced that I am not the only person who is bothered by the lack of
process history information in the logs. Therefore, I repost this module
for inclusion into the mainline Linux kernel.
Changes from previous version ( http://lwn.net/Articles/575044/ ):
(1) Assign a value to "u32 *seclen" in addition to "char *secdata"
at security_task_getsecid() hook.
(2) Make calculation of time stamp a bit faster.
Background:
When an unexpected system event (e.g. reboot) occurs, the administrator may
want to identify which application triggered the event. System call auditing
could be used for recording such an event. However, the audit log may not be
able to provide sufficient information for identifying the application
because the audit log does not reflect how the program was executed.
I sometimes receive "which application triggered the event" questions on RHEL
systems. TOMOYO security module can track how the program was executed, but
TOMOYO is not yet available in Fedora/RHEL distributions.
Although subj= field is added to the audit log if SELinux is not disabled,
SELinux is too difficult to customize as fine grained as I expect in order to
reflect how the program was executed. Therefore, I'm currently using AKARI
and SystemTap for emulating TOMOYO-like tracing.
But AKARI and SystemTap do not help unless the kernel module is loaded before
the unexpected system event occurs. Generally, the administrator fails
to record the first event, and has to wait for the same event to occur again
after loading the kernel module and/or configuring auditing. I came to think
that we want a built-in kernel routine which is automatically started upon
boot so that we don't fail to record the first event.
What I did:
Assuming that multiple concurrent LSM support comes in the near future,
I wrote a trivial LSM module which emits TOMOYO-like information into the
audit logs.
Usage:
Just register this LSM module. No configuration is needed. You will get
history of current thread in the form of comm name and time stamp pairs
in the subj= field of audit logs like examples shown in the patch
description.
----------
>From ff68d3a4cd496bd263d2939848777fffc30cbc0b Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
Date: Fri, 23 May 2014 21:31:56 +0900
Subject: [PATCH] TaskTracker : Simplified thread information tracker.
Existing audit logs generated via system call auditing functionality include
current thread's comm name. But it is not always sufficient for identifying
which application has requested specific operations because comm name does not
reflect history of current thread.
This security module adds functionality for adding the current thread's history
information like the TOMOYO security module does, expecting that this module can
help us get more information from the system call auditing functionality.
type=USER_LOGIN msg=audit(1400879947.084:24): pid=4308 uid=0 auid=0 ses=2
subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=>
switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=>
sh(2014/05/23-21:17:56)=>mingetty(2014/05/23-21:17:56)=>
login(2014/05/23-21:19:05)" msg='op=login id=0 exe="/bin/login" hostname=?
addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1400880014.444:26): arch=40000003 syscall=11
success=yes exit=0 a0=8140f78 a1=812b7d8 a2=812b248 a3=812b7d8 items=2
ppid=4323 pid=4355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=1 comm="tail" exe="/usr/bin/tail"
subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=>
switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=>
sh(2014/05/23-21:17:37)=>rc(2014/05/23-21:17:37)=>
S55sshd(2014/05/23-21:17:53)=>sshd(2014/05/23-21:17:53)=>
sshd(2014/05/23-21:18:17)=>bash(2014/05/23-21:18:21)=>
tail(2014/05/23-21:20:14)" key=(null)
Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
---
security/Kconfig | 6 +
security/Makefile | 2 +
security/tasktracker/Kconfig | 35 +++++
security/tasktracker/Makefile | 1 +
security/tasktracker/tasktracker.c | 282 ++++++++++++++++++++++++++++++++++++
5 files changed, 326 insertions(+), 0 deletions(-)
create mode 100644 security/tasktracker/Kconfig
create mode 100644 security/tasktracker/Makefile
create mode 100644 security/tasktracker/tasktracker.c
diff --git a/security/Kconfig b/security/Kconfig
index beb86b5..14e7d27 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -122,6 +122,7 @@ source security/smack/Kconfig
source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/yama/Kconfig
+source security/tasktracker/Kconfig
source security/integrity/Kconfig
@@ -132,6 +133,7 @@ choice
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
+ default DEFAULT_SECURITY_TT if SECURITY_TT
default DEFAULT_SECURITY_DAC
help
@@ -153,6 +155,9 @@ choice
config DEFAULT_SECURITY_YAMA
bool "Yama" if SECURITY_YAMA=y
+ config DEFAULT_SECURITY_TT
+ bool "TaskTracker" if SECURITY_TT=y
+
config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"
@@ -165,6 +170,7 @@ config DEFAULT_SECURITY
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "yama" if DEFAULT_SECURITY_YAMA
+ default "tt" if DEFAULT_SECURITY_TT
default "" if DEFAULT_SECURITY_DAC
endmenu
diff --git a/security/Makefile b/security/Makefile
index 05f1c93..28a90ed 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
+subdir-$(CONFIG_SECURITY_TT) += tasktracker
# always enable default capabilities
obj-y += commoncap.o
@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
+obj-$(CONFIG_SECURITY_TT) += tasktracker/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/tasktracker/Kconfig b/security/tasktracker/Kconfig
new file mode 100644
index 0000000..6de5354
--- /dev/null
+++ b/security/tasktracker/Kconfig
@@ -0,0 +1,35 @@
+config SECURITY_TT
+ bool "TaskTracker support"
+ depends on SECURITY
+ default n
+ help
+ Existing audit logs generated via system call auditing functionality
+ include current thread's comm name. But it is not always sufficient
+ for identifying which application has requested specific operations
+ because comm name does not reflect history of current thread.
+
+ This security module adds functionality for adding current thread's
+ history information like TOMOYO security module does, expecting that
+ this module can help us getting more information from system call
+ auditing functionality.
+
+ If you are unsure how to answer this question, answer N.
+
+ Usage:
+
+ Just register this module. No configuration is needed.
+
+ You will get history of current thread in the form of
+ comm name and time stamp pairs in the subj= field of audit logs
+ like an example shown below.
+
+ type=SYSCALL msg=audit(1400880014.444:26): arch=40000003 syscall=11
+ success=yes exit=0 a0=8140f78 a1=812b7d8 a2=812b248 a3=812b7d8
+ items=2 ppid=4323 pid=4355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
+ egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="tail"
+ exe="/usr/bin/tail" subj="swapper/0(2014/05/23-21:17:30)=>
+ init(2014/05/23-21:17:33)=>switch_root(2014/05/23-21:17:34)=>
+ init(2014/05/23-21:17:34)=>sh(2014/05/23-21:17:37)=>
+ rc(2014/05/23-21:17:37)=>S55sshd(2014/05/23-21:17:53)=>
+ sshd(2014/05/23-21:17:53)=>sshd(2014/05/23-21:18:17)=>
+ bash(2014/05/23-21:18:21)=>tail(2014/05/23-21:20:14)" key=(null)
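Review bot: `default n` on SECURITY_TT is redundant, since a bool symbol already defaults to n, and the help text's "Just register this module" does not say how that happens. Given that the module registers as `.name = "tt"` and tt_init() consults security_module_enable(), state that it is enabled either by picking it as the default security module in this menu or with `security=tt` on the kernel command line.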
diff --git a/security/tasktracker/Makefile b/security/tasktracker/Makefile
new file mode 100644
index 0000000..15d03ce
--- /dev/null
+++ b/security/tasktracker/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_SECURITY_TT) := tasktracker.o
diff --git a/security/tasktracker/tasktracker.c b/security/tasktracker/tasktracker.c
new file mode 100644
index 0000000..ec4eb0c
--- /dev/null
+++ b/security/tasktracker/tasktracker.c
@@ -0,0 +1,282 @@
+/*
+ * tasktracker.c - Simplified thread information tracker.
+ *
+ * Copyright (C) 2010-2014 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
+ */
+#include <linux/security.h>
+#include <linux/binfmts.h>
+
+/* Wrapper structure for passing string buffer. */
+struct tt_record {
+ char history[1024];
+};
+
+/* Structure for representing YYYY/MM/DD hh/mm/ss. */
+struct tt_time {
+ u16 year;
+ u8 month;
+ u8 day;
+ u8 hour;
+ u8 min;
+ u8 sec;
+};
+
+/**
+ * tt_get_time - Get current time in YYYY/MM/DD hh/mm/ss format.
+ *
+ * @stamp: Pointer to "struct tt_time".
+ *
+ * Returns nothing.
+ *
+ * This function does not handle Y2038 problem.
+ */
+static void tt_get_time(struct tt_time *stamp)
+{
+ struct timeval tv;
+ static const u16 tt_eom[2][12] = {
+ { 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },
+ { 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }
+ };
+ u16 y = 1970;
+ u8 m;
+ bool r;
+ time_t time;
+ do_gettimeofday(&tv);
+ time = tv.tv_sec;
+ stamp->sec = time % 60;
+ time /= 60;
+ stamp->min = time % 60;
+ time /= 60;
+ stamp->hour = time % 24;
+ time /= 24;
+ if (time >= 16071) {
+ /* Start from 2014/01/01 rather than 1970/01/01. */
+ time -= 16071;
+ y += 44;
+ }
+ while (1) {
+ const unsigned short days = (y & 3) ? 365 : 366;
+ if (time < days)
+ break;
+ time -= days;
+ y++;
+ }
+ r = (y & 3) == 0;
+ for (m = 0; m < 11 && time >= tt_eom[r][m]; m++)
+ ;
+ if (m)
+ time -= tt_eom[r][m - 1];
+ stamp->year = y;
+ stamp->month = ++m;
+ stamp->day = ++time;
+}
+
+/**
+ * tt_update_record - Update "struct tt_record" for given credential.
+ *
+ * @record: Pointer to "struct tt_record".
+ *
+ * Returns nothing.
+ */
+static void tt_update_record(struct tt_record *record)
+{
+ char *cp;
+ int i;
+ struct tt_time stamp;
+ tt_get_time(&stamp);
+ /*
+ * Lockless update because current thread's record is not concurrently
+ * accessible, for "struct cred"->security is not visible from other
+ * threads because this function is called upon only boot up and
+ * successful execve() operation.
+ */
+ cp = record->history;
+ i = strlen(cp);
+ while (i >= sizeof(record->history) - (TASK_COMM_LEN * 4 + 30)) {
+ /*
+ * Since this record is not for making security decision,
+ * I don't care by-chance matching "=>" in task's commname.
+ */
+ char *cp2 = strstr(cp + 2, "=>");
+ if (!cp2)
+ return;
+ memmove(cp + 1, cp2, strlen(cp2) + 1);
+ i = strlen(cp);
+ }
+ if (!i)
+ *cp++ = '"';
+ else {
+ cp += i - 1;
+ *cp++ = '=';
+ *cp++ = '>';
+ }
+ /*
+ * Lockless read because this is current thread and being unexpectedly
+ * modified by other thread is not a fatal problem.
+ */
+ for (i = 0; i < TASK_COMM_LEN; i++) {
+ const unsigned char c = current->comm[i];
+ if (!c)
+ break;
+ else if (c == '"' || c == '\\' || c < 0x21 || c > 0x7e) {
+ *cp++ = '\\';
+ *cp++ = (c >> 6) + '0';
+ *cp++ = ((c >> 3) & 7) + '0';
+ *cp++ = (c & 7) + '0';
+ } else
+ *cp++ = c;
+ }
+ sprintf(cp, "(%04u/%02u/%02u-%02u:%02u:%02u)\"", stamp.year,
+ stamp.month, stamp.day, stamp.hour, stamp.min, stamp.sec);
+}
+
+/**
+ * tt_find_record - Find "struct tt_record" for given credential.
+ *
+ * @cred: Pointer to "struct cred".
+ *
+ * Returns pointer to "struct tt_record".
+ */
+static inline struct tt_record *tt_find_record(const struct cred *cred)
+{
+ return cred->security;
+}
+
+/**
+ * tt_cred_alloc_blank - Allocate memory for new credentials.
+ *
+ * @new: Pointer to "struct cred".
+ * @gfp: Memory allocation flags.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tt_cred_alloc_blank(struct cred *new, gfp_t gfp)
+{
+ new->security = kzalloc(sizeof(struct tt_record), gfp);
+ return new->security ? 0 : -ENOMEM;
+}
+
+/**
+ * tt_cred_prepare - Allocate memory for new credentials.
+ *
+ * @new: Pointer to "struct cred".
+ * @old: Pointer to "struct cred".
+ * @gfp: Memory allocation flags.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tt_cred_prepare(struct cred *new, const struct cred *old,
+ gfp_t gfp)
+{
+ if (tt_cred_alloc_blank(new, gfp))
+ return -ENOMEM;
+ strcpy(tt_find_record(new)->history, tt_find_record(old)->history);
+ return 0;
+}
+
+/**
+ * tt_cred_free - Release memory used by credentials.
+ *
+ * @cred: Pointer to "struct cred".
+ *
+ * Returns nothing.
+ */
+static void tt_cred_free(struct cred *cred)
+{
+ kfree(cred->security);
+}
+
+/**
+ * tt_cred_transfer - Transfer "struct tt_record" between credentials.
+ *
+ * @new: Pointer to "struct cred".
+ * @old: Pointer to "struct cred".
+ *
+ * Returns nothing.
+ */
+static void tt_cred_transfer(struct cred *new, const struct cred *old)
+{
+ strcpy(tt_find_record(new)->history, tt_find_record(old)->history);
+}
+
+/**
+ * tt_bprm_committing_creds - A hook which is called when do_execve() succeeded.
+ *
+ * @bprm: Pointer to "struct linux_binprm".
+ *
+ * Returns nothing.
+ */
+static void tt_bprm_committing_creds(struct linux_binprm *bprm)
+{
+ tt_update_record(tt_find_record(bprm->cred));
+}
+
+/**
+ * tt_task_getsecid - Check whether to audit or not.
+ *
+ * @p: Pointer to "struct task_struct".
+ * @secid: Pointer to flag.
+ */
+static void tt_task_getsecid(struct task_struct *p, u32 *secid)
+{
+ *secid = (p == current);
+}
+
+/**
+ * tt_secid_to_secctx - Allocate memory used for auditing.
+ *
+ * @secid: Bool flag to allocate.
+ * @secdata: Pointer to allocate memory.
+ * @seclen: Size of allocated memory.
+ *
+ * Returns 0 on success, -EINVAL otherwise.
+ */
+static int tt_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+ struct tt_record *record;
+ /* Ignore unless current thread's record is requested. */
+ if (secid != 1)
+ return -EINVAL;
+ /*
+ * We don't need to duplicate the string because current thread's
+ * record is updated upon only boot up and successful execve()
+ * operation, even if current thread's record is shared between
+ * multiple threads.
+ */
+ record = tt_find_record(current->real_cred);
+ *secdata = record->history;
+ *seclen = strlen(record->history);
+ return 0;
+}
+
+/* List of hooks. */
+static struct security_operations tasktracker_ops = {
+ .name = "tt",
+ .secid_to_secctx = tt_secid_to_secctx,
+ .task_getsecid = tt_task_getsecid,
+ .cred_prepare = tt_cred_prepare,
+ .cred_free = tt_cred_free,
+ .cred_alloc_blank = tt_cred_alloc_blank,
+ .cred_transfer = tt_cred_transfer,
+ .bprm_committing_creds = tt_bprm_committing_creds,
+};
+
+/**
+ * tt_init - Initialize this module.
+ *
+ * Returns 0 on success, panic otherwise.
+ */
+static int __init tt_init(void)
+{
+ struct cred *cred = (struct cred *) current_cred();
+ if (!security_module_enable(&tasktracker_ops))
+ return 0;
+ if (tt_cred_alloc_blank(cred, GFP_ATOMIC) ||
+ register_security(&tasktracker_ops))
+ panic("Failure registering TaskTracker");
+ tt_update_record(tt_find_record(cred));
+ pr_info("TaskTracker initialized\n");
+ return 0;
+}
+
+security_initcall(tt_init);
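Review bot: in tt_update_record(), the trimming loop does `memmove(cp + 1, cp2, ...)` with cp2 pointing at the "=>" that strstr() found, so once the 1024-byte history fills up the string starts with `"=>` and every later subj= value begins with a separator; if that is meant to mark a truncated history, say so in the comment (and in the Kconfig help, since log consumers must expect it), otherwise move from cp2 + 2. Separately, tt_get_time() treats every fourth year as a leap year (`(y & 3) ? 365 : 366` and `r = (y & 3) == 0`), which goes wrong at 2100, and the comment already concedes Y2038; time_to_tm() from <linux/time.h> handles both and would replace the hand-rolled calendar. tt_init() also casts away the const of current_cred() to install the initial record; a comment on why that is safe this early in boot would help.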
--
1.7.1
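Reading the subj= history that the TaskTracker patch emits, as an added example that is not part of the patch or its author's code: it parses the `comm(YYYY/MM/DD-hh:mm:ss)=>...` chain out of an audit record, decodes the `\ooo` octal escapes tt_update_record() writes for `"`, `\` and non-printable bytes, and flags a history that the trimming loop has shortened. The first record is the one quoted in the patch description; the second is constructed to exercise trimming and escaping.

```python
import re
from datetime import datetime
from typing import List, Tuple

# One history element as tt_update_record() writes it:
# escaped comm name followed by "(YYYY/MM/DD-hh:mm:ss)".
_ELEMENT = re.compile(r"^(.*)\((\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\)$")
# Octal escape emitted for '"', '\' and any byte outside 0x21..0x7e.
_OCTAL_ESC = re.compile(r"\\([0-7]{3})")


def extract_subj(record: str) -> str:
    """Return the raw value between subj=" and its closing quote.

    Embedded quotes never terminate the value because the module escapes
    them as \\042, so the first unescaped '"' is the end of the field.
    """
    marker = 'subj="'
    start = record.find(marker)
    if start < 0:
        raise ValueError("record carries no subj= field")
    i = start + len(marker)
    out = []
    while i < len(record):
        c = record[i]
        if c == '"':
            return "".join(out)
        if c == "\\":
            out.append(record[i:i + 4])   # keep "\ooo" intact for now
            i += 4
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated subj= value")


def unescape_comm(name: str) -> str:
    """Turn \\ooo escapes back into the original comm bytes (as latin-1)."""
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_history(subj: str) -> Tuple[bool, List[Tuple[str, datetime]]]:
    """Split the chain into (comm, timestamp) pairs, oldest first.

    When the 1024-byte record fills up, tt_update_record() drops the oldest
    element but leaves its "=>" separator in place, so a history that starts
    with "=>" has lost its beginning; that is reported as truncated=True.
    """
    truncated = subj.startswith("=>")
    if truncated:
        subj = subj[2:]
    history = []
    # "=>" consists of printable bytes, so it is never escaped; a comm
    # containing a literal "=>" would confuse the kernel's trimming as well.
    for element in subj.split("=>"):
        m = _ELEMENT.match(element)
        if not m:
            raise ValueError("malformed history element: %r" % element)
        stamp = datetime.strptime(m.group(2), "%Y/%m/%d-%H:%M:%S")
        history.append((unescape_comm(m.group(1)), stamp))
    return truncated, history


def parse_record(record: str) -> Tuple[bool, List[Tuple[str, datetime]]]:
    return parse_history(extract_subj(record))


# The SYSCALL record quoted in the patch description, joined onto one line.
PAGE_RECORD = (
    'type=SYSCALL msg=audit(1400880014.444:26): arch=40000003 syscall=11 '
    'success=yes exit=0 a0=8140f78 a1=812b7d8 a2=812b248 a3=812b7d8 items=2 '
    'ppid=4323 pid=4355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts0 ses=1 comm="tail" exe="/usr/bin/tail" '
    'subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=>'
    'switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=>'
    'sh(2014/05/23-21:17:37)=>rc(2014/05/23-21:17:37)=>'
    'S55sshd(2014/05/23-21:17:53)=>sshd(2014/05/23-21:17:53)=>'
    'sshd(2014/05/23-21:18:17)=>bash(2014/05/23-21:18:21)=>'
    'tail(2014/05/23-21:20:14)" key=(null)'
)

# Constructed record (not from the page): a trimmed history whose newest
# element has a comm name containing '"', '\' and a space.
TRIMMED_RECORD = (
    'type=SYSCALL msg=audit(1400880100.000:27): syscall=11 success=yes '
    'subj="=>bash(2014/05/23-21:18:21)=>a\\042b\\134c\\040d(2014/05/23-21:25:00)"'
    ' key=(null)'
)

if __name__ == "__main__":
    for rec in (PAGE_RECORD, TRIMMED_RECORD):
        truncated, hist = parse_record(rec)
        print("truncated" if truncated else "complete", "->",
              " => ".join("%s@%s" % (c, t.strftime("%H:%M:%S")) for c, t in hist))
```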
ABI guarantee for auditd
by hsultan@thefroid.net
Hi,
Sorry for the deluge of questions :)
Regarding auditd, what is the ABI guarantee? Do you guarantee that the
text contained in audit_reply->msg.data will always be the same format?
I imagine you reserve the right to add fields, but how about removing
any or even reordering them?
Or are people simply required to use auparse to guarantee they get
records properly?
Also, regarding 'unofficial' ABI compatibility, when has the
audit_reply->msg.data format changed last? Say these past 3-4 years,
were there any changes in the format, or could I use a faster, but
specifically focused, parser on the msgs when detecting older releases at
least?
Thanks,
Hassan
audit not catching accept call from a 64bit sshd
by hsultan@thefroid.net
Hi,
So I'm a bit dumbfounded by what I'm seeing on my Ubuntu 14.04 Server
LTS:
ubuntu@ip-172-31-37-137:~/test$ sudo netstat -anop |grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:*
LISTEN 1406/sshd off (0.00/0/0)
Using file, I verified that it's a 64-bit process:
ubuntu@ip-172-31-37-137:~/test$ file /usr/sbin/sshd
/usr/sbin/sshd: ELF 64-bit LSB shared object, x86-64, version 1
(SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24,
BuildID[sha1]=00e04495db18849d9fa69d05f3626e66c6a6d4e1, stripped
I then ran strace on it, and launched a telnet to 127.0.0.1:22
ubuntu@ip-172-31-37-137:~/test$ sudo strace -p 1406
Process 1406 attached
select(7, [3 4], NULL, NULL, NULL) = 1 (in [3])
accept(3, {sa_family=AF_INET, sin_port=htons(58853),
sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
fcntl(5, F_GETFL) = 0x2 (flags O_RDWR)
pipe([6, 7]) = 0
socketpair(PF_LOCAL, SOCK_STREAM, 0, [8, 9]) = 0
clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7f95cba7db10) = 6224
Clearly it is calling the accept system call.
Next I look at the audit infrastructure to see what it gives me:
ubuntu@ip-172-31-37-137:~/test$ sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e)
syscall=accept,accept4
Then I use my own tool to catch every msg from the netlink port (using
audit_get_reply) and display each and every msg that has a struct
audit_reply->len > 0, as well as audit msgs from netfilter/conntrack.
Just to make sure that my audit code/settings are correct, I launch a
telnet to port 22, and another one to port 631 (cups), and here's what I
see:
audit(1421190014.387:45784): audit_enabled=1 old=1 auid=1000 ses=16
res=1
[NEW] tcp 6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1
sport=58860 dport=22 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=22
dport=58860
[UPDATE] tcp 6 60 SYN_RECV src=127.0.0.1 dst=127.0.0.1
sport=58860 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=22 dport=58860
[UPDATE] tcp 6 432000 ESTABLISHED src=127.0.0.1 dst=127.0.0.1
sport=58860 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=22 dport=58860
[ASSURED]
[UPDATE] tcp 6 120 FIN_WAIT src=127.0.0.1 dst=127.0.0.1
sport=58860 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=22 dport=58860
[ASSURED]
[UPDATE] tcp 6 30 LAST_ACK src=127.0.0.1 dst=127.0.0.1
sport=58860 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=22 dport=58860
[ASSURED]
[UPDATE] tcp 6 120 TIME_WAIT src=127.0.0.1 dst=127.0.0.1
sport=58860 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=22 dport=58860
[ASSURED]
[NEW] tcp 6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1
sport=40478 dport=6031 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1
sport=6031 dport=40478
[DESTROY] tcp 6 src=127.0.0.1 dst=127.0.0.1 sport=40478 dport=6031
[UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=6031 dport=40478
[NEW] tcp 6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1
sport=36764 dport=631 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=631
dport=36764
[UPDATE] tcp 6 60 SYN_RECV src=127.0.0.1 dst=127.0.0.1
sport=36764 dport=631 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=36764
[UPDATE] tcp 6 432000 ESTABLISHED src=127.0.0.1 dst=127.0.0.1
sport=36764 dport=631 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=36764
[ASSURED]
audit(1421190031.663:45785): arch=c000003e syscall=43 success=yes
exit=15 a0=b a1=7f84aee66f7c a2=7fff960572fc a3=7f84ad2b67b8 items=0
ppid=1 pid=22048 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd"
exe="/usr/sbin/cupsd" key=(null)
audit(1421190031.663:45785): saddr=02008F9C7F0000010000000000000000
audit(1421190031.663:45785):
I never see the accept call for sshd ... even though the connection is
established, but I see the one for cups. The machine is pretty much
idle, so there should be no msgs dropped.
Any idea what could be the reason? I just can't see what I could be
doing wrong here.
Thanks,
Hassan
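Decoding the SOCKADDR record from the cupsd accept shown above, as an added example that is not part of Hassan's post or his tool: the saddr= value is a hex dump of the struct sockaddr the syscall used, so family, port and address can be pulled out and cross-checked against the conntrack lines, which identifies that record as the port 631 test connection. The decoder also handles AF_INET6 and AF_UNIX, which the post does not show; those sample values are constructed.

```python
import struct
from ipaddress import ip_address

# Linux address-family numbers (fixed regardless of the host running this).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10


def decode_saddr(hexstr: str) -> dict:
    """Decode the saddr= value of an audit SOCKADDR record.

    The value is a hex dump of the struct sockaddr the syscall used:
    sa_family in host byte order (little-endian on x86), then the
    family-specific body, where port and address are in network byte order.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr too short for a family field")
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET:
        # struct sockaddr_in: family(2) port(2) addr(4) zero padding(8)
        port, addr = struct.unpack("!H4s", raw[2:8])
        return {"family": "AF_INET", "port": port, "addr": str(ip_address(addr))}
    if family == AF_INET6:
        # struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        port, _flowinfo, addr = struct.unpack("!HI16s", raw[2:24])
        return {"family": "AF_INET6", "port": port, "addr": str(ip_address(addr))}
    if family == AF_UNIX:
        body = raw[2:]
        if body.startswith(b"\0"):          # abstract-namespace socket
            name = "@" + body[1:].rstrip(b"\0").decode("utf-8", "replace")
        else:                                # filesystem path, NUL-terminated
            name = body.split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": name}
    return {"family": family, "raw": hexstr}


def peer_matches_conntrack(peer: dict, conntrack_line: str) -> bool:
    """True when an accept()ed peer is the originator of a conntrack entry.

    Conntrack prints the original direction first and the reply direction
    second, so the first src=/sport= pair is the client that connected.
    """
    fields = {}
    for token in conntrack_line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)    # keep the original direction
    return (peer.get("addr") == fields.get("src")
            and str(peer.get("port")) == fields.get("sport"))


# Values taken from the post: the SOCKADDR record of the cupsd accept and
# the conntrack lines for the cups and sshd test connections.
CUPS_SADDR = "02008F9C7F0000010000000000000000"
CUPS_CONNTRACK = ("[UPDATE] tcp 6 432000 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 "
                  "sport=36764 dport=631 src=127.0.0.1 dst=127.0.0.1 sport=631 "
                  "dport=36764 [ASSURED]")
SSHD_CONNTRACK = ("[UPDATE] tcp 6 432000 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 "
                  "sport=58860 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=22 "
                  "dport=58860 [ASSURED]")

if __name__ == "__main__":
    peer = decode_saddr(CUPS_SADDR)
    print(peer)   # {'family': 'AF_INET', 'port': 36764, 'addr': '127.0.0.1'}
    print("cups entry:", peer_matches_conntrack(peer, CUPS_CONNTRACK))  # True
    print("sshd entry:", peer_matches_conntrack(peer, SSHD_CONNTRACK))  # False
```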
listen & accept syscalls not present in b32?
by hsultan@thefroid.net
On Ubuntu 14.04 LTS I get:
sudo auditctl -a exit,always -F arch=b32 -S listen -S connect
Syscall name unknown: listen
however with b64 it works.
Same with the accept syscall.
Is that expected? How can I grab the 32-bit calls then?
Thanks,
Hassan
[PATCH RFC] audit: move the tree pruning to a dedicated thread
by Imre Palik
From: "Palik, Imre" <imrep(a)amazon.de>
When file auditing is enabled, during a low memory situation, a memory
allocation with __GFP_FS can lead to pruning the inode cache, which can,
in turn, lead to audit_tree_freeing_mark() being called. This can call
audit_schedule_prune(), which tries to fork a pruning thread and
waits until the thread is created. But forking needs memory, and the
memory allocations there are done with __GFP_FS.
So we are waiting merrily for some __GFP_FS memory allocations to complete,
while holding some filesystem locks. This can take a while ...
This patch creates a single thread for pruning the tree from
audit_add_tree_rule(), and thus avoids the deadlock that the on-demand thread
creation can cause.
Reported-by: Matt Wilson <msw(a)amazon.com>
Cc: Matt Wilson <msw(a)amazon.com>
Signed-off-by: Imre Palik <imrep(a)amazon.de>
---
kernel/audit_tree.c | 91 +++++++++++++++++++++++++++++++++++----------------
1 file changed, 63 insertions(+), 28 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 0caf1f8..0ada577 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -37,6 +37,7 @@ struct audit_chunk {
static LIST_HEAD(tree_list);
static LIST_HEAD(prune_list);
+static struct task_struct *prune_thread;
/*
* One struct chunk is attached to each inode of interest.
@@ -641,6 +642,55 @@ static int tag_mount(struct vfsmount *mnt, void *arg)
return tag_chunk(mnt->mnt_root->d_inode, arg);
}
+/*
+ * That gets run when evict_chunk() ends up needing to kill audit_tree.
+ * Runs from a separate thread.
+ */
+static int prune_tree_thread(void *unused)
+{
+ for (;;) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (list_empty(&prune_list))
+ schedule();
+ __set_current_state(TASK_RUNNING);
+
+ mutex_lock(&audit_cmd_mutex);
+ mutex_lock(&audit_filter_mutex);
+
+ while (!list_empty(&prune_list)) {
+ struct audit_tree *victim;
+
+ victim = list_entry(prune_list.next,
+ struct audit_tree, list);
+ list_del_init(&victim->list);
+
+ mutex_unlock(&audit_filter_mutex);
+
+ prune_one(victim);
+
+ mutex_lock(&audit_filter_mutex);
+ }
+
+ mutex_unlock(&audit_filter_mutex);
+ mutex_unlock(&audit_cmd_mutex);
+ }
+ return 0;
+}
+
+static int launch_prune_thread(void)
+{
+ prune_thread = kthread_create(prune_tree_thread, NULL,
+ "audit_prune_tree");
+ if (IS_ERR(prune_thread)) {
+ audit_panic("cannot start thread audit_prune_tree");
+ prune_thread = NULL;
+ return -ENOSYS;
+ } else {
+ wake_up_process(prune_thread);
+ return 0;
+ }
+}
+
/* called with audit_filter_mutex */
int audit_add_tree_rule(struct audit_krule *rule)
{
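Review bot: launch_prune_thread() discards the real error from kthread_create() and returns -ENOSYS, which userspace reads as "not implemented"; return PTR_ERR(prune_thread) instead, and the kthread_create() + wake_up_process() pair can simply be kthread_run(). In prune_tree_thread(), the `list_empty(&prune_list)` test before schedule() runs without audit_filter_mutex; that is the usual sleep/wake pattern and is safe because the task state is set first, but a comment saying so will save the next reader from suspecting a lost wakeup.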
@@ -663,6 +713,12 @@ int audit_add_tree_rule(struct audit_krule *rule)
/* do not set rule->tree yet */
mutex_unlock(&audit_filter_mutex);
+ if (unlikely(!prune_thread)) {
+ err = launch_prune_thread();
+ if (err)
+ goto Err;
+ }
+
err = kern_path(tree->pathname, 0, &path);
if (err)
goto Err;
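Review bot: the `if (unlikely(!prune_thread))` test-and-launch runs after audit_filter_mutex is dropped and under no other lock visible in this hunk, so it is only race-free if callers of audit_add_tree_rule() are serialized elsewhere; add a comment naming the lock that guarantees this, otherwise two concurrent rule additions could each start an audit_prune_tree thread and the second would overwrite prune_thread.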
@@ -713,6 +769,9 @@ int audit_tag_tree(char *old, char *new)
struct vfsmount *tagged;
int err;
+ if (!prune_thread)
+ return -ENOSYS;
+
err = kern_path(new, 0, &path2);
if (err)
return err;
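Review bot: audit_tag_tree() now fails with -ENOSYS whenever no tree rule has been added yet, since prune_thread is only started from audit_add_tree_rule(); that turns a tag request issued before the first tree rule into an error it did not return before. Either launch the thread here as well (the same launch_prune_thread() call) or document why the request has to fail in that state.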
@@ -800,36 +859,11 @@ int audit_tag_tree(char *old, char *new)
return failed;
}
-/*
- * That gets run when evict_chunk() ends up needing to kill audit_tree.
- * Runs from a separate thread.
- */
-static int prune_tree_thread(void *unused)
-{
- mutex_lock(&audit_cmd_mutex);
- mutex_lock(&audit_filter_mutex);
-
- while (!list_empty(&prune_list)) {
- struct audit_tree *victim;
-
- victim = list_entry(prune_list.next, struct audit_tree, list);
- list_del_init(&victim->list);
-
- mutex_unlock(&audit_filter_mutex);
-
- prune_one(victim);
-
- mutex_lock(&audit_filter_mutex);
- }
-
- mutex_unlock(&audit_filter_mutex);
- mutex_unlock(&audit_cmd_mutex);
- return 0;
-}
static void audit_schedule_prune(void)
{
- kthread_run(prune_tree_thread, NULL, "audit_prune_tree");
+ BUG_ON(!prune_thread);
+ wake_up_process(prune_thread);
}
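Review bot: audit_schedule_prune() is reached from evict_chunk() during inode eviction, so `BUG_ON(!prune_thread)` panics the machine from the very reclaim path this patch is trying to make safe; a `WARN_ON_ONCE(!prune_thread)` followed by `return`, leaving the victim on prune_list for the next wakeup, degrades more gracefully.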
/*
@@ -896,9 +930,10 @@ static void evict_chunk(struct audit_chunk *chunk)
for (n = 0; n < chunk->count; n++)
list_del_init(&chunk->owners[n].list);
spin_unlock(&hash_lock);
+ mutex_unlock(&audit_filter_mutex);
if (need_prune)
audit_schedule_prune();
- mutex_unlock(&audit_filter_mutex);
+
}
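Review bot: the hunk adds a stray `+` blank line before the closing brace of evict_chunk() where the unlock used to be; drop it. Moving mutex_unlock(&audit_filter_mutex) above audit_schedule_prune() is fine with the new implementation, which only calls wake_up_process(), but a short comment that the wakeup intentionally happens outside the mutex would document the new ordering.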
static int audit_tree_handle_event(struct fsnotify_group *group,
--
1.7.9.5
[PATCH][RESEND 2] Revert "AUDIT: Allow login in non-init namespaces"
by Calvin Owens
This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces".
This commit incorrectly assumes that libpam treats -ECONNREFUSED as
an indicator that audit is disabled, and -EPERM or any other error
as a fatal error that prevents the login from continuing.
The opposite is in fact true: -EPERM allows the login to continue,
and -ECONNREFUSED causes it to refuse the login. This behavior has
been unchanged in upstream linux-pam since at least 2008.
Reverting this change allows libpam to again work as expected in
non-init user namespaces.
Signed-off-by: Calvin Owens <calvinowens(a)fb.com>
Cc: stable(a)vger.kernel.org
---
Relevant code in linux-pam:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c#n56
kernel/audit.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 80983df..656e8ce 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
int err = 0;
/* Only support initial user namespace for now. */
- /*
- * We return ECONNREFUSED because it tricks userspace into thinking
- * that audit was not configured into the kernel. Lots of users
- * configure their PAM stack (because that's what the distro does)
- * to reject login if unable to send messages to audit. If we return
- * ECONNREFUSED the PAM stack thinks the kernel does not have audit
- * configured in and will let login proceed. If we return EPERM
- * userspace will reject all logins. This should be removed when we
- * support non init namespaces!!
- */
if (current_user_ns() != &init_user_ns)
- return -ECONNREFUSED;
+ return -EPERM;
switch (msg_type) {
case AUDIT_LIST:
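Review bot: with the comment block removed, the code no longer records why a non-init user namespace gets -EPERM rather than -ECONNREFUSED, and the rationale survives only in the commit message; keep a one-line comment at the return pointing at the libpam behaviour (pam_audit.c in the linked linux-pam tree) so the old value is not reintroduced by someone reading the "Only support initial user namespace" line in isolation.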
--
2.1.1
[RFC PATCH 0/5] Overhaul the audit filename handling
by Paul Moore
There have been some patches added to v3.19-rcX to fix various
problems in the way audit handles filenames but they have been hacks
on top of hacks, not really something we want long term. This
patchset reworks the way audit handles filenames, removing a lot of
nasty hacks added recently, and fixing a few bugs that still remain.
Most significant to folks outside of audit, patch 5/5 does away with
the nasty getname()/putname() kludge in favor of a less ugly reference
count approach.
Comments and feedback are welcome. If nothing ugly pops up on review
I'll see if Linus is interested in taking this for the next v3.19-rcX
release, otherwise I'll toss it into linux-next for v3.20.
-Paul
---
Paul Moore (5):
fs: rework getname_kernel to handle up to PATH_MAX sized filenames
fs: create proper filename objects using getname_kernel()
audit: enable filename recording via getname_kernel()
audit: fix filename matching in __audit_inode() and __audit_inode_child()
audit: replace getname()/putname() hacks with reference counters
fs/exec.c | 11 +++
fs/namei.c | 98 ++++++++++++++++++-----------
fs/open.c | 11 +++
include/linux/audit.h | 3 -
include/linux/fs.h | 9 +--
kernel/audit.h | 17 +----
kernel/auditsc.c | 167 +++++++++----------------------------------------
7 files changed, 115 insertions(+), 201 deletions(-)