[PATCH] audit: catch errors from audit_filter_rules field checks
by Richard Guy Briggs
In the case of an error returned from a field check in an audit filter
syscall rule, it is treated as a match and the rule action is honoured.
This could cause a rule with a default of NEVER and an selinux field
check error to avoid logging.
Recommend matching with an action of ALWAYS to catch malicious abuse of
this bug. The downside of this approach is it could DoS the audit
subsystem.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71e14d8..6123672 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
}
if (!result)
return 0;
+ if (result < 0) {
+ *state = AUDIT_RECORD_CONTEXT;
+ return 1;
+ }
}
if (ctx) {
--
1.7.1
9 years
[PATCH v2] s390: ensure that syscall arguments are properly masked on s390
by Paul Moore
From: Paul Moore <paul(a)paul-moore.com>
When executing s390 code on s390x the syscall arguments are not
properly masked, leading to some malformed audit records.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
arch/s390/kernel/ptrace.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index 49b1c13..defc0dc 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -822,6 +822,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
{
long ret = 0;
+ unsigned long mask = -1UL;
/* Do the secure computing check first. */
if (secure_computing()) {
@@ -849,9 +850,12 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
trace_sys_enter(regs, regs->gprs[2]);
- audit_syscall_entry(regs->gprs[2], regs->orig_gpr2,
- regs->gprs[3], regs->gprs[4],
- regs->gprs[5]);
+ if (is_compat_task())
+ mask = 0xffffffff;
+
+ audit_syscall_entry(regs->gprs[2], regs->orig_gpr2 & mask,
+ regs->gprs[3] & mask, regs->gprs[4] & mask,
+ regs->gprs[5] & mask);
out:
return ret ?: regs->gprs[2];
}
9 years
Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
by Pengfei Wang
Hello,
I found this Double-Fetch issue in Linux-4.6.1/kernel/auditsc.c when I
was examining the source code, which I think is a bug.
In function audit_log_single_execve_arg(), the whole argument is
fetched from user space twice via copy_from_user(). In the first loop,
it is firstly fetched (line 1038) to verify, aka looking for non-ascii
chars. While in the second loop, the whole argument is fetched again
(line 1105) from user space and used at line 1121 and line 1123
respectively depends on the previous verification.
However, a double fetch problem happens when the user space fetched
data is changed by a concurrently running user thread under race
condition during the verification and the usage, and the data
inconsistency will cause serious problems. In this case, the verified
non-ascii argument from the first loop is likely to be changed to an
ascii one (i.e. containing ‘ “ ’) which will be used in the second
loop. Then the argument is passed to audit_log_string() as none-ascii,
then move forward in audit_log_n_string() of file audit.c, the string
is enclosed with quote marks as well. Since the string contains
another quote mark in the middle, problems will happen when processing
the string based on quote mark, e.g. the string will be recognized as
a shorter one based on the middle quote mark. I believe other
consequences are also likely to be caused once the none control string
is treated as a control string, or vice versa, which is very likely to
happen under double fetch situations.
I am looking forward to a reply to confirm this, thank you!
Kind regards
Pengfei
9 years
[PATCH v4] audit: add fields to exclude filter by reusing user filter
by Richard Guy Briggs
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5
Re-factor and combine audit_filter_type() with audit_filter_user() to
use audit_filter_user_rules() to enable the exclude filter to
additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.
The process of combining the similar audit_filter_user() and
audit_filter_type() functions, required inverting the meaning and
including the ALWAYS action of the latter.
Include audit_filter_user_rules() into audit_filter(), removing unneeded
logic in the process.
Keep the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v4: rebase on 4.6-based audit/next.
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
include/linux/audit.h | 2 -
kernel/audit.c | 4 +-
kernel/audit.h | 2 +
kernel/auditfilter.c | 151 +++++++++++++++++--------------------------------
4 files changed, 57 insertions(+), 102 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e38e3fc..9d4443f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -163,8 +163,6 @@ extern void audit_log_task_info(struct audit_buffer *ab,
extern int audit_update_lsm_rules(void);
/* Private API (for audit.c only) */
-extern int audit_filter_user(int type);
-extern int audit_filter_type(int type);
extern int audit_rule_change(int type, __u32 portid, int seq,
void *data, size_t datasz);
extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
diff --git a/kernel/audit.c b/kernel/audit.c
index 678c3f0..994588e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -934,7 +934,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
return 0;
- err = audit_filter_user(msg_type);
+ err = audit_filter(msg_type, AUDIT_FILTER_USER);
if (err == 1) { /* match or error */
err = 0;
if (msg_type == AUDIT_USER_TTY) {
@@ -1382,7 +1382,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
- if (unlikely(audit_filter_type(type)))
+ if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
return NULL;
if (gfp_mask & __GFP_DIRECT_RECLAIM) {
diff --git a/kernel/audit.h b/kernel/audit.h
index cbbe6bb..1879f02 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -327,6 +327,8 @@ extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
extern u32 audit_sig_sid;
+extern int audit_filter(int msgtype, unsigned int listtype);
+
#ifdef CONFIG_AUDITSYSCALL
extern int __audit_signal_info(int sig, struct task_struct *t);
static inline int audit_signal_info(int sig, struct task_struct *t)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index ff59a5e..3a67acf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1290,117 +1290,72 @@ int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
return strncmp(p, dname, dlen);
}
-static int audit_filter_user_rules(struct audit_krule *rule, int type,
- enum audit_state *state)
-{
- int i;
-
- for (i = 0; i < rule->field_count; i++) {
- struct audit_field *f = &rule->fields[i];
- pid_t pid;
- int result = 0;
- u32 sid;
-
- switch (f->type) {
- case AUDIT_PID:
- pid = task_pid_nr(current);
- result = audit_comparator(pid, f->op, f->val);
- break;
- case AUDIT_UID:
- result = audit_uid_comparator(current_uid(), f->op, f->uid);
- break;
- case AUDIT_GID:
- result = audit_gid_comparator(current_gid(), f->op, f->gid);
- break;
- case AUDIT_LOGINUID:
- result = audit_uid_comparator(audit_get_loginuid(current),
- f->op, f->uid);
- break;
- case AUDIT_LOGINUID_SET:
- result = audit_comparator(audit_loginuid_set(current),
- f->op, f->val);
- break;
- case AUDIT_MSGTYPE:
- result = audit_comparator(type, f->op, f->val);
- break;
- case AUDIT_SUBJ_USER:
- case AUDIT_SUBJ_ROLE:
- case AUDIT_SUBJ_TYPE:
- case AUDIT_SUBJ_SEN:
- case AUDIT_SUBJ_CLR:
- if (f->lsm_rule) {
- security_task_getsecid(current, &sid);
- result = security_audit_rule_match(sid,
- f->type,
- f->op,
- f->lsm_rule,
- NULL);
- }
- break;
- }
-
- if (result <= 0)
- return result;
- }
- switch (rule->action) {
- case AUDIT_NEVER:
- *state = AUDIT_DISABLED;
- break;
- case AUDIT_ALWAYS:
- *state = AUDIT_RECORD_CONTEXT;
- break;
- }
- return 1;
-}
-
-int audit_filter_user(int type)
-{
- enum audit_state state = AUDIT_DISABLED;
- struct audit_entry *e;
- int rc, ret;
-
- ret = 1; /* Audit by default */
-
- rcu_read_lock();
- list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
- rc = audit_filter_user_rules(&e->rule, type, &state);
- if (rc) {
- if (rc > 0 && state == AUDIT_DISABLED)
- ret = 0;
- break;
- }
- }
- rcu_read_unlock();
-
- return ret;
-}
-
-int audit_filter_type(int type)
+int audit_filter(int msgtype, unsigned int listtype)
{
struct audit_entry *e;
- int result = 0;
+ int ret = 1; /* Audit by default */
rcu_read_lock();
- if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
+ if (list_empty(&audit_filter_list[listtype]))
goto unlock_and_return;
+ list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
+ int i, result = 0;
- list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
- list) {
- int i;
for (i = 0; i < e->rule.field_count; i++) {
struct audit_field *f = &e->rule.fields[i];
- if (f->type == AUDIT_MSGTYPE) {
- result = audit_comparator(type, f->op, f->val);
- if (!result)
- break;
+ pid_t pid;
+ u32 sid;
+
+ switch (f->type) {
+ case AUDIT_PID:
+ pid = task_pid_nr(current);
+ result = audit_comparator(pid, f->op, f->val);
+ break;
+ case AUDIT_UID:
+ result = audit_uid_comparator(current_uid(), f->op, f->uid);
+ break;
+ case AUDIT_GID:
+ result = audit_gid_comparator(current_gid(), f->op, f->gid);
+ break;
+ case AUDIT_LOGINUID:
+ result = audit_uid_comparator(audit_get_loginuid(current),
+ f->op, f->uid);
+ break;
+ case AUDIT_LOGINUID_SET:
+ result = audit_comparator(audit_loginuid_set(current),
+ f->op, f->val);
+ break;
+ case AUDIT_MSGTYPE:
+ result = audit_comparator(msgtype, f->op, f->val);
+ break;
+ case AUDIT_SUBJ_USER:
+ case AUDIT_SUBJ_ROLE:
+ case AUDIT_SUBJ_TYPE:
+ case AUDIT_SUBJ_SEN:
+ case AUDIT_SUBJ_CLR:
+ if (f->lsm_rule) {
+ security_task_getsecid(current, &sid);
+ result = security_audit_rule_match(sid,
+ f->type, f->op, f->lsm_rule, NULL);
+ }
+ break;
+ default:
+ goto unlock_and_return;
}
+ if (result < 0) /* error */
+ goto unlock_and_return;
+ if (!result)
+ break;
+ }
+ if (result > 0) {
+ if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
+ ret = 0;
+ break;
}
- if (result)
- goto unlock_and_return;
}
unlock_and_return:
rcu_read_unlock();
- return result;
+ return ret;
}
static int update_lsm_rule(struct audit_krule *r)
--
1.7.1
9 years
[PATCH v3] audit: add fields to exclude filter by reusing user filter
by Richard Guy Briggs
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5
Re-factor and combine audit_filter_type() with audit_filter_user() to
use audit_filter_user_rules() to enable the exclude filter to
additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.
The process of combining the similar audit_filter_user() and
audit_filter_type() functions, required inverting the meaning and
including the ALWAYS action of the latter.
Include audit_filter_user_rules() into audit_filter(), removing unneeded
logic in the process.
Keep the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
include/linux/audit.h | 2 -
kernel/audit.c | 4 +-
kernel/audit.h | 2 +
kernel/auditfilter.c | 147 ++++++++++++++++++-------------------------------
4 files changed, 57 insertions(+), 98 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 32cdafb..539c1d9 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -160,8 +160,6 @@ extern void audit_log_task_info(struct audit_buffer *ab,
extern int audit_update_lsm_rules(void);
/* Private API (for audit.c only) */
-extern int audit_filter_user(int type);
-extern int audit_filter_type(int type);
extern int audit_rule_change(int type, __u32 portid, int seq,
void *data, size_t datasz);
extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
diff --git a/kernel/audit.c b/kernel/audit.c
index 384374a..2dfaa19 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -914,7 +914,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
return 0;
- err = audit_filter_user(msg_type);
+ err = audit_filter(msg_type, AUDIT_FILTER_USER);
if (err == 1) { /* match or error */
err = 0;
if (msg_type == AUDIT_USER_TTY) {
@@ -1362,7 +1362,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
- if (unlikely(audit_filter_type(type)))
+ if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
return NULL;
if (gfp_mask & __GFP_DIRECT_RECLAIM) {
diff --git a/kernel/audit.h b/kernel/audit.h
index cbbe6bb..1879f02 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -327,6 +327,8 @@ extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
extern u32 audit_sig_sid;
+extern int audit_filter(int msgtype, unsigned int listtype);
+
#ifdef CONFIG_AUDITSYSCALL
extern int __audit_signal_info(int sig, struct task_struct *t);
static inline int audit_signal_info(int sig, struct task_struct *t)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 96c9a1b..60579ec 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1290,113 +1290,72 @@ int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
return strncmp(p, dname, dlen);
}
-static int audit_filter_user_rules(struct audit_krule *rule, int type,
- enum audit_state *state)
+int audit_filter(int msgtype, unsigned int listtype)
{
- int i;
-
- for (i = 0; i < rule->field_count; i++) {
- struct audit_field *f = &rule->fields[i];
- pid_t pid;
- int result = 0;
- u32 sid;
-
- switch (f->type) {
- case AUDIT_PID:
- pid = task_pid_nr(current);
- result = audit_comparator(pid, f->op, f->val);
- break;
- case AUDIT_UID:
- result = audit_uid_comparator(current_uid(), f->op, f->uid);
- break;
- case AUDIT_GID:
- result = audit_gid_comparator(current_gid(), f->op, f->gid);
- break;
- case AUDIT_LOGINUID:
- result = audit_uid_comparator(audit_get_loginuid(current),
- f->op, f->uid);
- break;
- case AUDIT_LOGINUID_SET:
- result = audit_comparator(audit_loginuid_set(current),
- f->op, f->val);
- break;
- case AUDIT_MSGTYPE:
- result = audit_comparator(type, f->op, f->val);
- break;
- case AUDIT_SUBJ_USER:
- case AUDIT_SUBJ_ROLE:
- case AUDIT_SUBJ_TYPE:
- case AUDIT_SUBJ_SEN:
- case AUDIT_SUBJ_CLR:
- if (f->lsm_rule) {
- security_task_getsecid(current, &sid);
- result = security_audit_rule_match(sid,
- f->type,
- f->op,
- f->lsm_rule,
- NULL);
- }
- break;
- }
-
- if (result <= 0)
- return result;
- }
- switch (rule->action) {
- case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
- case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
- }
- return 1;
-}
-
-int audit_filter_user(int type)
-{
- enum audit_state state = AUDIT_DISABLED;
struct audit_entry *e;
- int rc, ret;
-
- ret = 1; /* Audit by default */
-
- rcu_read_lock();
- list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
- rc = audit_filter_user_rules(&e->rule, type, &state);
- if (rc) {
- if (rc > 0 && state == AUDIT_DISABLED)
- ret = 0;
- break;
- }
- }
- rcu_read_unlock();
-
- return ret;
-}
-
-int audit_filter_type(int type)
-{
- struct audit_entry *e;
- int result = 0;
+ int ret = 1; /* Audit by default */
rcu_read_lock();
- if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
+ if (list_empty(&audit_filter_list[listtype]))
goto unlock_and_return;
+ list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
+ int i, result = 0;
- list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
- list) {
- int i;
for (i = 0; i < e->rule.field_count; i++) {
struct audit_field *f = &e->rule.fields[i];
- if (f->type == AUDIT_MSGTYPE) {
- result = audit_comparator(type, f->op, f->val);
- if (!result)
- break;
+ pid_t pid;
+ u32 sid;
+
+ switch (f->type) {
+ case AUDIT_PID:
+ pid = task_pid_nr(current);
+ result = audit_comparator(pid, f->op, f->val);
+ break;
+ case AUDIT_UID:
+ result = audit_uid_comparator(current_uid(), f->op, f->uid);
+ break;
+ case AUDIT_GID:
+ result = audit_gid_comparator(current_gid(), f->op, f->gid);
+ break;
+ case AUDIT_LOGINUID:
+ result = audit_uid_comparator(audit_get_loginuid(current),
+ f->op, f->uid);
+ break;
+ case AUDIT_LOGINUID_SET:
+ result = audit_comparator(audit_loginuid_set(current),
+ f->op, f->val);
+ break;
+ case AUDIT_MSGTYPE:
+ result = audit_comparator(msgtype, f->op, f->val);
+ break;
+ case AUDIT_SUBJ_USER:
+ case AUDIT_SUBJ_ROLE:
+ case AUDIT_SUBJ_TYPE:
+ case AUDIT_SUBJ_SEN:
+ case AUDIT_SUBJ_CLR:
+ if (f->lsm_rule) {
+ security_task_getsecid(current, &sid);
+ result = security_audit_rule_match(sid,
+ f->type, f->op, f->lsm_rule, NULL);
+ }
+ break;
+ default:
+ goto unlock_and_return;
}
+ if (result < 0) /* error */
+ goto unlock_and_return;
+ if (!result)
+ break;
+ }
+ if (result > 0) {
+ if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
+ ret = 0;
+ break;
}
- if (result)
- goto unlock_and_return;
}
unlock_and_return:
rcu_read_unlock();
- return result;
+ return ret;
}
static int update_lsm_rule(struct audit_krule *r)
--
1.7.1
9 years
Question about updating audit.rules
by warron.french
I am writing puppet modules for work now. I am writing a module
specifically oriented around audit for Linux and Solaris.
But I would like to know is after updating audit.rules in Linux with
immutable mode turned on; is a restart of the audit process actually
required for the rules to take effect.
I believe it always is, but I want to be certain.
Thanks,
\\Warron French from mobile
9 years
audit 2.6 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall
- Make all libraries and utilities support and use enriched events
- Define dispatcher protocol to version 2
- Standardize all saddr interpretations in auparse
- Fix another DST bug in ausearch time conversion (#1334772)
- In autrace, if rule count loop times out don't assume 0 rules (#1344268)
- In auditd, check space left a little more often (#1345854)
This release of the audit package contains among other things a major new
piece of functionality. The audit daemon can now enrich events with
interpretation information at the time that the event is logged. This means
that if a user account is deleted, the uid can still be resolved to what it
was at the time of the event.
In terms of central log aggregation, this means that aggregated logs can have
the uid mapping of the remote machine for interpretations. To enable this
functionality, you would want to edit the log_format setting in auditd.conf
and set it to ENRICHED. Restart the audit daemon and that's all there is to
it.
When the enriched logging format is active, the event is completely formatted
in the audit daemon and passed to audispd. This means that you do not need to
also set name_format in audispd.conf if you set it in auditd.conf.
If you write audispd plugins that want format set to binary, then you need to
be aware that enriched events are set with version set to AUDISP_PROTOCOL_VER2
to signify that the raw event is different and you might need to change what
you are doing. If the plugin uses string, then feed the event to auparse like
always and auparse will know what to do with it.
There is a change in interpretation for sockaddr fields. Now all the
information about the source and destination are available.
There were three bug fixes.
Please let me know if you run across any problems with this release.
-Steve
9 years
[PATCH] s390: ensure that syscall arguments are properly masked on s390
by Paul Moore
From: Paul Moore <paul(a)paul-moore.com>
When executing s390 code on s390x the syscall arguments are not
properly masked, leading to some malformed audit records.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
arch/s390/kernel/ptrace.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index 49b1c13..ac1dc74 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -822,6 +822,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
{
long ret = 0;
+ unsigned long mask = -1UL;
/* Do the secure computing check first. */
if (secure_computing()) {
@@ -849,9 +850,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
trace_sys_enter(regs, regs->gprs[2]);
- audit_syscall_entry(regs->gprs[2], regs->orig_gpr2,
- regs->gprs[3], regs->gprs[4],
- regs->gprs[5]);
+#ifdef CONFIG_COMPAT
+ if (test_thread_flag(TIF_31BIT))
+ mask = 0xffffffff;
+#endif
+ audit_syscall_entry(regs->gprs[2], regs->orig_gpr2 & mask,
+ regs->gprs[3] & mask, regs->gprs[4] & mask,
+ regs->gprs[5] & mask);
out:
return ret ?: regs->gprs[2];
}
9 years
[PATCH v2 00/24] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
by Deepa Dinamani
The series is aimed at getting rid of CURRENT_TIME and CURRENT_TIME_SEC macros.
The macros are not y2038 safe. There is no plan to transition them into being
y2038 safe.
ktime_get_* api's can be used in their place. And, these are y2038 safe.
Thanks to Arnd Bergmann for all the guidance and discussions.
Patches 2-4 were mostly generated using coccinelle scripts.
All filesystem timestamps use current_fs_time() for right granularity as
mentioned in the respective commit texts of patches. This has a changed
signature, renamed to current_time() and moved to the fs/inode.c.
This series also serves as a preparatory series to transition vfs to 64 bit
timestamps as outlined here: https://lkml.org/lkml/2016/2/12/104 .
As per Linus's suggestion in https://lkml.org/lkml/2016/5/24/663 , all the
inode timestamp changes have been squashed into a single patch. Also,
current_time() now is used as a single generic vfs filesystem timestamp api.
It also takes struct inode* as argument instead of struct super_block*.
Posting all patches together in a bigger series so that the big picture is
clear.
As per the suggestion in https://lwn.net/Articles/672598/, CURRENT_TIME macro
bug fixes are being handled in a series separate from transitioning vfs to use.
Changes from v1:
* Change current_fs_time(struct super_block *) to current_time(struct inode *)
* Note that change to add time64_to_tm() is already part of John's
kernel tree: https://lkml.org/lkml/2016/6/17/875 .
Deepa Dinamani (24):
vfs: Add current_time() api
fs: Replace CURRENT_TIME with current_time() for inode timestamps
fs: Replace CURRENT_TIME_SEC with current_time() for inode timestamps
fs: Replace current_fs_time() with current_time()
fs: jfs: Replace CURRENT_TIME_SEC by current_time()
fs: ext4: Use current_time() for inode timestamps
fs: ubifs: Replace CURRENT_TIME_SEC with current_time
fs: btrfs: Use ktime_get_real_ts for root ctime
fs: udf: Replace CURRENT_TIME with current_time()
fs: cifs: Replace CURRENT_TIME by current_time()
fs: cifs: Replace CURRENT_TIME with ktime_get_real_ts()
fs: cifs: Replace CURRENT_TIME by get_seconds
fs: f2fs: Use ktime_get_real_seconds for sit_info times
drivers: staging: lustre: Replace CURRENT_TIME with current_time()
fs: ocfs2: Use time64_t to represent orphan scan times
fs: ocfs2: Replace CURRENT_TIME with ktime_get_real_seconds()
audit: Use timespec64 to represent audit timestamps
fs: nfs: Make nfs boot time y2038 safe
fnic: Use time64_t to represent trace timestamps
block: Replace CURRENT_TIME with ktime_get_real_ts
libceph: Replace CURRENT_TIME with ktime_get_real_ts
fs: ceph: Replace current_fs_time for request stamp
time: Delete CURRENT_TIME_SEC and CURRENT_TIME macro
time: Delete current_fs_time() function
arch/powerpc/platforms/cell/spufs/inode.c | 2 +-
arch/s390/hypfs/inode.c | 4 ++--
drivers/block/rbd.c | 2 +-
drivers/char/sonypi.c | 2 +-
drivers/infiniband/hw/qib/qib_fs.c | 2 +-
drivers/misc/ibmasm/ibmasmfs.c | 2 +-
drivers/oprofile/oprofilefs.c | 2 +-
drivers/platform/x86/sony-laptop.c | 2 +-
drivers/scsi/fnic/fnic_trace.c | 4 ++--
drivers/scsi/fnic/fnic_trace.h | 2 +-
drivers/staging/lustre/lustre/llite/llite_lib.c | 16 ++++++-------
drivers/staging/lustre/lustre/llite/namei.c | 4 ++--
drivers/staging/lustre/lustre/mdc/mdc_reint.c | 6 ++---
.../lustre/lustre/obdclass/linux/linux-obdo.c | 6 ++---
drivers/staging/lustre/lustre/obdclass/obdo.c | 6 ++---
drivers/staging/lustre/lustre/osc/osc_io.c | 2 +-
drivers/usb/core/devio.c | 18 +++++++-------
drivers/usb/gadget/function/f_fs.c | 8 +++----
drivers/usb/gadget/legacy/inode.c | 2 +-
fs/9p/vfs_inode.c | 2 +-
fs/adfs/inode.c | 2 +-
fs/affs/amigaffs.c | 6 ++---
fs/affs/inode.c | 2 +-
fs/attr.c | 2 +-
fs/autofs4/inode.c | 2 +-
fs/autofs4/root.c | 6 ++---
fs/bad_inode.c | 2 +-
fs/bfs/dir.c | 14 +++++------
fs/binfmt_misc.c | 2 +-
fs/btrfs/file.c | 6 ++---
fs/btrfs/inode.c | 22 ++++++++---------
fs/btrfs/ioctl.c | 8 +++----
fs/btrfs/root-tree.c | 3 ++-
fs/btrfs/transaction.c | 4 ++--
fs/btrfs/xattr.c | 2 +-
fs/ceph/file.c | 4 ++--
fs/ceph/inode.c | 2 +-
fs/ceph/mds_client.c | 4 +++-
fs/ceph/xattr.c | 2 +-
fs/cifs/cifsencrypt.c | 4 +++-
fs/cifs/cifssmb.c | 10 ++++----
fs/cifs/file.c | 4 ++--
fs/cifs/inode.c | 28 ++++++++++++----------
fs/coda/dir.c | 2 +-
fs/coda/file.c | 2 +-
fs/coda/inode.c | 2 +-
fs/configfs/inode.c | 6 ++---
fs/debugfs/inode.c | 2 +-
fs/devpts/inode.c | 6 ++---
fs/efivarfs/inode.c | 2 +-
fs/exofs/dir.c | 6 ++---
fs/exofs/inode.c | 4 ++--
fs/exofs/namei.c | 6 ++---
fs/ext2/acl.c | 2 +-
fs/ext2/dir.c | 6 ++---
fs/ext2/ialloc.c | 2 +-
fs/ext2/inode.c | 4 ++--
fs/ext2/ioctl.c | 4 ++--
fs/ext2/namei.c | 6 ++---
fs/ext2/super.c | 2 +-
fs/ext2/xattr.c | 2 +-
fs/ext4/acl.c | 2 +-
fs/ext4/ext4.h | 6 -----
fs/ext4/extents.c | 10 ++++----
fs/ext4/ialloc.c | 2 +-
fs/ext4/inline.c | 4 ++--
fs/ext4/inode.c | 6 ++---
fs/ext4/ioctl.c | 8 +++----
fs/ext4/namei.c | 24 ++++++++++---------
fs/ext4/super.c | 2 +-
fs/ext4/xattr.c | 2 +-
fs/f2fs/dir.c | 8 +++----
fs/f2fs/file.c | 8 +++----
fs/f2fs/inline.c | 2 +-
fs/f2fs/namei.c | 12 +++++-----
fs/f2fs/segment.c | 2 +-
fs/f2fs/segment.h | 5 ++--
fs/f2fs/xattr.c | 2 +-
fs/fat/dir.c | 2 +-
fs/fat/file.c | 6 ++---
fs/fat/inode.c | 2 +-
fs/fat/namei_msdos.c | 12 +++++-----
fs/fat/namei_vfat.c | 10 ++++----
fs/fuse/control.c | 2 +-
fs/fuse/dir.c | 2 +-
fs/gfs2/bmap.c | 8 +++----
fs/gfs2/dir.c | 12 +++++-----
fs/gfs2/inode.c | 8 +++----
fs/gfs2/quota.c | 2 +-
fs/gfs2/xattr.c | 8 +++----
fs/hfs/catalog.c | 8 +++----
fs/hfs/dir.c | 2 +-
fs/hfs/inode.c | 2 +-
fs/hfsplus/catalog.c | 8 +++----
fs/hfsplus/dir.c | 6 ++---
fs/hfsplus/inode.c | 2 +-
fs/hfsplus/ioctl.c | 2 +-
fs/hugetlbfs/inode.c | 10 ++++----
fs/inode.c | 21 +++++++++++++---
fs/jffs2/acl.c | 2 +-
fs/jffs2/fs.c | 2 +-
fs/jfs/acl.c | 2 +-
fs/jfs/inode.c | 2 +-
fs/jfs/ioctl.c | 2 +-
fs/jfs/jfs_inode.c | 2 +-
fs/jfs/namei.c | 24 +++++++++----------
fs/jfs/super.c | 2 +-
fs/jfs/xattr.c | 2 +-
fs/kernfs/inode.c | 2 +-
fs/libfs.c | 14 +++++------
fs/locks.c | 2 +-
fs/logfs/dir.c | 6 ++---
fs/logfs/file.c | 2 +-
fs/logfs/inode.c | 4 ++--
fs/logfs/readwrite.c | 4 ++--
fs/minix/bitmap.c | 2 +-
fs/minix/dir.c | 6 ++---
fs/minix/itree_common.c | 4 ++--
fs/minix/namei.c | 4 ++--
fs/nfs/client.c | 2 +-
fs/nfs/netns.h | 2 +-
fs/nfs/nfs4proc.c | 10 ++++----
fs/nfs/nfs4xdr.c | 2 +-
fs/nfsd/blocklayout.c | 2 +-
fs/nilfs2/dir.c | 6 ++---
fs/nilfs2/inode.c | 4 ++--
fs/nilfs2/ioctl.c | 2 +-
fs/nilfs2/namei.c | 6 ++---
fs/nsfs.c | 2 +-
fs/ntfs/inode.c | 2 +-
fs/ntfs/mft.c | 2 +-
fs/ocfs2/acl.c | 2 +-
fs/ocfs2/alloc.c | 2 +-
fs/ocfs2/aops.c | 2 +-
fs/ocfs2/cluster/heartbeat.c | 2 +-
fs/ocfs2/dir.c | 4 ++--
fs/ocfs2/dlmfs/dlmfs.c | 4 ++--
fs/ocfs2/file.c | 12 +++++-----
fs/ocfs2/inode.c | 2 +-
fs/ocfs2/journal.c | 4 ++--
fs/ocfs2/move_extents.c | 2 +-
fs/ocfs2/namei.c | 16 +++++++------
fs/ocfs2/ocfs2.h | 2 +-
fs/ocfs2/refcounttree.c | 4 ++--
fs/ocfs2/super.c | 2 +-
fs/ocfs2/xattr.c | 2 +-
fs/omfs/dir.c | 4 ++--
fs/omfs/inode.c | 2 +-
fs/openpromfs/inode.c | 2 +-
fs/orangefs/file.c | 2 +-
fs/orangefs/inode.c | 2 +-
fs/orangefs/namei.c | 10 ++++----
fs/pipe.c | 2 +-
fs/posix_acl.c | 2 +-
fs/proc/base.c | 2 +-
fs/proc/inode.c | 4 ++--
fs/proc/proc_sysctl.c | 2 +-
fs/proc/self.c | 2 +-
fs/proc/thread_self.c | 2 +-
fs/pstore/inode.c | 2 +-
fs/ramfs/inode.c | 6 ++---
fs/reiserfs/inode.c | 2 +-
fs/reiserfs/ioctl.c | 4 ++--
fs/reiserfs/namei.c | 12 +++++-----
fs/reiserfs/stree.c | 8 +++----
fs/reiserfs/super.c | 2 +-
fs/reiserfs/xattr.c | 6 ++---
fs/reiserfs/xattr_acl.c | 2 +-
fs/sysv/dir.c | 6 ++---
fs/sysv/ialloc.c | 2 +-
fs/sysv/itree.c | 4 ++--
fs/sysv/namei.c | 4 ++--
fs/tracefs/inode.c | 2 +-
fs/ubifs/dir.c | 10 ++++----
fs/ubifs/file.c | 12 +++++-----
fs/ubifs/ioctl.c | 2 +-
fs/ubifs/misc.h | 10 --------
fs/ubifs/sb.c | 14 +++++++----
fs/ubifs/xattr.c | 6 ++---
fs/udf/ialloc.c | 2 +-
fs/udf/inode.c | 4 ++--
fs/udf/namei.c | 20 ++++++++--------
fs/udf/super.c | 9 +++++--
fs/ufs/dir.c | 6 ++---
fs/ufs/ialloc.c | 8 ++++---
fs/ufs/inode.c | 6 ++---
fs/ufs/namei.c | 6 ++---
fs/xfs/xfs_acl.c | 2 +-
fs/xfs/xfs_inode.c | 2 +-
fs/xfs/xfs_iops.c | 2 +-
fs/xfs/xfs_trans_inode.c | 2 +-
include/linux/audit.h | 4 ++--
include/linux/fs.h | 2 +-
include/linux/time.h | 3 ---
ipc/mqueue.c | 18 +++++++-------
kernel/audit.c | 10 ++++----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 ++---
kernel/bpf/inode.c | 2 +-
kernel/time/time.c | 14 -----------
mm/shmem.c | 20 ++++++++--------
net/ceph/messenger.c | 6 +++--
net/ceph/osd_client.c | 4 ++--
net/sunrpc/rpc_pipe.c | 2 +-
security/inode.c | 2 +-
security/selinux/selinuxfs.c | 2 +-
206 files changed, 533 insertions(+), 522 deletions(-)
--
1.9.1
Cc: adilger.kernel(a)dilger.ca
Cc: adrian.hunter(a)intel.com
Cc: anna.schumaker(a)netapp.com
Cc: buchino(a)cisco.com
Cc: ceph-devel(a)vger.kernel.org
Cc: clm(a)fb.com
Cc: cm224.lee(a)samsung.com
Cc: dedekind1(a)gmail.com
Cc: dsterba(a)suse.com
Cc: elder(a)kernel.org
Cc: eparis(a)redhat.com
Cc: gregkh(a)linuxfoundation.org
Cc: hiralpat(a)cisco.com
Cc: idryomov(a)gmail.com
Cc: jack(a)suse.com
Cc: jaegeuk(a)kernel.org
Cc: jbacik(a)fb.com
Cc: jejb(a)linux.vnet.ibm.com
Cc: jfs-discussion(a)lists.sourceforge.net
Cc: jlbec(a)evilplan.org
Cc: john.stultz(a)linaro.org
Cc: linux-audit(a)redhat.com
Cc: linux-btrfs(a)vger.kernel.org
Cc: linux-ext4(a)vger.kernel.org
Cc: linux-f2fs-devel(a)lists.sourceforge.net
Cc: linux-mtd(a)lists.infradead.org
Cc: linux-nfs(a)vger.kernel.org
Cc: linux-scsi(a)vger.kernel.org
Cc: lustre-devel(a)lists.lustre.org
Cc: martin.petersen(a)oracle.com
Cc: mfasheh(a)suse.com
Cc: ocfs2-devel(a)oss.oracle.com
Cc: paul(a)paul-moore.com
Cc: sage(a)redhat.com
Cc: sfrench(a)samba.org
Cc: shaggy(a)kernel.org
Cc: sramars(a)cisco.com
Cc: trond.myklebust(a)primarydata.com
Cc: zyan(a)redhat.com
9 years
Logging from where user connected?
by Skwar Alexander
Hello
On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
and v2.4.5), we'd like to log all the commands that root has run, or
that were run as root.
For that, I added the following rules:
# Log all commands run as (or by) root
-a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
-a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
When I now do an "ausearch -k exec_root -i", I get:
…
----
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755
ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=0
name=/usr/bin/sudo inode=396945 dev=fc:01 mode=file,suid,755 ouid=root
ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.976:65023) : cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.976:65023) : argc=5 a0=sudo
a1=ausearch a2=-k a3=exec_root a4=-i
type=BPRM_FCAPS msg=audit(20.06.2016 15:28:06.976:65023) : fver=0
fp=none fi=none fe=none old_pp=none old_pi=none old_pe=none
new_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend
new_pi=none
new_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend
type=SYSCALL msg=audit(20.06.2016 15:28:06.976:65023) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x7fff4981a280 a1=0x7f7482187bd8
a2=0x1bfcf40 a3=0x7fff49819e80 items=2 ppid=11261 pid=14093 auid=local
uid=local gid=local euid=root suid=root fsuid=root egid=local sgid=local
fsgid=local tty=pts1 ses=15 comm=sudo exe=/usr/bin/sudo key=exec_root
----
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755
ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=0
name=/sbin/ausearch inode=618 dev=fc:01 mode=file,755 ouid=root
ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.980:65025) : cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.980:65025) : argc=4
a0=ausearch a1=-k a2=exec_root a3=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.980:65025) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x7fc01c0e0618 a1=0x7fc01c0e0638
a2=0x7fc01c0e5cd0 a3=0x7fff84d454c0 items=2 ppid=14093 pid=14094
auid=local uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts1 ses=15 comm=ausearch exe=/sbin/ausearch
key=exec_root
Now I'd like to know, from where that user connected. That user is
on tty=pts1, so do I have to use last?
local@app01-test ~ % last pts/1
local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
…
That's fine, as long as /var/log/wtmp* exists. But is there maybe a
way to get that information right away, without having to consult a
different logfile (eg. /var/log/wtmp)?
Additionally, if I'd like auditd to do remote logging (ie. send
logs off of the system), I'd have to use audispd, wouldn't I? How
would I then get hold of the right wtmp file? I've got the feeling,
that this might become quite complicated, if numerous servers would
do remote logging to one central system...
Would be quite thankful, if somebody could help :)
Thanks a lot,
Alexander
9 years
