[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 10 months
[PATCH ALT4 V2 1/2] audit: show fstype:pathname for entries with anonymous parents
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of null PATH
records to be associated with the init_module and finit_module SYSCALL
records on a few modules when the following rule was in place for
startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
This happens because the parent inode is not found in the task's
audit_names list and hence treats it as anonymous. This gives us no
information other than a numerical device number that may no longer be
visible upon log inspeciton, and an inode number.
Fill in the filesystem type, filesystem magic number and full pathname
from the filesystem mount point on previously null PATH records from
entries that have an anonymous parent from the child dentry using
dentry_path_raw().
Make the dentry argument of __audit_inode_child() non-const so that we
can take a reference to it in the case of an anonymous parent with
dget() and dget_parent() to be able to later print a partial path from
the host filesystem rather than null.
Since all we are given is an inode of the parent and the dentry of the
child, finding the path from the mount point to the root of the
filesystem is more challenging that would involve searching all
vfsmounts from "/" until a matching dentry is found for that
filesystem's root dentry. Even if one is found, there may be more than
one mount point. At this point the gain seems marginal since
knowing the filesystem type and path are a significant help in tracking
down the source of the PATH records and being to address them.
Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 name=tracefs(74726163):/events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=796 name=tracefs(74726163):/events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
...
type=PATH msg=audit(1488317694.446:143): item=1 name=tracefs(74726163):/events/nfs4 inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=0 name=tracefs(74726163):/events inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
type=UNKNOWN[1330] msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 8 ++++----
kernel/audit.c | 16 ++++++++++++++++
kernel/audit.h | 1 +
kernel/auditsc.c | 8 +++++++-
4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index aba3a26..367a03a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -241,7 +241,7 @@ extern void __audit_inode(struct filename *name, const struct dentry *dentry,
unsigned int flags);
extern void __audit_file(const struct file *);
extern void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type);
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
extern void __audit_ptrace(struct task_struct *t);
@@ -306,7 +306,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
}
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type) {
if (unlikely(!audit_dummy_context()))
__audit_inode_child(parent, dentry, type);
@@ -487,7 +487,7 @@ static inline void __audit_inode(struct filename *name,
unsigned int flags)
{ }
static inline void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_inode(struct filename *name,
@@ -501,7 +501,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
const struct dentry *dentry)
{ }
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_core_dumps(long signr)
diff --git a/kernel/audit.c b/kernel/audit.c
index 25dd70a..7d83c5a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,6 +66,7 @@
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -1884,6 +1885,10 @@ void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
security_inode_getsecid(inode, &name->osid);
+ if (name->dentry) {
+ dput(name->dentry);
+ name->dentry = NULL;
+ }
audit_copy_fcaps(name, dentry);
}
@@ -1925,6 +1930,17 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
audit_log_n_untrustedstring(ab, n->name->name,
n->name_len);
}
+ } else if (n->dentry) {
+ char *fullpath;
+ const char *fullpathp;
+
+ fullpath = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!fullpath)
+ return;
+ fullpathp = dentry_path_raw(n->dentry, fullpath, PATH_MAX);
+ audit_log_format(ab, " name=%s(0x%lx):%s",
+ n->dentry->d_sb->s_type->name?:"?",
+ n->dentry->d_sb->s_magic, fullpathp?:"?");
} else
audit_log_format(ab, " name=(null)");
diff --git a/kernel/audit.h b/kernel/audit.h
index 144b7eb..2a11583 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -84,6 +84,7 @@ struct audit_names {
unsigned long ino;
dev_t dev;
+ struct dentry *dentry;
umode_t mode;
kuid_t uid;
kgid_t gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..b3797c7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <uapi/linux/limits.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -881,6 +882,8 @@ static inline void audit_free_names(struct audit_context *context)
list_del(&n->list);
if (n->name)
putname(n->name);
+ if (n->dentry)
+ dput(n->dentry);
if (n->should_free)
kfree(n);
}
@@ -1858,7 +1861,7 @@ void __audit_file(const struct file *file)
* unsuccessful attempts.
*/
void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{
struct audit_context *context = current->audit_context;
@@ -1914,6 +1917,7 @@ void __audit_inode_child(struct inode *parent,
if (!n)
return;
audit_copy_inode(n, NULL, parent);
+ n->dentry = dget_parent(dentry);
}
if (!found_child) {
@@ -1935,6 +1939,8 @@ void __audit_inode_child(struct inode *parent,
audit_copy_inode(found_child, dentry, inode);
else
found_child->ino = AUDIT_INO_UNSET;
+ if (!found_parent)
+ found_child->dentry = dget(dentry);
}
EXPORT_SYMBOL_GPL(__audit_inode_child);
--
1.7.1
7 years, 4 months
[PATCH] filter: add path filter with fstype
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Note: "always,path" will log the PATH record anyways and add latency.
See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 2 ++
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 14 +++++++++++++-
9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
{ -32, 0, "field data is missing" },
{ -33, 2, "-C field incompatible" },
{ -34, 2, "-C value incompatible" },
+ { -35, 1, "field is not valid for the filter" },
+ { -36, 1, "filter is not supported ty kernel" },
};
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_DATAMISSING 32
#define EAU_COMPFIELDINCOMPAT 33
#define EAU_COMPVALINCOMPAT 34
+#define EAU_FIELDUNAVAIL 35
+#define EAU_FILTERNOSUPPORT 36
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_FILTER_TASK, "task" )
_S(AUDIT_FILTER_EXIT, "exit" )
_S(AUDIT_FILTER_USER, "user" )
_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_PATH, "path" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
}
+ /* PATH filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_PATH) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterpathadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded))
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in __audit_inode_child */
+#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
_audit_archadded = 0;
_audit_exeadded = 0;
_audit_filterexcladded = 0;
+ _audit_filterpathadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "path") == 0)
+ *filter = AUDIT_FILTER_PATH;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to path list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded) ||
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded) ||
(add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
--
1.7.1
7 years, 6 months
[PATCH] gitignore: ignore normalizer generated files
by Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
index ba296d3..dc566b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,8 @@ audisp/audispd
audisp/plugins/remote/audisp-remote
audisp/plugins/zos-remote/audispd-zos-remote
auparse/*tabs.h
+auparse/normalize_*_maps.h
+auparse/gen_normalize_*_map
auparse/epoll_ctls.h
auparse/strsplit.c
bindings/swig/python/audit.py
--
1.7.1
7 years, 6 months
[PATCH] filterexcl: allow filterkey
by Richard Guy Briggs
The exclude rules did not permit a filterkey to be added. This isn't as
important for the exclude filter compared to the others since no records are
generated with that key, but still helps identify rules in the rules list
configuration.
Allow filterkeys to be used with the exclude filter.
See: https://github.com/linux-audit/audit-userspace/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/libaudit.c | 13 +++++++++++--
lib/private.h | 1 +
src/auditctl.c | 5 +++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b1f8f9c..028483d 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -85,6 +85,7 @@ int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
+int _audit_filterexcladded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
- if (field != AUDIT_MSGTYPE)
+ switch(field) {
+ case AUDIT_MSGTYPE:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
return -EAU_FIELDNOSUPPORT;
+ }
} else {
switch(field) {
case AUDIT_PID:
@@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
@@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded))
+ _audit_exeadded || _audit_filterexcladded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/lib/private.h b/lib/private.h
index cde1906..855187b 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -139,6 +139,7 @@ extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
+extern int _audit_filterexcladded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl.c b/src/auditctl.c
index 04765f4..c785087 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -74,6 +74,7 @@ static int reset_vars(void)
_audit_permadded = 0;
_audit_archadded = 0;
_audit_exeadded = 0;
+ _audit_filterexcladded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
- del==AUDIT_FILTER_UNSET)) {
+ _audit_exeadded || _audit_filterexcladded) ||
+ (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
retval = -1;
--
1.7.1
7 years, 6 months
[PATCH] filterkey: add errormsg reporting
by Richard Guy Briggs
Call errormsg after processing filterkey to speed up debugging.
See: https://github.com/linux-audit/audit-userspace/issues/13
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
src/auditctl.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index e112b16..04765f4 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1091,8 +1091,10 @@ process_keys:
} else {
/* Add this to the rule */
int ret = audit_rule_fieldpair_data(&rule_new, cmd, flags);
- if (ret < 0)
+ if (ret != 0) {
+ audit_number_to_errmsg(ret, cmd);
retval = -1;
+ }
free(cmd);
}
}
--
1.7.1
7 years, 6 months
[PATCH 00/12] Delete CURRENT_TIME, CURRENT_TIME_SEC and current_fs_time
by Deepa Dinamani
The series contains the last unmerged uses of CURRENT_TIME,
CURRENT_TIME_SEC, and current_fs_time().
The series also deletes these apis.
All the patches except [PATCH 9/12] and [PATCH 10/12] are resend patches.
These patches fix new instances of CURRENT_TIME.
cifs and ceph patches have been squashed so that we have one patch per
filesystem.
We want to get these merged onto 4.12 release so that I can post the series
that changes vfs timestamps to use 64 bits for 4.13 release.
I'm proposing these to be merged through Andrew's tree.
Filesystem maintainers, please let Andrew know if you will be picking up
the patch in your trees.
Let me know if anybody has other preferences for merging.
Deepa Dinamani (12):
fs: f2fs: Use ktime_get_real_seconds for sit_info times
trace: Make trace_hwlat timestamp y2038 safe
fs: cifs: Replace CURRENT_TIME by other appropriate apis
fs: ceph: CURRENT_TIME with ktime_get_real_ts()
fs: ufs: Use ktime_get_real_ts64() for birthtime
audit: Use timespec64 to represent audit timestamps
fs: btrfs: Use ktime_get_real_ts for root ctime
fs: ubifs: Replace CURRENT_TIME_SEC with current_time
lustre: Replace CURRENT_TIME macro
apparmorfs: Replace CURRENT_TIME with current_time()
time: Delete CURRENT_TIME_SEC and CURRENT_TIME
time: Delete current_fs_time() function
drivers/block/rbd.c | 2 +-
drivers/staging/lustre/lustre/llite/llite_lib.c | 6 +++---
drivers/staging/lustre/lustre/osc/osc_io.c | 4 ++--
fs/btrfs/root-tree.c | 3 ++-
fs/ceph/mds_client.c | 4 +++-
fs/cifs/cifsencrypt.c | 4 +++-
fs/cifs/cifssmb.c | 10 ++++-----
fs/cifs/inode.c | 28 +++++++++++++------------
fs/f2fs/segment.c | 2 +-
fs/f2fs/segment.h | 5 +++--
fs/ubifs/dir.c | 12 +++++------
fs/ubifs/file.c | 12 +++++------
fs/ubifs/ioctl.c | 2 +-
fs/ubifs/misc.h | 10 ---------
fs/ubifs/sb.c | 14 +++++++++----
fs/ubifs/xattr.c | 6 +++---
fs/ufs/ialloc.c | 6 ++++--
include/linux/audit.h | 4 ++--
include/linux/fs.h | 1 -
include/linux/time.h | 3 ---
kernel/audit.c | 10 ++++-----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 +++---
kernel/time/time.c | 14 -------------
kernel/trace/trace_entries.h | 6 +++---
kernel/trace/trace_hwlat.c | 14 ++++++-------
kernel/trace/trace_output.c | 9 ++++----
net/ceph/messenger.c | 6 ++++--
net/ceph/osd_client.c | 4 ++--
security/apparmor/apparmorfs.c | 2 +-
30 files changed, 100 insertions(+), 111 deletions(-)
--
2.7.4
7 years, 6 months
[RFC PATCH V2 0/4] capabilities: do not audit log BPRM_FCAPS on set*id
by Richard Guy Briggs
The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
application execution (SYSCALL execve). This is not expected as it was
supposed to be limited to when the file system actually had capabilities
in an extended attribute. It lists all capabilities making the event
really ugly to parse what is happening. The PATH record correctly
records the setuid bit and owner. Suppress the BPRM_FCAPS record on
set*id.
See: https://github.com/linux-audit/audit-kernel/issues/16
The patch that resolves this issue is the third. The first and second just
massage the logic to make it easier to understand.
It would be possible to address the original issue with a change of
"!uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid)"
to
"!(uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid))"
but it took me long enough to understand this logic that I don't think I'd be
doing any favours by leaving it this difficult to understand.
The final patch attempts to address all the conditions that need logging based
on mailing list conversations, recoginizing there is probably some duplication
in the logic, which is why I'm posting this as an RFC for some feedback.
Richard Guy Briggs (4):
capabilities: use macros to make the logic easier to follow and
verify
capabilities: invert logic for clarity
capabilities: fix logic for effective root or real root
capabilities: auit log other surprising conditions
security/commoncap.c | 55 ++++++++++++++++++++++++++++++++-----------------
1 files changed, 36 insertions(+), 19 deletions(-)
7 years, 6 months
[PATCH 0/6 RFC] Address NETFILTER_CFG issues
by Richard Guy Briggs
There were questions about the presence and cause of unsolicited syscall events
in the logs containing NETFILTER_CFG records and sometimes unaccompanied
NETFILTER_CFG records.
During testing at least the following list of events trigger NETFILTER_CFG
records and the syscalls related (There may be more events that will trigger
this message type.):
init_module, finit_module: modprobe
setsockopt: iptables-restore, ip6tables-restore, ebtables-restore
unshare: (h?)ostnamed
clone: libvirtd
The syscall events unsolicited by any audit rule were found to be caused by a
missing !audit_dummy_context() check before creating a NETFILTER_CFG record.
Check !audit_dummy_context() before creating the NETFILTER_CFG record.
The vast majority of unaccompanied records are caused by the fedora default
rule: "-a never,task" and the occasional early startup one is I believe caused
by the iptables filter table module hard linked into the kernel rather than a
loadable module. The !audit_dummy_context() check above should avoid them.
Seemingly duplicate records are not actually exact duplicates that are caused
by netfilter table initialization in different network namespaces from the same
syscall. Recommend adding the network namespace ID (proc inode) to the record
to make this obvious.
Ebtables module initialization to register tables doesn't generate records
because it was never hooked in to audit. Recommend adding audit hooks to log
this.
See: https://github.com/linux-audit/audit-kernel/issues/25
See: https://github.com/linux-audit/audit-kernel/issues/35
See: https://github.com/linux-audit/audit-kernel/issues/43
Richard Guy Briggs (6):
netfilter: normalize x_table function declarations
netfilter: normalize ebtables function declarations
netfilter: audit only on xtables and ebtables syscall rule or
standalone
netfilter: ebtables: audit table registration
netfilter: add audit operation field
netfilter: add audit netns ID
include/linux/audit.h | 4 +-
include/linux/netfilter/x_tables.h | 1 +
include/uapi/linux/audit.h | 1 +
kernel/auditsc.c | 3 +-
net/bridge/netfilter/ebtables.c | 148 +++++++++++++++++++++++-------------
net/ipv4/netfilter/arp_tables.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/netfilter/x_tables.c | 76 +++++++++++--------
9 files changed, 149 insertions(+), 90 deletions(-)
7 years, 6 months
