[PATCH] audit: return on memory error to avoid null pointer dereference
by Richard Guy Briggs
If there is a memory allocation error when trying to change an audit
kernel feature value, the ignored allocation error will trigger a NULL
pointer dereference oops on subsequent use of that pointer. Return
instead.
See: https://github.com/linux-audit/audit-kernel/issues/76
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 196d327..31cb11d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1063,6 +1063,8 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
return;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ if (!ab)
+ return;
audit_log_task_info(ab, current);
audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
audit_feature_names[which], !!old_feature, !!new_feature,
--
1.8.3.1
6 years, 8 months
[PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents
by Richard Guy Briggs
More than one filesystem was causing hundreds to thousands of null PATH
records to be associated with the *init_module SYSCALL records on a few
modules with corresponding audit syscall rules.
This patchset adds extra information to those PATH records to provide
insight into what is generating them, including a partial pathname,
fstype field, and two new filetypes that indicate the pathname isn't
anchored at the root of the task's root filesystem.
Richard Guy Briggs (3):
audit: show partial pathname for entries with anonymous parents
audit: append new fstype field for anonymous PATH records
audit: add new filetypes CREATE_ANON and PARENT_ANON
include/linux/audit.h | 10 ++++++----
kernel/audit.c | 41 ++++++++++++++++++++++++++++++++++++++++-
kernel/audit.h | 1 +
kernel/auditsc.c | 12 ++++++++++--
4 files changed, 57 insertions(+), 7 deletions(-)
--
1.8.3.1
6 years, 8 months
[PATCH V2] audit: remove arch_f pointer from struct audit_krule
by Richard Guy Briggs
In the process of trying to track down a potential bug altering the
registered arch for a syscall rule, I propose this simplification of
struct audit_krule that removes an unnecessary member.
The arch_f pointer was added to the struct audit_krule in commit:
e54dc2431d740a79a6bd013babade99d71b1714f ("audit signal recipients")
This is only used on addition and deletion of rules which isn't time
critical and the arch field is the first field if it is present at all,
easily found iterating over the field type. This isn't worth the
additional complexity and storage. Delete the field.
Passes audit-testsuite.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 1 -
kernel/auditfilter.c | 12 ++++++++----
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index af410d9..64a3b0e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -58,7 +58,6 @@ struct audit_krule {
u32 field_count;
char *filterkey; /* ties events to rules */
struct audit_field *fields;
- struct audit_field *arch_f; /* quick access to arch field */
struct audit_field *inode_f; /* quick access to an inode field */
struct audit_watch *watch; /* associated watch */
struct audit_tree *tree; /* associated watched tree */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 739a6d2..a39090d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -220,7 +220,14 @@ static inline int audit_match_class_bits(int class, u32 *mask)
static int audit_match_signal(struct audit_entry *entry)
{
- struct audit_field *arch = entry->rule.arch_f;
+ int i;
+ struct audit_field *arch = NULL;
+
+ for (i = 0; i < entry->rule.field_count; i++)
+ if (entry->rule.fields[i].type == AUDIT_ARCH) {
+ arch = &entry->rule.fields[i];
+ break;
+ }
if (!arch) {
/* When arch is unspecified, we must check both masks on biarch
@@ -496,9 +503,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (!gid_valid(f->gid))
goto exit_free;
break;
- case AUDIT_ARCH:
- entry->rule.arch_f = f;
- break;
case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE:
case AUDIT_SUBJ_TYPE:
--
1.8.3.1
6 years, 8 months
[PATCH V3 0/2] audit: speed up audit syscall entry
by Richard Guy Briggs
These fixes should speed up audit syscall entry by doing away with the
audit entry filter check, moving up the valid connection check before
filling in the context and not caring if there is a bug when audit is
disabled.
Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/6
v3:
- squash patch 1 and 2
v2:
- bail earlier to avoid setting up unneeded state
- don't bother checking for bug when disabled
Richard Guy Briggs (2):
audit: deprecate the AUDIT_FILTER_ENTRY filter
audit: bail before bug check if audit disabled
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 22 ++++++++++------------
2 files changed, 12 insertions(+), 14 deletions(-)
--
1.8.3.1
6 years, 8 months
[PATCH] audit: session ID should not set arch quick field pointer
by Richard Guy Briggs
A bug was introduced in 8fae47705685fcaa75a1fe4c8c3e18300a702979
("audit: add support for session ID user filter")
See: https://github.com/linux-audit/audit-kernel/issues/4
When setting a session ID filter, the session ID filter field overwrote
the quick pointer reference to the arch field, potentially causing the
arch field to be misinterpreted.
Passes audit-testsuite.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditfilter.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 4a1758a..739a6d2 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -496,7 +496,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (!gid_valid(f->gid))
goto exit_free;
break;
- case AUDIT_SESSIONID:
case AUDIT_ARCH:
entry->rule.arch_f = f;
break;
--
1.8.3.1
6 years, 8 months
[PATCH V2 0/3] audit: speed up audit syscall entry
by Richard Guy Briggs
These fixes should speed up audit syscall entry by doing away with the
audit entry filter check, moving up the valid connection check before
filling in the context and not caring if there is a bug when audit is
disabled.
Richard Guy Briggs (3):
audit: deprecate the AUDIT_FILTER_ENTRY filter
audit: bail ASAP on syscall entry
audit: bail before bug check if audit disabled
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 22 ++++++++++------------
2 files changed, 12 insertions(+), 14 deletions(-)
--
1.8.3.1
6 years, 8 months
[PATCH] audit: update bugtracker and source URIs
by Richard Guy Briggs
Since the Linux Audit project has transitioned completely over to
github, update the MAINTAINERS file and the primary audit source file to
reflect that reality.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
MAINTAINERS | 1 -
kernel/audit.c | 3 ++-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 845fc25..fba4875 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2479,7 +2479,6 @@ M: Paul Moore <paul(a)paul-moore.com>
M: Eric Paris <eparis(a)redhat.com>
L: linux-audit(a)redhat.com (moderated for non-subscribers)
W: https://github.com/linux-audit
-W: https://people.redhat.com/sgrubb/audit
T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
S: Supported
F: include/linux/audit.h
diff --git a/kernel/audit.c b/kernel/audit.c
index 227db99..5c25449 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -38,7 +38,8 @@
* 6) Support low-overhead kernel-based filtering to minimize the
* information that must be passed to user-space.
*
- * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
+ * Audit userspace, documentation, tests, and bug/issue trackers:
+ * https://github.com/linux-audit
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
--
1.8.3.1
6 years, 8 months
[PATCH] audit: deprecate the AUDIT_FILTER_ENTRY filter
by Richard Guy Briggs
The audit entry filter has been long deprecated with userspace support
finally removed in audit-v2.6.7 and plans to remove kernel support have
existed since kernel-v2.6.31.
Remove it.
Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/6
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 4a1758a..1bbf5de 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -258,8 +258,8 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
goto exit_err;
#ifdef CONFIG_AUDITSYSCALL
case AUDIT_FILTER_ENTRY:
- if (rule->action == AUDIT_ALWAYS)
- goto exit_err;
+ pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
+ goto exit_err;
case AUDIT_FILTER_EXIT:
case AUDIT_FILTER_TASK:
#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e80459f..9348302 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1530,7 +1530,8 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
context->dummy = !audit_n_rules;
if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
context->prio = 0;
- state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
+ if (auditd_test_task(tsk))
+ return;
}
if (state == AUDIT_DISABLED)
return;
--
1.8.3.1
6 years, 8 months
RFC(V3): Audit Kernel Container IDs
by Richard Guy Briggs
Containers are a userspace concept. The kernel knows nothing of them.
The Linux audit system needs a way to be able to track the container
provenance of events and actions. Audit needs the kernel's help to do
this.
Since the concept of a container is entirely a userspace concept, a
registration from the userspace container orchestration system initiates
this. This will define a point in time and a set of resources
associated with a particular container with an audit container
identifier.
The registration is a u64 representing the audit container identifier
written to a special file in a pseudo filesystem (proc, since PID tree
already exists) representing a process that will become a parent process
in that container. This write might place restrictions on mount
namespaces required to define a container, or at least careful checking
of namespaces in the kernel to verify permissions of the orchestrator so
it can't change its own container ID. A bind mount of nsfs may be
necessary in the container orchestrator's mount namespace. This write
can only happen once per process.
Note: The justification for using a u64 is that it minimizes the
information printed in every audit record, reducing bandwidth and limits
comparisons to a single u64 which will be faster and less error-prone.
Require CAP_AUDIT_CONTROL to be able to carry out the registration. At
that time, record the target container's user-supplied audit container
identifier along with a target container's parent process (which may
become the target container's "init" process) process ID (referenced
from the initial PID namespace) in a new record AUDIT_CONTAINER with a
qualifying op=$action field.
Issue a new auxilliary record AUDIT_CONTAINER_INFO for each valid
container ID present on an auditable action or event.
Forked and cloned processes inherit their parent's audit container
identifier, referenced in the process' task_struct. Since the audit
container identifier is inherited rather than written, it can still be
written once. This will prevent tampering while allowing nesting.
(This can be implemented with an internal settable flag upon
registration that does not get copied across a fork/clone.)
Mimic setns(2) and return an error if the process has already initiated
threading or forked since this registration should happen before the
process execution is started by the orchestrator and hence should not
yet have any threads or children. If this is deemed overly restrictive,
switch all of the target's threads and children to the new containerID.
Trust the orchestrator to judiciously use and restrict CAP_AUDIT_CONTROL.
When a container ceases to exist because the last process in that
container has exited log the fact to balance the registration action.
(This is likely needed for certification accountability.)
At this point it appears unnecessary to add a container session
identifier since this is all tracked from loginuid and sessionid to
communicate with the container orchestrator to spawn an additional
session into an existing container which would be logged. It can be
added at a later date without breaking API should it be deemed
necessary.
The following namespace logging actions are not needed for certification
purposes at this point, but are helpful for tracking namespace activity.
These are auxilliary records that are associated with namespace
manipulation syscalls unshare(2), clone(2) and setns(2), so the records
will only show up if explicit syscall rules have been added to document
this activity.
Log the creation of every namespace, inheriting/adding its spawning
process' audit container identifier(s), if applicable. Include the
spawning and spawned namespace IDs (device and inode number tuples).
[AUDIT_NS_CREATE, AUDIT_NS_DESTROY] [clone(2), unshare(2), setns(2)]
Note: At this point it appears only network namespaces may need to track
container IDs apart from processes since incoming packets may cause an
auditable event before being associated with a process. Since a
namespace can be shared by processes in different containers, the
namespace will need to track all containers to which it has been
assigned.
Upon registration, the target process' namespace IDs (in the form of a
nsfs device number and inode number tuple) will be recorded in an
AUDIT_NS_INFO auxilliary record.
Log the destruction of every namespace that is no longer used by any
process, including the namespace IDs (device and inode number tuples).
[AUDIT_NS_DESTROY] [process exit, unshare(2), setns(2)]
Issue a new auxilliary record AUDIT_NS_CHANGE listing (opt: op=$action)
the parent and child namespace IDs for any changes to a process'
namespaces. [setns(2)]
Note: It may be possible to combine AUDIT_NS_* record formats and
distinguish them with an op=$action field depending on the fields
required for each message type.
The audit container identifier will need to be reaped from all
implicated namespaces upon the destruction of a container.
This namespace information adds supporting information for tracking
events not attributable to specific processes.
Changelog:
(Upstream V3)
- switch back to u64 (from pmoore, can be expanded to u128 in future if
need arises without breaking API. u32 was originally proposed, up to
c36 discussed)
- write-once, but children inherit audit container identifier and can
then still be written once
- switch to CAP_AUDIT_CONTROL
- group namespace actions together, auxilliary records to namespace
operations.
(Upstream V2)
- switch from u64 to u128 UUID
- switch from "signal" and "trigger" to "register"
- restrict registration to single process or force all threads and
children into same container
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
6 years, 8 months
[PATCH] audit: update bugtracker and source URIs
by Richard Guy Briggs
Since the Linux Audit project has transitioned completely over to
github, update the MAINTAINERS file and the primary audit source file to
reflect that reality.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
MAINTAINERS | 1 -
kernel/audit.c | 3 ++-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 845fc25..fba4875 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2479,7 +2479,6 @@ M: Paul Moore <paul(a)paul-moore.com>
M: Eric Paris <eparis(a)redhat.com>
L: linux-audit(a)redhat.com (moderated for non-subscribers)
W: https://github.com/linux-audit
-W: https://people.redhat.com/sgrubb/audit
T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
S: Supported
F: include/linux/audit.h
diff --git a/kernel/audit.c b/kernel/audit.c
index 227db99..06964f1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -38,7 +38,8 @@
* 6) Support low-overhead kernel-based filtering to minimize the
* information that must be passed to user-space.
*
- * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
+ * Audit kernel, userspace, documentation and testsuite bugtrackers and
+ * repositories: https://github.com/linux-audit
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
--
1.8.3.1
6 years, 9 months