July 2018 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: always enable syscall auditing when supported and audit is enabled

by Paul Moore

To the best of our knowledge, everyone who enables audit at compile time also enables syscall auditing; this patch simplifies the Kconfig menus by removing the option to disable syscall auditing when audit is selected and the target arch supports it. Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- init/Kconfig | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/init/Kconfig b/init/Kconfig index c24b6f7..d4663b1 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -299,20 +299,15 @@ config AUDIT help Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for - logging of avc messages output). Does not do system-call - auditing without CONFIG_AUDITSYSCALL. + logging of avc messages output). System call auditing is included + on architectures which support it. config HAVE_ARCH_AUDITSYSCALL bool config AUDITSYSCALL - bool "Enable system-call auditing support" + def_bool y depends on AUDIT && HAVE_ARCH_AUDITSYSCALL - default y if SECURITY_SELINUX - help - Enable low-overhead system-call auditing infrastructure that - can be used independently or with another kernel subsystem, - such as SELinux. config AUDIT_WATCH def_bool y

5 years, 10 months

5
13
0 / 0

[PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier

by Richard Guy Briggs

Implement kernel audit container identifier. This patchset is a fourth based on the proposal document (V3) posted: https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html The first patch is the last patch from ghak81 that is included here as a convenience. The second patch implements the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to announce the registration of that audit container identifier on that process. This patch requires userspace support for record acceptance and proper type display. The third implements the auxiliary record AUDIT_CONTAINER if an audit container identifier is identifiable with an event. This patch requires userspace support for proper type display. The 4th adds signal and ptrace support. The 5th creates a local audit context to be able to bind a standalone record with a locally created auxiliary record. The 6th patch adds audit container identifier records to the tty standalone record. The 7th adds audit container identifier filtering to the exit, exclude and user lists. This patch adds the AUDIT_CONTID field and requires auditctl userspace support for the --contid option. The 8th adds network namespace audit container identifier labelling based on member tasks' audit container identifier labels. The 9th adds audit container identifier support to standalone netfilter records that don't have a task context and lists each container to which that net namespace belongs. The 10th implements reading the audit container identifier from the proc filesystem for debugging. This patch isn't planned for upstream inclusion. Example: Set an audit container identifier of 123456 to the "sleep" task: sleep 2& child=$! echo 123456 > /proc/$child/audit_containerid; echo $? ausearch -ts recent -m container echo child:$child contid:$( cat /proc/$child/audit_containerid) This should produce a record such as: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid: contid=123459 key=tmpcontainerid auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" & child=$! echo $contid > /proc/$child/audit_containerid sleep 2 ausearch -i -ts recent -k $key auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key rm -f /tmp/$key This should produce an event such as: type=CONTAINER msg=audit(2018-06-06 12:46:31.707:26953) : op=task contid=123459 type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile); type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid Includes: https://github.com/linux-audit/audit-kernel/issues/81 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Changelog: v4 - preface set with ghak81:"collect audit task parameters" - add shallyn and sgrubb acks - rename feature bitmap macro - rename cid_valid() to audit_contid_valid() - rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP - delete audit_get_contid_list() from headers - move work into inner if, delete "found" - change netns contid list function names - move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch - list contids CSV - pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers) - use "local" in lieu of abusing in_syscall for auditsc_get_stamp() - read_lock(&tasklist_lock) around children and thread check - task_lock(tsk) should be taken before first check of tsk->audit - add spin lock to contid list in aunet - restrict /proc read to CAP_AUDIT_CONTROL - remove set again prohibition and inherited flag - delete contidion spelling fix from patchset, send to netdev/linux-wireless v3 - switched from containerid in task_struct to audit_task_info (depends on ghak81) - drop INVALID_CID in favour of only AUDIT_CID_UNSET - check for !audit_task_info, throw -ENOPROTOOPT on set - changed -EPERM to -EEXIST for parent check - return AUDIT_CID_UNSET if !audit_enabled - squash child/thread check patch into AUDIT_CONTAINER_ID patch - changed -EPERM to -EBUSY for child check - separate child and thread checks, use -EALREADY for latter - move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch - fix && to || bashism in ptrace/signal patch - uninline and export function for audit_free_context() - drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches - move audit_enabled check (xt_AUDIT) - switched from containerid list in struct net to net_generic's struct audit_net - move containerid list iteration into audit (xt_AUDIT) - create function to move namespace switch into audit - switched /proc/PID/ entry from containerid to audit_containerid - call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context() - call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info() - use xt_net(par) instead of sock_net(skb->sk) to get net - switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID - allow to set own contid - open code audit_set_containerid - add contid inherited flag - ccontainerid and pcontainerid eliminated due to inherited flag - change name of container list funcitons - rename containerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging - patch description and documentation clean-up and example - reap unused ppid Richard Guy Briggs (10): audit: collect audit task parameters audit: add container id audit: log container info of syscalls audit: add containerid support for ptrace and signals audit: add support for non-syscall auxiliary records audit: add containerid support for tty_audit audit: add containerid filtering audit: add support for containerid to network namespaces audit: NETFILTER_PKT: record each container ID associated with a netNS debug audit: read container ID of a process drivers/tty/tty_audit.c | 5 +- fs/proc/base.c | 56 ++++++++++++++ include/linux/audit.h | 95 ++++++++++++++++++++--- include/linux/sched.h | 5 +- include/uapi/linux/audit.h | 8 +- init/init_task.c | 3 +- init/main.c | 2 + kernel/audit.c | 137 +++++++++++++++++++++++++++++++++ kernel/audit.h | 4 + kernel/auditfilter.c | 47 ++++++++++++ kernel/auditsc.c | 183 ++++++++++++++++++++++++++++++++++++++++----- kernel/fork.c | 4 +- kernel/nsproxy.c | 4 + net/netfilter/xt_AUDIT.c | 12 ++- 14 files changed, 526 insertions(+), 39 deletions(-) -- 1.8.3.1

5 years, 11 months

5
62
0 / 0

[RFC PATCH 0/3] simplify struct audit_krule reveals bug

by Richard Guy Briggs

In the process of trying to track down a potential bug altering the registered arch for a syscall rule, a simplification of struct audit_krule that removes a seemingly unnecessary member has revealed a surprising NULL pointer dereference. The struct audit_field *arch_f member should not be necessary since it is the first field present if it is present at all, and is only necessary for syscall rules, so iterating over the fields to find it is simple and only happens when adding or deleting a rule. Shrinking the struct audit_krule seemed to be a good idea, but appears to have openned a can of worms. The first patch triggered this OOPS: BUG: unable to handle kernel NULL pointer dereference at 0000000000000009 IP: audit_match_signal+0x42/0x120 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Modules linked in: sunrpc 8139too i2c_piix4 pcspkr virtio_balloon 8139cp i2c_core mii sch_fq_codel floppy serio_raw ata_generic pata_acpi CPU: 1 PID: 325 Comm: auditctl Not tainted 4.15.0-bz1462178-arch-changed+ #636 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:audit_match_signal+0x42/0x120 RSP: 0018:ffffc900003dfc08 EFLAGS: 00010202 RAX: 0000000000000003 RBX: ffff880036588000 RCX: 0000000000000003 RDX: ffff88003c7f02e0 RSI: ffff88003c7f02a0 RDI: ffff880036588000 RBP: ffff88003671de00 R08: 0000000000000001 R09: 0000000000000000 R10: ffff880036a0b190 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880036588178 R14: ffff880036588000 R15: ffffffff8247f880 FS: 00007fa53c6d9740(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000009 CR3: 00000000347ba000 CR4: 00000000000006e0 Call Trace: audit_rule_change+0xb32/0xce0 audit_receive_msg+0x163/0x1090 ? netlink_deliver_tap+0x90/0x350 ? kvm_sched_clock_read+0x5/0x10 ? sched_clock+0x5/0x10 audit_receive+0x4d/0xa0 netlink_unicast+0x195/0x250 netlink_sendmsg+0x2fe/0x3f0 sock_sendmsg+0x32/0x60 SYSC_sendto+0xda/0x140 ? syscall_trace_enter+0x2dc/0x400 ? return_from_SYSCALL_64+0x10/0x75 do_syscall_64+0x83/0x360 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x7fa53bbb1607 RSP: 002b:00007fff33f48c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000444 RCX: 00007fa53bbb1607 RDX: 0000000000000444 RSI: 00007fff33f48cb0 RDI: 0000000000000003 RBP: 0000000000000431 R08: 00007fff33f48c9c R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 00007fff33f48cb0 R14: 00007fff33f48c9c R15: 00000000000003f3 Code: 01 00 00 83 3e 0b 0f 84 ef 00 00 00 31 c0 eb 0f 48 63 d0 48 c1 e2 05 48 01 f2 83 3a 0b 74 7d 83 c0 01 39 c8 75 ea 4d 85 c0 74 79 <41> 8b 78 08 e8 25 ff ed ff 85 c0 74 31 83 f8 01 75 58 48 8b 0d RIP: audit_match_signal+0x42/0x120 RSP: ffffc900003dfc08 CR2: 0000000000000009 The second patch surprisingly fixes the OOPS. Adding debug output, the OOPS is consistently happenning in the 7th STIG rule that includes an arch parameter, but the value that causes the OOPS dereferences, copies and prints out fine: -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change ams_: i=0 f=00000000e5612893 type=11 op=0 val=40000003 key="time-change" -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change ams_: i=0 f=00000000cf222aca type=11 op=0 val=c000003e key="time-change" -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change ams_: i=0 f=00000000ad39bfc6 type=11 op=0 val=40000003 key="time-change" -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change ams_: i=0 f=00000000c9f83209 type=11 op=0 val=c000003e key="time-change" -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale ams_: i=0 f=000000005a19d216 type=11 op=0 val=40000003 key="system-locale" -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale ams_: i=0 f=000000003280e47a type=11 op=0 val=c000003e key="system-locale" OOPS -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod ams_: i=0 f=000000008368170a type=11 op=0 val=40000003 key="perm_mod" I'd let sleeping dogs lie, but I haven't tracked down the source of the original rule that changes arch between addition and listing (nor reproduced it yet since I don't have access to that HW arch), and it seems to reveal potentially another bug. Help! Any observations or hints? Richard Guy Briggs (3): audit: remove arch_f pointer from struct audit_krule fixup! audit: remove arch_f pointer from struct audit_krule debug! audit: remove arch_f pointer from struct audit_krule include/linux/audit.h | 1 - kernel/auditfilter.c | 18 +++++++++++++----- 2 files changed, 13 insertions(+), 6 deletions(-) -- 1.8.3.1

6 years

2
11
0 / 0

[PATCH ghak59 V2 0/6] audit: config_change normalizations and event record gathering

by Richard Guy Briggs

Make a number of changes to normalize CONFIG_CHANGE records by adding missing op= fields, providing more information in existing op fields and connecting all records to existing audit events. The user record patch is included but is *optional* since there is doubt that we want to disconnect the records from a single event. Since tree purge records are processed after the EOE record is produced, the order of operation of the EOE record and the purge will have to be reversed so that the purge records can be included in the event. For reference, here are the calling methods and function tree for all CONFIG_CHANGE events: - audit_log_config_change() "op=set" - AUDIT_SET:AUDIT_STATUS_PID - AUDIT_SET:AUDIT_STATUS_LOST - audit_do_config_change() - AUDIT_SET:AUDIT_STATUS_FAILURE - AUDIT_SET:AUDIT_STATUS_ENABLED - AUDIT_SET:AUDIT_STATUS_RATE_LIMIT - AUDIT_SET:AUDIT_STATUS_BACKLOG_LIMIT - AUDIT_SET:AUDIT_STATUS_BACKLOG_WAIT_TIME - audit_log_common_recv_msg() - AUDIT_*USER* events (not CONFIG_CHANGE like all the rest) - AUDIT_LOCKED "op=%s_rule"(add/remove) - AUDIT_TRIM "op=trim" - AUDIT_MAKE_EQUIV: "op=make_equiv" - AUDIT_TTY_SET: "op=tty_set" - audit_log_rule_change() - AUDIT_ADD_RULE -F dir=: - AUDIT_DEL_RULE -F dir=: - audit_mark_log_rule_change() - audit_autoremove_mark_rule() "op=autoremove_rule(mark)" - audit_mark_handle_event() - audit_mark_fsnotify_ops.handle_event - audit_tree_log_remove_rule() "op=remove_rule(tree:%s)" from kill_rules() - from trim_marked() - AUDIT_TRIM: audit_trim_trees() "trim" - audit_add_tree_rule() iterate_mounts err "add" - audit_add_rule() - audit_rule_change() - AUDIT_ADD_RULE -F dir=: - AUDIT_MAKE_EQUIV: audit_tag_tree() iterate_mounts err "equiv" - from audit_kill_trees() - __audit_free() "free" - do_exit() - copy_process() err - __audit_syscall_exit() "exit" - from evict_chunk() "evict" - audit_tree_freeing_mark() - audit_tree_ops.freeing_mark - audit_watch_log_rule_change() - audit_update_watch() "updated_rules(watch:inval)" : "updated_rules(watch:set)" - audit_watch_handle_event() FS_CREATE|FS_MOVED_TO, FS_DELETE|FS_MOVED_FROM - audit_watch_fsnotify_ops.handle_event - audit_remove_parent_watches() "remove_rule(watch:parent)" - audit_watch_handle_event() FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF - audit_watch_fsnotify_ops.handle_event See: https://github.com/linux-audit/audit-kernel/issues/50 See: https://github.com/linux-audit/audit-kernel/issues/59 Changelog: v2: - re-order audit_log_exit() and audit_kill_trees() - drop EOE reordering patch - rebase on 4.18-rc1 (audit/next) Richard Guy Briggs (6): audit: give a clue what CONFIG_CHANGE op was involved audit: add syscall information to CONFIG_CHANGE records audit: exclude user records from syscall context audit: hand taken context to audit_kill_trees for syscall logging audit: kill trees before logging syscall exit for exit/free audit: extend config_change mark/watch/tree rule changes kernel/audit.c | 20 ++++++++++++++------ kernel/audit.h | 4 ++-- kernel/audit_fsnotify.c | 4 ++-- kernel/audit_tree.c | 28 +++++++++++++++------------- kernel/audit_watch.c | 8 +++++--- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 9 ++++----- 7 files changed, 43 insertions(+), 32 deletions(-) -- 1.8.3.1

6 years, 1 month

2
12
0 / 0

[PATCH 0/10 v2] audit: Fix various races when tagging and untagging mounts

by Jan Kara

Hello, this is a second revision of the series that addresses problems I have identified when trying to understand how exactly is kernel/audit_tree.c using generic fsnotify framework. I hope I have understood all the interactions right but careful review is certainly welcome. The patches have been tested by a stress test I have written which mounts & unmounts filesystems in the directory tree while adding and removing audit rules for this tree in parallel and accessing the tree to generate events. Still some real-world testing would be welcome. Changes since v1: * Split the last patch to ease review * Rewrite test script so that it can be included in audit testsuite * Some cleanups and improvements suggested by Amir Honza

6 years, 3 months

3
31
0 / 0

[RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

by Ondrej Mosnacek

This patchset is a prototype implementation of the feature requested in GHAK issue #9 [1]. I decided for a simple auxiliary record with just 2 fields (fd and path) that is emitted whenever we want to record the full path for a file descriptor passed to a syscall (e.g. the dirfd argument of openat(2)). I choose this approach because for some syscalls there is more than one file descriptor we might be interested in (a good example is the renameat(2) syscall). The motivation for this feature (as I understand it) is to avoid the need to reconstruct the paths corresponding to the file descriptors passed to syscalls, as this might be difficult and time consuming or even impossible in case not all of the right sycalls are being logged. Note that it is always possible to disable these records by simply adding an exclude filter rule matching all records of type FD_PATH. At this moment I only implement logging for a single syscall (openat(2)) to keep it simple. In the final version I plan to add support for other similar syscalls ()mkdirat, mknodeat, fchownat, ...). Please let me know if the general approach and the proposed record format make sense to you so I can improve/complete the solution. Thanks, Ondrej [1] https://github.com/linux-audit/audit-kernel/issues/9

6 years, 4 months

4
26
0 / 0

[PATCH ghau51/ghau40 v4 0/6] add support for audit container identifier

by Richard Guy Briggs

Add support for audit kernel container identifiers to userspace tools. The first and second add new record types. The third adds filter support. The fourth and 5th start to add search support. The last is intended for debugging and not for upstream, matching the kernel /proc read patch. See: https://github.com/linux-audit/audit-userspace/issues/51 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Richard Guy Briggs (6): AUDIT_CONTAINER_OP message type basic support AUDIT_CONTAINER message type basic support auditctl: add support for AUDIT_CONTID filter add ausearch containerid support start normalization containerid support libaudit: add support to get the task audit container identifier auparse/normalize_record_map.h | 1 + docs/Makefile.am | 2 +- docs/audit_get_containerid.3 | 25 ++++++ docs/auditctl.8 | 3 + lib/fieldtab.h | 1 + lib/libaudit.c | 65 ++++++++++++++ lib/libaudit.h | 16 ++++ lib/msg_typetab.h | 2 + lib/netlink.c | 1 + src/auditctl-listing.c | 21 +++++ src/aureport-options.c | 1 + src/ausearch-llist.c | 2 + src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 + src/ausearch-options.c | 47 +++++++++- src/ausearch-options.h | 1 + src/ausearch-parse.c | 199 +++++++++++++++++++++++++++++++++++++++++ 17 files changed, 389 insertions(+), 2 deletions(-) create mode 100644 docs/audit_get_containerid.3 -- 1.8.3.1

6 years, 4 months

1
6
0 / 0

[RFC PATCH ghak90 (was ghak32) V3 00/10] audit: implement container identifier

by Richard Guy Briggs

Implement kernel audit container identifier. This patchset is a third based on the proposal document (V3) posted: https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html The first patch implements the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_ID record to announce the registration of that audit container identifier on that process. This patch requires userspace support for record acceptance and proper type display. The second implements the auxiliary record AUDIT_CONTAINER if an audit container identifier is identifiable with an event. This patch requires userspace support for proper type display. The third adds signal and ptrace support. The 4th creates a local audit context to be able to bind a standalone record with a locally created auxiliary record. The 5th patch adds audit container identifier records to the tty standalone record. The 6th adds audit container identifier filtering to the exit, exclude and user lists. This patch adds the AUDIT_CONTID field and requires auditctl userspace support for the --contid option. The 7th adds network namespace audit container identifier labelling based on member tasks' audit container identifier labels. The 8th adds audit container identifier support to standalone netfilter records that don't have a task context and lists each container to which that net namespace belongs. The 9th implements reading the audit container identifier from the proc filesystem for debugging. This patch isn't planned for upstream inclusion. The 10th fixes an rfkill spelling mistake in a comment that is otherwise the only match for "contid" in the kernel. Example: Set an audit container identifier of 123456 to the "sleep" task: sleep 2& child=$! echo 123456 > /proc/$child/audit_containerid; echo $? ausearch -ts recent -m container echo child:$child contid:$( cat /proc/$child/audit_containerid) This should produce a record such as: type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid: contid=123459 key=tmpcontainerid auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" & child=$! echo $contid > /proc/$child/audit_containerid sleep 2 ausearch -i -ts recent -k $key auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key rm -f /tmp/$key This should produce an event such as: type=CONTAINER msg=audit(2018-06-06 12:46:31.707:26953) : op=task contid=123459 type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile); type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid Requires: https://github.com/linux-audit/audit-kernel/issues/81 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Changelog: v3 - switched from containerid in task_struct to audit_task_info (depends on ghak81) - drop INVALID_CID in favour of only AUDIT_CID_UNSET - check for !audit_task_info, throw -ENOPROTOOPT on set - changed -EPERM to -EEXIST for parent check - return AUDIT_CID_UNSET if !audit_enabled - squash child/thread check patch into AUDIT_CONTAINER_ID patch - changed -EPERM to -EBUSY for child check - separate child and thread checks, use -EALREADY for latter - move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch - fix && to || bashism in ptrace/signal patch - uninline and export function for audit_free_context() - drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches - move audit_enabled check (xt_AUDIT) - switched from containerid list in struct net to net_generic's struct audit_net - move containerid list iteration into audit (xt_AUDIT) - create function to move namespace switch into audit - switched /proc/PID/ entry from containerid to audit_containerid - call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context() - call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info() - use xt_net(par) instead of sock_net(skb->sk) to get net - switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID - allow to set own contid - open code audit_set_containerid - add contid inherited flag - ccontainerid and pcontainerid eliminated due to inherited flag - change name of container list funcitons - rename containerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging - patch description and documentation clean-up and example - reap unused ppid Richard Guy Briggs (10): audit: add container id audit: log container info of syscalls audit: add containerid support for ptrace and signals audit: add support for non-syscall auxiliary records audit: add containerid support for tty_audit audit: add containerid filtering audit: add support for containerid to network namespaces audit: NETFILTER_PKT: record each container ID associated with a netNS debug audit: read container ID of a process rfkill: fix spelling mistake contidion to condition drivers/tty/tty_audit.c | 5 +- fs/proc/base.c | 53 +++++++++++++++++++ include/linux/audit.h | 68 ++++++++++++++++++++++++ include/uapi/linux/audit.h | 8 ++- kernel/audit.c | 114 ++++++++++++++++++++++++++++++++++++++++ kernel/audit.h | 3 ++ kernel/auditfilter.c | 47 +++++++++++++++++ kernel/auditsc.c | 128 ++++++++++++++++++++++++++++++++++++++++++--- kernel/nsproxy.c | 4 ++ net/netfilter/xt_AUDIT.c | 12 ++++- net/rfkill/core.c | 2 +- 11 files changed, 433 insertions(+), 11 deletions(-) -- 1.8.3.1

6 years, 4 months

5
53
0 / 0

[GIT PULL] Audit fixes for v4.18 (#1)

by Paul Moore

Hi Linus, A single small audit fix to guard against memory allocation failures when logging information about a kernel module load. It's small, easy to understand, and self-contained; while nothing is zero risk, this should be pretty low. Please merge for v4.18, thanks. -Paul -- The following changes since commit 5b71388663c0920848c0ee7de946970a2692b76d: audit: Fix wrong task in comparison of session ID (2018-05-21 14:27:43 -0400) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20180731 for you to fetch changes up to b305f7ed0f4f494ad6f3ef5667501535d5a8fa31: audit: fix potential null dereference 'context->module.name' (2018-07-30 18:09:37 -0400) ---------------------------------------------------------------- audit/stable-4.18 PR 20180731 ---------------------------------------------------------------- Yi Wang (1): audit: fix potential null dereference 'context->module.name' kernel/auditsc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) -- paul moore www.paul-moore.com

6 years, 4 months

1
0
0 / 0

[PATCH v2] audit: fix potential null dereference 'context->module.name'

by Yi Wang

The variable 'context->module.name' may be null pointer when kmalloc return null, so it's better to check it before using to avoid null dereference. Another one more thing this patch does is using kstrdup instead of (kmalloc + strcpy), and signal a lost record via audit_log_lost. Signed-off-by: Yi Wang <wang.yi59(a)zte.com.cn> Reviewed-by: Jiang Biao <jiang.biao2(a)zte.com.cn> --- v2: use kstrdup instead of kmalloc + strcpy, and signal a lost record. Thanks to Eric and Paul. kernel/auditsc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e80459f..713386a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1272,8 +1272,12 @@ static void show_special(struct audit_context *context, int *call_panic) break; case AUDIT_KERN_MODULE: audit_log_format(ab, "name="); - audit_log_untrustedstring(ab, context->module.name); - kfree(context->module.name); + if (context->module.name) { + audit_log_untrustedstring(ab, context->module.name); + kfree(context->module.name); + } else + audit_log_format(ab, "(null)"); + break; } audit_log_end(ab); @@ -2408,8 +2412,9 @@ void __audit_log_kern_module(char *name) { struct audit_context *context = current->audit_context; - context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); - strcpy(context->module.name, name); + context->module.name = kstrdup(name, GFP_KERNEL); + if (!context->module.name) + audit_log_lost("out of memory in __audit_log_kern_module"); context->type = AUDIT_KERN_MODULE; } -- 1.8.3.1

6 years, 4 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit July 2018