[PATCH] audit: mark expected switch fall-through
by Gustavo A. R. Silva
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.
This patch fixes the following warning:
kernel/auditfilter.c: In function ‘audit_krule_to_data’:
kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
^
kernel/auditfilter.c:674:3: note: here
default:
^~~~~~~
Warning level 3 was used: -Wimplicit-fallthrough=3
Notice that, in this particular case, the code comment is modified
in accordance with what GCC is expecting to find.
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.
Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com>
---
kernel/auditfilter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index add360b46b38..63f8b3f26fab 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -670,7 +670,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->values[i] = AUDIT_UID_UNSET;
break;
}
- /* fallthrough if set */
+ /* fall through - if set */
default:
data->values[i] = f->val;
}
--
2.20.1
4 years, 5 months
[PATCH ghak90 V6 00/10] audit: implement container identifier
by Richard Guy Briggs
Implement kernel audit container identifier.
This patchset is a fifth based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch was the last patch from ghak81 that was absorbed into
this patchset since its primary justification is the rest of this
patchset.
The second patch implements the proc fs write to set the audit container
identifier of a process, emitting an AUDIT_CONTAINER_OP record to
announce the registration of that audit container identifier on that
process. This patch requires userspace support for record acceptance
and proper type display.
The third implements reading the audit container identifier from the
proc filesystem for debugging. This patch wasn't planned for upstream
inclusion but is starting to become more likely.
The fourth implements the auxiliary record AUDIT_CONTAINER_ID if an audit
container identifier is associated with an event. This patch requires
userspace support for proper type display.
The 5th adds audit daemon signalling provenance through audit_sig_info2.
The 6th creates a local audit context to be able to bind a standalone
record with a locally created auxiliary record.
The 7th patch adds audit container identifier records to the user
standalone records.
The 8th adds audit container identifier filtering to the exit,
exclude and user lists. This patch adds the AUDIT_CONTID field and
requires auditctl userspace support for the --contid option.
The 9th adds network namespace audit container identifier labelling
based on member tasks' audit container identifier labels.
The 10th adds audit container identifier support to standalone netfilter
records that don't have a task context and lists each container to which
that net namespace belongs.
Example: Set an audit container identifier of 123456 to the "sleep" task:
sleep 2&
child=$!
echo 123456 > /proc/$child/audit_containerid; echo $?
ausearch -ts recent -m container_op
echo child:$child contid:$( cat /proc/$child/audit_containerid)
This should produce a record such as:
type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes
Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid:
contid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child=$!
echo $contid > /proc/$child/audit_containerid
sleep 2
ausearch -i -ts recent -k $key
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
rm -f /tmp/$key
This should produce an event such as:
type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459
type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile);
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root
type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid
Example: Test multiple containers on one netns:
sleep 5 &
child1=$!
containerid1=123451
echo $containerid1 > /proc/$child1/audit_containerid
sleep 5 &
child2=$!
containerid2=123452
echo $containerid2 > /proc/$child2/audit_containerid
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -I INPUT -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1;
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1;
ausearch -i -m NETFILTER_PKT -ts boot|grep mark=0x12345555
ausearch -i -m NETFILTER_PKT -ts boot|grep contid=|grep $containerid1|grep $containerid2
This should produce an event such as:
type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451
Includes the last patch of https://github.com/linux-audit/audit-kernel/issues/81
Please see the github audit kernel issue for the main feature:
https://github.com/linux-audit/audit-kernel/issues/90
and the kernel filter code:
https://github.com/linux-audit/audit-kernel/issues/91
and the network support:
https://github.com/linux-audit/audit-kernel/issues/92
Please see the github audit userspace issue for supporting record types:
https://github.com/linux-audit/audit-userspace/issues/51
and filter code:
https://github.com/linux-audit/audit-userspace/issues/40
Please see the github audit testsuiite issue for the test case:
https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview:
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Changelog:
v6
- change TMPBUFLEN from 11 to 21 to cover the decimal value of contid
u64 (nhorman)
- fix bug overwriting ctx in struct audit_sig_info, move cid above
ctx[0] (nhorman)
- fix bug skipping remaining fields and not advancing bufp when copying
out contid in audit_krule_to_data (omosnacec)
- add acks, tidy commit descriptions, other formatting fixes (checkpatch
wrong on audit_log_lost)
- cast ull for u64 prints
- target_cid tracking was moved from the ptrace/signal patch to
container_op
- target ptrace and signal records were moved from the ptrace/signal
patch to container_id
- auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
request and record
- ditch unnecessary list_empty() checks
- check for null net and aunet in audit_netns_contid_add()
- swap CONTAINER_OP contid/old-contid order to ease parsing
v5
- address loginuid and sessionid syscall scope in ghak104
- address audit_context in CONFIG_AUDIT vs CONFIG_AUDITSYSCALL in ghak105
- remove tty patch, addressed in ghak106
- rebase on audit/next v5.0-rc1
w/ghak59/ghak104/ghak103/ghak100/ghak107/ghak105/ghak106/ghak105sup
- update CONTAINER_ID to CONTAINER_OP in patch description
- move audit_context in audit_task_info to CONFIG_AUDITSYSCALL
- move audit_alloc() and audit_free() out of CONFIG_AUDITSYSCALL and into
CONFIG_AUDIT and create audit_{alloc,free}_syscall
- use plain kmem_cache_alloc() rather than kmem_cache_zalloc() in audit_alloc()
- fix audit_get_contid() declaration type error
- move audit_set_contid() from auditsc.c to audit.c
- audit_log_contid() returns void
- audit_log_contid() handed contid rather than tsk
- switch from AUDIT_CONTAINER to AUDIT_CONTAINER_ID for aux record
- move audit_log_contid(tsk/contid) & audit_contid_set(tsk)/audit_contid_valid(contid)
- switch from tsk to current
- audit_alloc_local() calls audit_log_lost() on failure to allocate a context
- add AUDIT_USER* non-syscall contid record
- cosmetic cleanup double parens, goto out on err
- ditch audit_get_ns_contid_list_lock(), fix aunet lock race
- switch from all-cpu read spinlock to rcu, keep spinlock for write
- update audit_alloc_local() to use ktime_get_coarse_real_ts64()
- add nft_log support
- add call from do_exit() in audit_free() to remove contid from netns
- relegate AUDIT_CONTAINER ref= field (was op=) to debug patch
v4
- preface set with ghak81:"collect audit task parameters"
- add shallyn and sgrubb acks
- rename feature bitmap macro
- rename cid_valid() to audit_contid_valid()
- rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- delete audit_get_contid_list() from headers
- move work into inner if, delete "found"
- change netns contid list function names
- move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch
- list contids CSV
- pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers)
- use "local" in lieu of abusing in_syscall for auditsc_get_stamp()
- read_lock(&tasklist_lock) around children and thread check
- task_lock(tsk) should be taken before first check of tsk->audit
- add spin lock to contid list in aunet
- restrict /proc read to CAP_AUDIT_CONTROL
- remove set again prohibition and inherited flag
- delete contidion spelling fix from patchset, send to netdev/linux-wireless
v3
- switched from containerid in task_struct to audit_task_info (depends on ghak81)
- drop INVALID_CID in favour of only AUDIT_CID_UNSET
- check for !audit_task_info, throw -ENOPROTOOPT on set
- changed -EPERM to -EEXIST for parent check
- return AUDIT_CID_UNSET if !audit_enabled
- squash child/thread check patch into AUDIT_CONTAINER_ID patch
- changed -EPERM to -EBUSY for child check
- separate child and thread checks, use -EALREADY for latter
- move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch
- fix && to || bashism in ptrace/signal patch
- uninline and export function for audit_free_context()
- drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches
- move audit_enabled check (xt_AUDIT)
- switched from containerid list in struct net to net_generic's struct audit_net
- move containerid list iteration into audit (xt_AUDIT)
- create function to move namespace switch into audit
- switched /proc/PID/ entry from containerid to audit_containerid
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context()
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info()
- use xt_net(par) instead of sock_net(skb->sk) to get net
- switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID
- allow to set own contid
- open code audit_set_containerid
- add contid inherited flag
- ccontainerid and pcontainerid eliminated due to inherited flag
- change name of container list funcitons
- rename containerid to contid
- convert initial container record to syscall aux
- fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision
v2
- add check for children and threads
- add network namespace container identifier list
- add NETFILTER_PKT audit container identifier logging
- patch description and documentation clean-up and example
- reap unused ppid
Richard Guy Briggs (10):
audit: collect audit task parameters
audit: add container id
audit: read container ID of a process
audit: log container info of syscalls
audit: add contid support for signalling the audit daemon
audit: add support for non-syscall auxiliary records
audit: add containerid support for user records
audit: add containerid filtering
audit: add support for containerid to network namespaces
audit: NETFILTER_PKT: record each container ID associated with a netNS
fs/proc/base.c | 57 +++++++-
include/linux/audit.h | 113 +++++++++++++--
include/linux/sched.h | 7 +-
include/uapi/linux/audit.h | 9 +-
init/init_task.c | 3 +-
init/main.c | 2 +
kernel/audit.c | 325 ++++++++++++++++++++++++++++++++++++++++++--
kernel/audit.h | 9 ++
kernel/auditfilter.c | 47 +++++++
kernel/auditsc.c | 90 ++++++++----
kernel/fork.c | 1 -
kernel/nsproxy.c | 4 +
net/netfilter/nft_log.c | 11 +-
net/netfilter/xt_AUDIT.c | 11 +-
security/selinux/nlmsgtab.c | 1 +
15 files changed, 627 insertions(+), 63 deletions(-)
--
1.8.3.1
5 years, 3 months
[PATCH ghau93 v1] add support to filter on sockaddr family
by Richard Guy Briggs
Provide a method to filter on network address family.
This adds support for the kernel filter for sockaddr family,
AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl.
See: https://github.com/linux-audit/audit-kernel/issues/64
See: https://github.com/linux-audit/audit-userspace/issues/93
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/errormsg.h | 2 ++
lib/fieldtab.h | 1 +
lib/libaudit.c | 6 ++++++
lib/libaudit.h | 3 +++
4 files changed, 12 insertions(+)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index fd8c4a4b1311..fc03b2475034 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -70,6 +70,7 @@ struct msg_tab {
#define EAU_FIELDUNAVAIL 34
#define EAU_FILTERNOSUPPORT 35
#define EAU_FSTYPEUNKNOWN 36
+#define EAU_FIELDVALTOOBIG 37
static const struct msg_tab err_msgtab[] = {
{ -EAU_OPMISSING, 2, "-F missing operation for" },
{ -EAU_FIELDUNKNOWN, 2, "-F unknown field:" },
@@ -107,5 +108,6 @@ static const struct msg_tab err_msgtab[] = {
{ -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" },
{ -EAU_FILTERNOSUPPORT, 1, "filter is not supported by the kernel" },
{ -EAU_FSTYPEUNKNOWN, 2, "file system type is unknown for field:" },
+ { -EAU_FIELDVALTOOBIG, 2, "value is too large for field:" },
};
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index c425d5b86049..b597cafb2df8 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -69,3 +69,4 @@ _S(AUDIT_ARG3, "a3" )
_S(AUDIT_FILTERKEY, "key" )
_S(AUDIT_EXE, "exe" )
+_S(AUDIT_SADDR_FAM, "saddr_fam" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2af017a0e520..2e4b148edde9 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -40,6 +40,7 @@
#include <limits.h> /* for PATH_MAX */
#include <sys/stat.h>
#include <sys/types.h>
+#include <sys/socket.h> /* AF_MAX */
#ifdef HAVE_LIBCAP_NG
#include <cap-ng.h>
#endif
@@ -1742,6 +1743,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
else if (strcmp(v, "unset") == 0)
rule->values[rule->field_count] = 4294967295;
break;
+ case AUDIT_SADDR_FAM:
+ rule->values[rule->field_count] = strtoul(v, NULL, 0);
+ if (rule->values[rule->field_count] >= AF_MAX)
+ return -EAU_FIELDVALTOOBIG;
+ break;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 77e4142beea2..89fe4839a69b 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -356,6 +356,9 @@ extern "C" {
#ifndef AUDIT_EXE
#define AUDIT_EXE 112
#endif
+#ifndef AUDIT_SADDR_FAM
+#define AUDIT_SADDR_FAM 113
+#endif
#ifndef AUDIT_SESSIONID
#define AUDIT_SESSIONID 25
--
1.8.3.1
5 years, 5 months
[PATCH ghak64 V1] audit: add saddr_fam filter field
by Richard Guy Briggs
Provide a method to filter out sockaddr and bind calls by network
address family.
Existing SOCKADDR records are listed for any network activity.
Implement the AUDIT_SADDR_FAM field selector to be able to classify or
limit records to specific network address families, such as AF_INET or
AF_INET6.
An example of a network record that is unlikely to be useful and flood
the logs:
type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local
path=/var/run/nscd/socket }
type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64
syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3
a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb
sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=network-test
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/64
Please see the github issue for the accompanying userspace support
https://github.com/linux-audit/audit-userspace/issues/93
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/auditfilter.c | 6 ++----
kernel/auditsc.c | 5 +++++
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a1280af20336..c89c6495983d 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -281,6 +281,7 @@
#define AUDIT_OBJ_GID 110
#define AUDIT_FIELD_COMPARE 111
#define AUDIT_EXE 112
+#define AUDIT_SADDR_FAM 113
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 2c3c2f349b23..f4bb8e61a54b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -410,6 +410,8 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
/* FALL THROUGH */
case AUDIT_ARCH:
case AUDIT_FSTYPE:
+ case AUDIT_EXE:
+ case AUDIT_SADDR_FAM:
if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
break;
@@ -425,10 +427,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
if (f->val > AUDIT_MAX_FIELD_COMPARE)
return -EINVAL;
break;
- case AUDIT_EXE:
- if (f->op != Audit_not_equal && f->op != Audit_equal)
- return -EINVAL;
- break;
}
return 0;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5371b59bde36..0a830f67ca7a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -615,6 +615,11 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
break;
+ case AUDIT_SADDR_FAM:
+ if (ctx->sockaddr)
+ result = audit_comparator(ctx->sockaddr->ss_family,
+ f->op, f->val);
+ break;
case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE:
case AUDIT_SUBJ_TYPE:
--
1.8.3.1
5 years, 6 months
[PATCH 0/5] vfs: track the dentry name length in name_snapshot
by Jeff Layton
name_snapshot will snapshot the current contents of a dentry's name for
later consumption. Several of those users end up needing to do a strlen
on the resulting string later. We already have that info in the original
dentry though, so we can do this a bit more efficiently by stuffing the
name length into the name_snapshot as well.
This is not well tested, but it built and booted. Do we have a testsuite
that exercises the fsnotify code, in particular?
Jeff Layton (5):
dcache: track the length of the string in struct name_snapshot
fsnotify: have fsnotify_move take a struct qstr instead of a string
fsnotify: have fsnotify() take a qstr instead of a string
fsnotify: change ->handle_event and send_to_group to take a qstr
audit: fix audit_compare_dname_path to take a qstr
fs/dcache.c | 11 +++++++----
fs/debugfs/inode.c | 2 +-
fs/kernfs/file.c | 6 ++++--
fs/namei.c | 4 ++--
fs/notify/dnotify/dnotify.c | 2 +-
fs/notify/fanotify/fanotify.c | 2 +-
fs/notify/fsnotify.c | 8 ++++----
fs/notify/inotify/inotify.h | 2 +-
fs/notify/inotify/inotify_fsnotify.c | 6 +++---
fs/overlayfs/export.c | 2 +-
include/linux/dcache.h | 2 +-
include/linux/fsnotify.h | 17 ++++++++---------
include/linux/fsnotify_backend.h | 6 +++---
kernel/audit.h | 3 ++-
kernel/audit_fsnotify.c | 5 +++--
kernel/audit_tree.c | 2 +-
kernel/audit_watch.c | 4 ++--
kernel/auditfilter.c | 7 ++++---
kernel/auditsc.c | 7 +++----
19 files changed, 52 insertions(+), 46 deletions(-)
--
2.20.1
5 years, 6 months
audisp-remote with krb5
by Ray Shaw
I've been struggling to set up audisp-remote with krb5 enabled, and also
struggling to find much information/guidance regarding it.
I'm trying to get this working on RHEL7 due to organizational
requirements. Based on the man pages, I created a key file on the server:
addprinc -randkey auditd/server.example.com
ktadd -k /home/me/audit.key auditd/server.example.com
then placed this (root:root 0400) in /etc/audit and set the following:
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/audit/audit.key
For the client:
addprinc -randkey auditd/client.example.com
ktadd -k /home/me/audisp-remote.key auditd/client.example.com
then placed this (root:root 0400) in /etc/audisp and set the following:
enable_krb5 = yes
krb5_principal = auditd/server.example.com
krb5_client_name = auditd
krb5_key_file = /etc/audisp/audisp-remote.key
I'm getting this message over and over again on the client:
Apr 17 08:21:07 client audisp-remote: GSS error: initializing context:
Success
Apr 17 08:21:07 client audisp-remote: kerberos principal: auditd/
client.example.com(a)REALM.COM
Apr 17 08:21:07 client audisp-remote: GSS error: initializing context:
Invalid token was supplied
and this on the server:
Apr 17 08:56:53 server auditd[134051]: GSS-API error: event length excedes
MAX_AUDIT_LENGTH
Apr 17 08:56:53 server auditd[134051]: TCP session from ::ffff:<client
IP>:44354 will be closed, error ignored
(sorry about having to mask the actual hostnames/IPs/etc.)
Any idea what I'm doing wrong? Based on what I've found online, it seems
most people don't use krb5, but unfortunately I'm now required to try.
We've been using audisp for years, and it works fine with krb5 disabled.
I'm...pretty sure my Kerberos realm is fine, since that's what we use for
authentication (gdm, SSH, etc.) Though it is not the RHEL-provided
Kerberos.
Any assistance would be greatly appreciated.
--Ray
5 years, 6 months
An update on my kernel "secnext" builds and testing
by Paul Moore
Hello all,
A while back I started building Fedora Rawhide kernels with the
selinux/next and audit/next branches applied, making them available
via a Fedora COPR repository. My hope was that this would help make
it easier for people to test/try the patches we had queued up for the
next merge window and also enable some additional work to do fully
automated testing of the selinux/next and audit/next trees. While I'm
not sure how many people besides myself run the secnext kernel builds
on their test systems, I have finally gotten all the pieces in place
so that we have fully automated testing for the {selinux,audit}/next
trees. It may have taken almost four years, but better late than
never :)
For those of you who are interested, the test results are sent to the
mailing list below (yes, it's a Google group, and no you don't need to
have a Google account). The build notifications and test results are
sent to a separate list simply because I didn't want to spam the main
mailing lists.
* https://groups.google.com/forum/#!forum/kernel-secnext
In addition, I've run into enough problems with COPR over the years
that I've started to build my own kernel packages from the secnext
SRPMs. While I really like the idea of COPR, the current
implementation is poorly suited for building kernel packages; perhaps
it will improve in the future, but it isn't a good solution now. I
will still keep submitting kernel builds to COPR, so those who want to
use the secnext kernels from there will continue to have that as a
valid repository, but I'm unlikely to spend any significant time
working to resolve COPR specific build problems. For those who want
to try the kernel packages that I'm building, you can find more
information at the link below:
* https://repo.paul-moore.com
At some point in the future I would like to also build secnext kernels
for other distros, but I need to spend a little bit of time learning
the "proper" way to patch and build kernel packages for those other
distros first. I'm leaning towards Debian as the first non-Fedora
distro, but if anyone has a favorite distro, with good SELinux/audit
support, please let me know.
-Paul
--
paul moore
www.paul-moore.com
5 years, 6 months
[PATCH v3] audit: fix a memory leak bug
by Wenwen Wang
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
or AUDIT_DEL_RULE.
Signed-off-by: Wenwen Wang <wang6495(a)umn.edu>
---
kernel/auditfilter.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 63f8b3f..3ac71c4 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1114,22 +1114,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
int err = 0;
struct audit_entry *entry;
- entry = audit_data_to_entry(data, datasz);
- if (IS_ERR(entry))
- return PTR_ERR(entry);
-
switch (type) {
case AUDIT_ADD_RULE:
+ entry = audit_data_to_entry(data, datasz);
+ if (IS_ERR(entry))
+ return PTR_ERR(entry);
err = audit_add_rule(entry);
audit_log_rule_change("add_rule", &entry->rule, !err);
break;
case AUDIT_DEL_RULE:
+ entry = audit_data_to_entry(data, datasz);
+ if (IS_ERR(entry))
+ return PTR_ERR(entry);
err = audit_del_rule(entry);
audit_log_rule_change("remove_rule", &entry->rule, !err);
break;
default:
- err = -EINVAL;
WARN_ON(1);
+ return -EINVAL;
}
if (err || type == AUDIT_DEL_RULE) {
--
2.7.4
5 years, 6 months
[PATCH v2] audit: fix a memory leak bug
by Wenwen Wang
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
or AUDIT_DEL_RULE.
Signed-off-by: Wenwen Wang <wang6495(a)umn.edu>
---
kernel/auditfilter.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 63f8b3f..923b858 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1114,22 +1114,28 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
int err = 0;
struct audit_entry *entry;
- entry = audit_data_to_entry(data, datasz);
- if (IS_ERR(entry))
- return PTR_ERR(entry);
-
switch (type) {
case AUDIT_ADD_RULE:
+ entry = audit_data_to_entry(data, datasz);
+ if (IS_ERR(entry))
+ return PTR_ERR(entry);
+
err = audit_add_rule(entry);
audit_log_rule_change("add_rule", &entry->rule, !err);
break;
+
case AUDIT_DEL_RULE:
+ entry = audit_data_to_entry(data, datasz);
+ if (IS_ERR(entry))
+ return PTR_ERR(entry);
+
err = audit_del_rule(entry);
audit_log_rule_change("remove_rule", &entry->rule, !err);
break;
+
default:
- err = -EINVAL;
WARN_ON(1);
+ return -EINVAL;
}
if (err || type == AUDIT_DEL_RULE) {
--
2.7.4
5 years, 6 months
[PATCH] audit: fix a memory leak bug
by Wenwen Wang
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, free the allocated tree in the default case.
Signed-off-by: Wenwen Wang <wang6495(a)umn.edu>
---
kernel/auditfilter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 63f8b3f..70a34db 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1128,6 +1128,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
audit_log_rule_change("remove_rule", &entry->rule, !err);
break;
default:
+ if (entry->rule.tree)
+ audit_put_tree(entry->rule.tree);
err = -EINVAL;
WARN_ON(1);
}
--
2.7.4
5 years, 6 months