[PATCH] audit: mark expected switch fall-through
by Gustavo A. R. Silva
In preparation for enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.
This patch fixes the following warning:
kernel/auditfilter.c: In function ‘audit_krule_to_data’:
kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
^
kernel/auditfilter.c:674:3: note: here
default:
^~~~~~~
Warning level 3 was used: -Wimplicit-fallthrough=3
Notice that, in this particular case, the code comment is modified
in accordance with what GCC is expecting to find.
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.
Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com>
---
kernel/auditfilter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index add360b46b38..63f8b3f26fab 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -670,7 +670,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->values[i] = AUDIT_UID_UNSET;
break;
}
- /* fallthrough if set */
+ /* fall through - if set */
default:
data->values[i] = f->val;
}
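Review bot: the new comment sits directly between the closing brace of the inner `if` block and the `default:` label, which is the only placement -Wimplicit-fallthrough=3 accepts; the old `/* fallthrough if set */` was rejected because GCC's level-3 comment patterns only allow trailing words when they are introduced by a dash, which `/* fall through - if set */` now has. Comment-only change, so behaviour is unaffected and the original intent is preserved.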
--
2.20.1
[PATCH ghak90 V6 00/10] audit: implement container identifier
by Richard Guy Briggs
Implement kernel audit container identifier.
This patchset is a fifth based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch was the last patch from ghak81 that was absorbed into
this patchset since its primary justification is the rest of this
patchset.
The second patch implements the proc fs write to set the audit container
identifier of a process, emitting an AUDIT_CONTAINER_OP record to
announce the registration of that audit container identifier on that
process. This patch requires userspace support for record acceptance
and proper type display.
The third implements reading the audit container identifier from the
proc filesystem for debugging. This patch wasn't planned for upstream
inclusion but is starting to become more likely.
The fourth implements the auxiliary record AUDIT_CONTAINER_ID if an audit
container identifier is associated with an event. This patch requires
userspace support for proper type display.
The 5th adds audit daemon signalling provenance through audit_sig_info2.
The 6th creates a local audit context to be able to bind a standalone
record with a locally created auxiliary record.
The 7th patch adds audit container identifier records to the user
standalone records.
The 8th adds audit container identifier filtering to the exit,
exclude and user lists. This patch adds the AUDIT_CONTID field and
requires auditctl userspace support for the --contid option.
The 9th adds network namespace audit container identifier labelling
based on member tasks' audit container identifier labels.
The 10th adds audit container identifier support to standalone netfilter
records that don't have a task context and lists each container to which
that net namespace belongs.
Example: Set an audit container identifier of 123456 to the "sleep" task:
sleep 2&
child=$!
echo 123456 > /proc/$child/audit_containerid; echo $?
ausearch -ts recent -m container_op
echo child:$child contid:$( cat /proc/$child/audit_containerid)
This should produce a record such as:
type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes
Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid:
contid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child=$!
echo $contid > /proc/$child/audit_containerid
sleep 2
ausearch -i -ts recent -k $key
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
rm -f /tmp/$key
This should produce an event such as:
type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459
type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile);
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root
type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid
Example: Test multiple containers on one netns:
sleep 5 &
child1=$!
containerid1=123451
echo $containerid1 > /proc/$child1/audit_containerid
sleep 5 &
child2=$!
containerid2=123452
echo $containerid2 > /proc/$child2/audit_containerid
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -I INPUT -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1;
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1;
ausearch -i -m NETFILTER_PKT -ts boot|grep mark=0x12345555
ausearch -i -m NETFILTER_PKT -ts boot|grep contid=|grep $containerid1|grep $containerid2
This should produce an event such as:
type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451
Includes the last patch of https://github.com/linux-audit/audit-kernel/issues/81
Please see the github audit kernel issue for the main feature:
https://github.com/linux-audit/audit-kernel/issues/90
and the kernel filter code:
https://github.com/linux-audit/audit-kernel/issues/91
and the network support:
https://github.com/linux-audit/audit-kernel/issues/92
Please see the github audit userspace issue for supporting record types:
https://github.com/linux-audit/audit-userspace/issues/51
and filter code:
https://github.com/linux-audit/audit-userspace/issues/40
Please see the github audit testsuite issue for the test case:
https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview:
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Changelog:
v6
- change TMPBUFLEN from 11 to 21 to cover the decimal value of contid
u64 (nhorman)
- fix bug overwriting ctx in struct audit_sig_info, move cid above
ctx[0] (nhorman)
- fix bug skipping remaining fields and not advancing bufp when copying
out contid in audit_krule_to_data (omosnacec)
- add acks, tidy commit descriptions, other formatting fixes (checkpatch
wrong on audit_log_lost)
- cast ull for u64 prints
- target_cid tracking was moved from the ptrace/signal patch to
container_op
- target ptrace and signal records were moved from the ptrace/signal
patch to container_id
- auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
request and record
- ditch unnecessary list_empty() checks
- check for null net and aunet in audit_netns_contid_add()
- swap CONTAINER_OP contid/old-contid order to ease parsing
v5
- address loginuid and sessionid syscall scope in ghak104
- address audit_context in CONFIG_AUDIT vs CONFIG_AUDITSYSCALL in ghak105
- remove tty patch, addressed in ghak106
- rebase on audit/next v5.0-rc1
w/ghak59/ghak104/ghak103/ghak100/ghak107/ghak105/ghak106/ghak105sup
- update CONTAINER_ID to CONTAINER_OP in patch description
- move audit_context in audit_task_info to CONFIG_AUDITSYSCALL
- move audit_alloc() and audit_free() out of CONFIG_AUDITSYSCALL and into
CONFIG_AUDIT and create audit_{alloc,free}_syscall
- use plain kmem_cache_alloc() rather than kmem_cache_zalloc() in audit_alloc()
- fix audit_get_contid() declaration type error
- move audit_set_contid() from auditsc.c to audit.c
- audit_log_contid() returns void
- audit_log_contid() handed contid rather than tsk
- switch from AUDIT_CONTAINER to AUDIT_CONTAINER_ID for aux record
- move audit_log_contid(tsk/contid) & audit_contid_set(tsk)/audit_contid_valid(contid)
- switch from tsk to current
- audit_alloc_local() calls audit_log_lost() on failure to allocate a context
- add AUDIT_USER* non-syscall contid record
- cosmetic cleanup double parens, goto out on err
- ditch audit_get_ns_contid_list_lock(), fix aunet lock race
- switch from all-cpu read spinlock to rcu, keep spinlock for write
- update audit_alloc_local() to use ktime_get_coarse_real_ts64()
- add nft_log support
- add call from do_exit() in audit_free() to remove contid from netns
- relegate AUDIT_CONTAINER ref= field (was op=) to debug patch
v4
- preface set with ghak81:"collect audit task parameters"
- add shallyn and sgrubb acks
- rename feature bitmap macro
- rename cid_valid() to audit_contid_valid()
- rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- delete audit_get_contid_list() from headers
- move work into inner if, delete "found"
- change netns contid list function names
- move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch
- list contids CSV
- pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers)
- use "local" in lieu of abusing in_syscall for auditsc_get_stamp()
- read_lock(&tasklist_lock) around children and thread check
- task_lock(tsk) should be taken before first check of tsk->audit
- add spin lock to contid list in aunet
- restrict /proc read to CAP_AUDIT_CONTROL
- remove set again prohibition and inherited flag
- delete contidion spelling fix from patchset, send to netdev/linux-wireless
v3
- switched from containerid in task_struct to audit_task_info (depends on ghak81)
- drop INVALID_CID in favour of only AUDIT_CID_UNSET
- check for !audit_task_info, throw -ENOPROTOOPT on set
- changed -EPERM to -EEXIST for parent check
- return AUDIT_CID_UNSET if !audit_enabled
- squash child/thread check patch into AUDIT_CONTAINER_ID patch
- changed -EPERM to -EBUSY for child check
- separate child and thread checks, use -EALREADY for latter
- move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch
- fix && to || bashism in ptrace/signal patch
- uninline and export function for audit_free_context()
- drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches
- move audit_enabled check (xt_AUDIT)
- switched from containerid list in struct net to net_generic's struct audit_net
- move containerid list iteration into audit (xt_AUDIT)
- create function to move namespace switch into audit
- switched /proc/PID/ entry from containerid to audit_containerid
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context()
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info()
- use xt_net(par) instead of sock_net(skb->sk) to get net
- switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID
- allow to set own contid
- open code audit_set_containerid
- add contid inherited flag
- ccontainerid and pcontainerid eliminated due to inherited flag
- change name of container list functions
- rename containerid to contid
- convert initial container record to syscall aux
- fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision
v2
- add check for children and threads
- add network namespace container identifier list
- add NETFILTER_PKT audit container identifier logging
- patch description and documentation clean-up and example
- reap unused ppid
Richard Guy Briggs (10):
audit: collect audit task parameters
audit: add container id
audit: read container ID of a process
audit: log container info of syscalls
audit: add contid support for signalling the audit daemon
audit: add support for non-syscall auxiliary records
audit: add containerid support for user records
audit: add containerid filtering
audit: add support for containerid to network namespaces
audit: NETFILTER_PKT: record each container ID associated with a netNS
fs/proc/base.c | 57 +++++++-
include/linux/audit.h | 113 +++++++++++++--
include/linux/sched.h | 7 +-
include/uapi/linux/audit.h | 9 +-
init/init_task.c | 3 +-
init/main.c | 2 +
kernel/audit.c | 325 ++++++++++++++++++++++++++++++++++++++++++--
kernel/audit.h | 9 ++
kernel/auditfilter.c | 47 +++++++
kernel/auditsc.c | 90 ++++++++----
kernel/fork.c | 1 -
kernel/nsproxy.c | 4 +
net/netfilter/nft_log.c | 11 +-
net/netfilter/xt_AUDIT.c | 11 +-
security/selinux/nlmsgtab.c | 1 +
15 files changed, 627 insertions(+), 63 deletions(-)
--
1.8.3.1
[PATCH ghak57 V2] selinux: format all invalid context as untrusted
by Richard Guy Briggs
The userspace tools expect all fields of the same name to be logged
consistently with the same encoding. Since the invalid_context fields
contain untrusted strings in selinux_inode_setxattr()
and selinux_setprocattr(), encode all instances of this field the same
way as though they were untrusted even though
compute_sid_handle_invalid_context() and security_sid_mls_copy() are
trusted.
Please see github issue
https://github.com/linux-audit/audit-kernel/issues/57
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/ss/services.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index cc043bc8fd4c..a1c89ac22f1d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1588,6 +1588,7 @@ static int compute_sid_handle_invalid_context(
struct policydb *policydb = &state->ss->policydb;
char *s = NULL, *t = NULL, *n = NULL;
u32 slen, tlen, nlen;
+ struct audit_buffer *ab;
if (context_struct_to_string(policydb, scontext, &s, &slen))
goto out;
@@ -1595,12 +1596,14 @@ static int compute_sid_handle_invalid_context(
goto out;
if (context_struct_to_string(policydb, newcontext, &n, &nlen))
goto out;
- audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "op=security_compute_sid invalid_context=%s"
- " scontext=%s"
- " tcontext=%s"
- " tclass=%s",
- n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
+ ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
+ audit_log_format(ab,
+ "op=security_compute_sid invalid_context=");
+ /* no need to record the NUL with untrusted strings */
+ audit_log_n_untrustedstring(ab, n, nlen - 1);
+ audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",
+ s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
+ audit_log_end(ab);
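Review bot: `nlen - 1` relies on context_struct_to_string() always counting the terminating NUL in `nlen`; `nlen` is a u32, so if it were ever 0 the subtraction wraps and audit_log_n_untrustedstring() would read far beyond `n`. Either state that invariant in the `/* no need to record the NUL ... */` comment or keep the `n[nlen - 1] == '\0'` check from V1 of this patch. audit_log_start() may return NULL with auditing off or under GFP_ATOMIC pressure; that is fine here because audit_log_format(), audit_log_n_untrustedstring() and audit_log_end() all ignore a NULL buffer.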
out:
kfree(s);
kfree(t);
@@ -3007,10 +3010,16 @@ int security_sid_mls_copy(struct selinux_state *state,
if (rc) {
if (!context_struct_to_string(policydb, &newcon, &s,
&len)) {
- audit_log(audit_context(),
- GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "op=security_sid_mls_copy "
- "invalid_context=%s", s);
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(audit_context(),
+ GFP_ATOMIC,
+ AUDIT_SELINUX_ERR);
+ audit_log_format(ab,
+ "op=security_sid_mls_copy invalid_context=");
+ /* don't record NUL with untrusted strings */
+ audit_log_n_untrustedstring(ab, s, len - 1);
+ audit_log_end(ab);
kfree(s);
}
goto out_unlock;
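Review bot: same `len - 1` invariant as in compute_sid_handle_invalid_context() above and worth the same comment or guard; `s` itself is guaranteed non-NULL inside `if (!context_struct_to_string(...))`, so no NULL check is needed. With the identical start/format/untrustedstring/end sequence now in two places, a small helper taking the op string and the context buffer would remove the duplication.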
--
1.8.3.1
Re: [PATCH v3 21/24] Audit: Store LSM audit information in an lsmblob
by Paul Moore
On Mon, Jun 24, 2019 at 9:01 PM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
> On 6/24/2019 2:33 PM, John Johansen wrote:
> > On 6/21/19 11:52 AM, Casey Schaufler wrote:
> >> Change the audit code to store full lsmblob data instead of
> >> a single u32 secid. This allows for multiple security modules
> >> to use the audit system at the same time. It also allows the
> >> removal of scaffolding code that was included during the
> >> revision of LSM interfaces.
> >>
> >> Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com>
> > I know Kees raised this too, but I haven't seen a reply
> >
> > Eric (Paul is already CCed): I have directly added you because of
> > the question below.
> >
> > In summary there isn't necessarily a single secid any more, and
> > we need to know whether dropping the logging of the secid or
> > logging all secids is the correct action.
>
> It is to be considered that this is an error case. If
> everything is working normally you should have produced
> a secctx previously, which you'll have included in the
> audit record. Including the secid in the record ought to
> be pointless, as the secid is strictly an internal token
> with no meaning outside the running kernel. You are providing
> no security relevant information by providing the secid.
> I will grant the possibility that the secid might be useful
> in debugging, but for that a pr_warn is more appropriate
> than a field in the audit record.
FWIW, this probably should have been CC'd to the audit list.
I agree that this is an error case (security_secid_to_secctx() failed
to resolve the secid) and further that logging the secid, or a
collection of secids, has little value the way things currently work.
Since secids are a private kernel implementation detail, we don't
really display them outside the context of the kernel, including in
the audit logs. Recording a secid in this case doesn't provide
anything meaningful since secids aren't recorded in the audit record
stream, only the secctxs, and there is no "magic decoder ring" to go
between the two in the audit logs, or anywhere else in userspace for
that matter.
> >> ---
> >> kernel/audit.h | 6 +++---
> >> kernel/auditsc.c | 38 +++++++++++---------------------------
> >> 2 files changed, 14 insertions(+), 30 deletions(-)
...
> >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> >> index 0478680cd0a8..d3ad13f11788 100644
> >> --- a/kernel/auditsc.c
> >> +++ b/kernel/auditsc.c
> >> @@ -1187,21 +1184,18 @@ static void show_special(struct audit_context *context, int *call_panic)
> >> context->socketcall.args[i]);
> >> break; }
> >> case AUDIT_IPC: {
> >> - u32 osid = context->ipc.osid;
> >> + struct lsmblob *olsm = &context->ipc.olsm;
> >>
> >> audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
> >> from_kuid(&init_user_ns, context->ipc.uid),
> >> from_kgid(&init_user_ns, context->ipc.gid),
> >> context->ipc.mode);
> >> - if (osid) {
> >> + if (lsmblob_is_set(olsm)) {
> >> struct lsmcontext lsmcxt;
> >> - struct lsmblob blob;
> >>
> >> - lsmblob_init(&blob, osid);
> >> - if (security_secid_to_secctx(&blob, &lsmcxt)) {
> >> - audit_log_format(ab, " osid=%u", osid);
> > I am not comfortable just dropping this I would think logging all secids is the
> > correct action here.
> >
> >
> >> + if (security_secid_to_secctx(olsm, &lsmcxt))
> >> *call_panic = 1;
> >> - } else {
> >> + else {
> >> audit_log_format(ab, " obj=%s", lsmcxt.context);
> >> security_release_secctx(&lsmcxt);
> >> }
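Review bot: kernel coding style wants braces on both branches once one of them needs braces, so `if (security_secid_to_secctx(olsm, &lsmcxt))` / `*call_panic = 1;` should be braced to match the `else {` block. With the `osid=%u` fallback gone, the failure path now records nothing about the object label; given the conclusion above that a secid has no meaning to userspace, a one-line comment at that `if` saying the omission is deliberate would keep the next reader from reinstating it.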
--
paul moore
www.paul-moore.com
Possible memory leak in auparse_interpret_sock_parts()
by Tarun Ramesh
Hi,
In the function auparse_interpret_sock_parts() in auparse/auparse.c, for
the line:
const char *val = nvlist_interp_cur_val(r, au->escape_mode);
I see that the function nvlist_interp_cur_val() eventually calls
auparse_do_interpretation() which has the comment "Returns a malloc'ed
buffer that the caller must free"
The call path is:
nvlist_interp_cur_val() -> interpret() -> auparse_do_interpretation()
In auparse_interpret_sock_parts():
const char *val = nvlist_interp_cur_val(r, au->escape_mode);
is called and then the value of 'val' is overwritten by:
val = strstr(tmp, field);
The initial memory pointed to by 'val' is never freed, which might be a
memory leak.
Please let me know if I'm missing something.
Thanks,
Tarun
audit-3.0
by MAUPERTUIS, PHILIPPE
Hi,
On the mailing list a few days ago, it was announced that Audit-3.0 alpha8 was available.
I am a little bit confused because on a RHEL 8 server I get:
rpm -q audit
audit-3.0-0.10.20180831git0047a6c.el8.x86_64
What is the link between the RHEL 8 rpm and the audit-3.0 version announced?
I can't imagine RHEL8 using an alpha version.
As a side note, the RHEL 8 rpm has the following description:
rpm -qi audit
Name : audit
Version : 3.0
Release : 0.10.20180831git0047a6c.el8
Architecture: x86_64
Install Date: Mon 17 Jun 2019 05:55:23 PM CEST
Group : Unspecified
Size : 678098
License : GPLv2+
Signature : RSA/SHA256, Wed 09 Jan 2019 07:26:49 PM CET, Key ID 199e2f91fd431d51
Source RPM : audit-3.0-0.10.20180831git0047a6c.el8.src.rpm
Build Date : Wed 09 Jan 2019 06:26:29 PM CET
Build Host : x86-vm-06.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://people.redhat.com/sgrubb/audit/
Summary : User space tools for 2.6 kernel auditing
Of course the kernel for RHEL8 is:
rpm -q kernel
kernel-4.18.0-80.el8.x86_64
Any clarification is welcome
Philippe
[PATCH ghak57 V1] selinux: format all invalid context as untrusted
by Richard Guy Briggs
All instances of one field type should be encoded in the same way.
Since some invalid_context fields can contain untrusted strings, encode
all instances of this field the same way.
Please see github issue
https://github.com/linux-audit/audit-kernel/issues/57
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Passes audit-testsuite.
security/selinux/ss/services.c | 48 +++++++++++++++++++++++++++++++++---------
1 file changed, 38 insertions(+), 10 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index cc043bc8fd4c..817576802f7d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1588,6 +1588,8 @@ static int compute_sid_handle_invalid_context(
struct policydb *policydb = &state->ss->policydb;
char *s = NULL, *t = NULL, *n = NULL;
u32 slen, tlen, nlen;
+ struct audit_buffer *ab;
+ size_t audit_size;
if (context_struct_to_string(policydb, scontext, &s, &slen))
goto out;
@@ -1595,12 +1597,22 @@ static int compute_sid_handle_invalid_context(
goto out;
if (context_struct_to_string(policydb, newcontext, &n, &nlen))
goto out;
- audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "op=security_compute_sid invalid_context=%s"
- " scontext=%s"
- " tcontext=%s"
- " tclass=%s",
- n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
+ /* We strip a nul only if it is at the end, otherwise the
+ * context contains a nul and we should audit that */
+ if (n) {
+ if (n[nlen - 1] == '\0')
+ audit_size = nlen - 1;
+ else
+ audit_size = nlen;
+ } else {
+ audit_size = 0;
+ }
+ ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
+ audit_log_format(ab, "op=security_compute_sid invalid_context=");
+ audit_log_n_untrustedstring(ab, n, audit_size);
+ audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",
+ s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
+ audit_log_end(ab);
out:
kfree(s);
kfree(t);
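Review bot: `n` cannot be NULL at this point, since the function already jumped to `out` when context_struct_to_string(policydb, newcontext, &n, &nlen) failed, so the `else { audit_size = 0; }` branch is dead code. The guard that is actually needed is on `nlen`: with `nlen == 0` the `n[nlen - 1]` read wraps the u32 index. Also, kernel style puts `/*` on its own line for multi-line comments.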
@@ -3007,10 +3019,26 @@ int security_sid_mls_copy(struct selinux_state *state,
if (rc) {
if (!context_struct_to_string(policydb, &newcon, &s,
&len)) {
- audit_log(audit_context(),
- GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "op=security_sid_mls_copy "
- "invalid_context=%s", s);
+ struct audit_buffer *ab;
+ size_t audit_size;
+
+ /* We strip a nul only if it is at the
+ * end, otherwise the context contains a
+ * nul and we should audit that */
+ if (s) {
+ if (s[len - 1] == '\0')
+ audit_size = len - 1;
+ else
+ audit_size = len;
+ } else {
+ audit_size = 0;
+ }
+ ab = audit_log_start(audit_context(),
+ GFP_ATOMIC,
+ AUDIT_SELINUX_ERR);
+ audit_log_format(ab, "op=security_sid_mls_copy invalid_context=");
+ audit_log_n_untrustedstring(ab, s, audit_size);
+ audit_log_end(ab);
kfree(s);
}
goto out_unlock;
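Review bot: same two points as above: `s` is non-NULL inside `if (!context_struct_to_string(policydb, &newcon, &s, &len))`, making the `if (s)` / `audit_size = 0` branch unreachable, while `s[len - 1]` still has no `len` guard. The NUL-stripping block is now copied verbatim into two functions; a helper would keep the two from drifting apart.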
--
1.8.3.1
auparse_feed callback on EOE record
by Tarun Ramesh
Hi,
I'm using libauparse version 2.8.3. I am trying to experiment with
auparse_feed() with records directly received from audit_get_reply()
instead of from a log file.
My code is as follows:
(I have left out declarations and error handling for brevity)
/*******************************/
auditfd = audit_open();
rc = audit_is_enabled(auditfd);
if (0 == rc)
{
    rc = audit_set_enabled(auditfd, 1);
}
rc = audit_set_pid(auditfd, getpid(), WAIT_YES);
rule = (struct audit_rule_data *) malloc(sizeof(struct audit_rule_data));
memset(rule, 0, sizeof(struct audit_rule_data));
rc = audit_add_dir(&rule, "/home");
rc = audit_update_watch_perms(rule, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
rc = audit_delete_rule_data(auditfd, rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
rc = audit_add_rule_data(auditfd, rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
event_cnt = (int *) malloc(sizeof(int));
au = auparse_init(AUSOURCE_FEED, NULL);
auparse_add_callback(au, on_audit_event, event_cnt, free); // callback function added here
auparse_set_escape_mode(au, AUPARSE_ESC_RAW);
pfd[0].fd = auditfd;
pfd[0].events = POLLIN;
while (1)
{
    do
    {
        rc = poll(pfd, 1, 1000); // 1 sec
    }
    while (rc < 0 && EINTR == errno);
    if (pfd[0].revents & POLLIN)
    {
        struct audit_reply reply;
        pfd[0].revents = 0;
        rc = audit_get_reply(auditfd, &reply, GET_REPLY_NONBLOCKING, 0);
        if (rc > 0)
        {
            char type_name[50] = {0};
            printf("type: %d: %s\n", reply.type, audit_msg_type_to_name(reply.type));
            printf("len: %d\n", reply.len);
            if (NULL != audit_msg_type_to_name(reply.type))
            {
                strncpy(type_name, audit_msg_type_to_name(reply.type), 49);
            }
            reply.message[reply.len] = '\0';
            printf("message: %s\n", reply.message);
            if (record_buffer_len < (reply.len + 10 + strlen(type_name)))
            {
                record_buffer_len = (reply.len + 10 + strlen(type_name));
                record_buffer = realloc(record_buffer, record_buffer_len * sizeof(char));
            }
            memset(record_buffer, 0, record_buffer_len);
            snprintf(record_buffer, (record_buffer_len - 1), "type=%s %.*s\n", type_name, reply.len, reply.message);
            printf("to auparse: %s\n", record_buffer); // record_buffer is then passed to auparse_feed()
            printf("=======================================\n\n");
            /* feed only the formatted record, not the zero padding left in the buffer */
            rc = auparse_feed(au, record_buffer, strlen(record_buffer));
            if (-1 == rc)
            {
                perror("auparse_feed ");
            }
        }
    }
}
auparse_flush_feed(au);
auparse_destroy(au);
/*******************************/
The callback function on_audit_event() just goes through the records one by
one and prints the fields and values. I have added a rule to watch for file
edits in the /home folder. I see the records for file creation in this
folder being received, however it looks like the callback function is not
being called when an EOE record is received. Please let me know if I'm
missing something.
Creating a file "test.txt" generates the following output:
type: 1300: SYSCALL
len: 305
message: audit(1560234865.559:6870): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffe4c1529a a2=941 a3=1b6 items=2 ppid=6374 pid=17381 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=4 comm="touch" exe="/bin/touch" subj==unconfined key=(null)
to auparse: type=SYSCALL audit(1560234865.559:6870): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffe4c1529a a2=941 a3=1b6 items=2 ppid=6374 pid=17381 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=4 comm="touch" exe="/bin/touch" subj==unconfined key=(null)
=======================================
type: 1307: CWD
len: 45
message: audit(1560234865.559:6870): cwd="/home/tarun"
to auparse: type=CWD audit(1560234865.559:6870): cwd="/home/tarun"
=======================================
type: 1302: PATH
len: 206
message: audit(1560234865.559:6870): item=0 name="/home/tarun" inode=14286851 dev=103:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
to auparse: type=PATH audit(1560234865.559:6870): item=0 name="/home/tarun" inode=14286851 dev=103:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
=======================================
type: 1302: PATH
len: 204
message: audit(1560234865.559:6870): item=1 name="test.txt" inode=14309805 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
to auparse: type=PATH audit(1560234865.559:6870): item=1 name="test.txt" inode=14309805 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
=======================================
type: 1327: PROCTITLE
len: 66
message: audit(1560234865.559:6870): proctitle=746F75636800746573742E747874
to auparse: type=PROCTITLE audit(1560234865.559:6870): proctitle=746F75636800746573742E747874
=======================================
type: 1320: EOE
len: 28
message: audit(1560234865.559:6870):
to auparse: type=EOE audit(1560234865.559:6870):
=======================================
The lines marked "to auparse" is the data I'm sending to auparse_feed().
Please let me know if I need to change the format of the buffer I need to
pass to auparse_feed(), or if I'm missing something else.
Thanks in advance,
Tarun
Audit-3.0 alpha8 available
by Steve Grubb
Hello,
This is to let everyone know that another audit-3.0 pre-release was made.
This rolls up a lot more fixes in the master branch since the last pre-release
was announced. Despite the designation of alpha, I feel that this is a
production quality release and can be treated that way. It has been pushed
into all supported releases of Fedora to indicate that I feel it's a good
release with significant fixes/features that people would want. The release is
based off of the tree as of commit f58ec40.
You can find the release here:
http://people.redhat.com/sgrubb/audit/audit-3.0-alpha8.tar.gz
Changelog is here:
https://github.com/linux-audit/audit-userspace/blob/f58ec40668157969d7b55b7ad3cbd21f93ac428c/ChangeLog
The reason this has not been declared a stable 3.0 release is simply because
we are still waiting for container support to land. In any event, if you find
any problems with this "release", please email this list or file an issue in
github.
Thanks,
-Steve
[PATCH] selinux: log raw contexts as untrusted strings
by Ondrej Mosnacek
These strings may come from untrusted sources (e.g. file xattrs) so they
need to be properly escaped.
Reproducer:
# setenforce 0
# touch /tmp/test
# setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
# runcon system_u:system_r:sshd_t:s0 cat /tmp/test
(look at the generated AVCs)
Actual result:
type=AVC [...] trawcon=kuřecí řízek
Expected result:
type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
Cc: stable(a)vger.kernel.org # v5.1+
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
security/selinux/avc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 8346a4f7c5d7..a99be508f93d 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
&scontext_len);
if (!rc && scontext) {
- audit_log_format(ab, " srawcon=%s", scontext);
+ if (scontext_len && scontext[scontext_len - 1] == '\0')
+ scontext_len--;
+ audit_log_format(ab, " srawcon=");
+ audit_log_n_untrustedstring(ab, scontext, scontext_len);
kfree(scontext);
}
rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
&scontext_len);
if (!rc && scontext) {
- audit_log_format(ab, " trawcon=%s", scontext);
+ if (scontext_len && scontext[scontext_len - 1] == '\0')
+ scontext_len--;
+ audit_log_format(ab, " trawcon=");
+ audit_log_n_untrustedstring(ab, scontext, scontext_len);
kfree(scontext);
}
}
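Review bot: the `scontext_len && scontext[scontext_len - 1] == '\0'` guard correctly covers a zero-length buffer before indexing, and switching to audit_log_n_untrustedstring() gives srawcon/trawcon the same quoted-or-hex encoding as every other untrusted field. The two blocks are identical apart from the field name; a small static helper taking the name and the buffer would halve the hunk and keep the srawcon and trawcon paths in step.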
--
2.20.1
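As an added example (not code from any message on this page), a small Python parser that does on the userspace side what the auparse_feed() question and the untrusted-string patches above are about: it splits raw records in the form fed to auparse_feed(), groups them by serial until the EOE record closes the event, and mirrors the kernel's audit_log_n_untrustedstring() rule (quoted when printable ASCII, upper-case hex otherwise) so that proctitle, the trawcon value from the reproducer and the comma-separated contid list from the NETFILTER_PKT example decode correctly. The regexes, the UNTRUSTED_FIELDS set and the sample records are constructed for this example.

```python
import re

# Header of a raw record as fed to auparse_feed() above ("type=X audit(ts:serial): ...")
# or as printed by ausearch in the container-id examples ("type=X msg=audit(ts:serial) : ...").
# The lazy ts group copes with interpreted timestamps that contain colons themselves.
_HEADER = re.compile(
    r"^type=(?P<type>\w+)\s+(?:msg=)?audit\((?P<ts>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
_FIELD = re.compile(r'(?P<key>[\w\-]+)=(?P<val>"[^"]*"|\S*)')

# Fields the kernel writes with audit_log_untrustedstring() and friends (assumed set).
# Only these use the quoted-or-hex encoding; a bare hex value anywhere else
# (a0=ffffff9c, mode=0100664) is a number and must never be "decoded".
UNTRUSTED_FIELDS = {"proctitle", "comm", "exe", "name", "cwd", "key",
                    "srawcon", "trawcon", "invalid_context"}

def audit_string_contains_control(data: bytes) -> bool:
    """Mirror of the kernel predicate: a '"', any byte below 0x21 (space, NUL,
    control characters) or above 0x7e (non-ASCII) forces hex encoding."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in data)

def encode_untrusted(data: bytes) -> str:
    """What audit_log_n_untrustedstring() emits: the bytes in double quotes when
    they are plain printable ASCII, otherwise upper-case hex of every byte."""
    if audit_string_contains_control(data):
        return data.hex().upper()
    return '"' + data.decode("ascii") + '"'

def decode_untrusted(value: str) -> bytes:
    """Inverse of encode_untrusted(); "(null)" is what the kernel prints for a
    missing key and decodes to an empty string."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode("ascii")
    if value == "(null)":
        return b""
    try:
        return bytes.fromhex(value)
    except ValueError:  # not hex at all: keep the raw text
        return value.encode("ascii", "replace")

def parse_record(line: str) -> dict:
    """Split one raw record into type, timestamp, serial and a field dict."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for f in _FIELD.finditer(m.group("body")):
        key, val = f.group("key"), f.group("val")
        fields[key] = decode_untrusted(val) if key in UNTRUSTED_FIELDS else val
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}

def group_events(lines):
    """Yield (serial, [records]) per event. All records of an event share a
    serial; the field-less EOE record is the kernel's signal that nothing more
    follows for it, so the event is emitted there (EOE itself is consumed).
    Events still open when the input ends are flushed without an EOE."""
    pending = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == "EOE":
            yield rec["serial"], pending.pop(rec["serial"], [])
        else:
            pending.setdefault(rec["serial"], []).append(rec)
    for serial, recs in pending.items():
        yield serial, recs

def proctitle_argv(records) -> list:
    """proctitle is argv joined with NULs, which is why it is always hex."""
    for rec in records:
        if rec["type"] == "PROCTITLE":
            return [a.decode("utf-8", "replace")
                    for a in rec["fields"]["proctitle"].split(b"\0")]
    return []

def container_ids(records) -> set:
    """CONTAINER_ID carries every contid of the event, comma-separated when a
    net namespace belongs to several containers (NETFILTER_PKT example above)."""
    ids = set()
    for rec in records:
        if rec["type"] == "CONTAINER_ID":
            ids.update(int(c) for c in rec["fields"]["contid"].split(","))
    return ids

# Constructed sample: the records from the auparse_feed() question, in the form
# that message fed them, plus the netns event from the container-id examples.
SAMPLE = """\
type=SYSCALL audit(1560234865.559:6870): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffe4c1529a a2=941 a3=1b6 items=2 ppid=6374 pid=17381 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=4 comm="touch" exe="/bin/touch" subj==unconfined key=(null)
type=CWD audit(1560234865.559:6870): cwd="/home/tarun"
type=PATH audit(1560234865.559:6870): item=0 name="/home/tarun" inode=14286851 dev=103:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH audit(1560234865.559:6870): item=1 name="test.txt" inode=14309805 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE audit(1560234865.559:6870): proctitle=746F75636800746573742E747874
type=EOE audit(1560234865.559:6870):
type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451
"""
```

Run `dict(group_events(SAMPLE.splitlines()))` to see the SYSCALL event closed by its EOE and the NETFILTER_PKT event flushed at end of input; note that the `mark=` field stays a plain string because it is not in UNTRUSTED_FIELDS.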