[GIT PULL] Audit patches for v5.3
by Paul Moore
Hi Linus,
This PR is a bit early, but with some vacation time coming up I wanted
to send this out now just in case the remote Internet Gods decide not
to smile on me once the merge window opens. The patchset for v5.3 is
pretty minor this time, the highlights include:
- When the audit daemon is sent a signal, ensure we deliver
information about the sender even when syscall auditing is not
enabled/supported.
- Add the ability to filter audit records based on network address family.
- Tighten the audit field filtering restrictions on string based fields.
- Clean up the audit field filtering verification code.
- Remove a few BUG() calls from the audit code.
Please pull this once the merge window opens,
-Paul
--
The following changes since commit a188339ca5a396acc588e5851ed7e19f66b0ebd9:
Linux 5.2-rc1 (2019-05-19 15:47:09 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20190702
for you to fetch changes up to 839d05e413856bd686a33b59294d4e8238169320:
audit: remove the BUG() calls in the audit rule comparison functions
(2019-05-30 12:53:42 -0400)
----------------------------------------------------------------
audit/stable-5.3 PR 20190702
----------------------------------------------------------------
Paul Moore (1):
audit: remove the BUG() calls in the audit rule comparison functions
Richard Guy Briggs (4):
audit: deliver signal_info regarless of syscall
audit: re-structure audit field valid checks
audit: add saddr_fam filter field
audit: enforce op for string fields
include/linux/audit.h | 9 +++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 27 +++++++++++++++++++++
kernel/audit.h | 8 ++++--
kernel/auditfilter.c | 62 ++++++++++++++++++++++++++---------------
kernel/auditsc.c | 42 +++++++++++++++++---------------
kernel/signal.c | 2 +-
7 files changed, 105 insertions(+), 46 deletions(-)
--
paul moore
www.paul-moore.com
[PATCH ghak57 V2] selinux: format all invalid context as untrusted
by Richard Guy Briggs
The userspace tools expect all fields of the same name to be logged
consistently with the same encoding. Since the invalid_context fields
contain untrusted strings in selinux_inode_setxattr()
and selinux_setprocattr(), encode all instances of this field the same
way as though they were untrusted even though
compute_sid_handle_invalid_context() and security_sid_mls_copy() are
trusted.
Please see github issue
https://github.com/linux-audit/audit-kernel/issues/57
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/ss/services.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index cc043bc8fd4c..a1c89ac22f1d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1588,6 +1588,7 @@ static int compute_sid_handle_invalid_context(
struct policydb *policydb = &state->ss->policydb;
char *s = NULL, *t = NULL, *n = NULL;
u32 slen, tlen, nlen;
+ struct audit_buffer *ab;
if (context_struct_to_string(policydb, scontext, &s, &slen))
goto out;
@@ -1595,12 +1596,14 @@ static int compute_sid_handle_invalid_context(
goto out;
if (context_struct_to_string(policydb, newcontext, &n, &nlen))
goto out;
- audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "op=security_compute_sid invalid_context=%s"
- " scontext=%s"
- " tcontext=%s"
- " tclass=%s",
- n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
+ ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
+ audit_log_format(ab,
+ "op=security_compute_sid invalid_context=");
+ /* no need to record the NUL with untrusted strings */
+ audit_log_n_untrustedstring(ab, n, nlen - 1);
+ audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",
+ s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
+ audit_log_end(ab);
out:
kfree(s);
kfree(t);
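Review bot: `nlen - 1` in the `audit_log_n_untrustedstring(ab, n, nlen - 1)` call depends on `context_struct_to_string()` returning a length that counts the trailing NUL and is never 0; `nlen` is declared `u32`, so a zero length would wrap to a very large count. The comment above the call could say that the returned length includes the terminator, or the call could guard the subtraction. Since `scontext` and `tcontext` still go out through plain `%s`, a short comment that those values are trusted would make the difference in treatment clear to the next reader.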
@@ -3007,10 +3010,16 @@ int security_sid_mls_copy(struct selinux_state *state,
if (rc) {
if (!context_struct_to_string(policydb, &newcon, &s,
&len)) {
- audit_log(audit_context(),
- GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "op=security_sid_mls_copy "
- "invalid_context=%s", s);
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(audit_context(),
+ GFP_ATOMIC,
+ AUDIT_SELINUX_ERR);
+ audit_log_format(ab,
+ "op=security_sid_mls_copy invalid_context=");
+ /* don't record NUL with untrusted strings */
+ audit_log_n_untrustedstring(ab, s, len - 1);
+ audit_log_end(ab);
kfree(s);
}
goto out_unlock;
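Review bot: the comment before `audit_log_n_untrustedstring(ab, s, len - 1)` is worded differently from the one added in `compute_sid_handle_invalid_context()` for the same operation, and `ab` is declared inside the inner block here but at function scope there; one form for both would read better. The start / format `invalid_context=` / untrusted string / end sequence now appears twice in this file, so a small helper taking the op name and the context string would keep the two call sites from drifting apart.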
--
1.8.3.1
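Why one field name needs one encoding, as an added userspace sketch (not code from the patch or the kernel): it models the untrusted-string rule as assumed here (quoted text when no byte needs escaping, bare uppercase hex otherwise) together with a parser for that rule. `encode_untrusted`, `decode_field` and the sample context are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>

static const char HEX[] = "0123456789ABCDEF";
/* Assumed per-byte rule: '"', bytes below 0x21 (controls, space, NUL) or above 0x7e force hex. */
static int needs_hex(const unsigned char *p, size_t len)
{
	for (size_t i = 0; i < len; i++)
		if (p[i] == '"' || p[i] < 0x21 || p[i] > 0x7e)
			return 1;
	return 0;
}

/* Emit len bytes of s as "quoted" text or bare uppercase hex; out must hold 2*len+3 bytes. */
static char *encode_untrusted(const char *s, size_t len, char *out)
{
	if (!needs_hex((const unsigned char *)s, len))
		sprintf(out, "\"%.*s\"", (int)len, s);
	else
		for (size_t i = 0; i < len; i++)
			sprintf(out + 2 * i, "%02X", (unsigned char)s[i]);
	return out;
}

/* Parser side: leading quote = literal text, else hex; -1 if neither. out holds strlen(v)+1. */
static int decode_field(const char *v, char *out)
{
	size_t n = strlen(v);
	if (n >= 2 && v[0] == '"' && v[n - 1] == '"') {
		memcpy(out, v + 1, n - 2);
		out[n - 2] = '\0';
		return 0;
	}
	if (n % 2 || strspn(v, HEX) != n)
		return -1;
	for (size_t i = 0; i < n; i += 2)
		out[i / 2] = (char)(16 * (strchr(HEX, v[i]) - HEX) + (strchr(HEX, v[i + 1]) - HEX));
	out[n / 2] = '\0';
	return 0;
}

int main(void)
{
	char enc[128], dec[128];
	const char *ctx = "system_u:object_r:etc_t:s0"; /* constructed sample context */
	puts(encode_untrusted(ctx, strlen(ctx), enc));     /* quoted literal */
	puts(encode_untrusted(ctx, strlen(ctx) + 1, enc)); /* NUL counted: all hex */
	printf("bare %%s-style value decodes: %d\n", decode_field(ctx, dec));
	return 0;
}
```

Counting the trailing NUL in the length forces the hex form for every value, which is what the `nlen - 1` and `len - 1` arguments in the patch avoid. A value written with a bare `%s` fits neither form, so this parser rejects it.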