Disassociating ima_filter_rule* from security_audit_rule*
by Casey Schaufler
After the last round of comments on the LSM stacking patches
Dmitry Mastykin <dmastykin(a)astralinux.ru> pointed out a
conundrum with reuse of the security_audit_rule functions
in integrity rule processing. The audit system wants to
match rules for any security module that as one. The
integrity system wants to match rules for a single, explicitly
defined LSM. The two sub-systems use common code in security.c
which needs to be changed to support multiple LSMs, but needs
to be changed differently for each of these cases. While it
would be possible to create frankensteinish versions of the
security_audit_rule functions that would handle both cases
it seems that creating "real" versions of the ima_filter_rule
functions would be considerably cleaner and easier to maintain
going forward.
I'm suggesting this now, while I'm still working on the patches,
in case there's a solid reason that frankencode is absolutely
everybody's favored approach. I plan to propose the disassociation
as a patch separate from and in advance of the stacking series.
Thanks all.
2 years, 12 months
[PATCH v2 RESEND] powerpc/audit: Convert powerpc to AUDIT_ARCH_COMPAT_GENERIC
by Christophe Leroy
Commit e65e1fc2d24b ("[PATCH] syscall class hookup for all normal
targets") added generic support for AUDIT but that didn't include
support for bi-arch like powerpc.
Commit 4b58841149dc ("audit: Add generic compat syscall support")
added generic support for bi-arch.
Convert powerpc to that bi-arch generic audit support.
Cc: Paul Moore <paul(a)paul-moore.com>
Cc: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu>
---
Resending v2 with Audit people in Cc
v2:
- Missing 'git add' for arch/powerpc/include/asm/unistd32.h
- Finalised commit description
---
arch/powerpc/Kconfig | 5 +-
arch/powerpc/include/asm/unistd32.h | 7 +++
arch/powerpc/kernel/Makefile | 3 --
arch/powerpc/kernel/audit.c | 84 -----------------------------
arch/powerpc/kernel/compat_audit.c | 44 ---------------
5 files changed, 8 insertions(+), 135 deletions(-)
create mode 100644 arch/powerpc/include/asm/unistd32.h
delete mode 100644 arch/powerpc/kernel/audit.c
delete mode 100644 arch/powerpc/kernel/compat_audit.c
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 663766fbf505..5472358609d2 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -163,6 +163,7 @@ config PPC
select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
select ARCH_WANT_LD_ORPHAN_WARN
select ARCH_WEAK_RELEASE_ACQUIRE
+ select AUDIT_ARCH_COMPAT_GENERIC
select BINFMT_ELF
select BUILDTIME_TABLE_SORT
select CLONE_BACKWARDS
@@ -316,10 +317,6 @@ config GENERIC_TBSYNC
bool
default y if PPC32 && SMP
-config AUDIT_ARCH
- bool
- default y
-
config GENERIC_BUG
bool
default y
diff --git a/arch/powerpc/include/asm/unistd32.h b/arch/powerpc/include/asm/unistd32.h
new file mode 100644
index 000000000000..07689897d206
--- /dev/null
+++ b/arch/powerpc/include/asm/unistd32.h
@@ -0,0 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#ifndef _ASM_POWERPC_UNISTD32_H_
+#define _ASM_POWERPC_UNISTD32_H_
+
+#include <asm/unistd_32.h>
+
+#endif /* _ASM_POWERPC_UNISTD32_H_ */
diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
index 7be36c1e1db6..825121eba3c2 100644
--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -125,9 +125,6 @@ obj-$(CONFIG_PCI) += pci_$(BITS).o $(pci64-y) \
pci-common.o pci_of_scan.o
obj-$(CONFIG_PCI_MSI) += msi.o
-obj-$(CONFIG_AUDIT) += audit.o
-obj64-$(CONFIG_AUDIT) += compat_audit.o
-
obj-$(CONFIG_PPC_IO_WORKAROUNDS) += io-workarounds.o
obj-y += trace/
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
deleted file mode 100644
index a2dddd7f3d09..000000000000
--- a/arch/powerpc/kernel/audit.c
+++ /dev/null
@@ -1,84 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include <linux/init.h>
-#include <linux/types.h>
-#include <linux/audit.h>
-#include <asm/unistd.h>
-
-static unsigned dir_class[] = {
-#include <asm-generic/audit_dir_write.h>
-~0U
-};
-
-static unsigned read_class[] = {
-#include <asm-generic/audit_read.h>
-~0U
-};
-
-static unsigned write_class[] = {
-#include <asm-generic/audit_write.h>
-~0U
-};
-
-static unsigned chattr_class[] = {
-#include <asm-generic/audit_change_attr.h>
-~0U
-};
-
-static unsigned signal_class[] = {
-#include <asm-generic/audit_signal.h>
-~0U
-};
-
-int audit_classify_arch(int arch)
-{
-#ifdef CONFIG_PPC64
- if (arch == AUDIT_ARCH_PPC)
- return 1;
-#endif
- return 0;
-}
-
-int audit_classify_syscall(int abi, unsigned syscall)
-{
-#ifdef CONFIG_PPC64
- extern int ppc32_classify_syscall(unsigned);
- if (abi == AUDIT_ARCH_PPC)
- return ppc32_classify_syscall(syscall);
-#endif
- switch(syscall) {
- case __NR_open:
- return 2;
- case __NR_openat:
- return 3;
- case __NR_socketcall:
- return 4;
- case __NR_execve:
- return 5;
- default:
- return 0;
- }
-}
-
-static int __init audit_classes_init(void)
-{
-#ifdef CONFIG_PPC64
- extern __u32 ppc32_dir_class[];
- extern __u32 ppc32_write_class[];
- extern __u32 ppc32_read_class[];
- extern __u32 ppc32_chattr_class[];
- extern __u32 ppc32_signal_class[];
- audit_register_class(AUDIT_CLASS_WRITE_32, ppc32_write_class);
- audit_register_class(AUDIT_CLASS_READ_32, ppc32_read_class);
- audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ppc32_dir_class);
- audit_register_class(AUDIT_CLASS_CHATTR_32, ppc32_chattr_class);
- audit_register_class(AUDIT_CLASS_SIGNAL_32, ppc32_signal_class);
-#endif
- audit_register_class(AUDIT_CLASS_WRITE, write_class);
- audit_register_class(AUDIT_CLASS_READ, read_class);
- audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
- audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
- audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
- return 0;
-}
-
-__initcall(audit_classes_init);
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
deleted file mode 100644
index 55c6ccda0a85..000000000000
--- a/arch/powerpc/kernel/compat_audit.c
+++ /dev/null
@@ -1,44 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#undef __powerpc64__
-#include <asm/unistd.h>
-
-unsigned ppc32_dir_class[] = {
-#include <asm-generic/audit_dir_write.h>
-~0U
-};
-
-unsigned ppc32_chattr_class[] = {
-#include <asm-generic/audit_change_attr.h>
-~0U
-};
-
-unsigned ppc32_write_class[] = {
-#include <asm-generic/audit_write.h>
-~0U
-};
-
-unsigned ppc32_read_class[] = {
-#include <asm-generic/audit_read.h>
-~0U
-};
-
-unsigned ppc32_signal_class[] = {
-#include <asm-generic/audit_signal.h>
-~0U
-};
-
-int ppc32_classify_syscall(unsigned syscall)
-{
- switch(syscall) {
- case __NR_open:
- return 2;
- case __NR_openat:
- return 3;
- case __NR_socketcall:
- return 4;
- case __NR_execve:
- return 5;
- default:
- return 1;
- }
-}
--
2.25.0
2 years, 12 months
[PATCH v3 0/7] Add uringop support
by Richard Guy Briggs
Audit support for iouring went into the upstream kernel with commit
5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")
and commit 67daf270cebc ("audit: add filtering for io_uring records").
Add userspace support for AUDIT_URINGOP records, uringop fields and the
AUDIT_FILTER_URING_EXIT filter list.
Changelog:
v3
- rebase on openat2
- re-factor and re-order patchset
v2
- check for watch before adding perm
- update manpage to include filesystem filter
- add support for the AUDIT_URINGOP record type
- update support for the uring filter list: doc, -U op, op names
- add uringop support to ausearch
- add uringop support to aureport
- lots of bug fixes
Richard Guy Briggs (7):
add basic support for the AUDIT_URINGOP record type
add support for the uring filter list
add support for uringop names
add field support for the AUDIT_URINGOP record type
add ausearch --uringop option
add aureport --uringop option
add iouring support to the normalizer
audisp/plugins/ids/model_behavior.c | 1 +
auparse/auparse-defs.h | 2 +-
auparse/auparse-idata.h | 1 +
auparse/ellist.c | 7 ++
auparse/interpret.c | 21 ++++-
auparse/normalize.c | 1 +
auparse/normalize_record_map.h | 1 +
auparse/rnode.h | 1 +
auparse/typetab.h | 1 +
bindings/python/auparse_python.c | 1 +
contrib/plugin/audisp-example.c | 1 +
docs/audit.rules.7 | 19 +++--
docs/audit_add_rule_data.3 | 4 +
docs/auditctl.8 | 10 ++-
docs/aureport.8 | 3 +
docs/ausearch.8 | 3 +
lib/Makefile.am | 17 +++-
lib/flagtab.h | 11 +--
lib/libaudit.c | 50 ++++++++---
lib/libaudit.h | 11 +++
lib/lookup_table.c | 21 +++++
lib/msg_typetab.h | 1 +
lib/private.h | 1 +
lib/test/lookup_test.c | 17 ++++
lib/uringop_table.h | 62 ++++++++++++++
src/auditctl-listing.c | 52 ++++++++----
src/auditctl.c | 121 +++++++++++++++++++++++----
src/auditd-event.c | 1 +
src/aureport-options.c | 19 ++++-
src/aureport-options.h | 2 +-
src/aureport-output.c | 37 +++++++++
src/aureport-scan.c | 26 ++++++
src/aureport-scan.h | 2 +
src/aureport.c | 3 +-
src/ausearch-common.h | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-lookup.c | 25 ++++++
src/ausearch-lookup.h | 1 +
src/ausearch-match.c | 6 +-
src/ausearch-options.c | 36 +++++++-
src/ausearch-parse.c | 123 +++++++++++++++++++++++++++-
src/ausearch-report.c | 21 ++++-
43 files changed, 677 insertions(+), 70 deletions(-)
create mode 100644 lib/uringop_table.h
--
2.27.0
2 years, 12 months
[GIT PULL] Audit patches for v5.16
by Paul Moore
Hi Linus,
Here is the audit pull request for v5.16 with a note about merge
conflicts following the (very) short list of highlight(s) below.
** Highlight
- Add some additional audit logging to capture the openat2() syscall
open_how struct info. Previous variations of the open()/openat()
syscalls allowed audit admins to inspect the syscall args to get the
information contained in the new open_how struct used in openat2().
** Merge Notes
- I'm expecting three trees to add new audit record types during this
merge window: SELinux, block/device-mapper, and audit. I've already
talked with the different maintainers and there shouldn't be any
duplicated values, but I expect you will see some merge conflicts in
include/uapi/linux/audit.h; the "correct" values should end up as:
+#define AUDIT_URINGOP 1336 /* io_uring operation */
+#define AUDIT_OPENAT2 1337 /* Record showing openat2 how args */
+#define AUDIT_DM_CTRL 1338 /* Device Mapper target control */
+#define AUDIT_DM_EVENT 1339 /* Device Mapper events */
Thanks,
-Paul
--
The following changes since commit 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f:
Linux 5.15-rc1 (2021-09-12 16:28:37 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20211101
for you to fetch changes up to d9516f346e8b8e9c7dd37976a06a5bde1a871d6f:
audit: return early if the filter rule has a lower priority
(2021-10-18 18:34:37 -0400)
----------------------------------------------------------------
audit/stable-5.16 PR 20211101
----------------------------------------------------------------
Cai Huoqing (1):
audit: Convert to SPDX identifier
Christophe Leroy (1):
audit: rename struct node to struct audit_node to prevent future name
collisions
Gaosheng Cui (1):
audit: return early if the filter rule has a lower priority
Ondrej Mosnacek (1):
lsm_audit: avoid overloading the "key" audit field
Richard Guy Briggs (3):
audit: replace magic audit syscall class numbers with macros
audit: add support for the openat2 syscall
audit: add OPENAT2 record to list "how" info
MAINTAINERS | 1 +
arch/alpha/kernel/audit.c | 10 +++++---
arch/ia64/kernel/audit.c | 10 +++++---
arch/parisc/kernel/audit.c | 10 +++++---
arch/parisc/kernel/compat_audit.c | 11 +++++---
arch/powerpc/kernel/audit.c | 12 +++++----
arch/powerpc/kernel/compat_audit.c | 13 ++++++----
arch/s390/kernel/audit.c | 12 +++++----
arch/s390/kernel/compat_audit.c | 13 ++++++----
arch/sparc/kernel/audit.c | 12 +++++----
arch/sparc/kernel/compat_audit.c | 13 ++++++----
arch/x86/ia32/audit.c | 13 ++++++----
arch/x86/kernel/audit_64.c | 10 +++++---
fs/open.c | 2 ++
include/linux/audit.h | 11 ++++++++
include/linux/audit_arch.h | 24 ++++++++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 2 ++
kernel/audit_tree.c | 20 +++++++--------
kernel/auditsc.c | 51 +++++++++++++++++++-------------
lib/audit.c | 14 +++++++----
lib/compat_audit.c | 15 +++++++----
security/lsm_audit.c | 2 +-
23 files changed, 184 insertions(+), 98 deletions(-)
create mode 100644 include/linux/audit_arch.h
--
paul moore
www.paul-moore.com
2 years, 12 months