New audit-perms patch [ Re: Audit perms check on recv ]

The attached patch addresses Stephen's comments about re-using dummy_capget code and properly checking capabilities in selinux_netlink_send. To review, it 1. adds two new capabilities, CAP_AUDIT_READ and CAP_AUDIT_WRITE 2. changes dummy.c and selinux/hooks.c to set the netlink_audit message's eff_cap field to accurately reflect the capabilities of the sender, 3. checks for the capabilities required for the requested audit action in the eff_cap field at audit_msg_recv 4. adds checks to ensure that the message lengths are at least long enough to hold the structures they claim to hold. thanks, -serge Index: linux-2.6.10-rc3-mm1/include/linux/capability.h =================================================================== --- linux-2.6.10-rc3-mm1.orig/include/linux/capability.h 2004-10-18 16:53:44.000000000 -0500 +++ linux-2.6.10-rc3-mm1/include/linux/capability.h 2004-12-27 11:27:11.000000000 -0600 @@ -284,6 +284,14 @@ typedef __u32 kernel_cap_t; #define CAP_LEASE 28 +/* Allow reading of audit subsystem parameters */ + +#define CAP_AUDIT_READ 29 + +/* Allow control of audit subsystem */ + +#define CAP_AUDIT_WRITE 30 + #ifdef __KERNEL__ /* * Bounding set Index: linux-2.6.10-rc3-mm1/include/linux/netlink.h =================================================================== --- linux-2.6.10-rc3-mm1.orig/include/linux/netlink.h 2004-12-27 11:24:14.000000000 -0600 +++ linux-2.6.10-rc3-mm1/include/linux/netlink.h 2004-12-27 11:27:11.000000000 -0600 @@ -120,6 +120,7 @@ extern int netlink_attach(int unit, int extern void netlink_detach(int unit); extern int netlink_post(int unit, struct sk_buff *skb); extern struct sock *netlink_kernel_create(int unit, void (*input)(struct sock *sk, int len)); +extern int netlink_get_msgtype(struct sk_buff *skb); extern void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err); extern int netlink_unicast(struct sock *ssk, struct sk_buff *skb, __u32 pid, int nonblock); extern int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, __u32 pid, Index: linux-2.6.10-rc3-mm1/kernel/audit.c =================================================================== --- linux-2.6.10-rc3-mm1.orig/kernel/audit.c 2004-12-27 11:24:40.000000000 -0600 +++ linux-2.6.10-rc3-mm1/kernel/audit.c 2004-12-27 11:27:11.000000000 -0600 @@ -300,15 +300,60 @@ nlmsg_failure: /* Used by NLMSG_PUT */ kfree_skb(skb); } +/* + * This function causes two checks on the incoming audit control + * message. 1. netlink_get_msgtype() will perform a length check, + * and 2. we check for CAP_AUDIT perms on a message which might + * change audit params. + */ +int audit_netlink_ok(struct sk_buff *skb) +{ + int err = 0; + int msgtype; + + msgtype = netlink_get_msgtype(skb); + + switch(msgtype) { + case 0: /* not an audit msg */ + + case AUDIT_GET: + case AUDIT_LIST: + if (!cap_raised(NETLINK_CB (skb).eff_cap, + CAP_AUDIT_READ)) + err = -EPERM; + break; + + case AUDIT_SET: + case AUDIT_USER: + case AUDIT_LOGIN: + + case AUDIT_ADD: + case AUDIT_DEL: + if (!cap_raised(NETLINK_CB (skb).eff_cap, + CAP_AUDIT_WRITE)) + err = -EPERM; + break; + + default: /* permission denied: bad msg */ + err = -EINVAL; + } + + return err; +} + static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { u32 uid, pid, seq; void *data; struct audit_status *status_get, status_set; struct audit_login *login; - int err = 0; + int err; struct audit_buffer *ab; + err = audit_netlink_ok(skb); + if (err) + return err; + pid = NETLINK_CREDS(skb)->pid; uid = NETLINK_CREDS(skb)->uid; seq = nlh->nlmsg_seq; @@ -327,8 +372,8 @@ static int audit_receive_msg(struct sk_b &status_set, sizeof(status_set)); break; case AUDIT_SET: - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; + if (nlh->nlmsg_len < sizeof(struct audit_status)) + return -EINVAL; status_get = (struct audit_status *)data; if (status_get->mask & AUDIT_STATUS_ENABLED) { err = audit_set_enabled(status_get->enabled); @@ -364,8 +409,8 @@ static int audit_receive_msg(struct sk_b audit_log_end(ab); break; case AUDIT_LOGIN: - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; + if (nlh->nlmsg_len < sizeof(struct audit_login)) + return -EINVAL; login = (struct audit_login *)data; ab = audit_log_start(NULL); if (ab) { @@ -384,9 +429,12 @@ static int audit_receive_msg(struct sk_b login->loginuid); #endif break; - case AUDIT_LIST: case AUDIT_ADD: case AUDIT_DEL: + if (nlh->nlmsg_len < sizeof(struct audit_rule)) + return -EINVAL; + /* fallthrough */ + case AUDIT_LIST: #ifdef CONFIG_AUDITSYSCALL err = audit_receive_filter(nlh->nlmsg_type, pid, uid, seq, data); @@ -394,7 +442,7 @@ static int audit_receive_msg(struct sk_b err = -EOPNOTSUPP; #endif break; - default: + default: /* no longer needed... */ err = -EINVAL; break; } Index: linux-2.6.10-rc3-mm1/kernel/auditsc.c =================================================================== --- linux-2.6.10-rc3-mm1.orig/kernel/auditsc.c 2004-10-18 16:54:54.000000000 -0500 +++ linux-2.6.10-rc3-mm1/kernel/auditsc.c 2004-12-27 11:27:11.000000000 -0600 @@ -250,8 +250,6 @@ int audit_receive_filter(int type, int p audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); break; case AUDIT_ADD: - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) return -ENOMEM; if (audit_copy_rule(&entry->rule, data)) { Index: linux-2.6.10-rc3-mm1/net/netlink/af_netlink.c =================================================================== --- linux-2.6.10-rc3-mm1.orig/net/netlink/af_netlink.c 2004-12-27 11:24:17.000000000 -0600 +++ linux-2.6.10-rc3-mm1/net/netlink/af_netlink.c 2004-12-27 11:27:11.000000000 -0600 @@ -518,6 +518,18 @@ static int netlink_connect(struct socket return err; } +int netlink_get_msgtype(struct sk_buff *skb) +{ + struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data; + + if (skb->len < NLMSG_SPACE(0)) + return -EINVAL; + + if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) + return -EINVAL; + return nlh->nlmsg_type; +} + static int netlink_getname(struct socket *sock, struct sockaddr *addr, int *addr_len, int peer) { struct sock *sk = sock->sk; @@ -1511,6 +1523,7 @@ MODULE_LICENSE("GPL"); MODULE_ALIAS_NETPROTO(PF_NETLINK); +EXPORT_SYMBOL(netlink_get_msgtype); EXPORT_SYMBOL(netlink_ack); EXPORT_SYMBOL(netlink_broadcast); EXPORT_SYMBOL(netlink_dump_start); Index: linux-2.6.10-rc3-mm1/security/dummy.c =================================================================== --- linux-2.6.10-rc3-mm1.orig/security/dummy.c 2004-12-27 11:24:40.000000000 -0600 +++ linux-2.6.10-rc3-mm1/security/dummy.c 2004-12-27 17:24:10.000000000 -0600 @@ -741,10 +741,11 @@ static int dummy_sem_semop (struct sem_a static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb) { - if (current->euid == 0) - cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN); - else - NETLINK_CB (skb).eff_cap = 0; + kernel_cap_t dummy_cap, eff_cap; + + dummy_capget(current, &eff_cap, &dummy_cap, &dummy_cap); + NETLINK_CB (skb).eff_cap = eff_cap; + return 0; } Index: linux-2.6.10-rc3-mm1/security/selinux/hooks.c =================================================================== --- linux-2.6.10-rc3-mm1.orig/security/selinux/hooks.c 2004-12-27 11:24:40.000000000 -0600 +++ linux-2.6.10-rc3-mm1/security/selinux/hooks.c 2004-12-27 17:17:29.000000000 -0600 @@ -3564,12 +3564,19 @@ static inline int selinux_nlmsg_perm(str static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) { - int err = 0; + struct task_security_struct *tsec; + struct av_decision avd; + int err; - if (capable(CAP_NET_ADMIN)) - cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN); - else - NETLINK_CB(skb).eff_cap = 0; + err = secondary_ops->netlink_send(sk, skb); + if (err) + return err; + + tsec = current->security; + + security_compute_av(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, ~0, + &avd); + cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) err = selinux_nlmsg_perm(sk, skb);