[PATCH git] fix warning introduced by execve patches
by Amy Griffis
Fix warning introduced by execve patch #1 in lspp.b7 branch. Please
fold this in with lspp.b7 3ccec7a3b847f0ea5b04775dab0990a7d03052f7 on
next rebase.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
8948d72d140eea1c4df513a19db597f3f2d002f2
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9286fea..43512c1 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -702,7 +702,7 @@ static void audit_log_exit(struct audit_
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
int i;
- char *p;
+ const char *p;
for (i = 0, p = axi->mem; i < axi->argc; i++) {
audit_log_format(ab, "a%d=", i);
p = audit_log_untrustedstring(ab, p);
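Review bot: the `const char *p` matches the `const char *` now returned by audit_log_untrustedstring(), so this is the right fix rather than a cast at `p = audit_log_untrustedstring(ab, p);`. One further point visible in the same loop: `p` advances only by what audit_log_untrustedstring() returns and the iteration count is `axi->argc`, with no check that `p` stays inside the block copied into `axi->mem`; a bound against the copied length would keep a malformed or truncated argument block from being read past its end.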
--
1.3.0
18 years, 8 months
[PATCH git] make selinux_audit_rule_update() remove safely
by Amy Griffis
(Al, this is a fix for the -mm patch
audit-support-for-context-based-audit-filtering-2.patch. Please fold
in with lspp.b7 3811b185122022cd5e59b1ca85342b820e3b3e22 on next
rebase.)
Use list_for_each_entry_safe() in selinux_audit_rule_update() to
protect against call_rcu() on list entries while traversing.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/auditfilter.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
71476af7bf618dee43c9ac86b0227882df412152
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7b91a1e..f1151a2 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1397,7 +1397,7 @@ static inline int audit_rule_has_selinux
* updated rule. */
int selinux_audit_rule_update(void)
{
- struct audit_entry *entry, *nentry;
+ struct audit_entry *entry, *n, *nentry;
struct audit_watch *watch;
int i, err = 0;
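Review bot: `n` sits beside `nentry` in the same declaration, which invites confusion between the safe-iteration cursor and the replacement rule; naming it `tmp` or `next` would make the two roles distinct.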
@@ -1405,7 +1405,7 @@ int selinux_audit_rule_update(void)
mutex_lock(&audit_filter_mutex);
for (i = 0; i < AUDIT_NR_FILTERS; i++) {
- list_for_each_entry(entry, &audit_filter_list[i], list) {
+ list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) {
if (!audit_rule_has_selinux(&entry->rule))
continue;
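Review bot: list_for_each_entry_safe() is the right iterator here, since the loop body (per the description) hands entries to call_rcu() while traversing, but the safe variant only guards against the current entry being unlinked; it still depends on the `mutex_lock(&audit_filter_mutex)` taken just above to keep other writers out, so a one-line comment at the loop noting that dependency would help the next reader.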
--
1.3.0
18 years, 8 months
another issue with Audit
by Loulwa Salem
This is a really strange problem .. seems like I have a knack for finding those.
I am running lspp.18 kernel (SELinux in permissive mode), audit-1.2.1 on an
x86_64 system.
Here is what is happening .. someone else please try this and let me know if you
see the same problem...
# auditctl -w /tmp/file1 >> works fine
# auditctl -w /tmp/file6
Error sending add rule request (File exists)
# auditctl -w /tmp/afile
Error sending add rule request (File exists)
# auditctl -w /tmp/newfile >> works fine
# auditctl -w /tmp/thefile
Error sending add rule request (File exists)
Here is what I noticed from this pattern ... as long as the length of the file
name I am adding watch on is the same, it says the watch already exists... So I
tried something else to see if only the file name matters or the whole path
length ...
# mkdir /foo
# auditctl -w /foo/file3 >> notice .. same length as /tmp/file1
Error sending add rule request (File exists)
# auditctl -w /foo/foofile >> notice .. same length as /tmp/newfile
Error sending add rule request (File exists)
# auditctl -w /foo/anotherfile >> works fine
So you see ... even using a different directory still says the watch exists.
If this is happening with others .. this definitely seems like a bug to me.
Thanks,
-Loulwa
18 years, 8 months
[PATCH] execve argument logging
by Alexander Viro
diff --git a/fs/exec.c b/fs/exec.c
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -49,6 +49,7 @@
#include <linux/rmap.h>
#include <linux/acct.h>
#include <linux/cn_proc.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1085,6 +1086,11 @@ int search_binary_handler(struct linux_b
/* kernel module loader fixup */
/* so we don't try to load run modprobe in kernel space. */
set_fs(USER_DS);
+
+ retval = audit_bprm(bprm);
+ if (retval)
+ return retval;
+
retval = -ENOENT;
for (try=0; try<2; try++) {
read_lock(&binfmt_lock);
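Review bot: audit_bprm() is called unconditionally on every entry to search_binary_handler(), just before the `for (try=0; try<2; try++)` loop; if this function can be entered more than once for a single exec (for example when a handler rewrites the arguments and re-enters it), an argument record is queued each time, so either confirm that cannot happen or guard the call so only the outermost invocation records. Also, returning `retval` when audit_bprm() fails makes the exec fail closed on an audit allocation failure, which deserves a sentence in the changelog.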
diff --git a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,7 @@
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
#define AUDIT_CWD 1307 /* Current working directory */
+#define AUDIT_EXECVE 1309 /* execve arguments */
#define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
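Review bot: the new `AUDIT_EXECVE 1309` leaves 1308 and 1310 unassigned between `AUDIT_CWD 1307` and `AUDIT_IPC_SET_PERM 1311`; a comment saying whether those values are reserved would avoid later collisions, and the userspace message-type table (auditd/ausearch) must gain 1309 before these records decode by name.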
@@ -283,6 +284,7 @@ struct audit_buffer;
struct audit_context;
struct inode;
struct netlink_skb_parms;
+struct linux_binprm;
#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
@@ -322,6 +324,7 @@ extern int audit_set_loginuid(struct ta
extern uid_t audit_get_loginuid(struct audit_context *ctx);
extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
+extern int audit_bprm(struct linux_binprm *bprm);
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
@@ -342,6 +345,7 @@ extern int audit_set_macxattr(const char
#define audit_get_loginuid(c) ({ -1; })
#define audit_ipc_obj(i) ({ 0; })
#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
+#define audit_bprm(p) ({ 0; })
#define audit_socketcall(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
@@ -364,7 +368,7 @@ extern void audit_log_end(struct au
extern void audit_log_hex(struct audit_buffer *ab,
const unsigned char *buf,
size_t len);
-extern void audit_log_untrustedstring(struct audit_buffer *ab,
+extern const char * audit_log_untrustedstring(struct audit_buffer *ab,
const char *string);
extern void audit_log_d_path(struct audit_buffer *ab,
const char *prefix,
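Review bot: the prototype changes from `void` to `const char *` without saying what is returned; add a comment that the return value points just past the string's terminating NUL so a caller can walk a packed block of strings. Existing callers that ignored the void result still compile, which is fine, but the new contract should be visible at the declaration rather than only in kernel/audit.c.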
diff --git a/kernel/audit.c b/kernel/audit.c
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -998,18 +998,20 @@ void audit_log_hex(struct audit_buffer *
* or a space. Unescaped strings will start and end with a double quote mark.
* Strings that are escaped are printed in hex (2 digits per char).
*/
-void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
{
const unsigned char *p = string;
+ size_t len = strlen(string);
while (*p) {
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
- audit_log_hex(ab, string, strlen(string));
- return;
+ audit_log_hex(ab, string, len);
+ return string + len + 1;
}
p++;
}
audit_log_format(ab, "\"%s\"", string);
+ return p + 1;
}
/* This is a helper-function to print the escaped d_path */
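Review bot: the doc comment above the function still describes only the escaping; extend it to state that the return value points one past the terminating NUL (`string + len + 1` on the escaped path and `p + 1` on the unescaped path, which are the same address because the loop stops at the NUL). `p` is declared `const unsigned char *` while the function now returns `const char *`, so `return p + 1;` mixes pointer signedness; an explicit cast, or returning `string + len + 1` from both paths, keeps the two return statements consistent.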
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -59,6 +59,7 @@
#include <linux/list.h>
#include <linux/tty.h>
#include <linux/selinux.h>
+#include <linux/binfmts.h>
#include "audit.h"
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
u32 osid;
};
+struct audit_aux_data_execve {
+ struct audit_aux_data d;
+ int argc;
+ int envc;
+ char mem[0];
+};
+
struct audit_aux_data_socketcall {
struct audit_aux_data d;
int nargs;
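Review bot: `envc` is stored in the new struct but nothing in this patch reads it; either log the environment count or drop the field and the copying that feeds it. `char mem[0]` follows the kernel's zero-length-array convention for trailing variable data, so that part is fine.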
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_
kfree(ctx);
}
break; }
+ case AUDIT_EXECVE: {
+ struct audit_aux_data_execve *axi = (void *)aux;
+ int i;
+ char *p;
+ for (i = 0, p = axi->mem; i < axi->argc; i++) {
+ audit_log_format(ab, "a%d=", i);
+ p = audit_log_untrustedstring(ab, p);
+ audit_log_format(ab, "\n");
+ }
+ break; }
case AUDIT_SOCKETCALL: {
int i;
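Review bot: `audit_log_format(ab, "\n")` after each argument embeds raw newlines inside a single audit record; userspace (ausearch/aureport) consumes records line by line, so a multi-line record splits into fragments the tools cannot reassemble. Use a space separator, as the other key=value fields in the record do. Separately, `char *p` receives the `const char *` returned by audit_log_untrustedstring(), which discards a qualifier and produces a compiler warning (the warning the first patch on this page removes).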
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qby
return 0;
}
+int audit_bprm(struct linux_binprm *bprm)
+{
+ struct audit_aux_data_execve *ax;
+ struct audit_context *context = current->audit_context;
+ unsigned long p, next;
+ void *to;
+
+ if (likely(!audit_enabled || !context))
+ return 0;
+
+ ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
+ GFP_KERNEL);
+ if (!ax)
+ return -ENOMEM;
+
+ ax->argc = bprm->argc;
+ ax->envc = bprm->envc;
+ for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
+ struct page *page = bprm->page[p / PAGE_SIZE];
+ void *kaddr = kmap(page);
+ next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
+ memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
+ to += next - p;
+ kunmap(page);
+ }
+
+ ax->d.type = AUDIT_EXECVE;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
+
+
/**
* audit_socketcall - record audit data for sys_socketcall
* @nargs: number of args
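Review bot: the kmalloc() size `sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p` copies everything from `bprm->p` to the top of the argument area, which includes the environment strings as well as argv (hence the `envc` recorded alongside), yet only `argc` strings are ever logged; copying only through the last argv string would shrink an allocation that can approach MAX_ARG_PAGES pages per exec and would keep environment contents, which commonly hold credentials, out of kernel audit buffers. The `-ENOMEM` path fails the whole exec, which should be stated explicitly. Style: the hunk ends with two consecutive blank lines before the `/**` comment.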
18 years, 8 months
Re: [RFC][PATCH 9/11] security: AppArmor - Audit changes
by Amy Griffis
Tony Jones wrote: [Wed Apr 19 2006, 01:50:18PM EDT]
> This patch adds AppArmor support to the audit subsystem.
>
> It creates id 1500 (already included in the upstream auditd package) for
> AppArmor messages.
>
> It also exports the audit_log_vformat function (analogous to having both
> printk and vprintk exported).
linux-audit (cc'd) will likely want to review these changes.
>
> Signed-off-by: Tony Jones <tonyj(a)suse.de>
>
> ---
> include/linux/audit.h | 5 +++++
> kernel/audit.c | 3 ++-
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> --- linux-2.6.17-rc1.orig/include/linux/audit.h
> +++ linux-2.6.17-rc1/include/linux/audit.h
> @@ -95,6 +95,8 @@
> #define AUDIT_LAST_KERN_ANOM_MSG 1799
> #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
>
> +#define AUDIT_AA 1500 /* AppArmor audit */
> +
> #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
>
> /* Rule flags */
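Review bot: `AUDIT_AA 1500` is inserted after the `AUDIT_ANOM_PROMISCUOUS 1700` and `AUDIT_LAST_KERN_ANOM_MSG 1799` lines, so the numeric ordering of the type table is broken at this point; place it in numeric order (or add a comment explaining the range it belongs to) so a reader scanning for a free value does not miss it.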
> @@ -349,6 +351,9 @@
> __attribute__((format(printf,4,5)));
>
> extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
> +extern void audit_log_vformat(struct audit_buffer *ab,
> + const char *fmt, va_list args)
> + __attribute__((format(printf,2,0)));
> extern void audit_log_format(struct audit_buffer *ab,
> const char *fmt, ...)
> __attribute__((format(printf,2,3)));
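Review bot: `__attribute__((format(printf,2,0)))` is the correct annotation for a va_list variant (the 0 marks that the arguments cannot be checked) and pairs with the printf(2,3) on audit_log_format(); a one-line comment stating that audit_log_vformat() is the va_list counterpart for callers that wrap their own variadic logging would document why it is being made public.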
> --- linux-2.6.17-rc1.orig/kernel/audit.c
> +++ linux-2.6.17-rc1/kernel/audit.c
> @@ -797,7 +797,7 @@
> * will be called a second time. Currently, we assume that a printk
> * can't format message larger than 1024 bytes, so we don't either.
> */
> -static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
> +void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
> va_list args)
> {
> int len, avail;
> @@ -999,4 +999,5 @@
> EXPORT_SYMBOL(audit_log_start);
> EXPORT_SYMBOL(audit_log_end);
> EXPORT_SYMBOL(audit_log_format);
> +EXPORT_SYMBOL(audit_log_vformat);
> EXPORT_SYMBOL(audit_log);
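Review bot: exporting audit_log_vformat() with EXPORT_SYMBOL matches the neighbouring exports, but the changelog does not say why a module needs the va_list variant rather than audit_log_format(); note also that a separate patch on this list proposes removing these exports as unused in-tree, so the two changes need reconciling before either merges.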
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo(a)vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
18 years, 8 months
Problem with audit
by Loulwa Salem
I am running lspp.17 kernel with audit-1.2.1 on an x86_64 system.
I noticed this behavior (has anyone encountered anything similar)
After a reboot, the first auditctl command that I try will not work. After that
it works fine.
Example:
# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules
-- Reboot --
# auditctl -a entry,always -S chmod
Error sending add rule request (Operation not permitted)
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
The problem is reproducible .. and it happens no matter what auditctl command
you try at first (listing, adding watches, or adding rules .. etc)
- Loulwa
18 years, 8 months
[RFC: 2.6 patch] kernel/audit.c: remove unused exports
by Adrian Bunk
This patch removes the following unused EXPORT_SYMBOL's:
- audit_log_start
- audit_log_end
- audit_log_format
- audit_log
Signed-off-by: Adrian Bunk <bunk(a)stusta.de>
--- linux-2.6.17-rc1-mm3-full/kernel/audit.c.old 2006-04-20 22:38:17.000000000 +0200
+++ linux-2.6.17-rc1-mm3-full/kernel/audit.c 2006-04-20 22:40:03.000000000 +0200
@@ -1092,7 +1092,3 @@
}
}
-EXPORT_SYMBOL(audit_log_start);
-EXPORT_SYMBOL(audit_log_end);
-EXPORT_SYMBOL(audit_log_format);
-EXPORT_SYMBOL(audit_log);
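Review bot: removing these four EXPORT_SYMBOLs makes audit_log_start(), audit_log_end(), audit_log_format() and audit_log() unavailable to modules; they are unused in-tree, but the AppArmor patch elsewhere on this list adds an export for audit_log_vformat() precisely so a modular LSM can log through this interface, so coordinate the two before merging.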
18 years, 8 months
Q: audit log rotation.
by The UnSeen
Is there a way to dictate the format of naming convention of the rotated
logfiles to better reflect the date range of the data contained in the
file instead of simply audit.log.1, audit.log.2, etc? Something perhaps
defined in the /etc/auditd.conf file? I'm used to the BSM scheme
personally. It would make it easier to manage the files for archiving
purposes (IMHO).
Also, it would be nice (if it doesn't exist already) to have a way to do
audit reductions with 1 event on a line instead of X lines for an event.
Ian
18 years, 8 months
audit 1.2.1 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
tomorrow. The Changelog is:
- New message type for trusted apps
- Add new keywords: today, yesterday, & now for ausearch and aureport
- Make audit_log_user_avc_message really send to syslog on error
- Updated syscall tables in auditctl
- Deprecated the 'possible' action for syscall rules in auditctl
- Update watch code to use file syscalls instead of 'all' in auditctl
This is mostly a bugfix release. Let me know if there are any problems with
it.
-Steve
18 years, 8 months
Filesystem access statistics
by Rudi Chiarito
Hi,
I subscribed to the list after checking with Steve that it was not an
outlandish choice of places where to ask my questions.
I need to look at a portion of the filesystem namespace and maintain
aggregate statistics on access patterns. In other words, I have a large
filesystem and would like to find out which are the hot spots. I don't
need to keep track of every single file access: since the file count is
in the order of millions, that would swamp the actual I/O, the
analysis and the people looking at the final data. It would make sense
to just group accesses by looking at the top N levels (anything
accessed at levels N+1, N+2, etc. would be coalesced into the parent
directory at level N).
I think that I can't be the only one with such a need. In my case, the
information is going to be used to change the way the tree is going to
be laid out in the future, as well as determining when parts of it can
be made read-only (after an inactivity period). I can also see the
information being useful for selective incremental backups - just look
at the hot spots - or for smarter ordering during a disaster recovery
restore (if you're recovering from random access storage, not tape).
Maybe even locate/slocate/rlocate/mlocate could take advantage of it.
What would be the best approach to this? Inotify doesn't seem to cut it,
because it can't handle recursive watches. I can't afford placing
watches all over the place. Given the sheer number of operations being
tracked, it looks like I'd need some custom code that audits all
file/directory operations, determines if there's a match (I'm only
interested in a specific tree, not everything under /), increments
internal counters and throws the event away. Is there code I could look
at for ideas?
Thanks in advance for any help.
--
Rudi
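One way to prototype the coalescing Rudi describes, offered here as an added example rather than code from the post or from the audit project: parse PATH records, keep only names under the tree of interest, truncate each path to its first N components below that root and count hits per bucket. The sample log lines are constructed in a simplified shape of audit PATH records (real records carry more fields), and the last name is hex-encoded the way the kernel's untrusted-string logging escapes names with quotes, control bytes or non-ASCII, so the parser undoes that too.

```python
"""Aggregate audit PATH records into depth-N hot spots under one tree."""
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample input (not from the original post): a simplified shape
# of audit PATH records, one record per line. Real records carry more fields.
# The last name is hex-encoded, as the kernel does for names holding quotes,
# control bytes or non-ASCII; here it decodes to "/srv/data".
SAMPLE_LOG = """\
type=PATH msg=audit(1145633517.101:1): item=0 name="/srv/data/projects/alpha/src/main.c" inode=1001
type=PATH msg=audit(1145633517.102:2): item=0 name="/srv/data/projects/alpha/src/util.c" inode=1002
type=PATH msg=audit(1145633517.103:3): item=0 name="/srv/data/projects/beta/README" inode=1003
type=PATH msg=audit(1145633517.104:4): item=0 name="/srv/data/archive/2005/q1/report.pdf" inode=1004
type=PATH msg=audit(1145633517.105:5): item=0 name="/home/ian/notes.txt" inode=1005
type=SYSCALL msg=audit(1145633517.105:5): arch=c000003e syscall=2 success=yes exit=3
type=PATH msg=audit(1145633517.106:6): item=0 name="/srv/data/projects/alpha" inode=1006
type=PATH msg=audit(1145633517.107:7): item=0 name=2F7372762F64617461 inode=1007
"""

# name= is either a double-quoted string or a bare run of hex digits.
NAME_RE = re.compile(r'\bname=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def decode_name(match: "re.Match[str]") -> str:
    """Return the path from a name= match, undoing hex escaping if present."""
    if match.group(1) is not None:
        return match.group(1)
    return bytes.fromhex(match.group(2)).decode("utf-8", errors="replace")


def bucket(path: str, root: str, depth: int) -> Optional[str]:
    """Coalesce path to its first `depth` components below root.

    Returns None when path lies outside root; anything deeper than `depth`
    is attributed to its ancestor at that level (the post's N+1, N+2 case).
    """
    root = root.rstrip("/")
    if path != root and not path.startswith(root + "/"):
        return None
    parts = [p for p in path[len(root):].split("/") if p]
    return root + "".join("/" + p for p in parts[:depth])


def hotspots(lines: Iterable[str], root: str, depth: int) -> Counter:
    """Count PATH records per depth-N bucket under root; other records are dropped."""
    counts: Counter = Counter()
    for line in lines:
        if not line.startswith("type=PATH "):
            continue
        m = NAME_RE.search(line)
        if m is None:
            continue
        b = bucket(decode_name(m), root, depth)
        if b is not None:
            counts[b] += 1
    return counts


if __name__ == "__main__":
    for path, n in hotspots(SAMPLE_LOG.splitlines(), "/srv/data", 2).most_common():
        print(f"{n:6d}  {path}")
```

Only the per-bucket counters are retained, so memory is bounded by the number of directories at depth N rather than by the number of files touched; feeding the real audit log through this would still mean the kernel emits one record per access, which is the cost the post is trying to avoid and is why an in-kernel counter was being asked about.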
18 years, 8 months