[PATCH git] fix warning introduced by execve patches
by Amy Griffis
Fix warning introduced by execve patch #1 in lspp.b7 branch. Please
fold this in with lspp.b7 3ccec7a3b847f0ea5b04775dab0990a7d03052f7 on
next rebase.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
8948d72d140eea1c4df513a19db597f3f2d002f2
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9286fea..43512c1 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -702,7 +702,7 @@ static void audit_log_exit(struct audit_
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
int i;
- char *p;
+ const char *p;
for (i = 0, p = axi->mem; i < axi->argc; i++) {
audit_log_format(ab, "a%d=", i);
p = audit_log_untrustedstring(ab, p);
--
1.3.0
19 years, 10 months
[PATCH git] make selinux_audit_rule_update() remove safely
by Amy Griffis
(Al, this is a fix for the -mm patch
audit-support-for-context-based-audit-filtering-2.patch. Please fold
in with lspp.b7 3811b185122022cd5e59b1ca85342b820e3b3e22 on next
rebase.)
Use list_for_each_entry_safe() in selinux_audit_rule_update() to
protect against call_rcu() on list entries while traversing.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/auditfilter.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
71476af7bf618dee43c9ac86b0227882df412152
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7b91a1e..f1151a2 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1397,7 +1397,7 @@ static inline int audit_rule_has_selinux
* updated rule. */
int selinux_audit_rule_update(void)
{
- struct audit_entry *entry, *nentry;
+ struct audit_entry *entry, *n, *nentry;
struct audit_watch *watch;
int i, err = 0;
@@ -1405,7 +1405,7 @@ int selinux_audit_rule_update(void)
mutex_lock(&audit_filter_mutex);
for (i = 0; i < AUDIT_NR_FILTERS; i++) {
- list_for_each_entry(entry, &audit_filter_list[i], list) {
+ list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) {
if (!audit_rule_has_selinux(&entry->rule))
continue;
--
1.3.0
19 years, 10 months
another issue with Audit
by Loulwa Salem
This is a really strange problem .. seems like I have a knack to finding those.
I am running lspp.18 kernel (SELinux in permissive mode), audit-1.2.1 on an
x86_64 system.
Here is what is happening .. someone else please try this and let me know if you
see the same problem...
# auditctl -w /tmp/file1 >> works fine
# auditctl -w /tmp/file6
Error sending add rule request (File exists)
# auditctl -w /tmp/afile
Error sending add rule request (File exists)
# auditctl -w /tmp/newfile >> works fine
# auditctl -w /tmp/thefile
Error sending add rule request (File exists)
Here is what I noticed from this pattern ... as long as the length of the file
name I am adding watch on is the same, it says the watch already exists... So I
tried something else to see if only the file name matters or the whole path
length ...
# mkdir /foo
# auditctl -w /foo/file3 >> notice .. same length as /tmp/file1
Error sending add rule request (File exists)
# auditctl -w /foo/foofile >> notice .. same length as /tmp/newfile
Error sending add rule request (File exists)
# auditctl -w /foo/anotherfile >> works fine
So you see ... even using a different directory still says the watch exists.
If this is happening with others .. this definitely seems like a bug to me.
Thanks,
-Loulwa
19 years, 10 months
[PATCH] execve argument logging
by Alexander Viro
diff --git a/fs/exec.c b/fs/exec.c
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -49,6 +49,7 @@
#include <linux/rmap.h>
#include <linux/acct.h>
#include <linux/cn_proc.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1085,6 +1086,11 @@ int search_binary_handler(struct linux_b
/* kernel module loader fixup */
/* so we don't try to load run modprobe in kernel space. */
set_fs(USER_DS);
+
+ retval = audit_bprm(bprm);
+ if (retval)
+ return retval;
+
retval = -ENOENT;
for (try=0; try<2; try++) {
read_lock(&binfmt_lock);
diff --git a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,7 @@
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
#define AUDIT_CWD 1307 /* Current working directory */
+#define AUDIT_EXECVE 1309 /* execve arguments */
#define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
@@ -283,6 +284,7 @@ struct audit_buffer;
struct audit_context;
struct inode;
struct netlink_skb_parms;
+struct linux_binprm;
#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
@@ -322,6 +324,7 @@ extern int audit_set_loginuid(struct ta
extern uid_t audit_get_loginuid(struct audit_context *ctx);
extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
+extern int audit_bprm(struct linux_binprm *bprm);
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
@@ -342,6 +345,7 @@ extern int audit_set_macxattr(const char
#define audit_get_loginuid(c) ({ -1; })
#define audit_ipc_obj(i) ({ 0; })
#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
+#define audit_bprm(p) ({ 0; })
#define audit_socketcall(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
@@ -364,7 +368,7 @@ extern void audit_log_end(struct au
extern void audit_log_hex(struct audit_buffer *ab,
const unsigned char *buf,
size_t len);
-extern void audit_log_untrustedstring(struct audit_buffer *ab,
+extern const char * audit_log_untrustedstring(struct audit_buffer *ab,
const char *string);
extern void audit_log_d_path(struct audit_buffer *ab,
const char *prefix,
diff --git a/kernel/audit.c b/kernel/audit.c
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -998,18 +998,20 @@ void audit_log_hex(struct audit_buffer *
* or a space. Unescaped strings will start and end with a double quote mark.
* Strings that are escaped are printed in hex (2 digits per char).
*/
-void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
{
const unsigned char *p = string;
+ size_t len = strlen(string);
while (*p) {
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
- audit_log_hex(ab, string, strlen(string));
- return;
+ audit_log_hex(ab, string, len);
+ return string + len + 1;
}
p++;
}
audit_log_format(ab, "\"%s\"", string);
+ return p + 1;
}
/* This is a helper-function to print the escaped d_path */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -59,6 +59,7 @@
#include <linux/list.h>
#include <linux/tty.h>
#include <linux/selinux.h>
+#include <linux/binfmts.h>
#include "audit.h"
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
u32 osid;
};
+struct audit_aux_data_execve {
+ struct audit_aux_data d;
+ int argc;
+ int envc;
+ char mem[0];
+};
+
struct audit_aux_data_socketcall {
struct audit_aux_data d;
int nargs;
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_
kfree(ctx);
}
break; }
+ case AUDIT_EXECVE: {
+ struct audit_aux_data_execve *axi = (void *)aux;
+ int i;
+ char *p;
+ for (i = 0, p = axi->mem; i < axi->argc; i++) {
+ audit_log_format(ab, "a%d=", i);
+ p = audit_log_untrustedstring(ab, p);
+ audit_log_format(ab, "\n");
+ }
+ break; }
case AUDIT_SOCKETCALL: {
int i;
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qby
return 0;
}
+int audit_bprm(struct linux_binprm *bprm)
+{
+ struct audit_aux_data_execve *ax;
+ struct audit_context *context = current->audit_context;
+ unsigned long p, next;
+ void *to;
+
+ if (likely(!audit_enabled || !context))
+ return 0;
+
+ ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
+ GFP_KERNEL);
+ if (!ax)
+ return -ENOMEM;
+
+ ax->argc = bprm->argc;
+ ax->envc = bprm->envc;
+ for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
+ struct page *page = bprm->page[p / PAGE_SIZE];
+ void *kaddr = kmap(page);
+ next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
+ memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
+ to += next - p;
+ kunmap(page);
+ }
+
+ ax->d.type = AUDIT_EXECVE;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
+
+
/**
* audit_socketcall - record audit data for sys_socketcall
* @nargs: number of args
19 years, 10 months
Re: [RFC][PATCH 9/11] security: AppArmor - Audit changes
by Amy Griffis
Tony Jones wrote: [Wed Apr 19 2006, 01:50:18PM EDT]
> This patch adds AppArmor support to the audit subsystem.
>
> It creates id 1500 (already included in the the upstream auditd package) for
> AppArmor messages.
>
> It also exports the audit_log_vformat function (analagous to having both
> printk and vprintk exported).
linux-audit (cc'd) will likely want to review these changes.
>
> Signed-off-by: Tony Jones <tonyj(a)suse.de>
>
> ---
> include/linux/audit.h | 5 +++++
> kernel/audit.c | 3 ++-
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> --- linux-2.6.17-rc1.orig/include/linux/audit.h
> +++ linux-2.6.17-rc1/include/linux/audit.h
> @@ -95,6 +95,8 @@
> #define AUDIT_LAST_KERN_ANOM_MSG 1799
> #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
>
> +#define AUDIT_AA 1500 /* AppArmor audit */
> +
> #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
>
> /* Rule flags */
> @@ -349,6 +351,9 @@
> __attribute__((format(printf,4,5)));
>
> extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
> +extern void audit_log_vformat(struct audit_buffer *ab,
> + const char *fmt, va_list args)
> + __attribute__((format(printf,2,0)));
> extern void audit_log_format(struct audit_buffer *ab,
> const char *fmt, ...)
> __attribute__((format(printf,2,3)));
> --- linux-2.6.17-rc1.orig/kernel/audit.c
> +++ linux-2.6.17-rc1/kernel/audit.c
> @@ -797,7 +797,7 @@
> * will be called a second time. Currently, we assume that a printk
> * can't format message larger than 1024 bytes, so we don't either.
> */
> -static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
> +void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
> va_list args)
> {
> int len, avail;
> @@ -999,4 +999,5 @@
> EXPORT_SYMBOL(audit_log_start);
> EXPORT_SYMBOL(audit_log_end);
> EXPORT_SYMBOL(audit_log_format);
> +EXPORT_SYMBOL(audit_log_vformat);
> EXPORT_SYMBOL(audit_log);
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo(a)vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
19 years, 10 months
Problem with audit
by Loulwa Salem
I am running lspp.17 kernel with audit-1.2.1 on an x86_64 system.
I noticed this behavior (has anyone encountered anything similar)
After a reboot, the first auditctl command that I try will not work, After that
it works fine.
Example:
# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules
-- Reboot --
# auditctl -a entry,always -S chmod
Error sending add rule request (Operation not permitted)
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
The problem is reproducible .. and it happens no matter what auditctl command
you try at first (listing, adding watches, or adding rules .. etc)
- Loulwa
19 years, 10 months
[RFC: 2.6 patch] kernel/audit.c: remove unused exports
by Adrian Bunk
This patch removes the following unused EXPORT_SYMBOL's:
- audit_log_start
- audit_log_end
- audit_log_format
- audit_log
Signed-off-by: Adrian Bunk <bunk(a)stusta.de>
--- linux-2.6.17-rc1-mm3-full/kernel/audit.c.old 2006-04-20 22:38:17.000000000 +0200
+++ linux-2.6.17-rc1-mm3-full/kernel/audit.c 2006-04-20 22:40:03.000000000 +0200
@@ -1092,7 +1092,3 @@
}
}
-EXPORT_SYMBOL(audit_log_start);
-EXPORT_SYMBOL(audit_log_end);
-EXPORT_SYMBOL(audit_log_format);
-EXPORT_SYMBOL(audit_log);
19 years, 10 months
Q: audit log rotation.
by The UnSeen
Is there a way to dictate the format of naming convention of the rotated
logfiles to better reflect the date range of the data contained in the
file instead of simply audit.log.1, audit.log.2, etc? Something perhaps
defined in the /etc/auditd.conf file? I'm used to the BSM scheme
personally. It would make it easier to manage the files for archiving
purposes (IMHO).
Also, it would be nice (if it doesn't exist already) to have a way to do
audit reductions 1 event on a line instead of X lines for an event.
Ian
19 years, 10 months
audit 1.2.1 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- New message type for trusted apps
- Add new keywords: today, yesterday, & now for ausearch and aureport
- Make audit_log_user_avc_message really send to syslog on error
- Updated syscall tables in auditctl
- Deprecated the 'possible' action for syscall rules in auditctl
- Update watch code to use file syscalls instead of 'all' in auditctl
This is mostly a bugfix release. Let me know if there are any problems with
it.
-Steve
19 years, 11 months
Filesystem access statistics
by Rudi Chiarito
Hi,
I subscribed to the list after checking with Steve that it was not an
outlandish choice of places where to ask my questions.
I need to look at a portion of the filesystem namespace and maintain
aggregate statistics on access patterns. In other words, I have a large
filesystem and would like to find out which are the hot spots. I don't
need to keep track of every single file access: since the file count is
in the order of millions, that would swamp the actual I/O, the
analysis and the people looking at the final data. It would make sense
to just group accesses by looking at the top N levels (anything
accessed at levels N+1, N+2, etc. would be coalesced into the parent
directory at level N).
I think that I can't be the only one with such a need. In my case, the
information is going to be used to change the way the tree is going to
be laid out in the future, as well as determining when parts of it can
be made read-only (after an inactivity period). I can also see the
information being useful for selective incremental backups - just look
at the hot spots - or for smarter ordering during a disaster recovery
restore (if you're recovering from random access storage, not tape).
Maybe even locate/slocate/rlocate/mlocate could take advantage of it.
What would be the best approach to this? Inotify doesn't seem to cut it,
because it can't handle recursive watches. I can't afford placing
watches all over the place. Given the sheer number of operations being
tracked, it looks like I'd need some custom code that audits all
file/directory operations, determines if there's a match (I'm only
interested in a specific tree, not everything under /), increments
internal counters and throws the event away. Is there code I could look
at for ideas?
Thanks in advance for any help.
--
Rudi
19 years, 11 months
