December 2012 - Linux-audit - Linux-Audit List Archives

[PATCH] Support for auditing on the actions of a not-yet-executed process.

by Peter Moody

eg: -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1 to see instances of /bin/bash opening a non-local socket. Or -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1 to instances of /bin/bash, and any descendant processes, opening a non local socket. proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html and it seemed like there was interest. Signed-off-by: Peter Moody <pmoody(a)google.com> --- trunk/lib/errormsg.h | 2 +- trunk/lib/fieldtab.h | 2 ++ trunk/lib/libaudit.c | 11 +++++++++++ trunk/lib/libaudit.h | 7 ++++++- 4 files changed, 20 insertions(+), 2 deletions(-) diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h index 4d996d5..cd595ec 100644 --- a/trunk/lib/errormsg.h +++ b/trunk/lib/errormsg.h @@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = { { -15, 2, "-F unknown errno -"}, { -16, 2, "-F unknown file type - " }, { -17, 1, "can only be used with exit and entry filter list" }, - { -18, 1, "" }, // Unused + { -18, 1, "only takes = operator" }, { -19, 0, "Key field needs a watch or syscall given prior to it" }, { -20, 2, "-F missing value after operation for" }, { -21, 2, "-F value should be number for" }, diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h index c0432cc..245b541 100644 --- a/trunk/lib/fieldtab.h +++ b/trunk/lib/fieldtab.h @@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" ) _S(AUDIT_FILTERKEY, "key" ) _S(AUDIT_FIELD_COMPARE, "field_compare" ) +_S(AUDIT_EXE, "exe" ) +_S(AUDIT_EXE_CHILDREN, "exe_children" ) diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c index 20eaf5f..06eed86 100644 --- a/trunk/lib/libaudit.c +++ b/trunk/lib/libaudit.c @@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, else return -21; break; + case AUDIT_EXE_CHILDREN: + case AUDIT_EXE: + { + struct stat buf; + if ((stat(v, &buf)) < 0) + return -2; + if (op != AUDIT_EQUAL) + return -18; + rule->values[rule->field_count] = (unsigned long)buf.st_ino; + } + break; case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h index 89dd588..2c8a802 100644 --- a/trunk/lib/libaudit.h +++ b/trunk/lib/libaudit.h @@ -243,6 +243,12 @@ extern "C" { #ifndef AUDIT_FIELD_COMPARE #define AUDIT_FIELD_COMPARE 111 #endif +#ifndef AUDIT_EXE +#define AUDIT_EXE 112 +#endif +#ifndef AUDIT_EXE_CHILDREN +#define AUDIT_EXE_CHILDREN 113 +#endif #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 @@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule); #endif #endif - -- 1.7.7.3

10 years, 7 months

3
3
0 / 0

[PATCH] audit: audit on the future execution of a binary.

by Peter Moody

This adds the ability audit the actions of a not-yet-running process, as well as the children of a not-yet-running process. Signed-off-by: Peter Moody <pmoody(a)google.com> --- include/linux/audit.h | 2 ++ kernel/auditfilter.c | 6 ++++++ kernel/auditsc.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 0 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 22f292a..5506cb1 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -260,6 +260,8 @@ #define AUDIT_OBJ_UID 109 #define AUDIT_OBJ_GID 110 #define AUDIT_FIELD_COMPARE 111 +#define AUDIT_EXE 112 +#define AUDIT_EXE_CHILDREN 113 #define AUDIT_ARG0 200 #define AUDIT_ARG1 (AUDIT_ARG0+1) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index a6c3f1a..1e6c571 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -546,6 +546,12 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, if (f->val > AUDIT_MAX_FIELD_COMPARE) goto exit_free; break; + case AUDIT_EXE: + case AUDIT_EXE_CHILDREN: + if (f->op != Audit_equal) { + goto exit_free; + } + break; default: goto exit_free; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4b96415..9cebe95 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -46,6 +46,7 @@ #include <asm/types.h> #include <linux/atomic.h> #include <linux/fs.h> +#include <linux/dcache.h> #include <linux/namei.h> #include <linux/mm.h> #include <linux/export.h> @@ -68,6 +69,7 @@ #include <linux/capability.h> #include <linux/fs_struct.h> #include <linux/compat.h> +#include <linux/sched.h> #include "audit.h" @@ -592,6 +594,35 @@ static int audit_field_compare(struct task_struct *tsk, return 0; } +int audit_match_exe(struct task_struct *tsk, struct audit_field *f) +{ + int result = 0; + struct mm_struct *mm; + struct vm_area_struct *vma; + + if (!tsk) + goto out; + + mm = tsk->mm; + if (!mm) + goto out; + + down_read(&mm->mmap_sem); + vma = mm->mmap; + while (vma) { + if ((vma->vm_flags & VM_EXECUTABLE) && + vma->vm_file) { + struct inode *ino = vma->vm_file->f_path.dentry->d_inode; + result = audit_comparator(ino->i_ino, f->op, f->val); + break; + } + vma = vma->vm_next; + } + up_read(&mm->mmap_sem); +out: + return result; +} + /* Determine if any context name data matches a rule's watch data */ /* Compare a task_struct with an audit_rule. Return 1 on match, 0 * otherwise. @@ -629,6 +660,22 @@ static int audit_filter_rules(struct task_struct *tsk, result = audit_comparator(ctx->ppid, f->op, f->val); } break; + case AUDIT_EXE: + result = audit_match_exe(tsk, f); + break; + case AUDIT_EXE_CHILDREN: + { + struct task_struct *ptsk; + for (ptsk = tsk; + ptsk->parent->pid > 0; + ptsk = find_task_by_vpid(ptsk->parent->pid)) { + if (audit_match_exe(ptsk, f)) { + ++result; + break; + } + } + } + break; case AUDIT_UID: result = audit_comparator(cred->uid, f->op, f->val); break; -- 1.7.7.3

11 years, 3 months

4
9
0 / 0

user message limits

by LC Bruzenak

I know I can go look at the code, however I figured I'd ask here first about the limits on the user message in both audit_log_user_message and ausearch. With audit_log_user_message the maximum length allowed appears to be around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the executable name length (and other stuff auto-pushed into the string) which is why I say "around". Even when I get a successful return value (from audit_log_user_message), I don't get my string back out in "ausearch" unless it is WAY smaller - ~1K or less I think. Any ideas/thoughts? This is the latest (1.7.11-2) audit package. Thx, LCB. -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

11 years, 3 months

5
17
0 / 0

[PATCH] Use python-config to find python include directories

by Tyler Hicks

In Ubuntu's current development release, the Python header files have been split up for multiarch reasons. /usr/include/python2.7/Python.h includes pyconfig.h, which is in /usr/include/x86_64-linux-gnu/python2.7/. This causes a build failure beacuse the architecture specific include directory is not searched by the audit build system. This patch uses the python-config tool, normally provided by the Python development package, to determine include directories and improves the readability of the Python section of configure.ac by adding appropriate indentation. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> --- bindings/python/Makefile.am | 2 +- configure.ac | 27 ++++++++++++++++----------- swig/Makefile.am | 3 +-- 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/bindings/python/Makefile.am b/bindings/python/Makefile.am index 4bbe75d..c53c235 100644 --- a/bindings/python/Makefile.am +++ b/bindings/python/Makefile.am @@ -26,6 +26,6 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig pyexec_LTLIBRARIES = auparse.la auparse_la_SOURCES = auparse_python.c -auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing +auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) $(PYTHON_INCLUDES) -fno-strict-aliasing auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la diff --git a/configure.ac b/configure.ac index 40972ce..f6ad07a 100644 --- a/configure.ac +++ b/configure.ac @@ -88,20 +88,24 @@ if test x$use_python = xno ; then python_found="no" AC_MSG_RESULT(no) else -AC_MSG_RESULT(testing) -AM_PATH_PYTHON -if test -f /usr/include/python${am_cv_python_version}/Python.h ; then - python_found="yes" - AC_MSG_NOTICE(Python bindings will be built) -else - python_found="no" - if test x$use_python = xyes ; then - AC_MSG_ERROR([Python explicitly required and python headers found]) + AC_MSG_RESULT(testing) + AM_PATH_PYTHON + AC_PATH_PROG([PYTHON_CONFIG], [python$PYTHON_VERSION-config python-config], no) + if test x$PYTHON_CONFIG = xno ; then + python_found="no" + if test x$use_python = xyes ; then + AC_MSG_ERROR([Python explicitly required and python-config not found]) + else + AC_MSG_WARN("python-config not found - python bindings will not be made") + fi else - AC_MSG_WARN("Python headers not found - python bindings will not be made") + python_found="yes" + AC_MSG_NOTICE(Python bindings will be built) + AC_MSG_CHECKING(Python header include directories) + PYTHON_INCLUDES=`$PYTHON_CONFIG --includes` + AC_MSG_RESULT([$PYTHON_INCLUDES]) fi fi -fi AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") #auditd listener @@ -274,6 +278,7 @@ fi # See if we want to support lower capabilities for plugins LIBCAP_NG_PATH +AC_SUBST(PYTHON_INCLUDES) AC_SUBST(DEBUG) AC_SUBST(LIBWRAP_LIBS) #AC_SUBST(libev_LIBS) diff --git a/swig/Makefile.am b/swig/Makefile.am index 5f26ac0..f204356 100644 --- a/swig/Makefile.am +++ b/swig/Makefile.am @@ -22,8 +22,7 @@ EXTRA_DIST = auditswig.i CONFIG_CLEAN_FILES = *.loT *.rej *.orig AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing -PYLIBVER ?= python$(PYTHON_VERSION) -INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I/usr/include/$(PYLIBVER) +INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON_INCLUDES) LIBS = $(top_builddir)/lib/libaudit.la pyexec_PYTHON = audit.py pyexec_LTLIBRARIES = _audit.la -- 1.7.10.4

12 years

1
1
0 / 0

audit 2.2.2 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - In auditd, tcp_max_per_addr was allowing 1 more connection than specified - In ausearch, fix matching of object records - Auditctl was returning -1 when listing rules filtered on a key field - Add interpretations for CAP_BLOCK_SUSPEND and CAP_COMPROMISE_KERNEL - Add armv5tejl, armv5tel, armv6l and armv7l machine types (Nathaniel Husted) - Updates for the 3.6 kernel - Add auparse_feed_has_data function to libauparse - Update audisp-prelude to use auparse_feed_has_data - Add support to conditionally build auditd network listener (Tyler Hicks) - In auditd, reset a flag after receiving USR1 signal info when rotating logs - Add optional systemd init script support - Add support for SECCOMP event type - Don't interpret aN_len field in EXECVE records (#869555) - In audisp-remote, do better job of draining queue - Fix capability parsing in ausearch/auparse - Interpret BPRM_FCAPS capability fields - Add ANOM_LINK event type This is mostly a bugfix release with updated support for newer kernels. There is also new support for systemd style config files. If you compile using make check, you may need to apply this patch: https://fedorahosted.org/audit/changeset/738/ based on whether or not it breaks. I am thinking this test needs revising for next release. Please let me know if you run across any problems with this release. -Steve

12 years

1
0
0 / 0

pam_tty_audit

by Pieter Baele

Hi, I've some problems configuring the pam_tty_audit module: In which pam.d files do I need to configure pam_tty_audit? (RHEL) It seems system-auth is not enough. Purpose: auditing root and a list of users according to a glob pattern. I don't want to miss something (logging in from sudo, su -, console, ssh...) (example here: root and "user1") On RHEL6 I have system-auth, su, su-l: session required pam_tty_audit.so disable=* enable=root,user1 And for sudo open_only is recommended??? session required pam_tty_audit.so open_only enable=root,user1 But if user1 does log on, no commands are logged.... Any idea?

12 years

2
1
0 / 0

Auditd Fails to start

by audit＠mm.st

I have a RH 5 system that I setup auditd on. It works fine. I then cloned the RH 5 system using dd and on the new system auditd will not start. I don't see anything obvious that would cause this. Here is the output of auditd -f: Config file /etc/audit/auditd.conf opened for parsing log_file_parser called with: /var/log/audit/audit.log log_format_parser called with: RAW log_group_parser called with: root priority_boost_parser called with: 4 flush_parser called with: INCREMENTAL freq_parser called with: 20 num_logs_parser called with: 99 qos_parser called with: lossy dispatch_parser called with: /sbin/audispd name_format_parser called with: user name_parser called with: lb.example.com max_log_size_parser called with: 100 max_log_size_action_parser called with: ROTATE space_left_parser called with: 500 space_action_parser called with: email action_mail_acct_parser called with: john.smith(a)example.com The audit daemon is exiting.

12 years

1
0
0 / 0

[PATCH] audit: fix event coverage of AUDIT_ANOM_LINK

by Kees Cook

The userspace audit tools didn't like the existing formatting of the AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH event as well, so this implements the change. The bulk of the patch is moving code out of auditsc.c into audit.c and audit.h for general use. It expands audit_log_name to include an optional "struct path" argument for the simple case of just needing to report a pathname. This also makes audit_log_task_info available when syscall auditing is not enabled so an admin can make sense of the audit report (which would have only shown path information, not process information). Reported-by: Steve Grubb <sgrubb(a)redhat.com> Signed-off-by: Kees Cook <keescook(a)chromium.org> --- include/linux/audit.h | 16 ++- kernel/audit.c | 247 ++++++++++++++++++++++++++++++++-- kernel/audit.h | 157 ++++++++++++++++++++++ kernel/auditsc.c | 354 +------------------------------------------------ 4 files changed, 406 insertions(+), 368 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index bce729a..ec23d40 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -183,8 +183,6 @@ static inline int audit_get_sessionid(struct task_struct *tsk) return tsk->sessionid; } -extern void audit_log_task_context(struct audit_buffer *ab); -extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); extern int __audit_bprm(struct linux_binprm *bprm); @@ -338,11 +336,6 @@ static inline int audit_get_sessionid(struct task_struct *tsk) { return -1; } -static inline void audit_log_task_context(struct audit_buffer *ab) -{ } -static inline void audit_log_task_info(struct audit_buffer *ab, - struct task_struct *tsk) -{ } static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) { } static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, @@ -427,6 +420,10 @@ static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) { } #endif +extern void audit_log_task_context(struct audit_buffer *ab); +extern void audit_log_task_info(struct audit_buffer *ab, + struct task_struct *tsk); + extern int audit_update_lsm_rules(void); /* Private API (for audit.c only) */ @@ -474,6 +471,11 @@ static inline void audit_log_link_denied(const char *string, { } static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) { } +static inline void audit_log_task_context(struct audit_buffer *ab) +{ } +static inline void audit_log_task_info(struct audit_buffer *ab, + struct task_struct *tsk) +{ } #define audit_enabled 0 #endif /* CONFIG_AUDIT */ static inline void audit_log_string(struct audit_buffer *ab, const char *buf) diff --git a/kernel/audit.c b/kernel/audit.c index 40414e9..16585f5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -49,6 +49,7 @@ #include <linux/slab.h> #include <linux/err.h> #include <linux/kthread.h> +#include <linux/syscalls.h> #include <linux/audit.h> @@ -1429,6 +1430,224 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) +{ + int i; + + audit_log_format(ab, " %s=", prefix); + CAP_FOR_EACH_U32(i) { + audit_log_format(ab, "%08x", + cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); + } +} + +void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) +{ + kernel_cap_t *perm = &name->fcap.permitted; + kernel_cap_t *inh = &name->fcap.inheritable; + int log = 0; + + if (!cap_isclear(*perm)) { + audit_log_cap(ab, "cap_fp", perm); + log = 1; + } + if (!cap_isclear(*inh)) { + audit_log_cap(ab, "cap_fi", inh); + log = 1; + } + + if (log) + audit_log_format(ab, " cap_fe=%d cap_fver=%x", + name->fcap.fE, name->fcap_ver); +} + +static inline int audit_copy_fcaps(struct audit_names *name, + const struct dentry *dentry) +{ + struct cpu_vfs_cap_data caps; + int rc; + + if (!dentry) + return 0; + + rc = get_vfs_caps_from_disk(dentry, &caps); + if (rc) + return rc; + + name->fcap.permitted = caps.permitted; + name->fcap.inheritable = caps.inheritable; + name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); + name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> + VFS_CAP_REVISION_SHIFT; + + return 0; +} + +/* Copy inode data into an audit_names. */ +void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, + const struct inode *inode) +{ + name->ino = inode->i_ino; + name->dev = inode->i_sb->s_dev; + name->mode = inode->i_mode; + name->uid = inode->i_uid; + name->gid = inode->i_gid; + name->rdev = inode->i_rdev; + security_inode_getsecid(inode, &name->osid); + audit_copy_fcaps(name, dentry); +} + +/** + * audit_log_name - produce AUDIT_PATH record from struct audit_names + * @context: audit_context for the task + * @n: audit_names structure with reportable details + * @path: optional path to report instead of audit_names->name + * @record_num: record number to report when handling a list of names + * @call_panic: optional pointer to int that will be updated if secid fails + */ +void audit_log_name(struct audit_context *context, struct audit_names *n, + struct path *path, int record_num, int *call_panic) +{ + struct audit_buffer *ab; + ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); + if (!ab) + return; + + audit_log_format(ab, "item=%d", record_num); + + if (path) + audit_log_d_path(ab, " name=", path); + else if (n->name) { + switch (n->name_len) { + case AUDIT_NAME_FULL: + /* log the full path */ + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, n->name->name); + break; + case 0: + /* name was specified as a relative path and the + * directory component is the cwd */ + audit_log_d_path(ab, " name=", &context->pwd); + break; + default: + /* log the name's directory component */ + audit_log_format(ab, " name="); + audit_log_n_untrustedstring(ab, n->name->name, + n->name_len); + } + } else + audit_log_format(ab, " name=(null)"); + + if (n->ino != (unsigned long)-1) { + audit_log_format(ab, " inode=%lu" \ + " dev=%02x:%02x mode=%#ho" \ + " ouid=%u ogid=%u rdev=%02x:%02x", + n->ino, + MAJOR(n->dev), + MINOR(n->dev), + n->mode, + from_kuid(&init_user_ns, n->uid), + from_kgid(&init_user_ns, n->gid), + MAJOR(n->rdev), + MINOR(n->rdev)); + } + if (n->osid != 0) { + char *ctx = NULL; + u32 len; + if (security_secid_to_secctx( + n->osid, &ctx, &len)) { + audit_log_format(ab, " osid=%u", n->osid); + if (call_panic) + *call_panic = 2; + } else { + audit_log_format(ab, " obj=%s", ctx); + security_release_secctx(ctx, len); + } + } + + audit_log_fcaps(ab, n); + audit_log_end(ab); +} + +void audit_log_task_context(struct audit_buffer *ab) +{ + char *ctx = NULL; + unsigned len; + int error; + u32 sid; + + security_task_getsecid(current, &sid); + if (!sid) + return; + + error = security_secid_to_secctx(sid, &ctx, &len); + if (error) { + if (error != -EINVAL) + goto error_path; + return; + } + + audit_log_format(ab, " subj=%s", ctx); + security_release_secctx(ctx, len); + return; + +error_path: + audit_panic("error in audit_log_task_context"); + return; +} +EXPORT_SYMBOL(audit_log_task_context); + +void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) +{ + const struct cred *cred; + char name[sizeof(tsk->comm)]; + struct mm_struct *mm = tsk->mm; + char *tty; + + if (!ab) + return; + + /* tsk == current */ + cred = current_cred(); + + spin_lock_irq(&tsk->sighand->siglock); + if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) + tty = tsk->signal->tty->name; + else + tty = "(none)"; + spin_unlock_irq(&tsk->sighand->siglock); + + audit_log_format(ab, + " ppid=%ld pid=%d auid=%u uid=%u gid=%u" + " euid=%u suid=%u fsuid=%u" + " egid=%u sgid=%u fsgid=%u ses=%u tty=%s", + sys_getppid(), + tsk->pid, + from_kuid(&init_user_ns, audit_get_loginuid(tsk)), + from_kuid(&init_user_ns, cred->uid), + from_kgid(&init_user_ns, cred->gid), + from_kuid(&init_user_ns, cred->euid), + from_kuid(&init_user_ns, cred->suid), + from_kuid(&init_user_ns, cred->fsuid), + from_kgid(&init_user_ns, cred->egid), + from_kgid(&init_user_ns, cred->sgid), + from_kgid(&init_user_ns, cred->fsgid), + audit_get_sessionid(tsk), tty); + + get_task_comm(name, tsk); + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, name); + + if (mm) { + down_read(&mm->mmap_sem); + if (mm->exe_file) + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); + up_read(&mm->mmap_sem); + } + audit_log_task_context(ab); +} +EXPORT_SYMBOL(audit_log_task_info); + /** * audit_log_link_denied - report a link restriction denial * @operation: specific link opreation @@ -1437,19 +1656,31 @@ void audit_log_key(struct audit_buffer *ab, char *key) void audit_log_link_denied(const char *operation, struct path *link) { struct audit_buffer *ab; + struct audit_names *name; + + name = kzalloc(sizeof(*name), GFP_NOFS); + if (!name) + return; + /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ ab = audit_log_start(current->audit_context, GFP_KERNEL, AUDIT_ANOM_LINK); if (!ab) - return; - audit_log_format(ab, "op=%s action=denied", operation); - audit_log_format(ab, " pid=%d comm=", current->pid); - audit_log_untrustedstring(ab, current->comm); - audit_log_d_path(ab, " path=", link); - audit_log_format(ab, " dev="); - audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id); - audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino); + goto out; + audit_log_format(ab, "op=%s", operation); +#ifndef CONFIG_AUDITSYSCALL + /* This is needed if built without syscall auditing. */ + audit_log_task_info(ab, current); +#endif + audit_log_format(ab, " res=0"); audit_log_end(ab); + + /* Generate AUDIT_PATH record with object. */ + name->type = AUDIT_TYPE_NORMAL; + audit_copy_inode(name, link->dentry, link->dentry->d_inode); + audit_log_name(current->audit_context, name, link, 0, NULL); +out: + kfree(name); } /** diff --git a/kernel/audit.h b/kernel/audit.h index d51cba8..2598b1e 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -22,6 +22,7 @@ #include <linux/fs.h> #include <linux/audit.h> #include <linux/skbuff.h> +#include <uapi/linux/mqueue.h> /* 0 = no checking 1 = put_count checking @@ -29,6 +30,11 @@ */ #define AUDIT_DEBUG 0 +/* AUDIT_NAMES is the number of slots we reserve in the audit_context + * for saving names from getname(). If we get more names we will allocate + * a name dynamically and also add those to the list anchored by names_list. */ +#define AUDIT_NAMES 5 + /* At task start time, the audit_state is set in the audit_context using a per-task filter. At syscall entry, the audit_state is augmented by the syscall filter. */ @@ -59,9 +65,160 @@ struct audit_entry { struct audit_krule rule; }; +struct audit_cap_data { + kernel_cap_t permitted; + kernel_cap_t inheritable; + union { + unsigned int fE; /* effective bit of file cap */ + kernel_cap_t effective; /* effective set of process */ + }; +}; + +/* When fs/namei.c:getname() is called, we store the pointer in name and + * we don't let putname() free it (instead we free all of the saved + * pointers at syscall exit time). + * + * Further, in fs/namei.c:path_lookup() we store the inode and device. + */ +struct audit_names { + struct list_head list; /* audit_context->names_list */ + + struct filename *name; + int name_len; /* number of chars to log */ + bool name_put; /* call __putname()? */ + + unsigned long ino; + dev_t dev; + umode_t mode; + kuid_t uid; + kgid_t gid; + dev_t rdev; + u32 osid; + struct audit_cap_data fcap; + unsigned int fcap_ver; + unsigned char type; /* record type */ + /* + * This was an allocated audit_names and not from the array of + * names allocated in the task audit context. Thus this name + * should be freed on syscall exit. + */ + bool should_free; +}; + +/* The per-task audit context. */ +struct audit_context { + int dummy; /* must be the first element */ + int in_syscall; /* 1 if task is in a syscall */ + enum audit_state state, current_state; + unsigned int serial; /* serial number for record */ + int major; /* syscall number */ + struct timespec ctime; /* time of syscall entry */ + unsigned long argv[4]; /* syscall arguments */ + long return_code;/* syscall return code */ + u64 prio; + int return_valid; /* return code is valid */ + /* + * The names_list is the list of all audit_names collected during this + * syscall. The first AUDIT_NAMES entries in the names_list will + * actually be from the preallocated_names array for performance + * reasons. Except during allocation they should never be referenced + * through the preallocated_names array and should only be found/used + * by running the names_list. + */ + struct audit_names preallocated_names[AUDIT_NAMES]; + int name_count; /* total records in names_list */ + struct list_head names_list; /* anchor for audit_names->list */ + char *filterkey; /* key for rule that triggered record */ + struct path pwd; + struct audit_context *previous; /* For nested syscalls */ + struct audit_aux_data *aux; + struct audit_aux_data *aux_pids; + struct sockaddr_storage *sockaddr; + size_t sockaddr_len; + /* Save things to print about task_struct */ + pid_t pid, ppid; + kuid_t uid, euid, suid, fsuid; + kgid_t gid, egid, sgid, fsgid; + unsigned long personality; + int arch; + + pid_t target_pid; + kuid_t target_auid; + kuid_t target_uid; + unsigned int target_sessionid; + u32 target_sid; + char target_comm[TASK_COMM_LEN]; + + struct audit_tree_refs *trees, *first_trees; + struct list_head killed_trees; + int tree_count; + + int type; + union { + struct { + int nargs; + long args[6]; + } socketcall; + struct { + kuid_t uid; + kgid_t gid; + umode_t mode; + u32 osid; + int has_perm; + uid_t perm_uid; + gid_t perm_gid; + umode_t perm_mode; + unsigned long qbytes; + } ipc; + struct { + mqd_t mqdes; + struct mq_attr mqstat; + } mq_getsetattr; + struct { + mqd_t mqdes; + int sigev_signo; + } mq_notify; + struct { + mqd_t mqdes; + size_t msg_len; + unsigned int msg_prio; + struct timespec abs_timeout; + } mq_sendrecv; + struct { + int oflag; + umode_t mode; + struct mq_attr attr; + } mq_open; + struct { + pid_t pid; + struct audit_cap_data cap; + } capset; + struct { + int fd; + int flags; + } mmap; + }; + int fds[2]; + +#if AUDIT_DEBUG + int put_count; + int ino_count; +#endif +}; + #ifdef CONFIG_AUDIT extern int audit_enabled; extern int audit_ever_enabled; + +extern void audit_copy_inode(struct audit_names *name, + const struct dentry *dentry, + const struct inode *inode); +extern void audit_log_cap(struct audit_buffer *ab, char *prefix, + kernel_cap_t *cap); +extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name); +extern void audit_log_name(struct audit_context *context, + struct audit_names *n, struct path *path, + int record_num, int *call_panic); #endif extern int audit_pid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2f186ed..6ff826e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -76,11 +76,6 @@ #define AUDITSC_SUCCESS 1 #define AUDITSC_FAILURE 2 -/* AUDIT_NAMES is the number of slots we reserve in the audit_context - * for saving names from getname(). If we get more names we will allocate - * a name dynamically and also add those to the list anchored by names_list. */ -#define AUDIT_NAMES 5 - /* no execve audit message should be longer than this (userspace limits) */ #define MAX_EXECVE_AUDIT_LEN 7500 @@ -90,44 +85,6 @@ int audit_n_rules; /* determines whether we collect data for signals sent */ int audit_signals; -struct audit_cap_data { - kernel_cap_t permitted; - kernel_cap_t inheritable; - union { - unsigned int fE; /* effective bit of a file capability */ - kernel_cap_t effective; /* effective set of a process */ - }; -}; - -/* When fs/namei.c:getname() is called, we store the pointer in name and - * we don't let putname() free it (instead we free all of the saved - * pointers at syscall exit time). - * - * Further, in fs/namei.c:path_lookup() we store the inode and device. - */ -struct audit_names { - struct list_head list; /* audit_context->names_list */ - struct filename *name; - unsigned long ino; - dev_t dev; - umode_t mode; - kuid_t uid; - kgid_t gid; - dev_t rdev; - u32 osid; - struct audit_cap_data fcap; - unsigned int fcap_ver; - int name_len; /* number of name's characters to log */ - unsigned char type; /* record type */ - bool name_put; /* call __putname() for this name */ - /* - * This was an allocated audit_names and not from the array of - * names allocated in the task audit context. Thus this name - * should be freed on syscall exit - */ - bool should_free; -}; - struct audit_aux_data { struct audit_aux_data *next; int type; @@ -175,107 +132,6 @@ struct audit_tree_refs { struct audit_chunk *c[31]; }; -/* The per-task audit context. */ -struct audit_context { - int dummy; /* must be the first element */ - int in_syscall; /* 1 if task is in a syscall */ - enum audit_state state, current_state; - unsigned int serial; /* serial number for record */ - int major; /* syscall number */ - struct timespec ctime; /* time of syscall entry */ - unsigned long argv[4]; /* syscall arguments */ - long return_code;/* syscall return code */ - u64 prio; - int return_valid; /* return code is valid */ - /* - * The names_list is the list of all audit_names collected during this - * syscall. The first AUDIT_NAMES entries in the names_list will - * actually be from the preallocated_names array for performance - * reasons. Except during allocation they should never be referenced - * through the preallocated_names array and should only be found/used - * by running the names_list. - */ - struct audit_names preallocated_names[AUDIT_NAMES]; - int name_count; /* total records in names_list */ - struct list_head names_list; /* anchor for struct audit_names->list */ - char * filterkey; /* key for rule that triggered record */ - struct path pwd; - struct audit_context *previous; /* For nested syscalls */ - struct audit_aux_data *aux; - struct audit_aux_data *aux_pids; - struct sockaddr_storage *sockaddr; - size_t sockaddr_len; - /* Save things to print about task_struct */ - pid_t pid, ppid; - kuid_t uid, euid, suid, fsuid; - kgid_t gid, egid, sgid, fsgid; - unsigned long personality; - int arch; - - pid_t target_pid; - kuid_t target_auid; - kuid_t target_uid; - unsigned int target_sessionid; - u32 target_sid; - char target_comm[TASK_COMM_LEN]; - - struct audit_tree_refs *trees, *first_trees; - struct list_head killed_trees; - int tree_count; - - int type; - union { - struct { - int nargs; - long args[6]; - } socketcall; - struct { - kuid_t uid; - kgid_t gid; - umode_t mode; - u32 osid; - int has_perm; - uid_t perm_uid; - gid_t perm_gid; - umode_t perm_mode; - unsigned long qbytes; - } ipc; - struct { - mqd_t mqdes; - struct mq_attr mqstat; - } mq_getsetattr; - struct { - mqd_t mqdes; - int sigev_signo; - } mq_notify; - struct { - mqd_t mqdes; - size_t msg_len; - unsigned int msg_prio; - struct timespec abs_timeout; - } mq_sendrecv; - struct { - int oflag; - umode_t mode; - struct mq_attr attr; - } mq_open; - struct { - pid_t pid; - struct audit_cap_data cap; - } capset; - struct { - int fd; - int flags; - } mmap; - }; - int fds[2]; - -#if AUDIT_DEBUG - int put_count; - int ino_count; -#endif -}; - static inline int open_arg(int flags, int mask) { int n = ACC_MODE(flags); @@ -1116,88 +972,6 @@ static inline void audit_free_context(struct audit_context *context) printk(KERN_ERR "audit: freed %d contexts\n", count); } -void audit_log_task_context(struct audit_buffer *ab) -{ - char *ctx = NULL; - unsigned len; - int error; - u32 sid; - - security_task_getsecid(current, &sid); - if (!sid) - return; - - error = security_secid_to_secctx(sid, &ctx, &len); - if (error) { - if (error != -EINVAL) - goto error_path; - return; - } - - audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); - return; - -error_path: - audit_panic("error in audit_log_task_context"); - return; -} - -EXPORT_SYMBOL(audit_log_task_context); - -void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) -{ - const struct cred *cred; - char name[sizeof(tsk->comm)]; - struct mm_struct *mm = tsk->mm; - char *tty; - - if (!ab) - return; - - /* tsk == current */ - cred = current_cred(); - - spin_lock_irq(&tsk->sighand->siglock); - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) - tty = tsk->signal->tty->name; - else - tty = "(none)"; - spin_unlock_irq(&tsk->sighand->siglock); - - - audit_log_format(ab, - " ppid=%ld pid=%d auid=%u uid=%u gid=%u" - " euid=%u suid=%u fsuid=%u" - " egid=%u sgid=%u fsgid=%u ses=%u tty=%s", - sys_getppid(), - tsk->pid, - from_kuid(&init_user_ns, tsk->loginuid), - from_kuid(&init_user_ns, cred->uid), - from_kgid(&init_user_ns, cred->gid), - from_kuid(&init_user_ns, cred->euid), - from_kuid(&init_user_ns, cred->suid), - from_kuid(&init_user_ns, cred->fsuid), - from_kgid(&init_user_ns, cred->egid), - from_kgid(&init_user_ns, cred->sgid), - from_kgid(&init_user_ns, cred->fsgid), - tsk->sessionid, tty); - - get_task_comm(name, tsk); - audit_log_format(ab, " comm="); - audit_log_untrustedstring(ab, name); - - if (mm) { - down_read(&mm->mmap_sem); - if (mm->exe_file) - audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); - up_read(&mm->mmap_sem); - } - audit_log_task_context(ab); -} - -EXPORT_SYMBOL(audit_log_task_info); - static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, u32 sid, char *comm) @@ -1413,35 +1187,6 @@ static void audit_log_execve_info(struct audit_context *context, kfree(buf); } -static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) -{ - int i; - - audit_log_format(ab, " %s=", prefix); - CAP_FOR_EACH_U32(i) { - audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); - } -} - -static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) -{ - kernel_cap_t *perm = &name->fcap.permitted; - kernel_cap_t *inh = &name->fcap.inheritable; - int log = 0; - - if (!cap_isclear(*perm)) { - audit_log_cap(ab, "cap_fp", perm); - log = 1; - } - if (!cap_isclear(*inh)) { - audit_log_cap(ab, "cap_fi", inh); - log = 1; - } - - if (log) - audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver); -} - static void show_special(struct audit_context *context, int *call_panic) { struct audit_buffer *ab; @@ -1539,68 +1284,6 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_end(ab); } -static void audit_log_name(struct audit_context *context, struct audit_names *n, - int record_num, int *call_panic) -{ - struct audit_buffer *ab; - ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); - if (!ab) - return; /* audit_panic has been called */ - - audit_log_format(ab, "item=%d", record_num); - - if (n->name) { - switch (n->name_len) { - case AUDIT_NAME_FULL: - /* log the full path */ - audit_log_format(ab, " name="); - audit_log_untrustedstring(ab, n->name->name); - break; - case 0: - /* name was specified as a relative path and the - * directory component is the cwd */ - audit_log_d_path(ab, " name=", &context->pwd); - break; - default: - /* log the name's directory component */ - audit_log_format(ab, " name="); - audit_log_n_untrustedstring(ab, n->name->name, - n->name_len); - } - } else - audit_log_format(ab, " name=(null)"); - - if (n->ino != (unsigned long)-1) { - audit_log_format(ab, " inode=%lu" - " dev=%02x:%02x mode=%#ho" - " ouid=%u ogid=%u rdev=%02x:%02x", - n->ino, - MAJOR(n->dev), - MINOR(n->dev), - n->mode, - from_kuid(&init_user_ns, n->uid), - from_kgid(&init_user_ns, n->gid), - MAJOR(n->rdev), - MINOR(n->rdev)); - } - if (n->osid != 0) { - char *ctx = NULL; - u32 len; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", n->osid); - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); - } - } - - audit_log_fcaps(ab, n); - - audit_log_end(ab); -} - static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) { int i, call_panic = 0; @@ -1718,7 +1401,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts i = 0; list_for_each_entry(n, &context->names_list, list) - audit_log_name(context, n, i++, &call_panic); + audit_log_name(context, n, NULL, i++, &call_panic); /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); @@ -2126,41 +1809,6 @@ void audit_putname(struct filename *name) #endif } -static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry) -{ - struct cpu_vfs_cap_data caps; - int rc; - - if (!dentry) - return 0; - - rc = get_vfs_caps_from_disk(dentry, &caps); - if (rc) - return rc; - - name->fcap.permitted = caps.permitted; - name->fcap.inheritable = caps.inheritable; - name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); - name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; - - return 0; -} - - -/* Copy inode data into an audit_names. */ -static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, - const struct inode *inode) -{ - name->ino = inode->i_ino; - name->dev = inode->i_sb->s_dev; - name->mode = inode->i_mode; - name->uid = inode->i_uid; - name->gid = inode->i_gid; - name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); - audit_copy_fcaps(name, dentry); -} - /** * __audit_inode - store the inode and device from a lookup * @name: name being audited -- 1.7.9.5 -- Kees Cook Chrome OS Security

12 years

2
5
0 / 0

Questions about --with-alpha and --with-armeb configure flags

by Laurent Bigonville

Hello, I've several questions about the --with-alpha and --with-armeb build-time flags. 1) are --with-alpha and --with-armeb intended to be enabled only on these architectures on could they also be enabled on any other one? If I understand correctly it's only adding arch detection and syscall tables to ausyscall. Why are these syscall table conditional? 2) Is --with-armeb meant for ARMEB (aka ARM big-endian) or is it meant for ARM with embedded ABI? The help message of the configure says the later but it seems to be badly named. If somebody could enlighten me, Kind regards Laurent Bigonville

12 years

4
10
0 / 0

Please add support for arm "armv5tel" processor

by Laurent Bigonville

Hi, Could you please add the support for the "armv5tel" processor (Marvell Kirkwood SoC) Index: lib/machinetab.h =================================================================== --- lib/machinetab.h (révision 732) +++ lib/machinetab.h (copie de travail) @@ -35,6 +35,7 @@ #endif #ifdef WITH_ARMEB _S(MACH_ARMEB, "armeb" ) +_S(MACH_ARMEB, "armv5tel") _S(MACH_ARMEB, "armv5tejl") _S(MACH_ARMEB, "armv7l") _S(MACH_ARMEB, "armv6l") Cheers Laurent Bigonville

12 years

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit December 2012