[PATCH] audit/userspace: add support for the parisc architecture
by Helge Deller
The patch below adds support for the parisc architecture to the audit
userspace tool.
It would be great if you could apply this patch to trunk.
I posted the corresponding Linux kernel patch to the parisc mailing list
(https://patchwork.kernel.org/patch/3046731/) and plan to push it upstream when
the merge window for Linux kernel v3.13 opens.
Signed-off-by: Helge Deller <deller(a)gmx.de>
--- audit-2.3.2.orig/lib/Makefile.am
+++ audit-2.3.2/lib/Makefile.am
@@ -40,7 +40,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOU
BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
- s390x_tables.h x86_64_tables.h
+ s390x_tables.h x86_64_tables.h parisc_tables.h
if USE_ALPHA
BUILT_SOURCES += alpha_tables.h
endif
@@ -54,7 +54,7 @@ noinst_PROGRAMS = gen_actiontabs_h gen_e
gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
- gen_s390x_tables_h gen_x86_64_tables_h
+ gen_s390x_tables_h gen_x86_64_tables_h gen_parisc_tables_h
if USE_ALPHA
noinst_PROGRAMS += gen_alpha_tables_h
endif
@@ -142,6 +142,11 @@ gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '
ppc_tables.h: gen_ppc_tables_h Makefile
./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
+gen_parisc_tables_h_SOURCES = gen_tables.c gen_tables.h parisc_table.h
+gen_parisc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="parisc_table.h"'
+parisc_tables.h: gen_parisc_tables_h Makefile
+ ./gen_parisc_tables_h --lowercase --i2s --s2i parisc_syscall > $@
+
gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
s390_tables.h: gen_s390_tables_h Makefile
--- audit-2.3.2.orig/lib/libaudit.c
+++ audit-2.3.2/lib/libaudit.c
@@ -1304,6 +1304,9 @@ int audit_rule_fieldpair_data(struct aud
machine == MACH_PPC64)
machine = MACH_PPC;
else if (bits == ~__AUDIT_ARCH_64BIT &&
+ machine == MACH_PARISC64)
+ machine = MACH_PARISC;
+ else if (bits == ~__AUDIT_ARCH_64BIT &&
machine == MACH_S390X)
machine = MACH_S390;
@@ -1324,6 +1327,10 @@ int audit_rule_fieldpair_data(struct aud
if (bits == __AUDIT_ARCH_64BIT)
return -6;
break;
+ case MACH_PARISC:
+ if (bits == __AUDIT_ARCH_64BIT)
+ return -6;
+ break;
case MACH_S390:
if (bits == __AUDIT_ARCH_64BIT)
return -6;
@@ -1342,6 +1349,7 @@ int audit_rule_fieldpair_data(struct aud
#endif
case MACH_86_64: /* fallthrough */
case MACH_PPC64: /* fallthrough */
+ case MACH_PARISC64: /* fallthrough */
case MACH_S390X: /* fallthrough */
break;
default:
--- audit-2.3.2.orig/lib/libaudit.h
+++ audit-2.3.2/lib/libaudit.h
@@ -417,7 +417,9 @@ typedef enum {
MACH_S390,
MACH_ALPHA,
MACH_ARMEB,
- MACH_AARCH64
+ MACH_AARCH64,
+ MACH_PARISC64,
+ MACH_PARISC
} machine_t;
/* These are the valid audit failure tunable enum values */
--- audit-2.3.2.orig/lib/lookup_table.c
+++ audit-2.3.2/lib/lookup_table.c
@@ -47,6 +47,7 @@
#include "i386_tables.h"
#include "ia64_tables.h"
#include "ppc_tables.h"
+#include "parisc_tables.h"
#include "s390_tables.h"
#include "s390x_tables.h"
#include "x86_64_tables.h"
@@ -82,6 +83,8 @@ static const struct int_transtab elftab[
#ifdef WITH_AARCH64
{ MACH_AARCH64, AUDIT_ARCH_AARCH64},
#endif
+ { MACH_PARISC64,AUDIT_ARCH_PARISC64 },
+ { MACH_PARISC, AUDIT_ARCH_PARISC },
};
#define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0]))
@@ -126,6 +129,10 @@ int audit_name_to_syscall(const char *sc
case MACH_PPC:
found = ppc_syscall_s2i(sc, &res);
break;
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ found = parisc_syscall_s2i(sc, &res);
+ break;
case MACH_S390X:
found = s390x_syscall_s2i(sc, &res);
break;
@@ -171,6 +178,9 @@ const char *audit_syscall_to_name(int sc
case MACH_PPC64:
case MACH_PPC:
return ppc_syscall_i2s(sc);
+ case MACH_PARISC64:
+ case MACH_PARISC:
+ return parisc_syscall_i2s(sc);
case MACH_S390X:
return s390x_syscall_i2s(sc);
case MACH_S390:
--- audit-2.3.2.orig/lib/machinetab.h
+++ audit-2.3.2/lib/machinetab.h
@@ -43,3 +43,5 @@ _S(MACH_ARMEB, "armv7l")
#ifdef WITH_AARCH64
_S(MACH_AARCH64, "aarch64" )
#endif
+_S(MACH_PARISC64, "parisc64" )
+_S(MACH_PARISC, "parisc" )
--- /dev/null
+++ audit-2.3.2/lib/parisc_table.h
@@ -0,0 +1,333 @@
+_S(0, "restart_syscall")
+_S(1, "exit")
+_S(2, "fork")
+_S(3, "read")
+_S(4, "write")
+_S(5, "open")
+_S(6, "close")
+_S(7, "waitpid")
+_S(8, "creat")
+_S(9, "link")
+_S(10, "unlink")
+_S(11, "execve")
+_S(12, "chdir")
+_S(13, "time")
+_S(14, "mknod")
+_S(15, "chmod")
+_S(16, "lchown")
+_S(17, "socket")
+_S(18, "stat")
+_S(19, "lseek")
+_S(20, "getpid")
+_S(21, "mount")
+_S(22, "bind")
+_S(23, "setuid")
+_S(24, "getuid")
+_S(25, "stime")
+_S(26, "ptrace")
+_S(27, "alarm")
+_S(28, "fstat")
+_S(29, "pause")
+_S(30, "utime")
+_S(31, "connect")
+_S(32, "listen")
+_S(33, "access")
+_S(34, "nice")
+_S(35, "accept")
+_S(36, "sync")
+_S(37, "kill")
+_S(38, "rename")
+_S(39, "mkdir")
+_S(40, "rmdir")
+_S(41, "dup")
+_S(42, "pipe")
+_S(43, "times")
+_S(44, "getsockname")
+_S(45, "brk")
+_S(46, "setgid")
+_S(47, "getgid")
+_S(48, "signal")
+_S(49, "geteuid")
+_S(50, "getegid")
+_S(51, "acct")
+_S(52, "umount2")
+_S(53, "getpeername")
+_S(54, "ioctl")
+_S(55, "fcntl")
+_S(56, "socketpair")
+_S(57, "setpgid")
+_S(58, "send")
+_S(59, "uname")
+_S(60, "umask")
+_S(61, "chroot")
+_S(62, "ustat")
+_S(63, "dup2")
+_S(64, "getppid")
+_S(65, "getpgrp")
+_S(66, "setsid")
+_S(67, "pivot_root")
+_S(68, "sgetmask")
+_S(69, "ssetmask")
+_S(70, "setreuid")
+_S(71, "setregid")
+_S(72, "mincore")
+_S(73, "sigpending")
+_S(74, "sethostname")
+_S(75, "setrlimit")
+_S(76, "getrlimit")
+_S(77, "getrusage")
+_S(78, "gettimeofday")
+_S(79, "settimeofday")
+_S(80, "getgroups")
+_S(81, "setgroups")
+_S(82, "sendto")
+_S(83, "symlink")
+_S(84, "lstat")
+_S(85, "readlink")
+_S(86, "uselib")
+_S(87, "swapon")
+_S(88, "reboot")
+_S(89, "mmap2")
+_S(90, "mmap")
+_S(91, "munmap")
+_S(92, "truncate")
+_S(93, "ftruncate")
+_S(94, "fchmod")
+_S(95, "fchown")
+_S(96, "getpriority")
+_S(97, "setpriority")
+_S(98, "recv")
+_S(99, "statfs")
+_S(100, "fstatfs")
+_S(101, "stat64")
+_S(103, "syslog")
+_S(104, "setitimer")
+_S(105, "getitimer")
+_S(106, "capget")
+_S(107, "capset")
+_S(108, "pread64")
+_S(109, "pwrite64")
+_S(110, "getcwd")
+_S(111, "vhangup")
+_S(112, "fstat64")
+_S(113, "vfork")
+_S(114, "wait4")
+_S(115, "swapoff")
+_S(116, "sysinfo")
+_S(117, "shutdown")
+_S(118, "fsync")
+_S(119, "madvise")
+_S(120, "clone")
+_S(121, "setdomainname")
+_S(122, "sendfile")
+_S(123, "recvfrom")
+_S(124, "adjtimex")
+_S(125, "mprotect")
+_S(126, "sigprocmask")
+_S(127, "create_module")
+_S(128, "init_module")
+_S(129, "delete_module")
+_S(130, "get_kernel_syms")
+_S(131, "quotactl")
+_S(132, "getpgid")
+_S(133, "fchdir")
+_S(134, "bdflush")
+_S(135, "sysfs")
+_S(136, "personality")
+_S(137, "afs_syscall")
+_S(138, "setfsuid")
+_S(139, "setfsgid")
+_S(140, "_llseek")
+_S(141, "getdents")
+_S(142, "_newselect")
+_S(143, "flock")
+_S(144, "msync")
+_S(145, "readv")
+_S(146, "writev")
+_S(147, "getsid")
+_S(148, "fdatasync")
+_S(149, "_sysctl")
+_S(150, "mlock")
+_S(151, "munlock")
+_S(152, "mlockall")
+_S(153, "munlockall")
+_S(154, "sched_setparam")
+_S(155, "sched_getparam")
+_S(156, "sched_setscheduler")
+_S(157, "sched_getscheduler")
+_S(158, "sched_yield")
+_S(159, "sched_get_priority_max")
+_S(160, "sched_get_priority_min")
+_S(161, "sched_rr_get_interval")
+_S(162, "nanosleep")
+_S(163, "mremap")
+_S(164, "setresuid")
+_S(165, "getresuid")
+_S(166, "sigaltstack")
+_S(167, "query_module")
+_S(168, "poll")
+_S(169, "nfsservctl")
+_S(170, "setresgid")
+_S(171, "getresgid")
+_S(172, "prctl")
+_S(173, "rt_sigreturn")
+_S(174, "rt_sigaction")
+_S(175, "rt_sigprocmask")
+_S(176, "rt_sigpending")
+_S(177, "rt_sigtimedwait")
+_S(178, "rt_sigqueueinfo")
+_S(179, "rt_sigsuspend")
+_S(180, "chown")
+_S(181, "setsockopt")
+_S(182, "getsockopt")
+_S(183, "sendmsg")
+_S(184, "recvmsg")
+_S(185, "semop")
+_S(186, "semget")
+_S(187, "semctl")
+_S(188, "msgsnd")
+_S(189, "msgrcv")
+_S(190, "msgget")
+_S(191, "msgctl")
+_S(192, "shmat")
+_S(193, "shmdt")
+_S(194, "shmget")
+_S(195, "shmctl")
+_S(196, "getpmsg")
+_S(197, "putpmsg")
+_S(198, "lstat64")
+_S(199, "truncate64")
+_S(200, "ftruncate64")
+_S(201, "getdents64")
+_S(202, "fcntl64")
+_S(203, "attrctl")
+_S(204, "acl_get")
+_S(205, "acl_set")
+_S(206, "gettid")
+_S(207, "readahead")
+_S(208, "tkill")
+_S(209, "sendfile64")
+_S(210, "futex")
+_S(211, "sched_setaffinity")
+_S(212, "sched_getaffinity")
+_S(213, "set_thread_area")
+_S(214, "get_thread_area")
+_S(215, "io_setup")
+_S(216, "io_destroy")
+_S(217, "io_getevents")
+_S(218, "io_submit")
+_S(219, "io_cancel")
+_S(220, "alloc_hugepages")
+_S(221, "free_hugepages")
+_S(222, "exit_group")
+_S(223, "lookup_dcookie")
+_S(224, "epoll_create")
+_S(225, "epoll_ctl")
+_S(226, "epoll_wait")
+_S(227, "remap_file_pages")
+_S(228, "semtimedop")
+_S(229, "mq_open")
+_S(230, "mq_unlink")
+_S(231, "mq_timedsend")
+_S(232, "mq_timedreceive")
+_S(233, "mq_notify")
+_S(234, "mq_getsetattr")
+_S(235, "waitid")
+_S(236, "fadvise64_64")
+_S(237, "set_tid_address")
+_S(238, "setxattr")
+_S(239, "lsetxattr")
+_S(240, "fsetxattr")
+_S(241, "getxattr")
+_S(242, "lgetxattr")
+_S(243, "fgetxattr")
+_S(244, "listxattr")
+_S(245, "llistxattr")
+_S(246, "flistxattr")
+_S(247, "removexattr")
+_S(248, "lremovexattr")
+_S(249, "fremovexattr")
+_S(250, "timer_create")
+_S(251, "timer_settime")
+_S(252, "timer_gettime")
+_S(253, "timer_getoverrun")
+_S(254, "timer_delete")
+_S(255, "clock_settime")
+_S(256, "clock_gettime")
+_S(257, "clock_getres")
+_S(258, "clock_nanosleep")
+_S(259, "tgkill")
+_S(260, "mbind")
+_S(261, "get_mempolicy")
+_S(262, "set_mempolicy")
+_S(263, "vserver")
+_S(264, "add_key")
+_S(265, "request_key")
+_S(266, "keyctl")
+_S(267, "ioprio_set")
+_S(268, "ioprio_get")
+_S(269, "inotify_init")
+_S(270, "inotify_add_watch")
+_S(271, "inotify_rm_watch")
+_S(272, "migrate_pages")
+_S(273, "pselect6")
+_S(274, "ppoll")
+_S(275, "openat")
+_S(276, "mkdirat")
+_S(277, "mknodat")
+_S(278, "fchownat")
+_S(279, "futimesat")
+_S(280, "fstatat64")
+_S(281, "unlinkat")
+_S(282, "renameat")
+_S(283, "linkat")
+_S(284, "symlinkat")
+_S(285, "readlinkat")
+_S(286, "fchmodat")
+_S(287, "faccessat")
+_S(288, "unshare")
+_S(289, "set_robust_list")
+_S(290, "get_robust_list")
+_S(291, "splice")
+_S(292, "sync_file_range")
+_S(293, "tee")
+_S(294, "vmsplice")
+_S(295, "move_pages")
+_S(296, "getcpu")
+_S(297, "epoll_pwait")
+_S(298, "statfs64")
+_S(299, "fstatfs64")
+_S(300, "kexec_load")
+_S(301, "utimensat")
+_S(302, "signalfd")
+_S(303, "timerfd")
+_S(304, "eventfd")
+_S(305, "fallocate")
+_S(306, "timerfd_create")
+_S(307, "timerfd_settime")
+_S(308, "timerfd_gettime")
+_S(309, "signalfd4")
+_S(310, "eventfd2")
+_S(311, "epoll_create1")
+_S(312, "dup3")
+_S(313, "pipe2")
+_S(314, "inotify_init1")
+_S(315, "preadv")
+_S(316, "pwritev")
+_S(317, "rt_tgsigqueueinfo")
+_S(318, "perf_event_open")
+_S(319, "recvmmsg")
+_S(320, "accept4")
+_S(321, "prlimit64")
+_S(322, "fanotify_init")
+_S(323, "fanotify_mark")
+_S(324, "clock_adjtime")
+_S(325, "name_to_handle_at")
+_S(326, "open_by_handle_at")
+_S(327, "syncfs")
+_S(328, "setns")
+_S(329, "sendmmsg")
+_S(330, "process_vm_readv")
+_S(331, "process_vm_writev")
+_S(332, "kcmp")
+_S(333, "finit_module")
--- audit-2.3.2.orig/lib/syscall-update.txt
+++ audit-2.3.2/lib/syscall-update.txt
@@ -18,3 +18,6 @@ For adding new arches, the following mig
cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; '
it will still need hand editing
+
+for parisc:
+cat /usr/include/hppa-linux-gnu/asm/unistd.h | grep '^#define __NR_' | grep \(__NR_Linux | sed "s/#define *__NR_//g" | tr -d ")" | awk '{ printf "_S(%s, \"%s\")\n", $4, $1 };'
--- audit-2.3.2.orig/lib/test/lookup_test.c
+++ audit-2.3.2/lib/test/lookup_test.c
@@ -222,6 +222,23 @@ test_ppc_table(void)
}
static void
+test_parisc_table(void)
+{
+ static const struct entry t[] = {
+#include "../parisc_table.h"
+ };
+
+ printf("Testing parisc_table...\n");
+#define I2S(I) audit_syscall_to_name((I), MACH_PARISC)
+#define S2I(S) audit_name_to_syscall((S), MACH_PARISC)
+ TEST_I2S(0);
+ TEST_S2I(-1);
+#undef I2S
+#undef S2I
+}
+
+
+static void
test_s390_table(void)
{
static const struct entry t[] = {
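Review bot: test_parisc_table only looks the table up through MACH_PARISC, while the lookup_table.c hunks route MACH_PARISC64 to the same parisc_syscall_s2i/i2s functions; that second machine id is never exercised, so a mistake in its case label would not be caught. Add a second I2S/S2I pass with MACH_PARISC64 after the `#undef S2I`, as sketched below. The two consecutive blank lines before `static void` also differ from the single blank line that separates the other test functions. test_s390_table continues beyond the hunk.
```c
	/* … unchanged: MACH_PARISC pass … */
#undef S2I
	/* The 64-bit machine id maps to the same table; look it up too. */
#define I2S(I) audit_syscall_to_name((I), MACH_PARISC64)
#define S2I(S) audit_name_to_syscall((S), MACH_PARISC64)
	TEST_I2S(0);
	TEST_S2I(-1);
#undef I2S
#undef S2I
}
```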
@@ -415,6 +432,7 @@ main(void)
test_i386_table();
test_ia64_table();
test_ppc_table();
+ test_parisc_table();
test_s390_table();
test_s390x_table();
test_x86_64_table();
[PATCH][RFC] audit: log namespace inode numbers
by Richard Guy Briggs
Log the namespace details of a task.
---
Does anyone have comments on this patch?
I'm looking for guidance on which types of messages should have namespace
information included. I've included too many, I suspect.
I also wonder if displaying these inode numbers in hexadecimal makes more sense
than decimal, since they are all based around 0xF0000000. These are all with
reference to the proc filesystem, so a device number should not be necessary to
qualify them.
include/linux/audit.h | 1 +
kernel/audit.c | 29 +++++++++++++++++++++++++++++
kernel/audit_watch.c | 1 +
kernel/auditfilter.c | 1 +
kernel/auditsc.c | 5 +++++
5 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 6976219..75fa602 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
+extern void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk);
#ifdef CONFIG_AUDITSYSCALL
/* These are defined in auditsc.c */
diff --git a/kernel/audit.c b/kernel/audit.c
index dc03a30..b4c39a9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,7 +62,15 @@
#endif
#include <linux/freezer.h>
#include <linux/tty.h>
+#include <linux/nsproxy.h>
+#include <linux/utsname.h>
+#include <linux/ipc_namespace.h>
+#include "../fs/mount.h"
+#include <linux/mount.h>
+#include <linux/mnt_namespace.h>
#include <linux/pid_namespace.h>
+#include <net/net_namespace.h>
+#include <linux/user_namespace.h>
#include <net/netns/generic.h>
#include "audit.h"
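Review bot: `#include "../fs/mount.h"` pulls a private filesystem header into kernel/audit.c, whereas every other namespace header added here is a public <linux/...> or <net/...> one. If the only thing needed from it is the `proc_inum` of `struct mnt_namespace` (a later hunk reads `nsproxy->mnt_ns->proc_inum`), a small accessor exported by the fs side would keep the layering intact — hedged, since I cannot see from the diff whether such an accessor exists in this tree. Grouping the public headers before the private one would at least make the dependency stand out.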
@@ -292,6 +300,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
return rc;
audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
audit_log_session_info(ab);
+ audit_log_namespace_info(ab, current);
rc = audit_log_task_context(ab);
if (rc)
allow_changes = 0; /* Something weird, deny request */
@@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
return rc;
audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
audit_log_session_info(*ab);
+ audit_log_namespace_info(*ab, current);
audit_log_task_context(*ab);
return rc;
@@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d",
audit_feature_names[which], !!old_feature, !!new_feature,
!!old_lock, !!new_lock, res);
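Review bot: The namespace fields are written immediately after `audit_log_start()`, before the `feature=` format, so this record begins with a leading space and `pidns=` rather than its key field, unlike every other call site in this series, which appends the namespace info after the primary fields. Move the call below the `audit_log_format(ab, "feature=%s ...")` statement so the record layout stays consistent. The hunk does not show a NULL check on `ab`; audit_log_namespace_info() only calls audit_log_format(), which as far as I recall tolerates a NULL buffer, but that is worth confirming on this path.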
@@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
}
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+
+ rcu_read_lock();
+ audit_log_format(ab, " pidns=%x", task_active_pid_ns(tsk)->proc_inum);
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy != NULL) {
+ audit_log_format(ab, " usrns=%x", nsproxy->net_ns->user_ns->proc_inum);
+ audit_log_format(ab, " utsns=%x", nsproxy->uts_ns->proc_inum);
+ audit_log_format(ab, " ipcns=%x", nsproxy->ipc_ns->proc_inum);
+ audit_log_format(ab, " mntns=%x", nsproxy->mnt_ns->proc_inum);
+ audit_log_format(ab, " netns=%x", nsproxy->net_ns->proc_inum);
+ }
+ rcu_read_unlock();
+}
+
void audit_log_key(struct audit_buffer *ab, char *key)
{
audit_log_format(ab, " key=");
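Review bot: The `usrns` value is read from `nsproxy->net_ns->user_ns`, which is the user namespace that owns the task's network namespace, not necessarily the task's own user namespace; a task's user namespace lives in its credentials, so `task_cred_xxx(tsk, user_ns)->proc_inum` (under the same rcu_read_lock) is the value that actually describes the task. Since these fields are meant to identify where a task ran, attributing the netns owner's user namespace to it would mislead anyone reading the record. The new exported function also has no kernel-doc comment; a short one stating that it appends the pidns/usrns/utsns/ipcns/mntns/netns proc inode numbers of `tsk` and that `tsk`'s nsproxy is read under RCU would match the documented helpers around it.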
@@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation, struct path *link)
goto out;
audit_log_format(ab, "op=%s", operation);
audit_log_task_info(ab, current);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " res=0");
audit_log_end(ab);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 22831c4..2382a3e 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
audit_log_format(ab, "auid=%u ses=%u op=",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
+ audit_log_namespace_info(ab, current);
audit_log_string(ab, op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
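Review bot: The call is inserted between the `"auid=%u ses=%u op="` format and `audit_log_string(ab, op)`, so the namespace fields land between the `op=` key and its value and the record reads `op= pidns=... netns=... <op>`, which breaks key=value parsing of this event. Move the line after the value is written, i.e. `audit_log_string(ab, op);` followed by `audit_log_namespace_info(ab, current);` (or after `audit_log_untrustedstring(ab, w->path)`). audit_watch_log_rule_change starts before the hunk.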
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 14a78cc..9c4b004 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
if (!ab)
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+ audit_log_namespace_info(ab, current);
audit_log_task_context(ab);
audit_log_format(ab, " op=");
audit_log_string(ab, action);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 10176cd..3c73a3b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
+ audit_log_namespace_info(ab, current);
if (sid) {
if (security_secid_to_secctx(sid, &ctx, &len)) {
audit_log_format(ab, " obj=(none)");
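Review bot: This record describes another process (`opid=%d` with its own `oauid`/`ouid`/`oses`), but the namespace fields are taken from `current`, so a reader will attribute the caller's namespaces to the target pid. As far as the visible signature shows, audit_log_pid_context() receives a pid rather than a task pointer, so either resolve the task (`find_task_by_vpid()` under RCU, if the pid is still live at this point) and log its namespaces, or prefix these keys so they are clearly the caller's. The function starts before and ends after the hunk.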
@@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->name_count);
audit_log_task_info(ab, tsk);
+ audit_log_namespace_info(ab, current);
audit_log_key(ab, context->filterkey);
audit_log_end(ab);
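Review bot: `audit_log_task_info(ab, tsk)` on the previous line logs the exiting task, but the new line logs the namespaces of `current`; audit_log_exit() takes `tsk` explicitly, so pass it: `audit_log_namespace_info(ab, tsk);`. If `tsk` is always `current` on this path the two are equivalent, but the mismatch reads as a bug to the next maintainer. The function starts before and ends after the hunk.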
@@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
current->pid, uid,
oldloginuid, loginuid, oldsessionid, sessionid,
!rc);
+ audit_log_namespace_info(ab, current);
audit_log_end(ab);
}
@@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab);
}
@@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " compat=%d", is_compat_task());
--
1.7.1
Clear kernel audit buffer?
by Aaron Lewis
Hi,
I'm doing a stress test on auditd, so I added a rule to monitor the "open"
syscall, then used a C program to generate a massive amount of logs.
The program finished and exited.
But I generated too much: if I kill auditd and start it again, I can
still see a lot of type=SYSCALL logs (but not CWD or PATH).
Can I clear the existing buffer?
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
[PATCH] audit: correct a type mismatch in audit_syscall_exit()
by AKASHI Takahiro
audit_syscall_exit() saves the result of regs_return_value() in an intermediate
"int" variable and passes it to __audit_syscall_exit(), which expects its
second argument to be a "long" value.
This will result in truncating the value returned by a system call and
making a wrong audit record.
I don't know why the gcc compiler doesn't complain about this, but in any case it
causes a problem at runtime on arm64 (and probably on most 64-bit archs).
Signed-off-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org>
---
include/linux/audit.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c49a312..3dcb3f0 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -144,7 +144,7 @@ static inline void audit_syscall_exit(void *pt_regs)
{
if (unlikely(current->audit_context)) {
int success = is_syscall_success(pt_regs);
- int return_code = regs_return_value(pt_regs);
+ long return_code = regs_return_value(pt_regs);
__audit_syscall_exit(success, return_code);
}
--
1.7.9.5
[PATCH 1/2] audit: print error message when fail to create audit socket
by Gao feng
print the error message and then return -ENOMEM.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
kernel/audit.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a0ed0b..041b951 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1083,12 +1083,11 @@ static int __net_init audit_net_init(struct net *net)
pr_info("audit: initializing netlink socket in namespace\n");
aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
- if (aunet->nlsk == NULL)
- return -ENOMEM;
- if (!aunet->nlsk)
+ if (aunet->nlsk == NULL) {
audit_panic("cannot initialize netlink socket in namespace");
- else
- aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ return -ENOMEM;
+ }
+ aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
return 0;
}
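Review bot: `audit_panic()` was unreachable before this change (the `return -ENOMEM` preceded it) and is now called on every failed `netlink_kernel_create()`; its behaviour depends on the audit_failure setting, and if I read it correctly it can panic the machine when that is set to panic. Failing to create the per-namespace audit socket — which can happen under memory pressure whenever a new network namespace is set up — does not seem to warrant that, and the description only promises an error message. A plain `pr_err("audit: cannot initialize netlink socket in namespace\n");` before `return -ENOMEM;` would match the stated intent. audit_net_init starts before the hunk.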
--
1.8.3.1
Architecture of auditd
by Aaron Lewis
Hi, I wrote a very simple program to receive audit messages over a netlink socket,
but it gets stuck at recvfrom. Am I missing something?
#include <stdio.h>
#include <unistd.h>
#include <assert.h>
#include <string.h>
#include <stdlib.h>
#include <math.h>
#include <sys/socket.h>
#include <linux/netlink.h>
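/*
 * Report the failed call named by `a` via perror() and exit with status 1.
 * The expansion deliberately ends without a semicolon: the caller supplies
 * it, so `if (x) ERR_QUIT("x"); else ...` stays a single statement instead
 * of leaving a stray empty statement that breaks the else branch.
 */
#define ERR_QUIT(a) do { perror(a); exit(1); } while (0)
#ifndef PF_NETLINK
# define PF_NETLINK 16
#endif
/* Receive buffer for one netlink datagram; the size is an arbitrary upper bound. */
char message[10000];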
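/*
 * Open a NETLINK_AUDIT socket and block until a single datagram arrives.
 *
 * The socket is neither bound nor sent any request before recvfrom(), so the
 * call only returns once the kernel has something to deliver to this
 * particular socket.  NOTE(review): the kernel appears to deliver audit
 * events only to the socket that registered itself with an AUDIT_SET
 * request — confirm against audit_receive_msg() in kernel/audit.c before
 * relying on a bare recvfrom() here.
 *
 * Returns 0 after printing the received length; exits with status 1 via
 * ERR_QUIT if socket() or recvfrom() fails.  argc/argv are unused.
 */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	struct sockaddr_nl nladdr = {0};
	socklen_t nladdrlen = sizeof nladdr;

	int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
	if (fd < 0)
		ERR_QUIT("socket");

	/* recvfrom() returns ssize_t; keep the full width instead of an int. */
	ssize_t len = recvfrom(fd, message, sizeof message, 0,
			       (struct sockaddr *)&nladdr, &nladdrlen);
	if (len < 0)
		ERR_QUIT("recvfrom");

	printf("Received %zd bytes\n", len);
	close(fd);
	return 0;
}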
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
Make the dispatcher run faster?
by Aaron Lewis
Hi,
I've replaced the dispatcher with a self-written one; it only prints
what it sees.
Now I run auditd -f to keep it in the foreground and feed it a
massive amount of data,
but the dispatcher prints only one line per second. Is there a rate
limit?
If so, how do I change it?
Thanks!
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
Bug in auditing of sys_symlink
by Aaron Lewis
Hi,
It looks like the 2.6.32 kernel has a bug with sys_symlink.
I'm trying to monitor all symlinks that point to a specific dir, so I added:
-a exit,always -F arch=b64 -S symlink -F success=1 -F dir=/secure
But "ln -s /secure/file /tmp/file" doesn't trigger alert
And "cd /secure; ln -s /bin/ls" does.
So I guess the auditing implementation is somehow incomplete?
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
[PATCH 3.2 027/185] audit: printk USER_AVC messages when audit isn't enabled
by Ben Hutchings
3.2.54-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hicks <tyhicks(a)canonical.com>
commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
Acked-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Ben Hutchings <ben(a)decadent.org.uk>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(str
char *ctx = NULL;
u32 len;
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
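Review bot: The exemption has no comment, and its rationale lives in a different function and in older commit messages, so a reader of this line alone cannot tell why AUDIT_USER_AVC may allocate a buffer while audit is disabled. Add above the condition: `/* AUDIT_USER_AVC must still reach printk() when audit is off; keep in sync with audit_receive_msg() */`. audit_log_common_recv_msg starts before and continues after the hunk.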