December 2013 - Linux-audit - Linux-Audit List Archives

nlmsg_len in audit netlink messages going to userspace

by Richard Guy Briggs

Hi (primarily Eric and Steve), In audit_log_end(), nlh->nlmsg_len is incorrectly set: nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN; Since this is a known bug and anticipated by userspace, we can't change it without disrupting userspace or somehow synchronizing a fix between the two. The function audit_make_reply() also generates netlink messges for userspace, indirectly called by audit_receive_msg() cases: AUDIT_GET AUDIT_SIGNAL_INFO AUDIT_TTY_GET AUDIT_LIST_RULES AUDIT_GET_FEATURE It doesn't make the same nlmsg_len change above. Should it, to be consistent, or does userspace already know about those being correct? The userspace->kernel direction has recently been updated to fix all the cases, I think. - RGB -- Richard Guy Briggs <rbriggs(a)redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

11 years

1
0
0 / 0

[PATCH 3.5 51/90] audit: printk USER_AVC messages when audit isn't enabled

by Luis Henriques

3.5.7.27 -stable review patch. If anyone has any objections, please let me know. ------------------ From: Tyler Hicks <tyhicks(a)canonical.com> commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com Acked-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> [ luis: backported to 3.5: adjusted context ] Signed-off-by: Luis Henriques <luis.henriques(a)canonical.com> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5917dfe..f02d3fc 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, char *ctx = NULL; u32 len; - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; } -- 1.8.3.2

11 years

1
0
0 / 0

[3.11.y.z extended stable] Patch "audit: printk USER_AVC messages when audit isn't enabled" has been added to staging queue

by Luis Henriques

This is a note to let you know that I have just added a patch titled audit: printk USER_AVC messages when audit isn't enabled to the linux-3.11.y-queue branch of the 3.11.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/l... If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.11.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ >From e476d1a0daf238115c7c0599f1faafc08527fee6 Mon Sep 17 00:00:00 2001 From: Tyler Hicks <tyhicks(a)canonical.com> Date: Thu, 25 Jul 2013 18:02:55 -0700 Subject: audit: printk USER_AVC messages when audit isn't enabled commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com Acked-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> Signed-off-by: Luis Henriques <luis.henriques(a)canonical.com> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 7b0e23a..f5dc4b5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) int rc = 0; uid_t uid = from_kuid(&init_user_ns, current_uid()); - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; } -- 1.8.3.2

11 years

1
0
0 / 0

Namespaces in event records

by Ondrej Moris

Hi, I am wondering if there is a way to get namespaces related to an audit event? There are obviously no namespace fields and I do not see them in the message as well. It might be important to audit a namespace of the process causing the event... or not? -- Ondrej Moriš, RHCSA, RHCE, RHCSS, RHCVA Quality Assurance Engineer BaseOS QE - Security Email: omoris(a)redhat.com Web: www.cz.redhat.com IRC: omoris at #qa #urt #brno, #penguins Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

11 years

2
1
0 / 0

[PATCH 3.12 105/212] audit: printk USER_AVC messages when audit isnt enabled

by Greg Kroah-Hartman

3.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tyler Hicks <tyhicks(a)canonical.com> commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com Acked-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/audit.c +++ b/kernel/audit.c @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(str int rc = 0; uid_t uid = from_kuid(&init_user_ns, current_uid()); - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; }

11 years

1
0
0 / 0

[PATCH 3.10 081/173] audit: printk USER_AVC messages when audit isnt enabled

by Greg Kroah-Hartman

3.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tyler Hicks <tyhicks(a)canonical.com> commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com Acked-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/audit.c +++ b/kernel/audit.c @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(str int rc = 0; uid_t uid = from_kuid(&init_user_ns, current_uid()); - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; }

11 years

1
0
0 / 0

[PATCH 3.4 36/60] audit: printk USER_AVC messages when audit isnt enabled

by Greg Kroah-Hartman

3.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tyler Hicks <tyhicks(a)canonical.com> commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Paris <eparis(a)redhat.com> Cc: linux-audit(a)redhat.com Acked-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Eric Paris <eparis(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/audit.c +++ b/kernel/audit.c @@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(str char *ctx = NULL; u32 len; - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; }

11 years

1
0
0 / 0

Follow up on command line auditing

by William Roberts

Just following up on this since the holiday, any traction? Changelog since last post: * Rebase on latest master [PATCH] audit: Audit proc cmdline value

11 years

2
6
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit December 2013