[PATCH 1/1] Added exe field to audit core dump signal log
by Paul Davies C
Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.
This patch changes the audit_log_task() so that the path to the exe is also
logged.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..988de72 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+ struct mm_struct *mm = current->mm;
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ if (mm->exe_file)
+ audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+ up_read(&mm->mmap_sem);
+ }
}
static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
--
1.7.9.5
9 years, 4 months
[PATCH v10 0/3] arm64: Add audit support
by AKASHI Takahiro
(This patchset was already acked by the maintainers, and
re-targeting v3.17. See change history.)
(I don't think that discussions below about ptrace() have impact on
this patchset.
http://lists.infradead.org/pipermail/linux-arm-kernel/2014-July/268923.html
)
This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
This patch should work correctly with:
* userspace audit tool (v2.3.6 or later)
This code was tested on both 32-bit and 64-bit LE userland
in the following two ways:
1) basic operations with auditctl/autrace
# auditctl -a exit,always -S openat -F path=/etc/inittab
# auditctl -a exit,always -F dir=/tmp -F perm=rw
# auditctl -a task,always
# autrace /bin/ls
by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64)
by running "audit-tool", "filter" and "syscalls" test categories.
Changes v9 -> v10:
* rebased on 3.16-rc3
* included Catalin's patch[1/3] and added more syscall definitions for 3.16
Changes v8 -> v9:
* rebased on 3.15-rc, especially due to the change of syscall_get_arch()
interface [1,2/2]
Changes v7 -> v8:
* aligned with the change in "audit: generic compat system call audit
support" v5 [1/2]
* aligned with the change in "arm64: split syscall_trace() into separate
functions for enter/exit" v5 [2/2]
Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
<uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
functions for enter/exit" [2/2]
Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
for all syscall features" v3 [1/2]
Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
for all syscall features" v2 [3/3]
Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3:
* Remove asm/audit.h.
See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
Please note that a required header, unistd_32.h, is automatically
generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
which was not intentionally included in v1 because it could be added
by "kprobes support".
AKASHI Takahiro (2):
arm64: Add audit support
arm64: audit: Add audit hook in syscall_trace_enter/exit()
Catalin Marinas (1):
arm64: Add __NR_* definitions for compat syscalls
arch/arm64/Kconfig | 2 +
arch/arm64/include/asm/syscall.h | 14 +
arch/arm64/include/asm/unistd.h | 17 +
arch/arm64/include/asm/unistd32.h | 1166 ++++++++++++++++++++++++-------------
arch/arm64/kernel/entry.S | 1 -
arch/arm64/kernel/kuser32.S | 2 +-
arch/arm64/kernel/ptrace.c | 7 +
arch/arm64/kernel/signal32.c | 2 +-
arch/arm64/kernel/sys_compat.c | 2 +-
include/uapi/linux/audit.h | 1 +
10 files changed, 810 insertions(+), 404 deletions(-)
--
1.7.9.5
9 years, 9 months
[PATCH] TaskTracker : Simplified thread information tracker.
by Tetsuo Handa
Yesterday I went to LinuxCon Japan 2014 and stopped at Red Hat's booth
and Oracle's booth. I explained about this module ( using page 92 of
http://I-love.SAKURA.ne.jp/tomoyo/LCJ2014-en.pdf ) and got positive
responses from persons who have experienced troubleshooting jobs.
I was convinced that I am not the only person who is bothered by lack of
process history information in the logs. Therefore, I repost this module
toward inclusion into mainline Linux kernel.
Changes from previous version ( http://lwn.net/Articles/575044/ ):
(1) Assign a value to "u32 *seclen" in addition to "char *secdata"
at security_task_getsecid() hook.
(2) Make calculation of time stamp a bit faster.
Background:
When an unexpected system event (e.g. reboot) occurs, the administrator may
want to identify which application triggered the event. System call auditing
could be used for recording such event. However, the audit log may not be
able to provide sufficient information for identifying the application
because the audit log does not reflect how the program was executed.
I sometimes receive "which application triggered the event" questions on RHEL
systems. TOMOYO security module can track how the program was executed, but
TOMOYO is not yet available in Fedora/RHEL distributions.
Although subj= field is added to the audit log if SELinux is not disabled,
SELinux is too difficult to customize as fine grained as I expect in order to
reflect how the program was executed. Therefore, I'm currently using AKARI
and SystemTap for emulating TOMOYO-like tracing.
But AKARI and SystemTap do not help unless the kernel module is loaded before
the unexpected system event occurs. Generally, the administrator is failing
to record the first event, and has to wait for the same event to occur again
after loading the kernel module and/or configuring auditing. I came to think
that we want a built-in kernel routine which is automatically started upon
boot so that we don't fail to record the first event.
What I did:
Assuming that multiple concurrent LSM support comes in the near future,
I wrote a trivial LSM module which emits TOMOYO-like information into the
audit logs.
Usage:
Just register this LSM module. No configuration is needed. You will get
history of current thread in the form of comm name and time stamp pairs
in the subj= field of audit logs like examples shown in the patch
description.
----------
>From ff68d3a4cd496bd263d2939848777fffc30cbc0b Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
Date: Fri, 23 May 2014 21:31:56 +0900
Subject: [PATCH] TaskTracker : Simplified thread information tracker.
Existing audit logs generated via system call auditing functionality include
current thread's comm name. But it is not always sufficient for identifying
which application has requested specific operations because comm name does not
reflect history of current thread.
This security module adds functionality for adding current thread's history
information like TOMOYO security module does, expecting that this module can
help us getting more information from system call auditing functionality.
type=USER_LOGIN msg=audit(1400879947.084:24): pid=4308 uid=0 auid=0 ses=2
subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=>
switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=>
sh(2014/05/23-21:17:56)=>mingetty(2014/05/23-21:17:56)=>
login(2014/05/23-21:19:05)" msg='op=login id=0 exe="/bin/login" hostname=?
addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1400880014.444:26): arch=40000003 syscall=11
success=yes exit=0 a0=8140f78 a1=812b7d8 a2=812b248 a3=812b7d8 items=2
ppid=4323 pid=4355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=1 comm="tail" exe="/usr/bin/tail"
subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=>
switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=>
sh(2014/05/23-21:17:37)=>rc(2014/05/23-21:17:37)=>
S55sshd(2014/05/23-21:17:53)=>sshd(2014/05/23-21:17:53)=>
sshd(2014/05/23-21:18:17)=>bash(2014/05/23-21:18:21)=>
tail(2014/05/23-21:20:14)" key=(null)
Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
---
security/Kconfig | 6 +
security/Makefile | 2 +
security/tasktracker/Kconfig | 35 +++++
security/tasktracker/Makefile | 1 +
security/tasktracker/tasktracker.c | 282 ++++++++++++++++++++++++++++++++++++
5 files changed, 326 insertions(+), 0 deletions(-)
create mode 100644 security/tasktracker/Kconfig
create mode 100644 security/tasktracker/Makefile
create mode 100644 security/tasktracker/tasktracker.c
diff --git a/security/Kconfig b/security/Kconfig
index beb86b5..14e7d27 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -122,6 +122,7 @@ source security/smack/Kconfig
source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/yama/Kconfig
+source security/tasktracker/Kconfig
source security/integrity/Kconfig
@@ -132,6 +133,7 @@ choice
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
+ default DEFAULT_SECURITY_TT if SECURITY_TT
default DEFAULT_SECURITY_DAC
help
@@ -153,6 +155,9 @@ choice
config DEFAULT_SECURITY_YAMA
bool "Yama" if SECURITY_YAMA=y
+ config DEFAULT_SECURITY_TT
+ bool "TaskTracker" if SECURITY_TT=y
+
config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"
@@ -165,6 +170,7 @@ config DEFAULT_SECURITY
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "yama" if DEFAULT_SECURITY_YAMA
+ default "tt" if DEFAULT_SECURITY_TT
default "" if DEFAULT_SECURITY_DAC
endmenu
diff --git a/security/Makefile b/security/Makefile
index 05f1c93..28a90ed 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
+subdir-$(CONFIG_SECURITY_TT) += tasktracker
# always enable default capabilities
obj-y += commoncap.o
@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
+obj-$(CONFIG_SECURITY_TT) += tasktracker/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/tasktracker/Kconfig b/security/tasktracker/Kconfig
new file mode 100644
index 0000000..6de5354
--- /dev/null
+++ b/security/tasktracker/Kconfig
@@ -0,0 +1,35 @@
+config SECURITY_TT
+ bool "TaskTracker support"
+ depends on SECURITY
+ default n
+ help
+ Existing audit logs generated via system call auditing functionality
+ include current thread's comm name. But it is not always sufficient
+ for identifying which application has requested specific operations
+ because comm name does not reflect history of current thread.
+
+ This security module adds functionality for adding current thread's
+ history information like TOMOYO security module does, expecting that
+ this module can help us getting more information from system call
+ auditing functionality.
+
+ If you are unsure how to answer this question, answer N.
+
+ Usage:
+
+ Just register this module. No configuration is needed.
+
+ You will get history of current thread in the form of
+ comm name and time stamp pairs in the subj= field of audit logs
+ like an example shown below.
+
+ type=SYSCALL msg=audit(1400880014.444:26): arch=40000003 syscall=11
+ success=yes exit=0 a0=8140f78 a1=812b7d8 a2=812b248 a3=812b7d8
+ items=2 ppid=4323 pid=4355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
+ egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="tail"
+ exe="/usr/bin/tail" subj="swapper/0(2014/05/23-21:17:30)=>
+ init(2014/05/23-21:17:33)=>switch_root(2014/05/23-21:17:34)=>
+ init(2014/05/23-21:17:34)=>sh(2014/05/23-21:17:37)=>
+ rc(2014/05/23-21:17:37)=>S55sshd(2014/05/23-21:17:53)=>
+ sshd(2014/05/23-21:17:53)=>sshd(2014/05/23-21:18:17)=>
+ bash(2014/05/23-21:18:21)=>tail(2014/05/23-21:20:14)" key=(null)
diff --git a/security/tasktracker/Makefile b/security/tasktracker/Makefile
new file mode 100644
index 0000000..15d03ce
--- /dev/null
+++ b/security/tasktracker/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_SECURITY_TT) := tasktracker.o
diff --git a/security/tasktracker/tasktracker.c b/security/tasktracker/tasktracker.c
new file mode 100644
index 0000000..ec4eb0c
--- /dev/null
+++ b/security/tasktracker/tasktracker.c
@@ -0,0 +1,282 @@
+/*
+ * tasktracker.c - Simplified thread information tracker.
+ *
+ * Copyright (C) 2010-2014 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
+ */
+#include <linux/security.h>
+#include <linux/binfmts.h>
+
+/* Wrapper structure for passing string buffer. */
+struct tt_record {
+ char history[1024];
+};
+
+/* Structure for representing YYYY/MM/DD hh/mm/ss. */
+struct tt_time {
+ u16 year;
+ u8 month;
+ u8 day;
+ u8 hour;
+ u8 min;
+ u8 sec;
+};
+
+/**
+ * tt_get_time - Get current time in YYYY/MM/DD hh/mm/ss format.
+ *
+ * @stamp: Pointer to "struct tt_time".
+ *
+ * Returns nothing.
+ *
+ * This function does not handle Y2038 problem.
+ */
+static void tt_get_time(struct tt_time *stamp)
+{
+ struct timeval tv;
+ static const u16 tt_eom[2][12] = {
+ { 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },
+ { 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }
+ };
+ u16 y = 1970;
+ u8 m;
+ bool r;
+ time_t time;
+ do_gettimeofday(&tv);
+ time = tv.tv_sec;
+ stamp->sec = time % 60;
+ time /= 60;
+ stamp->min = time % 60;
+ time /= 60;
+ stamp->hour = time % 24;
+ time /= 24;
+ if (time >= 16071) {
+ /* Start from 2014/01/01 rather than 1970/01/01. */
+ time -= 16071;
+ y += 44;
+ }
+ while (1) {
+ const unsigned short days = (y & 3) ? 365 : 366;
+ if (time < days)
+ break;
+ time -= days;
+ y++;
+ }
+ r = (y & 3) == 0;
+ for (m = 0; m < 11 && time >= tt_eom[r][m]; m++)
+ ;
+ if (m)
+ time -= tt_eom[r][m - 1];
+ stamp->year = y;
+ stamp->month = ++m;
+ stamp->day = ++time;
+}
+
+/**
+ * tt_update_record - Update "struct tt_record" for given credential.
+ *
+ * @record: Pointer to "struct tt_record".
+ *
+ * Returns nothing.
+ */
+static void tt_update_record(struct tt_record *record)
+{
+ char *cp;
+ int i;
+ struct tt_time stamp;
+ tt_get_time(&stamp);
+ /*
+ * Lockless update because current thread's record is not concurrently
+ * accessible, for "struct cred"->security is not visible from other
+ * threads because this function is called upon only boot up and
+ * successful execve() operation.
+ */
+ cp = record->history;
+ i = strlen(cp);
+ while (i >= sizeof(record->history) - (TASK_COMM_LEN * 4 + 30)) {
+ /*
+ * Since this record is not for making security decision,
+ * I don't care by-chance matching "=>" in task's commname.
+ */
+ char *cp2 = strstr(cp + 2, "=>");
+ if (!cp2)
+ return;
+ memmove(cp + 1, cp2, strlen(cp2) + 1);
+ i = strlen(cp);
+ }
+ if (!i)
+ *cp++ = '"';
+ else {
+ cp += i - 1;
+ *cp++ = '=';
+ *cp++ = '>';
+ }
+ /*
+ * Lockless read because this is current thread and being unexpectedly
+ * modified by other thread is not a fatal problem.
+ */
+ for (i = 0; i < TASK_COMM_LEN; i++) {
+ const unsigned char c = current->comm[i];
+ if (!c)
+ break;
+ else if (c == '"' || c == '\\' || c < 0x21 || c > 0x7e) {
+ *cp++ = '\\';
+ *cp++ = (c >> 6) + '0';
+ *cp++ = ((c >> 3) & 7) + '0';
+ *cp++ = (c & 7) + '0';
+ } else
+ *cp++ = c;
+ }
+ sprintf(cp, "(%04u/%02u/%02u-%02u:%02u:%02u)\"", stamp.year,
+ stamp.month, stamp.day, stamp.hour, stamp.min, stamp.sec);
+}
+
+/**
+ * tt_find_record - Find "struct tt_record" for given credential.
+ *
+ * @cred: Pointer to "struct cred".
+ *
+ * Returns pointer to "struct tt_record".
+ */
+static inline struct tt_record *tt_find_record(const struct cred *cred)
+{
+ return cred->security;
+}
+
+/**
+ * tt_cred_alloc_blank - Allocate memory for new credentials.
+ *
+ * @new: Pointer to "struct cred".
+ * @gfp: Memory allocation flags.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tt_cred_alloc_blank(struct cred *new, gfp_t gfp)
+{
+ new->security = kzalloc(sizeof(struct tt_record), gfp);
+ return new->security ? 0 : -ENOMEM;
+}
+
+/**
+ * tt_cred_prepare - Allocate memory for new credentials.
+ *
+ * @new: Pointer to "struct cred".
+ * @old: Pointer to "struct cred".
+ * @gfp: Memory allocation flags.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tt_cred_prepare(struct cred *new, const struct cred *old,
+ gfp_t gfp)
+{
+ if (tt_cred_alloc_blank(new, gfp))
+ return -ENOMEM;
+ strcpy(tt_find_record(new)->history, tt_find_record(old)->history);
+ return 0;
+}
+
+/**
+ * tt_cred_free - Release memory used by credentials.
+ *
+ * @cred: Pointer to "struct cred".
+ *
+ * Returns nothing.
+ */
+static void tt_cred_free(struct cred *cred)
+{
+ kfree(cred->security);
+}
+
+/**
+ * tt_cred_transfer - Transfer "struct tt_record" between credentials.
+ *
+ * @new: Pointer to "struct cred".
+ * @old: Pointer to "struct cred".
+ *
+ * Returns nothing.
+ */
+static void tt_cred_transfer(struct cred *new, const struct cred *old)
+{
+ strcpy(tt_find_record(new)->history, tt_find_record(old)->history);
+}
+
+/**
+ * tt_bprm_committing_creds - A hook which is called when do_execve() succeeded.
+ *
+ * @bprm: Pointer to "struct linux_binprm".
+ *
+ * Returns nothing.
+ */
+static void tt_bprm_committing_creds(struct linux_binprm *bprm)
+{
+ tt_update_record(tt_find_record(bprm->cred));
+}
+
+/**
+ * tt_task_getsecid - Check whether to audit or not.
+ *
+ * @p: Pointer to "struct task_struct".
+ * @secid: Pointer to flag.
+ */
+static void tt_task_getsecid(struct task_struct *p, u32 *secid)
+{
+ *secid = (p == current);
+}
+
+/**
+ * tt_secid_to_secctx - Allocate memory used for auditing.
+ *
+ * @secid: Bool flag to allocate.
+ * @secdata: Pointer to allocate memory.
+ * @seclen: Size of allocated memory.
+ *
+ * Returns 0 on success, -EINVAL otherwise.
+ */
+static int tt_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+ struct tt_record *record;
+ /* Ignore unless current thread's record is requested. */
+ if (secid != 1)
+ return -EINVAL;
+ /*
+ * We don't need to duplicate the string because current thread's
+ * record is updated upon only boot up and successful execve()
+ * operation, even if current thread's record is shared between
+ * multiple threads.
+ */
+ record = tt_find_record(current->real_cred);
+ *secdata = record->history;
+ *seclen = strlen(record->history);
+ return 0;
+}
+
+/* List of hooks. */
+static struct security_operations tasktracker_ops = {
+ .name = "tt",
+ .secid_to_secctx = tt_secid_to_secctx,
+ .task_getsecid = tt_task_getsecid,
+ .cred_prepare = tt_cred_prepare,
+ .cred_free = tt_cred_free,
+ .cred_alloc_blank = tt_cred_alloc_blank,
+ .cred_transfer = tt_cred_transfer,
+ .bprm_committing_creds = tt_bprm_committing_creds,
+};
+
+/**
+ * tt_init - Initialize this module.
+ *
+ * Returns 0 on success, panic otherwise.
+ */
+static int __init tt_init(void)
+{
+ struct cred *cred = (struct cred *) current_cred();
+ if (!security_module_enable(&tasktracker_ops))
+ return 0;
+ if (tt_cred_alloc_blank(cred, GFP_ATOMIC) ||
+ register_security(&tasktracker_ops))
+ panic("Failure registering TaskTracker");
+ tt_update_record(tt_find_record(cred));
+ pr_info("TaskTracker initialized\n");
+ return 0;
+}
+
+security_initcall(tt_init);
--
1.7.1
9 years, 9 months
How to audit socket close system call?
by Jie Cui
Hi all~
How to audit socket close system call?
I can audit the socket connection by 'connect' system call.
I can also audit the socket termination by 'shutdown' system call.
But I can't figure out how to audit when the socket is closed.
Does the 'close' system call works? However all the file close events will
also be auditing. That's not what I want.
9 years, 10 months
[GIT PULL] Audit fixes for 3.19 #2
by Paul Moore
Hi Linus,
One audit patch to resolve a panic/oops when recording filenames in the audit
log, see the mail archive link below. The fix isn't as nice as I would like,
as it involves an allocate/copy of the filename, but it solves the problem and
the overhead should only affect users who have configured audit rules
involving file names. We'll revisit this issue with future kernels in an
attempt to make this suck less, but in the meantime I think this fix should go
into the next release of v3.19-rcX.
* https://marc.info/?t=141986927600001&r=1&w=2
Thanks,
-Paul
---
The following changes since commit 041d7b98ffe59c59fdd639931dea7d74f9aa9a59:
audit: restore AUDIT_LOGINUID unset ABI (2014-12-23 16:40:18 -0500)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to fcf22d8267ad2601fe9b6c549d1be96401c23e0b:
audit: create private file name copies when auditing inodes (2014-12-30
09:26:21 -0500)
----------------------------------------------------------------
Paul Moore (1):
audit: create private file name copies when auditing inodes
kernel/auditsc.c | 49 ++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 9 deletions(-)
9 years, 10 months
[PATCH] audit: create private file name copies when auditing inodes
by Paul Moore
Unfortunately, while commit 4a928436 ("audit: correctly record file
names with different path name types") fixed a problem where we were
not recording filenames, it created a new problem by attempting to use
these file names after they had been freed. This patch resolves the
issue by creating a copy of the filename which the audit subsystem
frees after it is done with the string.
At some point it would be nice to resolve this issue with refcounts,
or something similar, instead of having to allocate/copy strings, but
that is almost surely beyond the scope of a -rcX patch so we'll defer
that for later. On the plus side, only audit users should be impacted
by the string copying.
Reported-by: Toralf Foerster <toralf.foerster(a)gmx.de>
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
kernel/auditsc.c | 49 ++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 9 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 287b3d3..793e9e9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -72,6 +72,8 @@
#include <linux/fs_struct.h>
#include <linux/compat.h>
#include <linux/ctype.h>
+#include <linux/string.h>
+#include <uapi/linux/limits.h>
#include "audit.h"
@@ -1861,8 +1863,7 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
}
list_for_each_entry_reverse(n, &context->names_list, list) {
- /* does the name pointer match? */
- if (!n->name || n->name->name != name->name)
+ if (!n->name || strcmp(n->name->name, name->name))
continue;
/* match the correct record type */
@@ -1881,14 +1882,44 @@ out_alloc:
n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
if (!n)
return;
- if (name)
- /* since name is not NULL we know there is already a matching
- * name record, see audit_getname(), so there must be a type
- * mismatch; reuse the string path since the original name
- * record will keep the string valid until we free it in
- * audit_free_names() */
- n->name = name;
+ /* unfortunately, while we may have a path name to record with the
+ * inode, we can't always rely on the string lasting until the end of
+ * the syscall so we need to create our own copy, it may fail due to
+ * memory allocation issues, but we do our best */
+ if (name) {
+ /* we can't use getname_kernel() due to size limits */
+ size_t len = strlen(name->name) + 1;
+ struct filename *new = __getname();
+
+ if (unlikely(!new))
+ goto out;
+
+ if (len <= (PATH_MAX - sizeof(*new))) {
+ new->name = (char *)(new) + sizeof(*new);
+ new->separate = false;
+ } else if (len <= PATH_MAX) {
+ /* this looks odd, but is due to final_putname() */
+ struct filename *new2;
+ new2 = kmalloc(sizeof(*new2), GFP_KERNEL);
+ if (unlikely(!new2)) {
+ __putname(new);
+ goto out;
+ }
+ new2->name = (char *)new;
+ new2->separate = true;
+ new = new2;
+ } else {
+ /* we should never get here, but let's be safe */
+ __putname(new);
+ goto out;
+ }
+ strlcpy((char *)new->name, name->name, len);
+ new->uptr = NULL;
+ new->aname = n;
+ n->name = new;
+ n->name_put = true;
+ }
out:
if (parent) {
n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
9 years, 10 months
Re: v3.19-rc2: crashes during boot (syslog-ng, rpcbind ...)
by Paul Moore
On Monday, December 29, 2014 05:24:38 PM Toralf Förster wrote:
> On 12/29/2014 05:21 PM, Paul Moore wrote:
> > On Mon, Dec 29, 2014 at 11:07 AM, Toralf Förster wrote:
> >> A x86 KVM guest running at a 64 bit Gentoo hardened host system the
> >> following crashes appeared reproducible (screen shots attached.
> >>
> >> If I removed syslog-ng from the runlevel default, then the crash just
> >> appeared a little bit later at another subsystem>
> >
> > It looks like it doesn't like something in audit_compare_dname_path();
> > I'll take a look and see what I can find, there is a patch in -rc2
> > which touched some related code.
> >
> > I didn't see this problem in my earlier testing, can you share your
> > .config?
>
> ofc - attached
[NOTE: added linux-audit to the CC line, I should have done that earlier]
I believe I can reproduce this now; I'm seeing slightly different panics, but
it is "close enough" and based on some quality time with the code I believe
they are both symptoms of the same root cause.
To help verify that I'm heading down the right path, could you share your
audit configuration as well? If that's not possible, can you at least confirm
that you using a few audit directory watches?
--
paul moore
www.paul-moore.com
9 years, 10 months
WASP for Linux 7?
by Margaret M Sanders
Expertise:
Is there a WASP for Linux 7? What is the accepted and accredited security scanning app for Linux 7--is it SECSCN?
Thank you,
MS
SwRI
ISSO/ATA
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore
Sent: Monday, December 29, 2014 1:42 PM
To: Toralf Förster
Cc: linux-audit(a)redhat.com; linux Kernel
Subject: Re: v3.19-rc2: crashes during boot (syslog-ng, rpcbind ...)
On Monday, December 29, 2014 05:24:38 PM Toralf Förster wrote:
> On 12/29/2014 05:21 PM, Paul Moore wrote:
> > On Mon, Dec 29, 2014 at 11:07 AM, Toralf Förster wrote:
> >> A x86 KVM guest running at a 64 bit Gentoo hardened host system the
> >> following crashes appeared reproducible (screen shots attached.
> >>
> >> If I removed syslog-ng from the runlevel default, then the crash
> >> just appeared a little bit later at another subsystem>
> >
> > It looks like it doesn't like something in
> > audit_compare_dname_path(); I'll take a look and see what I can
> > find, there is a patch in -rc2 which touched some related code.
> >
> > I didn't see this problem in my earlier testing, can you share your
> > .config?
>
> ofc - attached
[NOTE: added linux-audit to the CC line, I should have done that earlier]
I believe I can reproduce this now; I'm seeing slightly different panics, but it is "close enough" and based on some quality time with the code I believe they are both symptoms of the same root cause.
To help verify that I'm heading down the right path, could you share your audit configuration as well? If that's not possible, can you at least confirm that you using a few audit directory watches?
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
9 years, 10 months
[GIT PULL] Audit fixes for 3.19
by Paul Moore
Hi Linus,
Four patches to fix various problems with the audit subsystem, all are fairly
small and straightforward. One patch fixes a problem where we weren't using
the correct gfp allocation flags (GFP_KERNEL regardless of context, oops), one
patch fixes a problem with old userspace tools (this was broken for a while),
one patch fixes a problem where we weren't recording pathnames correctly, and
one fixes a problem with PID based filters. In general I don't think there is
anything controversial with this patchset, and it fixes some rather
unfortunate bugs; the allocation flag one can be particularly scary looking
for users. Please pull for the next v3.19-rcX.
Thanks,
-Paul
---
The following changes since commit 0f7e94ee40d06f7a04e039392dfee8244bd8a7e0:
Merge branch 'next' into upstream for v3.19 (2014-12-09 14:38:30 -0500)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to 041d7b98ffe59c59fdd639931dea7d74f9aa9a59:
audit: restore AUDIT_LOGINUID unset ABI (2014-12-23 16:40:18 -0500)
----------------------------------------------------------------
Paul Moore (2):
audit: don't attempt to lookup PIDs when changing PID filtering audit
rules
audit: correctly record file names with different path name types
Richard Guy Briggs (2):
audit: use supplied gfp_mask from audit_buffer in
kauditd_send_multicast_skb
audit: restore AUDIT_LOGINUID unset ABI
include/linux/audit.h | 4 ++++
kernel/audit.c | 8 ++++----
kernel/auditfilter.c | 23 ++++++++++-------------
kernel/auditsc.c | 14 ++++++++++----
4 files changed, 28 insertions(+), 21 deletions(-)
9 years, 10 months