[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
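Review bot: in the AUDITSYSCALL entry, the help block is dropped together with the prompt, which leaves the symbol undocumented; a promptless def_bool can still carry help text, so consider keeping a short description there. The changelog should also say that an existing config with AUDIT=y and AUDITSYSCALL unset will now get syscall auditing enabled, with no way to opt out on architectures that set HAVE_ARCH_AUDITSYSCALL.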
5 years, 10 months
Audit, lxc containers and logged paths
by Michele Giacomoli
Hello everybody,
I need to watch folders inside unprivileged linux containers. From what
I know it's not possible to run audit inside a lxc guest, so I set up
audit inside the host to log access to dirs using absolute path (e.g.
/var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a look at
the logs I found that both the paths of the executable and the path that
has been accessed are relative to the container (i.e. /bin/ls and
/etc/passwd), so I don't have a clue of which is the container that
generated the record. I could compare the uid that generated it with
the uids set for the containers, but it seems an ugly solution.
Can audit be configured for logging the absolute paths, or give me a
hint of the container that generated the record?
Best regards
Michele
8 years, 5 months
[PATCH v3 00/24] Delete CURRENT_TIME_SEC and replace current_fs_time()
by Deepa Dinamani
The series is aimed at getting rid of CURRENT_TIME, CURRENT_TIME_SEC macros
and replacing current_fs_time() with current_time().
The macros are not y2038 safe. There is no plan to transition them into being
y2038 safe.
ktime_get_* api's can be used in their place. And, these are y2038 safe.
CURRENT_TIME will be deleted after 4.8 rc1 as there is a dependency function
time64_to_tm() for one of the CURRENT_TIME occurrences.
Thanks to Arnd Bergmann for all the guidance and discussions.
Patches 3-5 were mostly generated using coccinelle.
All filesystem timestamps use current_fs_time() for right granularity as
mentioned in the respective commit texts of patches. This has a changed
signature, renamed to current_time() and moved to the fs/inode.c.
This series also serves as a preparatory series to transition vfs to 64 bit
timestamps as outlined here: https://lkml.org/lkml/2016/2/12/104 .
As per Linus's suggestion in https://lkml.org/lkml/2016/5/24/663 , all the
inode timestamp changes have been squashed into a single patch. Also,
current_time() now is used as a single generic vfs filesystem timestamp api.
It also takes struct inode* as argument instead of struct super_block*.
Posting all patches together in a bigger series so that the big picture is
clear.
As per the suggestion in https://lwn.net/Articles/672598/, CURRENT_TIME macro
bug fixes are being handled in a series separate from transitioning vfs to use.
Changes since v2:
* Fix buildbot error for uninitialized sb in inode.
* Minor fixes according to Arnd's comments.
* Leave out the fnic and deletion of CURRENT_TIME to be submitted after 4.8 rc1.
Deepa Dinamani (24):
vfs: Add current_time() api
fs: proc: Delete inode time initializations in proc_alloc_inode()
fs: Replace CURRENT_TIME with current_time() for inode timestamps
fs: Replace CURRENT_TIME_SEC with current_time() for inode timestamps
fs: Replace current_fs_time() with current_time()
fs: jfs: Replace CURRENT_TIME_SEC by current_time()
fs: ext4: Use current_time() for inode timestamps
fs: ubifs: Replace CURRENT_TIME_SEC with current_time
fs: btrfs: Use ktime_get_real_ts for root ctime
fs: udf: Replace CURRENT_TIME with current_time()
fs: cifs: Replace CURRENT_TIME by current_time()
fs: cifs: Replace CURRENT_TIME with ktime_get_real_ts()
fs: cifs: Replace CURRENT_TIME by get_seconds
fs: f2fs: Use ktime_get_real_seconds for sit_info times
drivers: staging: lustre: Replace CURRENT_TIME with current_time()
fs: ocfs2: Use time64_t to represent orphan scan times
fs: ocfs2: Replace CURRENT_TIME with ktime_get_real_seconds()
audit: Use timespec64 to represent audit timestamps
fs: nfs: Make nfs boot time y2038 safe
block: Replace CURRENT_TIME with ktime_get_real_ts
libceph: Replace CURRENT_TIME with ktime_get_real_ts
fs: ceph: Replace current_fs_time for request stamp
time: Delete current_fs_time() function
time: Delete CURRENT_TIME_SEC
arch/powerpc/platforms/cell/spufs/inode.c | 2 +-
arch/s390/hypfs/inode.c | 4 +--
drivers/block/rbd.c | 2 +-
drivers/char/sonypi.c | 2 +-
drivers/infiniband/hw/qib/qib_fs.c | 2 +-
drivers/misc/ibmasm/ibmasmfs.c | 2 +-
drivers/oprofile/oprofilefs.c | 2 +-
drivers/platform/x86/sony-laptop.c | 2 +-
drivers/staging/lustre/lustre/llite/llite_lib.c | 16 ++++++------
drivers/staging/lustre/lustre/llite/namei.c | 4 +--
drivers/staging/lustre/lustre/mdc/mdc_reint.c | 6 ++---
.../lustre/lustre/obdclass/linux/linux-obdo.c | 6 ++---
drivers/staging/lustre/lustre/obdclass/obdo.c | 6 ++---
drivers/staging/lustre/lustre/osc/osc_io.c | 2 +-
drivers/usb/core/devio.c | 18 +++++++-------
drivers/usb/gadget/function/f_fs.c | 8 +++---
drivers/usb/gadget/legacy/inode.c | 2 +-
fs/9p/vfs_inode.c | 2 +-
fs/adfs/inode.c | 2 +-
fs/affs/amigaffs.c | 6 ++---
fs/affs/inode.c | 2 +-
fs/attr.c | 2 +-
fs/autofs4/inode.c | 2 +-
fs/autofs4/root.c | 6 ++---
fs/bad_inode.c | 2 +-
fs/bfs/dir.c | 14 +++++------
fs/binfmt_misc.c | 2 +-
fs/btrfs/file.c | 6 ++---
fs/btrfs/inode.c | 22 ++++++++--------
fs/btrfs/ioctl.c | 8 +++---
fs/btrfs/root-tree.c | 3 ++-
fs/btrfs/transaction.c | 4 +--
fs/btrfs/xattr.c | 2 +-
fs/ceph/file.c | 4 +--
fs/ceph/inode.c | 2 +-
fs/ceph/mds_client.c | 4 ++-
fs/ceph/xattr.c | 2 +-
fs/cifs/cifsencrypt.c | 4 ++-
fs/cifs/cifssmb.c | 10 ++++----
fs/cifs/file.c | 4 +--
fs/cifs/inode.c | 28 +++++++++++----------
fs/coda/dir.c | 2 +-
fs/coda/file.c | 2 +-
fs/coda/inode.c | 2 +-
fs/configfs/inode.c | 6 ++---
fs/debugfs/inode.c | 2 +-
fs/devpts/inode.c | 6 ++---
fs/efivarfs/inode.c | 2 +-
fs/exofs/dir.c | 6 ++---
fs/exofs/inode.c | 4 +--
fs/exofs/namei.c | 6 ++---
fs/ext2/acl.c | 2 +-
fs/ext2/dir.c | 6 ++---
fs/ext2/ialloc.c | 2 +-
fs/ext2/inode.c | 4 +--
fs/ext2/ioctl.c | 4 +--
fs/ext2/namei.c | 6 ++---
fs/ext2/super.c | 2 +-
fs/ext2/xattr.c | 2 +-
fs/ext4/acl.c | 2 +-
fs/ext4/ext4.h | 6 -----
fs/ext4/extents.c | 10 ++++----
fs/ext4/ialloc.c | 2 +-
fs/ext4/inline.c | 4 +--
fs/ext4/inode.c | 6 ++---
fs/ext4/ioctl.c | 8 +++---
fs/ext4/namei.c | 24 ++++++++++--------
fs/ext4/super.c | 2 +-
fs/ext4/xattr.c | 2 +-
fs/f2fs/dir.c | 8 +++---
fs/f2fs/file.c | 8 +++---
fs/f2fs/inline.c | 2 +-
fs/f2fs/namei.c | 12 ++++-----
fs/f2fs/segment.c | 2 +-
fs/f2fs/segment.h | 5 ++--
fs/f2fs/xattr.c | 2 +-
fs/fat/dir.c | 2 +-
fs/fat/file.c | 6 ++---
fs/fat/inode.c | 2 +-
fs/fat/namei_msdos.c | 12 ++++-----
fs/fat/namei_vfat.c | 10 ++++----
fs/fuse/control.c | 2 +-
fs/fuse/dir.c | 2 +-
fs/gfs2/bmap.c | 8 +++---
fs/gfs2/dir.c | 12 ++++-----
fs/gfs2/inode.c | 8 +++---
fs/gfs2/quota.c | 2 +-
fs/gfs2/xattr.c | 8 +++---
fs/hfs/catalog.c | 8 +++---
fs/hfs/dir.c | 2 +-
fs/hfs/inode.c | 2 +-
fs/hfsplus/catalog.c | 8 +++---
fs/hfsplus/dir.c | 6 ++---
fs/hfsplus/inode.c | 2 +-
fs/hfsplus/ioctl.c | 2 +-
fs/hugetlbfs/inode.c | 10 ++++----
fs/inode.c | 29 +++++++++++++++++++---
fs/jffs2/acl.c | 2 +-
fs/jffs2/fs.c | 2 +-
fs/jfs/acl.c | 2 +-
fs/jfs/inode.c | 2 +-
fs/jfs/ioctl.c | 2 +-
fs/jfs/jfs_inode.c | 2 +-
fs/jfs/namei.c | 24 +++++++++---------
fs/jfs/super.c | 2 +-
fs/jfs/xattr.c | 2 +-
fs/kernfs/inode.c | 2 +-
fs/libfs.c | 14 +++++------
fs/locks.c | 2 +-
fs/logfs/dir.c | 6 ++---
fs/logfs/file.c | 2 +-
fs/logfs/inode.c | 4 +--
fs/logfs/readwrite.c | 4 +--
fs/minix/bitmap.c | 2 +-
fs/minix/dir.c | 6 ++---
fs/minix/itree_common.c | 4 +--
fs/minix/namei.c | 4 +--
fs/nfs/client.c | 2 +-
fs/nfs/netns.h | 2 +-
fs/nfs/nfs4proc.c | 10 +++++---
fs/nfs/nfs4xdr.c | 2 +-
fs/nfsd/blocklayout.c | 2 +-
fs/nilfs2/dir.c | 6 ++---
fs/nilfs2/inode.c | 4 +--
fs/nilfs2/ioctl.c | 2 +-
fs/nilfs2/namei.c | 6 ++---
fs/nsfs.c | 2 +-
fs/ntfs/inode.c | 2 +-
fs/ntfs/mft.c | 2 +-
fs/ocfs2/acl.c | 2 +-
fs/ocfs2/alloc.c | 2 +-
fs/ocfs2/aops.c | 2 +-
fs/ocfs2/cluster/heartbeat.c | 2 +-
fs/ocfs2/dir.c | 4 +--
fs/ocfs2/dlmfs/dlmfs.c | 4 +--
fs/ocfs2/file.c | 12 ++++-----
fs/ocfs2/inode.c | 2 +-
fs/ocfs2/journal.c | 4 +--
fs/ocfs2/move_extents.c | 2 +-
fs/ocfs2/namei.c | 16 ++++++------
fs/ocfs2/ocfs2.h | 2 +-
fs/ocfs2/refcounttree.c | 4 +--
fs/ocfs2/super.c | 2 +-
fs/ocfs2/xattr.c | 2 +-
fs/omfs/dir.c | 4 +--
fs/omfs/inode.c | 2 +-
fs/openpromfs/inode.c | 2 +-
fs/orangefs/file.c | 2 +-
fs/orangefs/inode.c | 2 +-
fs/orangefs/namei.c | 10 ++++----
fs/pipe.c | 2 +-
fs/posix_acl.c | 2 +-
fs/proc/base.c | 2 +-
fs/proc/inode.c | 3 +--
fs/proc/proc_sysctl.c | 2 +-
fs/proc/self.c | 2 +-
fs/proc/thread_self.c | 2 +-
fs/pstore/inode.c | 2 +-
fs/ramfs/inode.c | 6 ++---
fs/reiserfs/inode.c | 2 +-
fs/reiserfs/ioctl.c | 4 +--
fs/reiserfs/namei.c | 12 ++++-----
fs/reiserfs/stree.c | 8 +++---
fs/reiserfs/super.c | 2 +-
fs/reiserfs/xattr.c | 6 ++---
fs/reiserfs/xattr_acl.c | 2 +-
fs/sysv/dir.c | 6 ++---
fs/sysv/ialloc.c | 2 +-
fs/sysv/itree.c | 4 +--
fs/sysv/namei.c | 4 +--
fs/tracefs/inode.c | 2 +-
fs/ubifs/dir.c | 10 ++++----
fs/ubifs/file.c | 12 ++++-----
fs/ubifs/ioctl.c | 2 +-
fs/ubifs/misc.h | 10 --------
fs/ubifs/sb.c | 14 ++++++++---
fs/ubifs/xattr.c | 6 ++---
fs/udf/ialloc.c | 2 +-
fs/udf/inode.c | 4 +--
fs/udf/namei.c | 20 +++++++--------
fs/udf/super.c | 9 ++++---
fs/ufs/dir.c | 6 ++---
fs/ufs/ialloc.c | 8 +++---
fs/ufs/inode.c | 6 ++---
fs/ufs/namei.c | 6 ++---
fs/xfs/xfs_acl.c | 2 +-
fs/xfs/xfs_inode.c | 2 +-
fs/xfs/xfs_iops.c | 2 +-
fs/xfs/xfs_trans_inode.c | 2 +-
include/linux/audit.h | 4 +--
include/linux/fs.h | 2 +-
include/linux/time.h | 1 -
ipc/mqueue.c | 18 +++++++-------
kernel/audit.c | 10 ++++----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 ++---
kernel/bpf/inode.c | 2 +-
kernel/time/time.c | 14 -----------
mm/shmem.c | 20 +++++++--------
net/ceph/messenger.c | 6 +++--
net/ceph/osd_client.c | 4 +--
net/sunrpc/rpc_pipe.c | 2 +-
security/inode.c | 2 +-
security/selinux/selinuxfs.c | 2 +-
204 files changed, 536 insertions(+), 518 deletions(-)
--
1.9.1
Cc: adilger.kernel(a)dilger.ca
Cc: adrian.hunter(a)intel.com
Cc: anna.schumaker(a)netapp.com
Cc: ceph-devel(a)vger.kernel.org
Cc: clm(a)fb.com
Cc: cm224.lee(a)samsung.com
Cc: dedekind1(a)gmail.com
Cc: dsterba(a)suse.com
Cc: elder(a)kernel.org
Cc: eparis(a)redhat.com
Cc: gregkh(a)linuxfoundation.org
Cc: idryomov(a)gmail.com
Cc: jack(a)suse.com
Cc: jaegeuk(a)kernel.org
Cc: jbacik(a)fb.com
Cc: jfs-discussion(a)lists.sourceforge.net
Cc: jlbec(a)evilplan.org
Cc: john.stultz(a)linaro.org
Cc: linux-audit(a)redhat.com
Cc: linux-btrfs(a)vger.kernel.org
Cc: linux-ext4(a)vger.kernel.org
Cc: linux-f2fs-devel(a)lists.sourceforge.net
Cc: linux-mtd(a)lists.infradead.org
Cc: linux-nfs(a)vger.kernel.org
Cc: lustre-devel(a)lists.lustre.org
Cc: mfasheh(a)suse.com
Cc: ocfs2-devel(a)oss.oracle.com
Cc: paul(a)paul-moore.com
Cc: sage(a)redhat.com
Cc: sfrench(a)samba.org
Cc: shaggy(a)kernel.org
Cc: trond.myklebust(a)primarydata.com
Cc: zyan(a)redhat.com
8 years, 5 months
[GIT PULL] Audit fixes for 4.7 (#1)
by Paul Moore
Hi Linus,
Two small patches to fix audit problems in 4.7-rcX; the first fixes a
potential kref leak, the second removes some header file noise. The
first is an important bug fix that really should go in before 4.7 is
released, the second is not critical, but falls into the
very-nice-to-have category so I'm including in the pull request; if
you object to the second let me know and I'll send a new request with
just the first patch.
Both patches are straightforward, self-contained, and pass our
testsuite without problem; please merge into the next v4.7-rcX
release.
Thanks,
-Paul
---
The following changes since commit 188e3c5cd2b672620291e64a21f1598fe91e40b6:
tty: provide tty_name() even without CONFIG_TTY (2016-04-27 17:12:58 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.7
for you to fetch changes up to 3f5be2da8565c1cce5655bb0948fcc957c6eb6c6:
audit: move audit_get_tty to reduce scope and kabi changes
(2016-06-28 15:48:48 -0400)
----------------------------------------------------------------
Richard Guy Briggs (2):
audit: move calcs after alloc and check when logging set loginuid
audit: move audit_get_tty to reduce scope and kabi changes
include/linux/audit.h | 24 ------------------------
kernel/audit.c | 17 +++++++++++++++++
kernel/audit.h | 4 ++++
kernel/auditsc.c | 8 ++++----
4 files changed, 25 insertions(+), 28 deletions(-)
--
paul moore
security @ redhat
8 years, 5 months
Inconsistencies between shipped initscript and .service file
by Laurent Bigonville
Hi,
I think there are inconsistencies between the behavior of the shipped
LSB initscript and the systemd .service.
The sysconfig config file sets USE_AUGENRULES="no" and
AUDITD_CLEAN_STOP="yes" while the .service file is actually doing the
opposite.
I guess that the sysconfig config should be modified (even if it's a
quite minor issue)?
Regards,
Laurent Bigonville
8 years, 5 months
audit 2.6.1 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Do capabilities check rather than uid
- Auditd fixup directory and file permissions on startup
- Add some missing config items to auditd reconfigure
- In audisp-remote add warn_once and warn_once_continue action handlers
- In audisp-remote only emit 1 warning when disk_full or error is reached.
- Aulast now searches on user name as a string for enriched events
- Ausearch now searches on user name as a string for enriched events
- Create audit-stop.rules to clean up audit subsystem on stop
- Adjust LDFLAGS for cross compiled helper utilities (Laurent Bigonville)
- Fix event formatting issue in audispd
- Fix bug causing ack to not be sent from auditd to audisp-remote
This release follows the last one quickly because it's a bugfix release. The
last release had a lot of code churn and debug and testing was not 100%
complete. The biggest issue was that during the creation of the protocol 2
format handler in audispd, some newlines got stripped from the formatting.
This caused problems for any protocol 1 events. The likely effect is audispd
plugins not working correctly.
There was also a bug in auditd due to refactoring the code to retry sending
events to the dispatcher. The effect of the bug was to zero out the ack
function when receiving remote events. This caused audisp-remote to retry
sending the event over and over because it timed out thinking the server was
having comm problems.
It was also pointed out that some people don't want audit events of any kind
going to syslog when the audit daemon was stopped. This update adds a new file,
audit-stop.rules, which gets loaded when the audit daemon stops. The current
rules disable the audit subsystem and delete all rules.
The conversion to enriched events was not complete in 2.6. The ausearch and
aulast program needed to use the user name as a string to search for events.
audisp-remote was reworked to only emit 1 warning when disk_full or error is
reached. New config options were added to help accomplish this. There is now
warn_once and warn_once_continue options for failures. It acts like the syslog
option except it only sends one. Read the man page for more details.
It was also found that not all config options were being loaded when the audit
daemon received SIGHUP.
The audit daemon will now fix logging directory ownership and mode during
restart or config reload. This will help everyone who sets the log access group
because it will restore the config after an upgrade.
Almost every place that uid was checked for root has been updated to do a
capability check instead.
Please let me know if you run across any problems with this release.
-Steve
8 years, 5 months
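The release notes above say that root-uid checks were replaced by capability checks. The following is an added example, not code from the audit package, showing why the two tests can disagree; the choice of CAP_AUDIT_CONTROL as the capability of interest and both sample status texts are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_AUDIT_WRITE_NR   29
#define CAP_AUDIT_CONTROL_NR 30

/* Constructed /proc/<pid>/status excerpts (not captured from a real host). */
/* uid 0, but the effective set lacks bit 30 (CAP_AUDIT_CONTROL). */
const char ROOT_DROPPED[] =
    "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n";
/* Non-root service account holding only bits 29 and 30. */
const char SERVICE_USER[] =
    "Name:\tdaemon\nUid:\t990\t990\t990\t990\nCapEff:\t0000000060000000\n";

/* The old style of test: "am I root?" */
int allowed_by_uid(uid_t euid) { return euid == 0; }

/* Find the "CapEff:" line in status text and parse its hex mask. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            unsigned long long v = strtoull(p + 7, &end, 16);
            if (end == p + 7)
                return -1;          /* no hex digits after the label */
            *mask = v;
            return 0;
        }
        p = strchr(p, '\n');        /* advance to the next line */
        if (p)
            p++;
    }
    return -1;
}

/* The new style of test: is this capability in the effective set?
 * Fails closed when the mask cannot be read. */
int has_cap(const char *status, int cap)
{
    unsigned long long mask;
    if (cap < 0 || cap > 63 || parse_cap_eff(status, &mask) != 0)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof(buf) - 1, f) : 0;
    if (f)
        fclose(f);
    buf[n] = '\0';
    printf("self: uid test=%d, CAP_AUDIT_CONTROL=%d\n",
           allowed_by_uid(geteuid()), has_cap(buf, CAP_AUDIT_CONTROL_NR));
    printf("root with dropped caps: uid test=%d, capability test=%d\n",
           allowed_by_uid(0), has_cap(ROOT_DROPPED, CAP_AUDIT_CONTROL_NR));
    printf("service user: uid test=%d, capability test=%d\n",
           allowed_by_uid(990), has_cap(SERVICE_USER, CAP_AUDIT_CONTROL_NR));
    return 0;
}
```
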
Reset the LDFLAGS and building helper executables
by Laurent Bigonville
Hello,
When enabling the hardening flags on debian (adding bindnow and PIE) I
get the following message:
gcc -DHAVE_CONFIG_H -I. -I../../../lib -I.. -I. -I../../..
-I../../../auparse '-DTABLE_H="actiontab.h"' -g -O2 -c -o
gen_actiontabs_h-gen_tables.o `test -f 'gen_tables.c' || echo
'../../../lib/'`gen_tables.c
/bin/bash ../libtool --tag=CC --mode=link gcc
'-DTABLE_H="actiontab.h"' -g -O2 -fPIE -pie -Wl,-z,relro -Wl,-z,now
-Wl,--as-needed -o gen_actiontabs_h gen_actiontabs_h-gen_tables.o
libtool: link: gcc -DTABLE_H=\"actiontab.h\" -g -O2 -fPIE -pie -Wl,-z
-Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -o gen_actiontabs_h
gen_actiontabs_h-gen_tables.o
/usr/bin/ld: gen_actiontabs_h-gen_tables.o: relocation R_X86_64_32
against `.rodata.str1.1' can not be used when making a shared object;
recompile with -fPIC
gen_actiontabs_h-gen_tables.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Looking at the build system, it seems that CFLAGS and CPPFLAGS for these
executables are overridden in lib/Makefile.am and auparse/Makefile.am
(with CFLAGS_FOR_BUILD and CPPFLAGS_FOR_BUILD) but the LDFLAGS are left
untouched.
Shouldn't the LDFLAGS also be reset when building these executables?
Regards,
Laurent Bigonville
8 years, 5 months
[PATCH] audit: move audit_get_tty to reduce scope and kabi changes
by Richard Guy Briggs
The only users of audit_get_tty and audit_put_tty are internal to audit,
so move it out of include/linux/audit.h to kernel.h and create a proper
function rather than inlining it. This also reduces kABI changes.
Suggested-by: Paul Moore <pmoore(a)redhat.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 24 ------------------------
kernel/audit.c | 17 +++++++++++++++++
kernel/audit.h | 4 ++++
kernel/auditsc.c | 1 -
4 files changed, 21 insertions(+), 25 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 32cdafb..b40ed5d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -26,7 +26,6 @@
#include <linux/sched.h>
#include <linux/ptrace.h>
#include <uapi/linux/audit.h>
-#include <linux/tty.h>
#define AUDIT_INO_UNSET ((unsigned long)-1)
#define AUDIT_DEV_UNSET ((dev_t)-1)
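Review bot: dropping #include <linux/tty.h> at the top of include/linux/audit.h changes what every includer of this header sees, so any file that picked up the tty declarations only through linux/audit.h will stop building. Please confirm with a wide build across a few architectures, and note in the changelog that such users need their own include.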
@@ -344,23 +343,6 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
return tsk->sessionid;
}
-static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
-{
- struct tty_struct *tty = NULL;
- unsigned long flags;
-
- spin_lock_irqsave(&tsk->sighand->siglock, flags);
- if (tsk->signal)
- tty = tty_kref_get(tsk->signal->tty);
- spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
- return tty;
-}
-
-static inline void audit_put_tty(struct tty_struct *tty)
-{
- tty_kref_put(tty);
-}
-
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
@@ -518,12 +500,6 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
return -1;
}
-static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
-{
- return NULL;
-}
-static inline void audit_put_tty(struct tty_struct *tty)
-{ }
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{ }
static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
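Review bot: with the !CONFIG_AUDIT stubs for audit_get_tty() and audit_put_tty() removed in this hunk, the only definitions left are the ones added to kernel/audit.c. The changelog says all users are internal to audit; please confirm that no caller is compiled when CONFIG_AUDIT is off, since it would now fail to build instead of compiling to a no-op.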
diff --git a/kernel/audit.c b/kernel/audit.c
index 384374a..d597101 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1866,6 +1866,23 @@ out_null:
audit_log_format(ab, " exe=(null)");
}
+struct tty_struct *audit_get_tty(struct task_struct *tsk)
+{
+ struct tty_struct *tty = NULL;
+ unsigned long flags;
+
+ spin_lock_irqsave(&tsk->sighand->siglock, flags);
+ if (tsk->signal)
+ tty = tty_kref_get(tsk->signal->tty);
+ spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
+ return tty;
+}
+
+void audit_put_tty(struct tty_struct *tty)
+{
+ tty_kref_put(tty);
+}
+
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
const struct cred *cred;
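Review bot: audit_get_tty() is now a real function shared across the audit files rather than a header inline, and it has no comment saying that it returns a tty with a kref held (or NULL) and that each call must be paired with audit_put_tty(); please add one. Separately, the body takes tsk->sighand->siglock unconditionally and only then tests tsk->signal. That is carried over unchanged from the inline, but a line explaining why sighand is known to be valid for the callers would help.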
diff --git a/kernel/audit.h b/kernel/audit.h
index cbbe6bb..a492f4c 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -23,6 +23,7 @@
#include <linux/audit.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>
+#include <linux/tty.h>
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
* for saving names from getname(). If we get more names we will allocate
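Review bot: the #include <linux/tty.h> added to kernel/audit.h is only needed for the struct tty_struct pointers in the two prototypes added further down in this file, so a forward declaration (struct tty_struct;) would be enough for the header. The full include then belongs in the .c files that call tty_kref_get() and tty_kref_put().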
@@ -262,6 +263,9 @@ extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
extern void audit_log_d_path_exe(struct audit_buffer *ab,
struct mm_struct *mm);
+extern struct tty_struct *audit_get_tty(struct task_struct *tsk);
+extern void audit_put_tty(struct tty_struct *tty);
+
/* audit watch functions */
#ifdef CONFIG_AUDIT_WATCH
extern void audit_put_watch(struct audit_watch *watch);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 33dafa7..60a354e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -63,7 +63,6 @@
#include <asm/unistd.h>
#include <linux/security.h>
#include <linux/list.h>
-#include <linux/tty.h>
#include <linux/binfmts.h>
#include <linux/highmem.h>
#include <linux/syscalls.h>
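Review bot: removing #include <linux/tty.h> from kernel/auditsc.c leaves the file depending on kernel/audit.h to pull that header in. If auditsc.c still calls any tty helper directly, keep the explicit include here so the file does not break when the header's own includes change.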
--
1.7.1
8 years, 5 months
[PATCH] audit: move calcs after alloc and check when logging set loginuid
by Richard Guy Briggs
Move the calculations of values after the allocation in case the
allocation fails. This avoids wasting effort in the rare case that it
fails, but more importantly saves us extra logic to release the tty ref.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71e14d8..33dafa7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1985,14 +1985,15 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
if (!audit_enabled)
return;
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+ if (!ab)
+ return;
+
uid = from_kuid(&init_user_ns, task_uid(current));
oldloginuid = from_kuid(&init_user_ns, koldloginuid);
loginuid = from_kuid(&init_user_ns, kloginuid),
tty = audit_get_tty(current);
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
- if (!ab)
- return;
audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
audit_log_task_context(ab);
audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
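Review bot: in the context just above the removed block, the line loginuid = from_kuid(&init_user_ns, kloginuid), ends with a comma rather than a semicolon, so it is joined to tty = audit_get_tty(current); by the comma operator. The behaviour is the same, but since this hunk reshuffles exactly these statements, please change it to a semicolon here. The reorder itself looks right: the early return on !ab now happens before audit_get_tty() takes a reference.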
--
1.7.1
8 years, 5 months