[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
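Review bot: the new AUDIT help text says syscall auditing "is included on architectures which support it" without naming the selector; say `HAVE_ARCH_AUDITSYSCALL` so a reader knows which symbol decides it. Also, replacing the prompt and `default y if SECURITY_SELINUX` with `def_bool y` changes existing configurations silently: anyone carrying AUDIT=y with AUDITSYSCALL unset gets AUDITSYSCALL=y on the next `make oldconfig` with no prompt, which the commit message should state as the intended effect rather than presenting the change only as a menu simplification.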
5 years, 9 months
space_left_action=exec only works once?
by Bond Masuda
Hello,
I configured space_left and space_left_action to run a script that
compresses and moves older audit log files from /var/log/audit. It
appears to work 1 time, and then doesn't work anymore until I kill the
auditd daemon and start it again.
Is this expected and/or desired behavior? I didn't see anything in the
man pages about this behavior. I was hoping to have my script run every
time the space_left threshold is hit so as to not run out of logging
disk space. Is there something I can do to accomplish this?
Thanks,
Bond
7 years, 7 months
AUDIT_NETFILTER_PKT message format
by Richard Guy Briggs
Hi,
I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT
event messages and it is not quite as straightforward as I had expected.
It is being tracked here:
https://github.com/linux-audit/audit-kernel/issues/11
and refers to a previous posting from Mr. Dash Four from four years ago
to which there was no reply.
The example given in the tracker above for "frag=" is fairly
straightforward, but digging more, there are a number of others that are
not quite so obvious.
How many different combinations of fields are acceptable? Can we create
new message types for each one, or is there a preferred way to indicate
which sub-type it is other than implicitly from the arguments given?
Others that are straightforward:
- The first "truncated=" gets pulled in with "0".
- "mark=" gets pulled in with "0".
Ones that are not so straightforward:
- "secmark" depends on a kernel config setting, so should it always be
present but "(none)" if that kernel feature is compiled out?
- ARPHRD_ETHER pulls in 3 fields, I would pull them all in and set them
to "(none)" to indicate that type isn't present.
- audit_ip4() and audit_ip6() share "saddr=", "daddr=", "proto=", but ip4
adds "ipid=", which would be set to "(none)" for ip6.
- audit_proto() pulls in "truncated=" again, then either "sport=" and
"dport=" OR "icmptype=" and "icmpcode=".
If all fields are pulled in, we end up adding 10 fields beyond a
standard well-formed packet, and 15 beyond a truncated packet.
Note: In the cases of "mark" and "secmark" both are unions. In the case of
"mark", I don't see a problem since it isn't conditionally compiled out
and won't be mis-interpreted. In the case of "secmark=", it could be
mis-interpreted as offload_fwd_mark if that field is even compiled in,
but that would be addressed in the compiler directive...
One last question: Does anyone have a test suite that can generate any
or all of these types of packets?
Thanks!
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
7 years, 8 months
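The conditional field layout enumerated in the post above is what a consumer has to undo. The parser below is an added example, not code from the post or from the audit project: it normalizes current-format NETFILTER_PKT records into the fixed schema the post argues for ("(none)" for fields the kernel did not emit, 0 for "mark=" and "frag=", which the kernel only prints when non-zero) and tells the two "truncated=" tokens apart by whether a "saddr=" has already been seen, since audit_ip4()/audit_ip6() emit theirs before any address and audit_proto() emits its after. The action=/hook=/len=/inif=/outif= prefix of the sample lines is assumed from xt_AUDIT.c rather than taken from the post, and the sample records are constructed, not captured from a host.

```python
import re

# Constructed schema for this example (an assumption, not the kernel's own):
# every key is present in every normalized record, so consumers never test
# for absence. mark=/frag= default to the value the kernel would have printed
# had it not skipped them; everything else defaults to "(none)".
MISSING = "(none)"
DEFAULTS = {
    "ip_truncated": "0", "l4_truncated": "0", "mark": "0x0", "frag": "0",
    "secmark": MISSING, "smac": MISSING, "dmac": MISSING, "macproto": MISSING,
    "saddr": MISSING, "daddr": MISSING, "proto": MISSING, "ipid": MISSING,
    "sport": MISSING, "dport": MISSING, "icmptype": MISSING, "icmpcode": MISSING,
}

HEAD = re.compile(r"^type=NETFILTER_PKT msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV = re.compile(r"(\w+)=(\S+)")


def parse_netfilter_pkt(line):
    """Normalize one NETFILTER_PKT record into a dict with a fixed key set."""
    m = HEAD.match(line)
    if m is None:
        raise ValueError("not a NETFILTER_PKT record: %r" % line)
    stamp, serial, body = m.groups()
    rec = {"time": stamp, "serial": int(serial), "family": None}
    rec.update(DEFAULTS)
    seen_ip = False
    for key, val in KV.findall(body):
        if key == "truncated":
            # One token, two meanings: audit_ip4()/audit_ip6() emit it when the
            # IP header cannot be read (so before any saddr=), audit_proto()
            # when the transport header cannot (after saddr=).
            rec["l4_truncated" if seen_ip else "ip_truncated"] = val
            continue
        if key == "saddr":
            seen_ip = True
            rec["family"] = 6 if ":" in val else 4
        rec[key] = val
    return rec


def normalize(lines):
    """Parse every NETFILTER_PKT line; other record types are skipped."""
    return [parse_netfilter_pkt(l) for l in lines if l.startswith("type=NETFILTER_PKT ")]


def transport(rec):
    """Which mutually exclusive transport pair the record carries: 'ports', 'icmp' or None."""
    if rec["sport"] != MISSING:
        return "ports"
    if rec["icmptype"] != MISSING:
        return "icmp"
    return None


# Constructed sample records (not captured). Lines 1-2: Ethernet input, TCP/IPv4
# with a mark and ICMPv6 without one; 3: an IPv4 fragment; 4: transport header
# unreadable; 5: IP header unreadable, non-Ethernet device; 6: another type.
SAMPLE_LINES = """\
type=NETFILTER_PKT msg=audit(1486000000.001:100): action=0 hook=1 len=60 inif=eth0 outif=? mark=0x1 smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb macproto=0x0800 saddr=10.0.0.5 daddr=10.0.0.1 ipid=4242 proto=6 sport=51234 dport=22
type=NETFILTER_PKT msg=audit(1486000000.002:101): action=0 hook=1 len=104 inif=eth0 outif=? smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb macproto=0x86dd saddr=fe80::1 daddr=ff02::1 proto=58 icmptype=135 icmpcode=0
type=NETFILTER_PKT msg=audit(1486000000.003:102): action=0 hook=1 len=1500 inif=eth0 outif=? saddr=10.0.0.5 daddr=10.0.0.1 ipid=4243 proto=17 frag=1
type=NETFILTER_PKT msg=audit(1486000000.004:103): action=0 hook=1 len=40 inif=eth0 outif=? saddr=10.0.0.5 daddr=10.0.0.1 ipid=4244 proto=6 truncated=1
type=NETFILTER_PKT msg=audit(1486000000.005:104): action=0 hook=3 len=10 inif=? outif=eth0 truncated=1
type=SYSCALL msg=audit(1486000000.006:105): arch=c000003e syscall=59 success=yes exit=0
""".splitlines()

if __name__ == "__main__":
    for r in normalize(SAMPLE_LINES):
        print(r["serial"], r["family"], transport(r), r["ip_truncated"], r["l4_truncated"], r["saddr"])
```

Once the kernel side is normalized as the post proposes, the only part of this that still earns its keep is the schema; the positional "truncated=" disambiguation is exactly the kind of parser heuristic a fixed field order would make unnecessary.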
[PATCH V4] audit: add feature audit_lost reset
by Richard Guy Briggs
Add a method to reset the audit_lost value.
An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
will return a positive value representing the current audit_lost value
and reset the counter to zero. If AUDIT_STATUS_LOST is not the
only flag set, the reset command will be ignored. The value sent with
the command is ignored. The return value will be the +ve lost value at
reset time.
An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
daemon. The message will be a standard CONFIG_CHANGE message with the
fields "lost=0" and "old=" with the latter containing the value of
audit_lost at reset time.
See: https://github.com/linux-audit/audit-kernel/issues/3
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
There is a merge conflict anticipated with the exclude filter
FEATURE_BITMAP patch (ghak5)
v2:
Switch from AUDIT_GET to AUDIT_SET
Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
v3:
Switch, from reply to sender, to queue to audit log
v4:
Switch from LOST_RESET to CONFIG_CHANGE log msg
Re-add AUDIT_FEATURE_BITMASK
---
---
include/uapi/linux/audit.h | 6 +++++-
kernel/audit.c | 8 +++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index c8dc97b..3f24110 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -326,15 +326,19 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+#define AUDIT_STATUS_LOST 0x0040
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
- AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
+ AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
+ AUDIT_FEATURE_BITMAP_LOST_RESET)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
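Review bot: `AUDIT_FEATURE_BITMAP_LOST_RESET` takes 0x00000020 while 0x00000008 is skipped between `EXECUTABLE_PATH` (0x04) and `SESSIONID_FILTER` (0x10); the cover letter already anticipates a conflict with the exclude-filter FEATURE_BITMAP patch, so state in the commit message which bit that series claims and why this one skips ahead, otherwise the two can land on the same value at merge time. `AUDIT_STATUS_LOST` is also the first `AUDIT_STATUS_*` bit whose accompanying value is ignored and which only acts when set alone; a one-line comment next to the define would stop userspace from passing a value and expecting it to be honoured.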
diff --git a/kernel/audit.c b/kernel/audit.c
index 57acf25..25dd70a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
3) suppressed due to audit_rate_limit
4) suppressed due to audit_backlog_limit
*/
-static atomic_t audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
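Review bot: this hunk changes only whitespace in `static atomic_t audit_lost = ATOMIC_INIT(0);` (the `-` and `+` lines are otherwise identical) and has nothing to do with the lost reset; drop it or send it as a separate cleanup so the functional change stays reviewable.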
@@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
return err;
}
+ if (s.mask == AUDIT_STATUS_LOST) {
+ u32 lost = atomic_xchg(&audit_lost, 0);
+
+ audit_log_config_change("lost", 0, lost, 1);
+ return lost;
+ }
break;
}
case AUDIT_GET_FEATURE:
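Review bot: `return lost;` pushes a `u32` through `audit_receive_msg()`'s `int` return, which every other path uses for 0 or -errno: a count of 2^31 or more comes back negative and reads as an error, and a count of exactly 0 is indistinguishable from the ordinary success return, so a caller cannot tell "nothing lost" from "kernel ignored my mask". Clamp the value (e.g. `return min_t(u32, lost, INT_MAX);`) and spell out in the commit message and the uapi header how userspace receives the count. The `s.mask == AUDIT_STATUS_LOST` exact match is what implements "ignored if any other flag is set"; a short comment saying that the equality (rather than a bit test) is deliberate would help the next reader.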
--
1.7.1
7 years, 8 months
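As an added example (not part of the patch or of audit-userspace), here is the AUDIT_SET exchange the commit message describes, driven over NETLINK_AUDIT from Python without libaudit: the request carries only AUDIT_STATUS_LOST in its mask, the value field is left at zero because the kernel ignores it, and the feature bitmap from AUDIT_GET is checked first because a reply of 0 cannot otherwise be told apart from a kernel that does not know the flag. It assumes that the positive count the hunk returns from audit_receive_msg() reaches the sender as the error field of the netlink acknowledgement (the delivery path is not shown in the hunk), and it assumes the ten-word struct audit_status layout of this tree; the kernel copies min(sent, sizeof), so the layout stays usable if later kernels append fields.

```python
import errno
import os
import socket
import struct

# Constants from <linux/netlink.h> and <linux/audit.h>; the two *LOST* values
# are the ones this patch adds.
NETLINK_AUDIT = 9
NLMSG_ERROR = 0x2
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
AUDIT_GET, AUDIT_SET = 1000, 1001
AUDIT_STATUS_LOST = 0x0040
AUDIT_FEATURE_BITMAP_LOST_RESET = 0x00000020

# struct nlmsghdr: len, type, flags, seq, pid (native byte order, as netlink requires)
NLH = struct.Struct("=IHHII")
# struct nlmsgerr as it arrives: the header of the ack itself, then the signed error field
NLMSGERR = struct.Struct("=IHHIIi")
# struct audit_status (assumption: the ten __u32 fields of this tree): mask, enabled,
# failure, pid, rate_limit, backlog_limit, lost, backlog, feature_bitmap, backlog_wait_time
STATUS = struct.Struct("=10I")
FEATURE_BITMAP_INDEX = 8


def build_lost_reset(seq=1):
    """AUDIT_SET whose mask is exactly AUDIT_STATUS_LOST. Any other status bit makes
    the kernel ignore the reset, and the lost value itself is ignored, so the
    payload is all zero apart from the mask."""
    payload = STATUS.pack(AUDIT_STATUS_LOST, *([0] * 9))
    hdr = NLH.pack(NLH.size + len(payload), AUDIT_SET, NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload


def build_get(seq=1):
    """AUDIT_GET: the reply is an AUDIT_GET message carrying struct audit_status."""
    return NLH.pack(NLH.size, AUDIT_GET, NLM_F_REQUEST, seq, 0)


def parse_ack(msg, expect_seq=None):
    """Signed error field of an NLMSG_ERROR ack. For the lost reset that is the
    count (> 0), 0 (nothing lost, or an older kernel that ignored the mask), or -errno."""
    if len(msg) < NLMSGERR.size:
        raise ValueError("short netlink message (%d bytes)" % len(msg))
    _length, mtype, _flags, seq, _pid, err = NLMSGERR.unpack_from(msg)
    if mtype != NLMSG_ERROR:
        raise ValueError("expected NLMSG_ERROR, got type %d" % mtype)
    if expect_seq is not None and seq != expect_seq:
        raise ValueError("ack for seq %d, expected %d" % (seq, expect_seq))
    return err


def supports_lost_reset(get_reply):
    """True if the AUDIT_GET reply advertises AUDIT_FEATURE_BITMAP_LOST_RESET.
    Check this before resetting, because a 0 from parse_ack() is otherwise ambiguous."""
    _length, mtype, _flags, _seq, _pid = NLH.unpack_from(get_reply)
    if mtype != AUDIT_GET:
        raise ValueError("expected AUDIT_GET reply, got type %d" % mtype)
    fields = STATUS.unpack_from(get_reply, NLH.size)
    return bool(fields[FEATURE_BITMAP_INDEX] & AUDIT_FEATURE_BITMAP_LOST_RESET)


def reset_lost_counter():
    """Live exchange: needs CAP_AUDIT_CONTROL and a kernel carrying this patch.
    Returns the number of records lost since the previous reset."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    try:
        sock.sendto(build_get(seq=1), (0, 0))
        if not supports_lost_reset(sock.recv(8192)):
            raise OSError(errno.ENOTSUP, "kernel lacks AUDIT_FEATURE_BITMAP_LOST_RESET")
        sock.sendto(build_lost_reset(seq=2), (0, 0))
        err = parse_ack(sock.recv(8192), expect_seq=2)
    finally:
        sock.close()
    if err < 0:
        raise OSError(-err, os.strerror(-err))
    return err


if __name__ == "__main__":
    print("records lost since last reset:", reset_lost_counter())
```

Sequence numbers are checked on the ack because an auditd running on the same host shares the NETLINK_AUDIT family; anything else that arrives on this socket is rejected rather than misread as a count.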
[RFC PATCH] audit: normalize NETFILTER_PKT
by Richard Guy Briggs
Eliminate flipping in and out of message fields.
https://github.com/linux-audit/audit-kernel/issues/11
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
net/netfilter/xt_AUDIT.c | 92 +++++++++++++++++++++++++++++++++-------------
1 files changed, 66 insertions(+), 26 deletions(-)
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..8089ec2 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,24 +31,41 @@ MODULE_ALIAS("ip6t_AUDIT");
MODULE_ALIAS("ebt_AUDIT");
MODULE_ALIAS("arpt_AUDIT");
+struct nfpkt_par {
+ int ipv;
+ int iptrunc;
+ const void *saddr;
+ const void *daddr;
+ u16 ipid;
+ u8 proto;
+ u8 frag;
+ int ptrunc;
+ u16 sport;
+ u16 dport;
+ u8 icmpt;
+ u8 icmpc;
+};
+
static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
- unsigned int proto, unsigned int offset)
+ unsigned int proto, unsigned int offset, struct nfpkt_par *apar)
{
switch (proto) {
case IPPROTO_TCP:
case IPPROTO_UDP:
- case IPPROTO_UDPLITE: {
+ case IPPROTO_UDPLITE:
+ case IPPROTO_DCCP:
+ case IPPROTO_SCTP: {
const __be16 *pptr;
__be16 _ports[2];
pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
if (pptr == NULL) {
- audit_log_format(ab, " truncated=1");
+ apar->ptrunc = 1;
return;
}
+ apar->sport = ntohs(pptr[0]);
+ apar->dport = ntohs(pptr[1]);
- audit_log_format(ab, " sport=%hu dport=%hu",
- ntohs(pptr[0]), ntohs(pptr[1]));
}
break;
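Review bot: `u16 sport`/`u16 dport`, `u8 icmpt`/`u8 icmpc`, `u16 ipid`, `u8 proto` and `u8 frag` cannot hold the -1 "not present" marker that `audit_tg()` assigns them below: stored in those types it becomes 65535 or 255, both legal port, protocol and ICMP values, so a consumer of the record cannot tell absent from real. Widen them to `int` or add a presence bitmask to `struct nfpkt_par`. Separately, adding `IPPROTO_DCCP` and `IPPROTO_SCTP` to the port case is a functional change unrelated to normalising the fields; split it out, or at least mention it in the commit message.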
@@ -59,41 +76,43 @@ static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
if (iptr == NULL) {
- audit_log_format(ab, " truncated=1");
+ apar->ptrunc = 1;
return;
}
-
- audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
- iptr[0], iptr[1]);
+ apar->icmpt = iptr[0];
+ apar->icmpc = iptr[1];
}
break;
}
}
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, struct nfpkt_par *apar)
{
struct iphdr _iph;
const struct iphdr *ih;
+ apar->ipv = 4;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (!ih) {
- audit_log_format(ab, " truncated=1");
+ apar->iptrunc = 1;
return;
}
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
- &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+ apar->saddr = &ih->saddr;
+ apar->daddr = &ih->daddr;
+ apar->ipid = ntohs(ih->id);
+ apar->proto = ih->protocol;
if (ntohs(ih->frag_off) & IP_OFFSET) {
- audit_log_format(ab, " frag=1");
+ apar->frag = 1;
return;
}
- audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+ audit_proto(ab, skb, ih->protocol, ih->ihl * 4, apar);
}
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb, struct nfpkt_par *apar)
{
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
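Review bot: `apar->saddr = &ih->saddr` and `apar->daddr = &ih->daddr` store pointers that may refer to `_iph`, the stack copy `skb_header_pointer()` fills when the header is not linear, and `audit_tg()` only formats them with `%pI4` after `audit_ip4()` has returned, so the pointers can be dangling by the time they are read. Copy the addresses into `struct nfpkt_par` (`__be32` / `struct in6_addr` members) or hoist `_iph` and `_ip6h` into `audit_tg()` so they outlive the format call; the same applies to `_ip6h` in `audit_ip6()`.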
@@ -101,9 +120,10 @@ static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
__be16 frag_off;
int offset;
+ apar->ipv = 6;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
if (!ih) {
- audit_log_format(ab, " truncated=1");
+ apar->iptrunc = 1;
return;
}
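Review bot: `apar->ipv = 6` is set before the header read, so on the `iptrunc = 1` path the `case 6:` formatter in `audit_tg()` still runs `saddr=%pI6c daddr=%pI6c` with `apar.saddr`/`apar.daddr` left NULL from the initialiser; `audit_ip4()` has the same ordering. Either set `ipv` only once the header is available, or have the formatter check `iptrunc` first and print `saddr=? daddr=?` as the `default:` branch does.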
@@ -111,11 +131,12 @@ static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
&nexthdr, &frag_off);
- audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
- &ih->saddr, &ih->daddr, nexthdr);
+ apar->saddr = &ih->saddr;
+ apar->daddr = &ih->daddr;
+ apar->proto = nexthdr;
if (offset)
- audit_proto(ab, skb, nexthdr, offset);
+ audit_proto(ab, skb, nexthdr, offset, apar);
}
static unsigned int
@@ -123,6 +144,9 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+ struct nfpkt_par apar = {
+ -1, -1, NULL, NULL, -1, -1, -1, -1, -1, -1, -1, -1
+ };
if (audit_enabled == 0)
goto errout;
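Review bot: the positional initialiser `{ -1, -1, NULL, NULL, -1, -1, -1, -1, -1, -1, -1, -1 }` depends on the member order of `struct nfpkt_par` and silently stores -1 into the unsigned `u16`/`u8` members; use designated initialisers (`.ipv = -1, .iptrunc = -1, ...`) so a later reordering of the struct cannot shift the sentinels onto the wrong fields.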
@@ -136,8 +160,7 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
par->in ? par->in->name : "?",
par->out ? par->out->name : "?");
- if (skb->mark)
- audit_log_format(ab, " mark=%#x", skb->mark);
+ audit_log_format(ab, " mark=%#x", skb->mark ?: -1);
if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
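Review bot: `skb->mark ?: -1` replaces a mark of 0, the common unmarked case, with 0xffffffff, which is itself a valid mark, so the record can no longer distinguish "no mark" from a packet marked 0xffffffff; the AUDIT_NETFILTER_PKT message format post above lists `mark=` as simply pulled in with 0, so log `skb->mark` unchanged.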
@@ -147,25 +170,42 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
if (par->family == NFPROTO_BRIDGE) {
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
- audit_ip4(ab, skb);
+ audit_ip4(ab, skb, &apar);
break;
case htons(ETH_P_IPV6):
- audit_ip6(ab, skb);
+ audit_ip6(ab, skb, &apar);
break;
}
}
+ } else {
+ audit_log_format(ab, " smac=? dmac=? macproto=0xffff");
}
switch (par->family) {
case NFPROTO_IPV4:
- audit_ip4(ab, skb);
+ audit_ip4(ab, skb, &apar);
break;
case NFPROTO_IPV6:
- audit_ip6(ab, skb);
+ audit_ip6(ab, skb, &apar);
+ break;
+ }
+
+ switch (apar.ipv) {
+ case 4:
+ audit_log_format(ab, " trunc=%d saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu frag=%d",
+ apar.iptrunc, apar.saddr, apar.daddr, apar.ipid, apar.proto, apar.frag);
+ break;
+ case 6:
+ audit_log_format(ab, " trunc=%d saddr=%pI6c daddr=%pI6c ipid=-1 proto=%hhu frag=-1",
+ apar.iptrunc, apar.saddr, apar.daddr, apar.proto);
break;
+ default:
+ audit_log_format(ab, " trunc=-1 saddr=? daddr=? ipid=-1 proto=-1 frag=-1");
}
+ audit_log_format(ab, " trunc=%d sport=%hu dport=%hu icmptype=%hhu icmpcode=%hhu",
+ apar.ptrunc, apar.sport, apar.dport, apar.icmpt, apar.icmpc);
#ifdef CONFIG_NETWORK_SECMARK
if (skb->secmark)
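Review bot: the record now carries `trunc=` twice, once from the IP-header format strings (`case 4:`, `case 6:`, `default:`) and again in the transport line `" trunc=%d sport=%hu dport=%hu ..."`, so a key=value parser sees a duplicate key; give the two different names (say `iptrunc=` and `l4trunc=`), which is the ambiguity the "first truncated=" discussion was about. In the same block, `ipid=%hu` and `proto=%hhu` print the -1 sentinel as 65535/255 while the IPv6 and `default:` lines print a literal -1 for the same absent state, so the absent marker is inconsistent across families.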
--
1.7.1
7 years, 8 months
[RFC] [PATCH] audit: log module name on init_module
by Richard Guy Briggs
This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
We get finit_module for free since it made most sense to hook this in to
load_module().
https://github.com/linux-audit/audit-kernel/issues/7
https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-f...
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 12 ++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 3 +++
kernel/auditsc.c | 20 ++++++++++++++++++++
kernel/module.c | 5 ++++-
5 files changed, 40 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2be99b2..7bb23d5 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *old);
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
+extern void __audit_module_init(char *name);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
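Review bot: `__audit_module_init(char *name)` only reads `name` (`strlen`/`strcpy` in the auditsc hunk), so declare it `const char *name`, and the inline wrapper and the `!CONFIG_AUDITSYSCALL` stub likewise; otherwise any caller holding a `const char *` (the natural type for a module name) needs a cast.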
@@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags);
}
+static inline void audit_module_init(char *name)
+{
+ if (!audit_dummy_context())
+ __audit_module_init(name);
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
{ }
static inline void audit_mmap_fd(int fd, int flags)
{ }
+
+static inline void audit_module_init(char *name)
+{
+}
+
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
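Review bot: the `!CONFIG_AUDITSYSCALL` stub is written as a three-line `{ ... }` body surrounded by blank lines while every neighbouring stub in this block (`audit_mmap_fd`, `audit_ptrace`) uses the one-line `{ }` form; match that style.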
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 3f24110..4a328b4 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
+#define AUDIT_MODULE_INIT 1330 /* Module init event */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
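Review bot: the comment `/* Module init event */` undersells the record: the hook sits in `load_module()` and therefore fires for both `init_module` and `finit_module`, so say so here, since this comment is what userspace tooling authors read when they add the type name.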
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..144b7eb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -199,6 +199,9 @@ struct audit_context {
struct {
int argc;
} execve;
+ struct {
+ char *name;
+ } module;
};
int fds[2];
struct audit_proctitle proctitle;
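Review bot: `module.name` is heap-allocated by `__audit_module_init()` but the only `kfree()` is in the logging path (`audit_log_kern_module()`); a context that is set up and then never reaches `show_special()` leaks the string. Release it where the other per-context allocations are released and NULL the pointer after the free.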
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bb5f504..3e12678 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1172,6 +1172,14 @@ out:
kfree(buf_head);
}
+static void audit_log_kern_module(struct audit_context *context,
+ struct audit_buffer **ab)
+{
+ audit_log_format(*ab, " name=");
+ audit_log_untrustedstring(*ab, context->module.name);
+ kfree(context->module.name);
+}
+
static void show_special(struct audit_context *context, int *call_panic)
{
struct audit_buffer *ab;
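Review bot: `audit_log_kern_module()` frees `context->module.name` as a side effect of logging it but leaves the dangling pointer in the context; set `context->module.name = NULL` after the `kfree()`. If `__audit_module_init()` can leave the field NULL on allocation failure, guard the `audit_log_untrustedstring()` call as well, since that helper takes the string length before printing.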
@@ -1268,6 +1276,9 @@ static void show_special(struct audit_context *context, int *call_panic)
case AUDIT_EXECVE: {
audit_log_execve_info(context, &ab);
break; }
+ case AUDIT_MODULE_INIT:
+ audit_log_kern_module(context, &ab);
+ break;
}
audit_log_end(ab);
}
@@ -2368,6 +2379,15 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP;
}
+void __audit_module_init(char *name)
+{
+ struct audit_context *context = current->audit_context;
+
+ context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+ strcpy(context->module.name, name);
+ context->type = AUDIT_MODULE_INIT;
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
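Review bot: the `kmalloc()` result goes straight into `strcpy()` without a NULL check, so an allocation failure becomes a NULL-pointer write; replace the pair with `context->module.name = kstrdup(name, GFP_KERNEL);` and handle the NULL case (skip setting `context->type`, or have the logger print `name=?`). An earlier string in the same context, if any, is also overwritten here without being freed.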
diff --git a/kernel/module.c b/kernel/module.c
index 529efae..678407e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
#include <linux/pfn.h>
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
+#include <linux/audit.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
goto free_copy;
}
+ audit_module_init(mod->name);
+
/* Reserve our place in the list. */
err = add_unformed_module(mod);
if (err)
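Review bot: calling `audit_module_init(mod->name)` before `add_unformed_module()` means every attempt is recorded, including loads that are rejected afterwards (a duplicate name in `add_unformed_module()`, a failing init), with the outcome available only from the paired SYSCALL record's `success=`/`exit=` fields. That is a reasonable choice for an audit trail, but the commit message should say so, so that nobody reads MODULE_INIT as "module is resident". `mod->name` at this point comes straight from the module image, which is why logging it with `audit_log_untrustedstring()` in the auditsc hunk is the right call.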
@@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod->name, after_dashes);
}
- /* Link in to syfs. */
+ /* Link in to sysfs. */
err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
if (err < 0)
goto coming_cleanup;
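Review bot: the `syfs` to `sysfs` comment fix is unrelated to the audit record; send it separately or note it in the commit message.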
--
1.7.1
7 years, 9 months
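The patch above adds a MODULE_INIT auxiliary record to the SYSCALL event; on its own it says which module was named, while the actor and the outcome live in the SYSCALL record that shares its serial. The script below is an added example rather than code from the patch or from audit-userspace: it joins the two by (timestamp, serial), decodes the name= value the way audit_log_untrustedstring() emits it (quoted when printable, uppercase hex otherwise), maps the x86_64 syscall numbers 175 (init_module) and 313 (finit_module) to names when the record says arch=c000003e, and flags loads that failed or name a module outside an allowlist. The log lines are constructed for the example; the record shape type=MODULE_INIT msg=audit(...): name=... is assumed from the show_special() hunk.

```python
import re
from collections import defaultdict

HEAD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 numbers for the two entry points load_module() serves; applied only when
# the SYSCALL record says arch=c000003e, since other arches number differently.
MODULE_SYSCALLS_X86_64 = {"175": "init_module", "313": "finit_module"}


def decode_untrusted(value):
    """Undo audit_log_untrustedstring(): a printable string arrives quoted, anything
    else as uppercase hex with no quotes; other tokens ("(null)", "?") pass through."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "backslashreplace")
    except ValueError:
        return value


def group_events(lines):
    """Group records into events keyed by (timestamp, serial) -> {type: fields}."""
    events = defaultdict(dict)
    for line in lines:
        m = HEAD.match(line)
        if m is None:
            continue
        rtype, stamp, serial, body = m.groups()
        events[(stamp, int(serial))][rtype] = dict(KV.findall(body))
    return events


def module_loads(lines):
    """One summary per event that carries a MODULE_INIT record."""
    out = []
    for (stamp, serial), recs in sorted(group_events(lines).items()):
        mi = recs.get("MODULE_INIT")
        if mi is None:
            continue
        sc = recs.get("SYSCALL", {})
        number = sc.get("syscall")
        if sc.get("arch") == "c000003e":
            number = MODULE_SYSCALLS_X86_64.get(number, number)
        out.append({
            "time": stamp, "serial": serial,
            "module": decode_untrusted(mi.get("name", "?")),
            "syscall": number,
            "success": sc.get("success") == "yes",
            "exit": sc.get("exit"),
            "auid": sc.get("auid"),
            "comm": decode_untrusted(sc.get("comm", "?")),
            "exe": decode_untrusted(sc.get("exe", "?")),
        })
    return out


def suspicious(loads, allowlist):
    """Loads worth a look: rejected attempts, or modules not on the allowlist."""
    return [l for l in loads if not l["success"] or l["module"] not in allowlist]


# Constructed sample log (not captured): a successful finit_module of xt_AUDIT,
# a failed init_module whose name "my mod" is hex-encoded because of the space,
# and an unrelated execve event that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1485000000.100:200): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7ffd0 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=MODULE_INIT msg=audit(1485000000.100:200): name="xt_AUDIT"
type=SYSCALL msg=audit(1485000000.200:201): arch=c000003e syscall=175 success=no exit=-22 a0=7f0000 a1=1000 a2=7f1000 a3=0 items=0 ppid=2000 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=MODULE_INIT msg=audit(1485000000.200:201): name=6D79206D6F64
type=SYSCALL msg=audit(1485000000.300:202): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2000 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls"
""".splitlines()

if __name__ == "__main__":
    for l in suspicious(module_loads(SAMPLE_LOG), {"xt_AUDIT"}):
        print(l["serial"], l["auid"], l["comm"], l["syscall"], l["module"], "ok" if l["success"] else "failed")
```

The join key is the full (timestamp, serial) pair rather than the serial alone because serials wrap and restart at boot; the placement of the hook in load_module() is why a failed attempt still produces a MODULE_INIT record and is worth reporting.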
[PATCH] ghak14: update readme to reflect rhel7 needs
by Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
README | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/README b/README
index a01b748..39f987d 100644
--- a/README
+++ b/README
@@ -25,6 +25,8 @@ given below:
perl-Time-HiRes \
glibc.i686 \
glibc-devel.i686
+ RHEL7 also needs
+ # dnf install libgcc.i686
Debian based systems
# apt-get install perl-modules \
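Review bot: RHEL 7 ships `yum`, not `dnf` (dnf became the RHEL package manager with RHEL 8), so the added line should read `# yum install libgcc.i686`; as written, a user following the README on RHEL 7 gets "command not found".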
--
1.7.1
7 years, 9 months
Problem with watching power commands - key is not logged
by Damian Tykałowski
Hi
I'm struggling to get proper auditing of usage of power commands, here's
what I've got in rules
[root@host01 ~]# cat /etc/audit/audit.rules | grep power
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w poweroff -p rwx -k power
-w reboot -p rwx -k power
-w halt -p rwx -k power
However despite full host reboot/refreshing rules I'm not getting events
with proper key "power"
[root@host01 ~]# cat /var/log/audit/audit.log | grep power
<empty>
Events are logged, though, but without the key:
type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
Any idea what is wrong? Rules with other keys seem to work.
7 years, 9 months
[RFC] [PATCH] audit: log module name on init_module
by Richard Guy Briggs
This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
We get finit_module for free since it made most sense to hook this in to
load_module().
https://github.com/linux-audit/audit-kernel/issues/7
https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-f...
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 12 ++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 3 +++
kernel/auditsc.c | 20 ++++++++++++++++++++
kernel/module.c | 5 ++++-
5 files changed, 40 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 476bc12..6222042 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -358,6 +358,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *old);
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
+extern void __audit_module_init(char *name);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -434,6 +435,12 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags);
}
+static inline void audit_module_init(char *name)
+{
+ if (!audit_dummy_context())
+ __audit_module_init(name);
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -539,6 +546,11 @@ static inline void audit_log_capset(const struct cred *new,
{ }
static inline void audit_mmap_fd(int fd, int flags)
{ }
+
+static inline void audit_module_init(char *name)
+{
+}
+
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..513c930 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
+#define AUDIT_MODULE_INIT 1329 /* Module init event */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
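Review bot: 1329 is already claimed by `AUDIT_REPLACE` in the current tree (see the `#define AUDIT_REPLACE 1329` context line in the later repost of this patch above, which moves `AUDIT_MODULE_INIT` to 1330); rebase onto a tree that contains that define before picking a number, since the value is uapi and cannot be changed once released.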
diff --git a/kernel/audit.h b/kernel/audit.h
index de6cbb7..cf86486 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -198,6 +198,9 @@ struct audit_context {
struct {
int argc;
} execve;
+ struct {
+ char *name;
+ } module;
};
int fds[2];
struct audit_proctitle proctitle;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b86cc04..93967b8 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1168,6 +1168,14 @@ static void audit_log_execve_info(struct audit_context *context,
kfree(buf);
}
+static void audit_log_kern_module(struct audit_context *context,
+ struct audit_buffer **ab)
+{
+ audit_log_format(*ab, " name=");
+ audit_log_untrustedstring(*ab, context->module.name);
+ kfree(context->module.name);
+}
+
static void show_special(struct audit_context *context, int *call_panic)
{
struct audit_buffer *ab;
@@ -1264,6 +1272,9 @@ static void show_special(struct audit_context *context, int *call_panic)
case AUDIT_EXECVE: {
audit_log_execve_info(context, &ab);
break; }
+ case AUDIT_MODULE_INIT:
+ audit_log_kern_module(context, &ab);
+ break;
}
audit_log_end(ab);
}
@@ -2356,6 +2367,15 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP;
}
+void __audit_module_init(char *name)
+{
+ struct audit_context *context = current->audit_context;
+
+ context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+ strcpy(context->module.name, name);
+ context->type = AUDIT_MODULE_INIT;
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
diff --git a/kernel/module.c b/kernel/module.c
index 8f051a1..214ba85 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -59,6 +59,7 @@
#include <linux/jump_label.h>
#include <linux/pfn.h>
#include <linux/bsearch.h>
+#include <linux/audit.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -3441,6 +3442,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
goto free_copy;
}
+ audit_module_init(mod->name);
+
/* Reserve our place in the list. */
err = add_unformed_module(mod);
if (err)
@@ -3525,7 +3528,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod->name, after_dashes);
}
- /* Link in to syfs. */
+ /* Link in to sysfs. */
err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
if (err < 0)
goto bug_cleanup;
--
1.7.1
7 years, 9 months