[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
[PATCH ALT4 V2 1/2] audit: show fstype:pathname for entries with anonymous parents
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of null PATH
records to be associated with the init_module and finit_module SYSCALL
records on a few modules when the following rule was in place for
startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
This happens because the parent inode is not found in the task's
audit_names list and is hence treated as anonymous. This gives us no
information other than a numerical device number that may no longer be
visible upon log inspection, and an inode number.
Fill in the filesystem type, filesystem magic number and full pathname
from the filesystem mount point on previously null PATH records from
entries that have an anonymous parent from the child dentry using
dentry_path_raw().
Make the dentry argument of __audit_inode_child() non-const so that we
can take a reference to it in the case of an anonymous parent with
dget() and dget_parent() to be able to later print a partial path from
the host filesystem rather than null.
Since all we are given is an inode of the parent and the dentry of the
child, finding the path from the mount point to the root of the
filesystem is more challenging, as it would involve searching all
vfsmounts from "/" until a matching dentry is found for that
filesystem's root dentry. Even if one is found, there may be more than
one mount point. At this point the gain seems marginal since
knowing the filesystem type and path are a significant help in tracking
down the source of the PATH records and being able to address them.
Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 name=tracefs(74726163):/events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=796 name=tracefs(74726163):/events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
...
type=PATH msg=audit(1488317694.446:143): item=1 name=tracefs(74726163):/events/nfs4 inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=0 name=tracefs(74726163):/events inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
type=UNKNOWN[1330] msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 8 ++++----
kernel/audit.c | 16 ++++++++++++++++
kernel/audit.h | 1 +
kernel/auditsc.c | 8 +++++++-
4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index aba3a26..367a03a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -241,7 +241,7 @@ extern void __audit_inode(struct filename *name, const struct dentry *dentry,
unsigned int flags);
extern void __audit_file(const struct file *);
extern void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type);
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
extern void __audit_ptrace(struct task_struct *t);
@@ -306,7 +306,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
}
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type) {
if (unlikely(!audit_dummy_context()))
__audit_inode_child(parent, dentry, type);
@@ -487,7 +487,7 @@ static inline void __audit_inode(struct filename *name,
unsigned int flags)
{ }
static inline void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_inode(struct filename *name,
@@ -501,7 +501,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
const struct dentry *dentry)
{ }
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_core_dumps(long signr)
diff --git a/kernel/audit.c b/kernel/audit.c
index 25dd70a..7d83c5a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,6 +66,7 @@
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -1884,6 +1885,10 @@ void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
security_inode_getsecid(inode, &name->osid);
+ if (name->dentry) {
+ dput(name->dentry);
+ name->dentry = NULL;
+ }
audit_copy_fcaps(name, dentry);
}
@@ -1925,6 +1930,17 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
audit_log_n_untrustedstring(ab, n->name->name,
n->name_len);
}
+ } else if (n->dentry) {
+ char *fullpath;
+ const char *fullpathp;
+
+ fullpath = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!fullpath)
+ return;
+ fullpathp = dentry_path_raw(n->dentry, fullpath, PATH_MAX);
+ audit_log_format(ab, " name=%s(0x%lx):%s",
+ n->dentry->d_sb->s_type->name?:"?",
+ n->dentry->d_sb->s_magic, fullpathp?:"?");
} else
audit_log_format(ab, " name=(null)");
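Review bot: The buffer obtained at `fullpath = kmalloc(PATH_MAX, GFP_KERNEL);` is never released, so every PATH record with an anonymous parent leaks PATH_MAX bytes; add `kfree(fullpath);` right after the audit_log_format() call. The early `return` on allocation failure also abandons the rest of audit_log_name(), which continues past the hunk, so that record would silently lose its inode/dev/mode fields rather than just the name; emitting `name=?` and carrying on would be less lossy. The path is printed through a plain `%s` whereas the n->name->name branch above uses audit_log_n_untrustedstring(); dentry names are user-chosen and may contain spaces, quotes or newlines, so the raw form can break record parsing, and audit_log_untrustedstring() would be the consistent choice. I believe dentry_path_raw() signals an overlong path with an ERR_PTR rather than NULL, in which case `fullpathp ?: "?"` should be an IS_ERR() check as well — worth confirming.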
diff --git a/kernel/audit.h b/kernel/audit.h
index 144b7eb..2a11583 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -84,6 +84,7 @@ struct audit_names {
unsigned long ino;
dev_t dev;
+ struct dentry *dentry;
umode_t mode;
kuid_t uid;
kgid_t gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..b3797c7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <uapi/linux/limits.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -881,6 +882,8 @@ static inline void audit_free_names(struct audit_context *context)
list_del(&n->list);
if (n->name)
putname(n->name);
+ if (n->dentry)
+ dput(n->dentry);
if (n->should_free)
kfree(n);
}
@@ -1858,7 +1861,7 @@ void __audit_file(const struct file *file)
* unsuccessful attempts.
*/
void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{
struct audit_context *context = current->audit_context;
@@ -1914,6 +1917,7 @@ void __audit_inode_child(struct inode *parent,
if (!n)
return;
audit_copy_inode(n, NULL, parent);
+ n->dentry = dget_parent(dentry);
}
if (!found_child) {
@@ -1935,6 +1939,8 @@ void __audit_inode_child(struct inode *parent,
audit_copy_inode(found_child, dentry, inode);
else
found_child->ino = AUDIT_INO_UNSET;
+ if (!found_parent)
+ found_child->dentry = dget(dentry);
}
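Review bot: `found_child->dentry = dget(dentry);` overwrites whatever dentry a reused audit_names entry already holds without dput(): on the `!inode` path no audit_copy_inode() runs first, so a child entry matched from an earlier __audit_inode_child() call with an anonymous parent would leak its reference. A guard such as `if (!found_parent) { dput(found_child->dentry); found_child->dentry = dget(dentry); }` avoids that (dput() tolerates NULL, which also makes the `if (n->dentry)` check in the audit_free_names() hunk unnecessary). Whether the same entry can be matched twice depends on the lookup at the top of __audit_inode_child(), which starts outside the hunk, so confirm against that code.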
EXPORT_SYMBOL_GPL(__audit_inode_child);
--
1.7.1
[PATCH] filter: add path filter with fstype
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "path" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,path -F fstype=0x74726163 -F key=ignore_tracefs
-a never,path -F fstype=0x64626720 -F key=ignore_debugfs
Note: "always,path" will log the PATH record anyway and add latency.
See: https://github.com/linux-audit/audit-userspace/issues/15
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 2 ++
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 14 +++++++++++++-
9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index 2321f39..4867e8c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
+.TP
+\(bu
+AUDIT_FILTER_PATH - Apply rule at __audit_inode_child.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 50c7d50..2a6e4d6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
struct msg_tab {
@@ -70,6 +71,8 @@ static const struct msg_tab err_msgtab[] = {
{ -32, 0, "field data is missing" },
{ -33, 2, "-C field incompatible" },
{ -34, 2, "-C value incompatible" },
+ { -35, 1, "field is not valid for the filter" },
+ { -36, 1, "filter is not supported ty kernel" },
};
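Review bot: The new -36 entry has a typo in its text, `"filter is not supported ty kernel"`; the message is printed verbatim by audit_number_to_errmsg(), so it reaches users and any scripts matching on it. Change it to `{ -36, 1, "filter is not supported by kernel" },`.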
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -103,4 +106,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_DATAMISSING 32
#define EAU_COMPFIELDINCOMPAT 33
#define EAU_COMPVALINCOMPAT 34
+#define EAU_FIELDUNAVAIL 35
+#define EAU_FILTERNOSUPPORT 36
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..ed3e729 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_FILTER_TASK, "task" )
_S(AUDIT_FILTER_EXIT, "exit" )
_S(AUDIT_FILTER_USER, "user" )
_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_PATH, "path" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 028483d..f28238a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -86,6 +87,7 @@ int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
int _audit_filterexcladded = 0;
+int _audit_filterpathadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1475,6 +1477,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
}
+ /* PATH filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_PATH) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_PATH) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterpathadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
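Review bot: `case AUDIT_FSTYPE:` sets `_audit_filterpathadded = 1;` and then drops into `case AUDIT_FILTERKEY:` without a `/* fallthrough */` marker, which this function already uses further down (before the `default:` case) and which -Wimplicit-fallthrough needs to stay quiet; add `/* fallthrough */` after the assignment. The same unmarked fallthrough appears twice in the exclude-filter switches of the "filterexcl: allow filterkey" patch further down this page (`case AUDIT_MSGTYPE:` and `case AUDIT_SUBJ_CLR:` into `case AUDIT_FILTERKEY:`). The intent is clear from the description, so this is a readability and tooling point rather than a logic error.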
@@ -1589,7 +1608,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded))
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1724,7 +1744,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1736,6 +1756,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
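Review bot: An FSTYPE value passes the `field == AUDIT_FSTYPE && flags != AUDIT_FILTER_PATH` check and then reaches the generic numeric conversion that follows `if (field == AUDIT_INODE)`, which lies outside the hunk; the description documents fstype as a hexadecimal magic (`-F fstype=0x74726163`), so confirm that conversion uses base 0, or handle the field explicitly with `if (field == AUDIT_INODE || field == AUDIT_FSTYPE) rule->values[rule->field_count] = strtoul(v, NULL, 0);`. The `isdigit()` check above accepts the leading '0' of a hex literal, so a base-10 parse would not report an error but would silently store 0 and the rule would match nothing. Since the kernel compares against an unsigned s_magic, strtoul is also the right signedness for magics above 0x7fffffff.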
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..e9c4973 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_PATH
+#define AUDIT_FILTER_PATH 0x06 /* PATH record filter in __audit_inode_child */
+#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_PATH
+#define AUDIT_FEATURE_BITMAP_FILTER_PATH 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index 855187b..117d6e3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -140,6 +140,7 @@ extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
extern int _audit_filterexcladded;
+extern int _audit_filterpathadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..e8640dd 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_PATH)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_PATH))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index c785087..c7e8f0f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -75,6 +76,7 @@ static int reset_vars(void)
_audit_archadded = 0;
_audit_exeadded = 0;
_audit_filterexcladded = 0;
+ _audit_filterpathadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -152,6 +154,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "path") == 0)
+ *filter = AUDIT_FILTER_PATH;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -761,6 +765,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_PATH)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to path list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -937,7 +948,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded || _audit_filterexcladded) ||
+ _audit_exeadded || _audit_filterexcladded ||
+ _audit_filterpathadded) ||
(add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
--
1.7.1
[PATCH] gitignore: ignore normalizer generated files
by Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
index ba296d3..dc566b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,8 @@ audisp/audispd
audisp/plugins/remote/audisp-remote
audisp/plugins/zos-remote/audispd-zos-remote
auparse/*tabs.h
+auparse/normalize_*_maps.h
+auparse/gen_normalize_*_map
auparse/epoll_ctls.h
auparse/strsplit.c
bindings/swig/python/audit.py
--
1.7.1
[PATCH] filterexcl: allow filterkey
by Richard Guy Briggs
The exclude rules did not permit a filterkey to be added. This isn't as
important for the exclude filter compared to the others since no records are
generated with that key, but still helps identify rules in the rules list
configuration.
Allow filterkeys to be used with the exclude filter.
See: https://github.com/linux-audit/audit-userspace/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/libaudit.c | 13 +++++++++++--
lib/private.h | 1 +
src/auditctl.c | 5 +++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b1f8f9c..028483d 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -85,6 +85,7 @@ int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
+int _audit_filterexcladded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
- if (field != AUDIT_MSGTYPE)
+ switch(field) {
+ case AUDIT_MSGTYPE:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
return -EAU_FIELDNOSUPPORT;
+ }
} else {
switch(field) {
case AUDIT_PID:
@@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
@@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded))
+ _audit_exeadded || _audit_filterexcladded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/lib/private.h b/lib/private.h
index cde1906..855187b 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -139,6 +139,7 @@ extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
+extern int _audit_filterexcladded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl.c b/src/auditctl.c
index 04765f4..c785087 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -74,6 +74,7 @@ static int reset_vars(void)
_audit_permadded = 0;
_audit_archadded = 0;
_audit_exeadded = 0;
+ _audit_filterexcladded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
- del==AUDIT_FILTER_UNSET)) {
+ _audit_exeadded || _audit_filterexcladded) ||
+ (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
retval = -1;
--
1.7.1
[PATCH] filterkey: add errormsg reporting
by Richard Guy Briggs
Call errormsg after processing filterkey to speed up debugging.
See: https://github.com/linux-audit/audit-userspace/issues/13
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
src/auditctl.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index e112b16..04765f4 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1091,8 +1091,10 @@ process_keys:
} else {
/* Add this to the rule */
int ret = audit_rule_fieldpair_data(&rule_new, cmd, flags);
- if (ret < 0)
+ if (ret != 0) {
+ audit_number_to_errmsg(ret, cmd);
retval = -1;
+ }
free(cmd);
}
}
--
1.7.1
[PATCH 00/12] Delete CURRENT_TIME, CURRENT_TIME_SEC and current_fs_time
by Deepa Dinamani
The series contains the last unmerged uses of CURRENT_TIME,
CURRENT_TIME_SEC, and current_fs_time().
The series also deletes these apis.
All the patches except [PATCH 9/12] and [PATCH 10/12] are resend patches.
These patches fix new instances of CURRENT_TIME.
cifs and ceph patches have been squashed so that we have one patch per
filesystem.
We want to get these merged onto 4.12 release so that I can post the series
that changes vfs timestamps to use 64 bits for 4.13 release.
I'm proposing these to be merged through Andrew's tree.
Filesystem maintainers, please let Andrew know if you will be picking up
the patch in your trees.
Let me know if anybody has other preferences for merging.
Deepa Dinamani (12):
fs: f2fs: Use ktime_get_real_seconds for sit_info times
trace: Make trace_hwlat timestamp y2038 safe
fs: cifs: Replace CURRENT_TIME by other appropriate apis
fs: ceph: CURRENT_TIME with ktime_get_real_ts()
fs: ufs: Use ktime_get_real_ts64() for birthtime
audit: Use timespec64 to represent audit timestamps
fs: btrfs: Use ktime_get_real_ts for root ctime
fs: ubifs: Replace CURRENT_TIME_SEC with current_time
lustre: Replace CURRENT_TIME macro
apparmorfs: Replace CURRENT_TIME with current_time()
time: Delete CURRENT_TIME_SEC and CURRENT_TIME
time: Delete current_fs_time() function
drivers/block/rbd.c | 2 +-
drivers/staging/lustre/lustre/llite/llite_lib.c | 6 +++---
drivers/staging/lustre/lustre/osc/osc_io.c | 4 ++--
fs/btrfs/root-tree.c | 3 ++-
fs/ceph/mds_client.c | 4 +++-
fs/cifs/cifsencrypt.c | 4 +++-
fs/cifs/cifssmb.c | 10 ++++-----
fs/cifs/inode.c | 28 +++++++++++++------------
fs/f2fs/segment.c | 2 +-
fs/f2fs/segment.h | 5 +++--
fs/ubifs/dir.c | 12 +++++------
fs/ubifs/file.c | 12 +++++------
fs/ubifs/ioctl.c | 2 +-
fs/ubifs/misc.h | 10 ---------
fs/ubifs/sb.c | 14 +++++++++----
fs/ubifs/xattr.c | 6 +++---
fs/ufs/ialloc.c | 6 ++++--
include/linux/audit.h | 4 ++--
include/linux/fs.h | 1 -
include/linux/time.h | 3 ---
kernel/audit.c | 10 ++++-----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 +++---
kernel/time/time.c | 14 -------------
kernel/trace/trace_entries.h | 6 +++---
kernel/trace/trace_hwlat.c | 14 ++++++-------
kernel/trace/trace_output.c | 9 ++++----
net/ceph/messenger.c | 6 ++++--
net/ceph/osd_client.c | 4 ++--
security/apparmor/apparmorfs.c | 2 +-
30 files changed, 100 insertions(+), 111 deletions(-)
--
2.7.4
[RFC][PATCH] audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
by Richard Guy Briggs
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833 cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.h | 1 +
kernel/auditsc.c | 12 +++++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 144b7eb..364b155 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -68,6 +68,7 @@ struct audit_cap_data {
unsigned int fE; /* effective bit of file cap */
kernel_cap_t effective; /* effective set of process */
};
+ kernel_cap_t ambient;
};
/* When fs/namei.c:getname() is called, we store the pointer in name and bump
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..ebfa93d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1260,6 +1260,7 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
+ audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
break;
case AUDIT_MMAP:
audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
@@ -1381,9 +1382,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
- audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
- audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
- audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
+ audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
+ audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
+ audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
+ audit_log_cap(ab, "pe", &axs->new_pcap.effective);
+ audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
break; }
}
@@ -2340,10 +2343,12 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
ax->old_pcap.permitted = old->cap_permitted;
ax->old_pcap.inheritable = old->cap_inheritable;
ax->old_pcap.effective = old->cap_effective;
+ ax->old_pcap.ambient = old->cap_ambient;
ax->new_pcap.permitted = new->cap_permitted;
ax->new_pcap.inheritable = new->cap_inheritable;
ax->new_pcap.effective = new->cap_effective;
+ ax->new_pcap.ambient = new->cap_ambient;
return 0;
}
@@ -2362,6 +2367,7 @@ void __audit_log_capset(const struct cred *new, const struct cred *old)
context->capset.cap.effective = new->cap_effective;
context->capset.cap.inheritable = new->cap_effective;
context->capset.cap.permitted = new->cap_permitted;
+ context->capset.cap.ambient = new->cap_ambient;
context->type = AUDIT_CAPSET;
}
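Review bot: The context line directly above the added ambient assignment, `context->capset.cap.inheritable = new->cap_effective;`, copies the wrong set, so the CAPSET record's cap_pi reports the effective capabilities instead of the inheritable ones. The sample CAPSET record in the description cannot expose this because cap_pi, cap_pp and cap_pe are all identical there. Since the commit already touches this block, it would be worth changing the line to `context->capset.cap.inheritable = new->cap_inheritable;`, or sending that as a separate fix ahead of this one so the new field layout and the corrected value land together.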
--
1.7.1
[PATCH 1/2] errormsg: correct a number of messages that have drifted
by Richard Guy Briggs
A number of error message descriptions have drifted from the conditions that
caused them in audit_rule_fieldpair_data() including expansion of fields to be
used by the user filter list, restriction to the exit list only and changing an
operator to "equals" only. Correct these, using the new errormsg macros.
See: https://github.com/linux-audit/audit-userspace/issues/12
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/errormsg.h | 4 ++--
lib/libaudit.c | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 17ff767..35b7f95 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -44,7 +44,7 @@ static const struct msg_tab err_msgtab[] = {
{ -6, 1, "requested bit level not supported by machine" },
{ -7, 1, "can only be used with exit filter list" },
{ -8, 2, "-F unknown message type -" },
- { -9, 0, "msgtype field can only be used with exclude filter list" },
+ { -9, 0, "msgtype field can only be used with exclude or user filter list" },
{ -10, 0, "Failed upgrading rule" },
{ -11, 0, "String value too long" },
{ -12, 0, "Only msgtype, *uid, *gid, pid, and subj* fields can be used with exclude filter" },
@@ -76,7 +76,7 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_ARCHNOBIT 6
#define EAU_EXITONLY 7
#define EAU_MSGTYPEUNKNOWN 8
-#define EAU_MSGTYPEEXCLUDE 9
+#define EAU_MSGTYPEEXCLUDEUSER 9
#define EAU_UPGRADEFAIL 10
#define EAU_STRTOOLONG 11
#define EAU_MSGTYPECREDEXCLUDE 12
diff --git a/lib/libaudit.c b/lib/libaudit.c
index a3b4261..b481f52 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1516,7 +1516,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_EXIT:
if (flags != AUDIT_FILTER_EXIT)
- return -7;
+ return -EAU_EXITONLY;
vlen = strlen(v);
if (isdigit((char)*(v)))
rule->values[rule->field_count] =
@@ -1535,7 +1535,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_MSGTYPE:
if (flags != AUDIT_FILTER_EXCLUDE &&
flags != AUDIT_FILTER_USER)
- return -EAU_MSGTYPEEXCLUDE;
+ return -EAU_MSGTYPEEXCLUDEUSER;
if (isdigit((char)*(v)))
rule->values[rule->field_count] =
@@ -1639,7 +1639,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags != AUDIT_FILTER_EXIT)
return -EAU_EXITONLY;
else if (op != AUDIT_EQUAL)
- return -EAU_OPEQNOTEQ;
+ return -EAU_OPEQ;
else {
unsigned int i, len, val = 0;
@@ -1670,7 +1670,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_FILETYPE:
if (!(flags == AUDIT_FILTER_EXIT))
- return -EAU_EXITENTRYONLY;
+ return -EAU_EXITONLY;
rule->values[rule->field_count] =
audit_name_to_ftype(v);
if ((int)rule->values[rule->field_count] < 0) {
@@ -1722,7 +1722,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT))
- return -EAU_EXITENTRYONLY;
+ return -EAU_EXITONLY;
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
--
1.7.1