December 2018 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: always enable syscall auditing when supported and audit is enabled

by Paul Moore

To the best of our knowledge, everyone who enables audit at compile time also enables syscall auditing; this patch simplifies the Kconfig menus by removing the option to disable syscall auditing when audit is selected and the target arch supports it. Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- init/Kconfig | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/init/Kconfig b/init/Kconfig index c24b6f7..d4663b1 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -299,20 +299,15 @@ config AUDIT help Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for - logging of avc messages output). Does not do system-call - auditing without CONFIG_AUDITSYSCALL. + logging of avc messages output). System call auditing is included + on architectures which support it. config HAVE_ARCH_AUDITSYSCALL bool config AUDITSYSCALL - bool "Enable system-call auditing support" + def_bool y depends on AUDIT && HAVE_ARCH_AUDITSYSCALL - default y if SECURITY_SELINUX - help - Enable low-overhead system-call auditing infrastructure that - can be used independently or with another kernel subsystem, - such as SELinux. config AUDIT_WATCH def_bool y

5 years, 9 months

5
13
0 / 0

[PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier

by Richard Guy Briggs

Implement kernel audit container identifier. This patchset is a fourth based on the proposal document (V3) posted: https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html The first patch is the last patch from ghak81 that is included here as a convenience. The second patch implements the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to announce the registration of that audit container identifier on that process. This patch requires userspace support for record acceptance and proper type display. The third implements the auxiliary record AUDIT_CONTAINER if an audit container identifier is identifiable with an event. This patch requires userspace support for proper type display. The 4th adds signal and ptrace support. The 5th creates a local audit context to be able to bind a standalone record with a locally created auxiliary record. The 6th patch adds audit container identifier records to the tty standalone record. The 7th adds audit container identifier filtering to the exit, exclude and user lists. This patch adds the AUDIT_CONTID field and requires auditctl userspace support for the --contid option. The 8th adds network namespace audit container identifier labelling based on member tasks' audit container identifier labels. The 9th adds audit container identifier support to standalone netfilter records that don't have a task context and lists each container to which that net namespace belongs. The 10th implements reading the audit container identifier from the proc filesystem for debugging. This patch isn't planned for upstream inclusion. Example: Set an audit container identifier of 123456 to the "sleep" task: sleep 2& child=$! echo 123456 > /proc/$child/audit_containerid; echo $? ausearch -ts recent -m container echo child:$child contid:$( cat /proc/$child/audit_containerid) This should produce a record such as: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid: contid=123459 key=tmpcontainerid auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" & child=$! echo $contid > /proc/$child/audit_containerid sleep 2 ausearch -i -ts recent -k $key auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key rm -f /tmp/$key This should produce an event such as: type=CONTAINER msg=audit(2018-06-06 12:46:31.707:26953) : op=task contid=123459 type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile); type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid Includes: https://github.com/linux-audit/audit-kernel/issues/81 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Changelog: v4 - preface set with ghak81:"collect audit task parameters" - add shallyn and sgrubb acks - rename feature bitmap macro - rename cid_valid() to audit_contid_valid() - rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP - delete audit_get_contid_list() from headers - move work into inner if, delete "found" - change netns contid list function names - move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch - list contids CSV - pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers) - use "local" in lieu of abusing in_syscall for auditsc_get_stamp() - read_lock(&tasklist_lock) around children and thread check - task_lock(tsk) should be taken before first check of tsk->audit - add spin lock to contid list in aunet - restrict /proc read to CAP_AUDIT_CONTROL - remove set again prohibition and inherited flag - delete contidion spelling fix from patchset, send to netdev/linux-wireless v3 - switched from containerid in task_struct to audit_task_info (depends on ghak81) - drop INVALID_CID in favour of only AUDIT_CID_UNSET - check for !audit_task_info, throw -ENOPROTOOPT on set - changed -EPERM to -EEXIST for parent check - return AUDIT_CID_UNSET if !audit_enabled - squash child/thread check patch into AUDIT_CONTAINER_ID patch - changed -EPERM to -EBUSY for child check - separate child and thread checks, use -EALREADY for latter - move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch - fix && to || bashism in ptrace/signal patch - uninline and export function for audit_free_context() - drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches - move audit_enabled check (xt_AUDIT) - switched from containerid list in struct net to net_generic's struct audit_net - move containerid list iteration into audit (xt_AUDIT) - create function to move namespace switch into audit - switched /proc/PID/ entry from containerid to audit_containerid - call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context() - call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info() - use xt_net(par) instead of sock_net(skb->sk) to get net - switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID - allow to set own contid - open code audit_set_containerid - add contid inherited flag - ccontainerid and pcontainerid eliminated due to inherited flag - change name of container list funcitons - rename containerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging - patch description and documentation clean-up and example - reap unused ppid Richard Guy Briggs (10): audit: collect audit task parameters audit: add container id audit: log container info of syscalls audit: add containerid support for ptrace and signals audit: add support for non-syscall auxiliary records audit: add containerid support for tty_audit audit: add containerid filtering audit: add support for containerid to network namespaces audit: NETFILTER_PKT: record each container ID associated with a netNS debug audit: read container ID of a process drivers/tty/tty_audit.c | 5 +- fs/proc/base.c | 56 ++++++++++++++ include/linux/audit.h | 95 ++++++++++++++++++++--- include/linux/sched.h | 5 +- include/uapi/linux/audit.h | 8 +- init/init_task.c | 3 +- init/main.c | 2 + kernel/audit.c | 137 +++++++++++++++++++++++++++++++++ kernel/audit.h | 4 + kernel/auditfilter.c | 47 ++++++++++++ kernel/auditsc.c | 183 ++++++++++++++++++++++++++++++++++++++++----- kernel/fork.c | 4 +- kernel/nsproxy.c | 4 + net/netfilter/xt_AUDIT.c | 12 ++- 14 files changed, 526 insertions(+), 39 deletions(-) -- 1.8.3.1

5 years, 9 months

5
62
0 / 0

[PATCH ghak59 V3 0/4] audit: config_change normalizations and event record gathering

by Richard Guy Briggs

Make a number of changes to normalize CONFIG_CHANGE records by adding missing op= fields, providing more information in existing op fields (optional last patch) and connecting all records to existing audit events. The user record needs special-casing since its content isn't directly related to the call that logs it. Since tree purge records are processed after the EOE record is produced, the order of operation of the EOE record and the purge will have to be reversed so that the purge records can be included in the event. The last patch is included for completeness understanding it may be more information than necessary. For reference, here are the calling methods and function tree for all CONFIG_CHANGE events with fields: - audit_log_config_change() - add "op=set" to fields: "[op] <param-name> old auid ses subj res" - AUDIT_SET:AUDIT_STATUS_PID - AUDIT_SET:AUDIT_STATUS_LOST - audit_do_config_change() - AUDIT_SET:AUDIT_STATUS_FAILURE - AUDIT_SET:AUDIT_STATUS_ENABLED - AUDIT_SET:AUDIT_STATUS_RATE_LIMIT - AUDIT_SET:AUDIT_STATUS_BACKLOG_LIMIT - AUDIT_SET:AUDIT_STATUS_BACKLOG_WAIT_TIME - audit_log_rule_change() - fields: "auid ses subj op key list res" - AUDIT_ADD_RULE -F dir=... - AUDIT_DEL_RULE -F dir=... - audit_log_common_recv_msg() - fields: "pid uid auid ses subj ..." - AUDIT_*USER* events (not CONFIG_CHANGE like all the rest) - AUDIT_LOCKED add "op={add,remove}_rule" to "[op] audit_enabled res" - AUDIT_TRIM "op=trim res" - AUDIT_MAKE_EQUIV: "op=make_equiv old new res" - AUDIT_TTY_SET: "op=tty_set old-enabled new-enabled old-log_passwd new-log_passwd res" - audit_mark_log_rule_change() - add ":mark" to op in fields: "uid ses op=autoremove_rule[] path key list res" - audit_autoremove_mark_rule() - audit_mark_handle_event() - audit_mark_fsnotify_ops.handle_event - audit_tree_log_remove_rule() called from kill_rules() - add to op ":tree:%s" to fields: "op=remove_rule[] dir key list res" - from trim_marked() - AUDIT_TRIM: audit_trim_trees() "trim" - audit_add_tree_rule() iterate_mounts err "add" - audit_add_rule() - audit_rule_change() - AUDIT_ADD_RULE -F dir=... - AUDIT_MAKE_EQUIV: audit_tag_tree() iterate_mounts err "equiv" - from audit_kill_trees() - __audit_free() "free" - do_exit() - copy_process() err - __audit_syscall_exit() "exit" - from evict_chunk() "evict" - audit_tree_freeing_mark() - audit_tree_ops.freeing_mark - audit_watch_log_rule_change() add to op ":watch:%s" to fields "auid ses op={updated,remove}_rule[] path key list res" - audit_update_watch() "updated_rules:watch:inval" : "updated_rules:watch:set" - audit_watch_handle_event() FS_CREATE|FS_MOVED_TO, FS_DELETE|FS_MOVED_FROM - audit_watch_fsnotify_ops.handle_event - audit_remove_parent_watches() "remove_rule:watch:parent" - audit_watch_handle_event() FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF - audit_watch_fsnotify_ops.handle_event - audit_seccomp_actions_logged() - fields: "op actions old-actions res" See: https://github.com/linux-audit/audit-kernel/issues/50 See: https://github.com/linux-audit/audit-kernel/issues/59 Sources of AUDIT_CONFIG_CHANGE records and their current and proposed fields are listed here https://github.com/linux-audit/audit-kernel/issues/59#issuecomment-445055154 Changelog: v3: - un-clever %s_rule to not break up op values - create audit_log_user_recv_msg() and squash into record connection - squash kill_trees context handling with kill-trees before EOE - rebase on audit/next (v4.20-rc1) with 2a1fe215e730 ("audit: use current whenever possible") - remove parens in extended format v2: - re-order audit_log_exit() and audit_kill_trees() - drop EOE reordering patch - rebase on 4.18-rc1 (audit/next) Richard Guy Briggs (4): audit: give a clue what CONFIG_CHANGE op was involved audit: add syscall information to CONFIG_CHANGE records audit: hand taken context to audit_kill_trees for syscall logging audit: extend config_change mark/watch/tree rule changes kernel/audit.c | 33 +++++++++++++++++++++++---------- kernel/audit.h | 4 ++-- kernel/audit_fsnotify.c | 4 ++-- kernel/audit_tree.c | 28 +++++++++++++++------------- kernel/audit_watch.c | 8 +++++--- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 12 ++++++------ 7 files changed, 54 insertions(+), 37 deletions(-) -- 1.8.3.1

5 years, 10 months

3
28
0 / 0

[GIT PULL] Audit patches for v4.21

by Paul Moore

Hi Linus, In the finest of holiday of traditions, I have a number of gifts to share today. While most of them are re-gifts from others, unlike the typical re-gift, these are things you will want in and around your tree; I promise. This pull request is perhaps a bit larger than our typical PR, but most of it comes from Jan's rework of audit's fanotify code; a very welcome improvement. We ran this through our normal regression tests, as well as some newly created stress tests and everything looks good. Richard added a few patches, mostly cleaning up a few things and and shortening some of the audit records that we send to userspace; a change the userspace folks are quite happy about. Finally YueHaibing and I kick in a few patches to simplify things a bit and make the code less prone to errors. Lastly, I want to say thanks one more time to everyone who has contributed patches, testing, and code reviews for the audit subsystem over the past year. The project is what it is due to your help and contributions - thank you. Thanks, -Paul -- The following changes since commit 651022382c7f8da46cb4872a545ee1da6d097d2a: Linux 4.20-rc1 (2018-11-04 15:37:52 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20181224 for you to fetch changes up to d406db524c32ca35bd85cada28a547fff3115715: audit: remove duplicated include from audit.c (2018-12-14 12:09:30 -0500) ---------------------------------------------------------------- audit/stable-4.21 PR 20181224 ---------------------------------------------------------------- Jan Kara (14): audit_tree: Remove mark->lock locking audit: Fix possible spurious -ENOSPC error audit: Fix possible tagging failures audit: Embed key into chunk audit: Make hash table insertion safe against concurrent lookups audit: Factor out chunk replacement code audit: Remove pointless check in insert_hash() audit: Provide helper for dropping mark's chunk reference audit: Allocate fsnotify mark independently of chunk audit: Guarantee forward progress of chunk untagging audit: Drop all unused chunk nodes during deletion audit: Simplify locking around untag_chunk() audit: Replace chunk attached to mark instead of replacing mark audit: Use 'mark' name for fsnotify_mark variables Paul Moore (2): audit: minimize our use of audit_log_format() audit: use current whenever possible Richard Guy Briggs (5): audit: print empty EXECVE args audit: localize audit_log_session_info prototype audit: use session_info helper audit: remove WATCH and TREE config options audit: shorten PATH cap values when zero YueHaibing (1): audit: remove duplicated include from audit.c drivers/tty/tty_audit.c | 13 +- include/linux/audit.h | 8 +- init/Kconfig | 9 - kernel/Makefile | 4 +- kernel/audit.c | 62 ++--- kernel/audit.h | 10 +- kernel/audit_fsnotify.c | 6 +- kernel/audit_tree.c | 498 ++++++++++++++++++++---------------- kernel/audit_watch.c | 6 +- kernel/auditsc.c | 150 ++++++------ security/integrity/ima/ima_api.c | 2 +- 11 files changed, 395 insertions(+), 373 deletions(-) -- paul moore www.paul-moore.com

5 years, 10 months

2
1
0 / 0

Found (and fixed) ausearch checkpoint bug

by Burn Alting

When running ausearch against a single file with the --checkpoint option, the file's device number and inode are not recorded in the resultant checkpoint file. That is for the most recent released audit package [root@auditdtest audit-userspace]# rpm -q audit audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64 We see the error via [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt dev=0x0 inode=0 output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514 Which is incorrect. The following is correct. [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ./src/.libs/ausearch --input /var/log/audit/audit.log.2 -- checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt dev=0xFD00 inode=25326469 output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514 [root@auditdtest audit-userspace]# A Pull Request with the fix has been submitted on github - https://github.com/linux-audit/audit-userspace/pull/77 Regards Burn

5 years, 10 months

2
1
0 / 0

[PATCH v5 00/25] ptrace: add PTRACE_GET_SYSCALL_INFO request

by Dmitry V. Levin

PTRACE_GET_SYSCALL_INFO is a generic ptrace API that lets ptracer obtain details of the syscall the tracee is blocked in. There are two reasons for a special syscall-related ptrace request. Firstly, with the current ptrace API there are cases when ptracer cannot retrieve necessary information about syscalls. Some examples include: * The notorious int-0x80-from-64-bit-task issue. See [1] for details. In short, if a 64-bit task performs a syscall through int 0x80, its tracer has no reliable means to find out that the syscall was, in fact, a compat syscall, and misidentifies it. * Syscall-enter-stop and syscall-exit-stop look the same for the tracer. Common practice is to keep track of the sequence of ptrace-stops in order not to mix the two syscall-stops up. But it is not as simple as it looks; for example, strace had a (just recently fixed) long-standing bug where attaching strace to a tracee that is performing the execve system call led to the tracer identifying the following syscall-exit-stop as syscall-enter-stop, which messed up all the state tracking. * Since the introduction of commit 84d77d3f06e7e8dea057d10e8ec77ad71f721be3 ("ptrace: Don't allow accessing an undumpable mm"), both PTRACE_PEEKDATA and process_vm_readv become unavailable when the process dumpable flag is cleared. On such architectures as ia64 this results in all syscall arguments being unavailable for the tracer. Secondly, ptracers also have to support a lot of arch-specific code for obtaining information about the tracee. For some architectures, this requires a ptrace(PTRACE_PEEKUSER, ...) invocation for every syscall argument and return value. PTRACE_GET_SYSCALL_INFO returns the following structure: struct ptrace_syscall_info { __u8 op; /* PTRACE_SYSCALL_INFO_* */ __u8 __pad0[3]; __u32 arch; __u64 instruction_pointer; __u64 stack_pointer; __u64 frame_pointer; union { struct { __u64 nr; __u64 args[6]; } entry; struct { __s64 rval; __u8 is_error; __u8 __pad1[7]; } exit; struct { __u64 nr; __u64 args[6]; __u32 ret_data; __u8 __pad2[4]; } seccomp; }; }; The structure was chosen according to [2], except for the following changes: * seccomp substructure was added as a superset of entry substructure; * the type of nr field was changed from int to __u64 because syscall numbers are, as a practical matter, 64 bits; * stack_pointer and frame_pointer fields were added along with instruction_pointer field since they are readily available and can save the tracer from extra PTRACE_GETREGS/PTRACE_GETREGSET calls; * arch is always initialized to aid with tracing system calls such as execve(); * instruction_pointer, stack_pointer, and frame_pointer are always initialized so they could be easily obtained for non-syscall stops; * a boolean is_error field was added along with rval field, this way the tracer can more reliably distinguish a return value from an error value. strace has been ported to PTRACE_GET_SYSCALL_INFO, you can find it at [3] and [4]. [1] https://lore.kernel.org/lkml/CA+55aFzcSVmdDj9Lh_gdbz1OzHyEm6ZrGPBDAJnywm2... [2] https://lore.kernel.org/lkml/CAObL_7GM0n80N7J_DFw_eQyfLyzq+sf4y2AvsCCV88T... [3] https://github.com/strace/strace/commits/ldv/PTRACE_GET_SYSCALL_INFO [4] https://gitlab.com/strace/strace/commits/ldv/PTRACE_GET_SYSCALL_INFO Notes: v5: * Merge separate series and patches into the single series. * Change PTRACE_EVENTMSG_SYSCALL_{ENTRY,EXIT} values as requested by Oleg. * Change struct ptrace_syscall_info: generalize instruction_pointer, stack_pointer, and frame_pointer fields by moving them from ptrace_syscall_info.{entry,seccomp} substructures to ptrace_syscall_info and initializing them for all stops. * Add PTRACE_SYSCALL_INFO_NONE, assign it to ptrace_syscall_info.op when not in a syscall stop, so e.g. "strace -i" could use the same PTRACE_SYSCALL_INFO_SECCOMP interface to obtain instruction_pointer when the tracee is in a signal stop. * Patch all remaining architectures to provide all necessary syscall_get_* functions. * Make available for all architectures: do not conditionalize on CONFIG_HAVE_ARCH_TRACEHOOK since all syscall_get_* functions are implemented on all architectures. * Add a test for PTRACE_GET_SYSCALL_INFO to selftests/ptrace. v4: * Do not introduce task_struct.ptrace_event, use child->last_siginfo->si_code instead. * Implement PTRACE_SYSCALL_INFO_SECCOMP and ptrace_syscall_info.seccomp support along with PTRACE_SYSCALL_INFO_{ENTRY,EXIT} and ptrace_syscall_info.{entry,exit}. v3: * Change struct ptrace_syscall_info. * Support PTRACE_EVENT_SECCOMP by adding ptrace_event to task_struct. * Add proper defines for ptrace_syscall_info.op values. * Rename PT_SYSCALL_IS_ENTERING and PT_SYSCALL_IS_EXITING to PTRACE_EVENTMSG_SYSCALL_ENTRY and PTRACE_EVENTMSG_SYSCALL_EXIT * and move them to uapi. v2: * Do not use task->ptrace. * Replace entry_info.is_compat with entry_info.arch, use syscall_get_arch(). * Use addr argument of sys_ptrace to get expected size of the struct; return full size of the struct. Dmitry V. Levin (23): alpha: define remaining syscall_get_* functions Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h arc: define syscall_get_arch() c6x: define syscall_get_arch() elf-em.h: add EM_CSKY csky: define syscall_get_arch() h8300: define remaining syscall_get_* functions Move EM_HEXAGON to uapi/linux/elf-em.h hexagon: define remaining syscall_get_* functions Move EM_NDS32 to uapi/linux/elf-em.h nds32: define syscall_get_arch() nios2: define syscall_get_arch() m68k: add asm/syscall.h mips: define syscall_get_error() parisc: define syscall_get_error() powerpc: define syscall_get_error() riscv: define syscall_get_arch() Move EM_XTENSA to uapi/linux/elf-em.h xtensa: define syscall_get_* functions Move EM_UNICORE to uapi/linux/elf-em.h unicore32: add asm/syscall.h syscall_get_arch: add "struct task_struct *" argument selftests/ptrace: add a test case for PTRACE_GET_SYSCALL_INFO Elvira Khabirova (2): powerpc/ptrace: replace ptrace_report_syscall() with a tracehook call ptrace: add PTRACE_GET_SYSCALL_INFO request arch/alpha/include/asm/syscall.h | 29 +- arch/arc/include/asm/elf.h | 6 +- arch/arc/include/asm/syscall.h | 11 + arch/arm/include/asm/syscall.h | 2 +- arch/arm64/include/asm/syscall.h | 4 +- arch/c6x/include/asm/syscall.h | 7 + arch/csky/include/asm/syscall.h | 7 + arch/h8300/include/asm/syscall.h | 18 ++ arch/hexagon/include/asm/elf.h | 6 +- arch/hexagon/include/asm/syscall.h | 20 ++ arch/ia64/include/asm/syscall.h | 2 +- arch/m68k/include/asm/syscall.h | 39 +++ arch/microblaze/include/asm/syscall.h | 2 +- arch/mips/include/asm/syscall.h | 12 +- arch/mips/kernel/ptrace.c | 2 +- arch/nds32/include/asm/elf.h | 3 +- arch/nds32/include/asm/syscall.h | 8 + arch/nios2/include/asm/syscall.h | 6 + arch/openrisc/include/asm/syscall.h | 2 +- arch/parisc/include/asm/syscall.h | 11 +- arch/powerpc/include/asm/syscall.h | 20 +- arch/powerpc/kernel/ptrace.c | 7 +- arch/riscv/include/asm/syscall.h | 10 + arch/s390/include/asm/syscall.h | 4 +- arch/sh/include/asm/syscall_32.h | 2 +- arch/sh/include/asm/syscall_64.h | 2 +- arch/sparc/include/asm/syscall.h | 5 +- arch/unicore32/include/asm/elf.h | 3 +- arch/unicore32/include/asm/syscall.h | 45 +++ arch/x86/include/asm/syscall.h | 8 +- arch/x86/um/asm/syscall.h | 2 +- arch/xtensa/include/asm/elf.h | 2 +- arch/xtensa/include/asm/syscall.h | 69 +++++ include/asm-generic/syscall.h | 5 +- include/linux/tracehook.h | 9 +- include/uapi/linux/audit.h | 16 ++ include/uapi/linux/elf-em.h | 8 + include/uapi/linux/ptrace.h | 39 +++ kernel/auditsc.c | 4 +- kernel/ptrace.c | 99 ++++++- kernel/seccomp.c | 4 +- tools/testing/selftests/ptrace/.gitignore | 1 + tools/testing/selftests/ptrace/Makefile | 2 +- .../selftests/ptrace/get_syscall_info.c | 272 ++++++++++++++++++ 44 files changed, 783 insertions(+), 52 deletions(-) create mode 100644 arch/m68k/include/asm/syscall.h create mode 100644 arch/unicore32/include/asm/syscall.h create mode 100644 tools/testing/selftests/ptrace/get_syscall_info.c -- ldv

5 years, 11 months

4
20
0 / 0

[RFC PATCH] audit-testsuite: improve our chances of losing records in lost_reset

by Paul Moore

From: Paul Moore <paul(a)paul-moore.com> If the point of the lost_reset test is to flood the system with audit records, why are we restricting ourselves with a filter? Let's log everything. Signed-off-by: Paul Moore <paul(a)paul-moore.com> --- tests/lost_reset/test | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/lost_reset/test b/tests/lost_reset/test index af82f0b..054e1e0 100755 --- a/tests/lost_reset/test +++ b/tests/lost_reset/test @@ -57,7 +57,7 @@ for ( $i = 0 ; $i < $iterations ; $i++ ) { # iteration count # Add rule to generate audit queue events from floodping $result = - system("auditctl -a exit,always -S all -F pid=$ping_pid >/dev/null 2>&1"); + system("auditctl -a exit,always -S all >/dev/null 2>&1"); my $counter = 0; my $timeout = 50; @@ -82,7 +82,7 @@ for ( $i = 0 ; $i < $iterations ; $i++ ) { # iteration count } kill 'TERM', $ping_pid; - system("auditctl -d exit,always -S all -F pid=$ping_pid >/dev/null 2>&1"); + system("auditctl -d exit,always -S all >/dev/null 2>&1"); # Restart the daemon to collect messages in the log system("service auditd start >/dev/null 2>&1");

5 years, 11 months

3
7
0 / 0

[RFC PATCH ghak100 V1 0/2] audit: avoid umount hangs on missing mount

by Richard Guy Briggs

On user and remote filesystems, a forced umount can still hang due to attemting to fetch the fcaps of a mounted filesystem that is no longer available. These two patches take different approaches to address this, one by avoiding the lookup when the MNT_FORCE flag is included, the other by providing a method to filter out auditing specified types of filesystems. This can happen on ceph, cifs, 9p, lustre, fuse (gluster) or NFS. Arguably the better way to address this issue is to disable auditing processes that touch removable filesystems. Please see the github issue tracker https://github.com/linux-audit/audit-kernel/issues/100 Richard Guy Briggs (2): audit: avoid fcaps on MNT_FORCE audit: moar filter PATH records keyed on filesystem magic fs/namei.c | 2 +- fs/namespace.c | 3 +++ include/linux/audit.h | 8 ++++++-- kernel/audit.c | 5 +++-- kernel/audit.h | 2 +- kernel/auditsc.c | 29 ++++++++++++++++++++++++++--- 6 files changed, 40 insertions(+), 9 deletions(-) -- 1.8.3.1

5 years, 11 months

4
11
0 / 0

[PATCH v6 00/27] ptrace: add PTRACE_GET_SYSCALL_INFO request

by Dmitry V. Levin

PTRACE_GET_SYSCALL_INFO is a generic ptrace API that lets ptracer obtain details of the syscall the tracee is blocked in. There are two reasons for a special syscall-related ptrace request. Firstly, with the current ptrace API there are cases when ptracer cannot retrieve necessary information about syscalls. Some examples include: * The notorious int-0x80-from-64-bit-task issue. See [1] for details. In short, if a 64-bit task performs a syscall through int 0x80, its tracer has no reliable means to find out that the syscall was, in fact, a compat syscall, and misidentifies it. * Syscall-enter-stop and syscall-exit-stop look the same for the tracer. Common practice is to keep track of the sequence of ptrace-stops in order not to mix the two syscall-stops up. But it is not as simple as it looks; for example, strace had a (just recently fixed) long-standing bug where attaching strace to a tracee that is performing the execve system call led to the tracer identifying the following syscall-exit-stop as syscall-enter-stop, which messed up all the state tracking. * Since the introduction of commit 84d77d3f06e7e8dea057d10e8ec77ad71f721be3 ("ptrace: Don't allow accessing an undumpable mm"), both PTRACE_PEEKDATA and process_vm_readv become unavailable when the process dumpable flag is cleared. On such architectures as ia64 this results in all syscall arguments being unavailable for the tracer. Secondly, ptracers also have to support a lot of arch-specific code for obtaining information about the tracee. For some architectures, this requires a ptrace(PTRACE_PEEKUSER, ...) invocation for every syscall argument and return value. PTRACE_GET_SYSCALL_INFO returns the following structure: struct ptrace_syscall_info { __u8 op; /* PTRACE_SYSCALL_INFO_* */ __u32 arch __attribute__((__aligned__(sizeof(__u32)))); __u64 instruction_pointer; __u64 stack_pointer; union { struct { __u64 nr; __u64 args[6]; } entry; struct { __s64 rval; __u8 is_error; } exit; struct { __u64 nr; __u64 args[6]; __u32 ret_data; } seccomp; }; }; The structure was chosen according to [2], except for the following changes: * seccomp substructure was added as a superset of entry substructure; * the type of nr field was changed from int to __u64 because syscall numbers are, as a practical matter, 64 bits; * stack_pointer field was added along with instruction_pointer field since it is readily available and can save the tracer from extra PTRACE_GETREGS/PTRACE_GETREGSET calls; * arch is always initialized to aid with tracing system calls * such as execve(); * instruction_pointer and stack_pointer are always initialized so they could be easily obtained for non-syscall stops; * a boolean is_error field was added along with rval field, this way the tracer can more reliably distinguish a return value from an error value. strace has been ported to PTRACE_GET_SYSCALL_INFO, you can find it in [3] and [4]. [1] https://lore.kernel.org/lkml/CA+55aFzcSVmdDj9Lh_gdbz1OzHyEm6ZrGPBDAJnywm2... [2] https://lore.kernel.org/lkml/CAObL_7GM0n80N7J_DFw_eQyfLyzq+sf4y2AvsCCV88T... [3] https://github.com/strace/strace/commits/ldv/PTRACE_GET_SYSCALL_INFO [4] https://gitlab.com/strace/strace/commits/ldv/PTRACE_GET_SYSCALL_INFO --- Notes: v6: * Add syscall_get_arguments and syscall_set_arguments wrappers to asm-generic/syscall.h, requested by Geert. * Change PTRACE_GET_SYSCALL_INFO return code: do not take trailing paddings into account, use the end of the last field of the structure being written. * Change struct ptrace_syscall_info: * remove .frame_pointer field, is is not needed and not portable; * make .arch field explicitly aligned, remove no longer needed padding before .arch field; * remove trailing pads, they are no longer needed. v5: * Merge separate series and patches into the single series. * Change PTRACE_EVENTMSG_SYSCALL_{ENTRY,EXIT} values as requested by Oleg. * Change struct ptrace_syscall_info: generalize instruction_pointer, stack_pointer, and frame_pointer fields by moving them from ptrace_syscall_info.{entry,seccomp} substructures to ptrace_syscall_info and initializing them for all stops. * Add PTRACE_SYSCALL_INFO_NONE, set it when not in a syscall stop, so e.g. "strace -i" could use PTRACE_SYSCALL_INFO_SECCOMP to obtain instruction_pointer when the tracee is in a signal stop. * Patch all remaining architectures to provide all necessary syscall_get_* functions. * Make available for all architectures: do not conditionalize on CONFIG_HAVE_ARCH_TRACEHOOK since all syscall_get_* functions are implemented on all architectures. * Add a test for PTRACE_GET_SYSCALL_INFO to selftests/ptrace. v4: * Do not introduce task_struct.ptrace_event, use child->last_siginfo->si_code instead. * Implement PTRACE_SYSCALL_INFO_SECCOMP and ptrace_syscall_info.seccomp support along with PTRACE_SYSCALL_INFO_{ENTRY,EXIT} and ptrace_syscall_info.{entry,exit}. v3: * Change struct ptrace_syscall_info. * Support PTRACE_EVENT_SECCOMP by adding ptrace_event to task_struct. * Add proper defines for ptrace_syscall_info.op values. * Rename PT_SYSCALL_IS_ENTERING and PT_SYSCALL_IS_EXITING to PTRACE_EVENTMSG_SYSCALL_ENTRY and PTRACE_EVENTMSG_SYSCALL_EXIT * and move them to uapi. v2: * Do not use task->ptrace. * Replace entry_info.is_compat with entry_info.arch, use syscall_get_arch(). * Use addr argument of sys_ptrace to get expected size of the struct; return full size of the struct. Dmitry V. Levin (25): asm-generic/syscall.h: prepare for inclusion by other files asm-generic/syscall.h: turn syscall_[gs]et_arguments into wrappers alpha: define remaining syscall_get_* functions Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h arc: define syscall_get_arch() c6x: define syscall_get_arch() elf-em.h: add EM_CSKY csky: define syscall_get_arch() h8300: define remaining syscall_get_* functions Move EM_HEXAGON to uapi/linux/elf-em.h hexagon: define remaining syscall_get_* functions Move EM_NDS32 to uapi/linux/elf-em.h nds32: define syscall_get_arch() nios2: define syscall_get_arch() m68k: add asm/syscall.h mips: define syscall_get_error() parisc: define syscall_get_error() powerpc: define syscall_get_error() riscv: define syscall_get_arch() Move EM_XTENSA to uapi/linux/elf-em.h xtensa: define syscall_get_* functions Move EM_UNICORE to uapi/linux/elf-em.h unicore32: add asm/syscall.h syscall_get_arch: add "struct task_struct *" argument selftests/ptrace: add a test case for PTRACE_GET_SYSCALL_INFO Elvira Khabirova (2): powerpc/ptrace: replace ptrace_report_syscall() with a tracehook call ptrace: add PTRACE_GET_SYSCALL_INFO request arch/alpha/include/asm/syscall.h | 31 +- arch/arc/include/asm/elf.h | 6 +- arch/arc/include/asm/syscall.h | 11 + arch/arm/include/asm/syscall.h | 2 +- arch/arm64/include/asm/syscall.h | 4 +- arch/c6x/include/asm/syscall.h | 7 + arch/csky/include/asm/syscall.h | 7 + arch/h8300/include/asm/syscall.h | 19 ++ arch/hexagon/include/asm/elf.h | 6 +- arch/hexagon/include/asm/syscall.h | 22 ++ arch/ia64/include/asm/syscall.h | 2 +- arch/m68k/include/asm/syscall.h | 42 +++ arch/microblaze/include/asm/syscall.h | 2 +- arch/mips/include/asm/syscall.h | 12 +- arch/mips/kernel/ptrace.c | 2 +- arch/nds32/include/asm/elf.h | 3 +- arch/nds32/include/asm/syscall.h | 8 + arch/nios2/include/asm/syscall.h | 6 + arch/openrisc/include/asm/syscall.h | 2 +- arch/parisc/include/asm/syscall.h | 11 +- arch/powerpc/include/asm/syscall.h | 20 +- arch/powerpc/kernel/ptrace.c | 7 +- arch/riscv/include/asm/syscall.h | 10 + arch/s390/include/asm/syscall.h | 4 +- arch/sh/include/asm/syscall_32.h | 2 +- arch/sh/include/asm/syscall_64.h | 2 +- arch/sparc/include/asm/syscall.h | 5 +- arch/unicore32/include/asm/elf.h | 3 +- arch/unicore32/include/asm/syscall.h | 46 +++ arch/x86/include/asm/syscall.h | 8 +- arch/x86/um/asm/syscall.h | 2 +- arch/xtensa/include/asm/elf.h | 2 +- arch/xtensa/include/asm/syscall.h | 65 +++++ include/asm-generic/syscall.h | 85 ++++-- include/linux/tracehook.h | 9 +- include/uapi/linux/audit.h | 16 ++ include/uapi/linux/elf-em.h | 8 + include/uapi/linux/ptrace.h | 35 +++ kernel/auditsc.c | 4 +- kernel/ptrace.c | 101 ++++++- kernel/seccomp.c | 4 +- tools/testing/selftests/ptrace/.gitignore | 1 + tools/testing/selftests/ptrace/Makefile | 2 +- .../selftests/ptrace/get_syscall_info.c | 271 ++++++++++++++++++ 44 files changed, 851 insertions(+), 66 deletions(-) create mode 100644 arch/m68k/include/asm/syscall.h create mode 100644 arch/unicore32/include/asm/syscall.h create mode 100644 tools/testing/selftests/ptrace/get_syscall_info.c -- ldv

5 years, 11 months

3
13
0 / 0

[PATCH -next] audit: remove duplicated include from audit.c

by YueHaibing

Remove duplicated include. Signed-off-by: YueHaibing <yuehaibing(a)huawei.com> --- kernel/audit.c | 1 - 1 file changed, 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index a0a4544..632d360 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -60,7 +60,6 @@ #include <linux/mutex.h> #include <linux/gfp.h> #include <linux/pid.h> -#include <linux/slab.h> #include <linux/audit.h> -- 2.7.0

5 years, 11 months

2
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit December 2018