September 2019 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: mark expected switch fall-through

by Gustavo A. R. Silva

In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. This patch fixes the following warning: kernel/auditfilter.c: In function ‘audit_krule_to_data’: kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=] if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { ^ kernel/auditfilter.c:674:3: note: here default: ^~~~~~~ Warning level 3 was used: -Wimplicit-fallthrough=3 Notice that, in this particular case, the code comment is modified in accordance with what GCC is expecting to find. This patch is part of the ongoing efforts to enable -Wimplicit-fallthrough. Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com> --- kernel/auditfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index add360b46b38..63f8b3f26fab 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -670,7 +670,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->values[i] = AUDIT_UID_UNSET; break; } - /* fallthrough if set */ + /* fall through - if set */ default: data->values[i] = f->val; } -- 2.20.1

4 years

3
3
0 / 0

[PATCH ghak90 V7 00/21] audit: implement container identifier

by Richard Guy Briggs

Implement kernel audit container identifier. This patchset is a seventh based on the proposal document (V3) posted: https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html The first patch was the last patch from ghak81 that was absorbed into this patchset since its primary justification is the rest of this patchset. The second patch implements the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to announce the registration of that audit container identifier on that process. This patch requires userspace support for record acceptance and proper type display. The third implements reading the audit container identifier from the proc filesystem for debugging. This patch wasn't planned for upstream inclusion but is starting to become more likely. The fourth converts over from a simple u64 to a list member that includes owner information to check for descendancy, allow process injection into a container and prevent id reuse by other orchestrators. The fifth logs the drop of an audit container identifier once all tasks using that audit container identifier have exited. The 6th limits the total number of containers on a system. The 7th implements the auxiliary record AUDIT_CONTAINER_ID if an audit container identifier is associated with an event. This patch requires userspace support for proper type display. The 8th adds audit daemon signalling provenance through audit_sig_info2. The 9th creates a local audit context to be able to bind a standalone record with a locally created auxiliary record. The 10th patch adds audit container identifier records to the user standalone records. The 11th adds audit container identifier filtering to the exit, exclude and user lists. This patch adds the AUDIT_CONTID field and requires auditctl userspace support for the --contid option. The 12th adds network namespace audit container identifier labelling based on member tasks' audit container identifier labels. The 13th adds audit container identifier support to standalone netfilter records that don't have a task context and lists each container to which that net namespace belongs. The 14th checks that the target is a descendant for nesting and the 15th refactors to avoid a duplicate of the copied function. The 16th and 17th add audit netlink interfaces for the /proc audit_containerid, loginuid and sessionid. The 18th adds tracking and reporting for container nesting. This patch could be split up and the chunks applied to earlier patches if this nesting tracking and reporting approach is acceptable. Arguably this is the only way to be able to report activity in a nested container that also affects its parent containers. The 19th limits the container nesting depth. The 20th adds a mechanism to allow a process to be designated as a container orchestrator/engine in non-init user namespaces and the 21st adds a /proc interface for testing only. Example: Set an audit container identifier of 123456 to the "sleep" task: sleep 2& child=$! echo 123456 > /proc/$child/audit_containerid; echo $? ausearch -ts recent -m container_op echo child:$child contid:$( cat /proc/$child/audit_containerid) This should produce a record such as: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid: contid=123459 key=tmpcontainerid auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" & child=$! echo $contid > /proc/$child/audit_containerid sleep 2 ausearch -i -ts recent -k $key auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key rm -f /tmp/$key This should produce an event such as: type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459 type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile); type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid Example: Test multiple containers on one netns: sleep 5 & child1=$! containerid1=123451 echo $containerid1 > /proc/$child1/audit_containerid sleep 5 & child2=$! containerid2=123452 echo $containerid2 > /proc/$child2/audit_containerid iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept iptables -I INPUT -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555 sleep 1; bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1" sleep 1; ausearch -i -m NETFILTER_PKT -ts boot|grep mark=0x12345555 ausearch -i -m NETFILTER_PKT -ts boot|grep contid=|grep $containerid1|grep $containerid2 This should produce an event such as: type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451 Includes the last patch of https://github.com/linux-audit/audit-kernel/issues/81 Please see the github audit kernel issue for the main feature: https://github.com/linux-audit/audit-kernel/issues/90 and the kernel filter code: https://github.com/linux-audit/audit-kernel/issues/91 and the network support: https://github.com/linux-audit/audit-kernel/issues/92 Please see the github audit userspace issue for supporting record types: https://github.com/linux-audit/audit-userspace/issues/51 and filter code: https://github.com/linux-audit/audit-userspace/issues/40 Please see the github audit testsuiite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Changelog: v7 - remove BUG() in audit_comparator64() - rebase on v5.2-rc1 audit/next - resolve merge conflict with ghak111 (signal_info regardless syscall) - resolve merge conflict with ghak73 (audit_field_valid) - resolve merge conflict with ghak64 (saddr_fam filter) - resolve merge conflict with ghak10 (ntp audit) change AUDIT_CONTAINER_ID from 1332 to 1334 - rebase on v5.3-rc1 audit/next - track container owner - only permit setting contid of descendants for nesting - track drop of contid and permit reuse - track and report container nesting - permit filtering on any nested contid - set/get contid and loginuid/sessionid via netlink - implement capcontid to enable orchestrators in non-init user namespaces - limit number of containers - limit depth of container nesting v6 - change TMPBUFLEN from 11 to 21 to cover the decimal value of contid u64 (nhorman) - fix bug overwriting ctx in struct audit_sig_info, move cid above ctx[0] (nhorman) - fix bug skipping remaining fields and not advancing bufp when copying out contid in audit_krule_to_data (omosnacec) - add acks, tidy commit descriptions, other formatting fixes (checkpatch wrong on audit_log_lost) - cast ull for u64 prints - target_cid tracking was moved from the ptrace/signal patch to container_op - target ptrace and signal records were moved from the ptrace/signal patch to container_id - auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2 request and record - ditch unnecessary list_empty() checks - check for null net and aunet in audit_netns_contid_add() - swap CONTAINER_OP contid/old-contid order to ease parsing v5 - address loginuid and sessionid syscall scope in ghak104 - address audit_context in CONFIG_AUDIT vs CONFIG_AUDITSYSCALL in ghak105 - remove tty patch, addressed in ghak106 - rebase on audit/next v5.0-rc1 w/ghak59/ghak104/ghak103/ghak100/ghak107/ghak105/ghak106/ghak105sup - update CONTAINER_ID to CONTAINER_OP in patch description - move audit_context in audit_task_info to CONFIG_AUDITSYSCALL - move audit_alloc() and audit_free() out of CONFIG_AUDITSYSCALL and into CONFIG_AUDIT and create audit_{alloc,free}_syscall - use plain kmem_cache_alloc() rather than kmem_cache_zalloc() in audit_alloc() - fix audit_get_contid() declaration type error - move audit_set_contid() from auditsc.c to audit.c - audit_log_contid() returns void - audit_log_contid() handed contid rather than tsk - switch from AUDIT_CONTAINER to AUDIT_CONTAINER_ID for aux record - move audit_log_contid(tsk/contid) & audit_contid_set(tsk)/audit_contid_valid(contid) - switch from tsk to current - audit_alloc_local() calls audit_log_lost() on failure to allocate a context - add AUDIT_USER* non-syscall contid record - cosmetic cleanup double parens, goto out on err - ditch audit_get_ns_contid_list_lock(), fix aunet lock race - switch from all-cpu read spinlock to rcu, keep spinlock for write - update audit_alloc_local() to use ktime_get_coarse_real_ts64() - add nft_log support - add call from do_exit() in audit_free() to remove contid from netns - relegate AUDIT_CONTAINER ref= field (was op=) to debug patch v4 - preface set with ghak81:"collect audit task parameters" - add shallyn and sgrubb acks - rename feature bitmap macro - rename cid_valid() to audit_contid_valid() - rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP - delete audit_get_contid_list() from headers - move work into inner if, delete "found" - change netns contid list function names - move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch - list contids CSV - pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers) - use "local" in lieu of abusing in_syscall for auditsc_get_stamp() - read_lock(&tasklist_lock) around children and thread check - task_lock(tsk) should be taken before first check of tsk->audit - add spin lock to contid list in aunet - restrict /proc read to CAP_AUDIT_CONTROL - remove set again prohibition and inherited flag - delete contidion spelling fix from patchset, send to netdev/linux-wireless v3 - switched from containerid in task_struct to audit_task_info (depends on ghak81) - drop INVALID_CID in favour of only AUDIT_CID_UNSET - check for !audit_task_info, throw -ENOPROTOOPT on set - changed -EPERM to -EEXIST for parent check - return AUDIT_CID_UNSET if !audit_enabled - squash child/thread check patch into AUDIT_CONTAINER_ID patch - changed -EPERM to -EBUSY for child check - separate child and thread checks, use -EALREADY for latter - move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch - fix && to || bashism in ptrace/signal patch - uninline and export function for audit_free_context() - drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches - move audit_enabled check (xt_AUDIT) - switched from containerid list in struct net to net_generic's struct audit_net - move containerid list iteration into audit (xt_AUDIT) - create function to move namespace switch into audit - switched /proc/PID/ entry from containerid to audit_containerid - call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context() - call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info() - use xt_net(par) instead of sock_net(skb->sk) to get net - switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID - allow to set own contid - open code audit_set_containerid - add contid inherited flag - ccontainerid and pcontainerid eliminated due to inherited flag - change name of container list funcitons - rename containerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging - patch description and documentation clean-up and example - reap unused ppid Richard Guy Briggs (21): audit: collect audit task parameters audit: add container id audit: read container ID of a process audit: convert to contid list to check for orch/engine ownership audit: log drop of contid on exit of last task audit: contid limit of 32k imposed to avoid DoS audit: log container info of syscalls audit: add contid support for signalling the audit daemon audit: add support for non-syscall auxiliary records audit: add containerid support for user records audit: add containerid filtering audit: add support for containerid to network namespaces audit: NETFILTER_PKT: record each container ID associated with a netNS audit: contid check descendancy and nesting sched: pull task_is_descendant into kernel/sched/core.c audit: add support for contid set/get by netlink audit: add support for loginuid/sessionid set/get by netlink audit: track container nesting audit: check cont depth audit: add capcontid to set contid outside init_user_ns audit: add proc interface for capcontid fs/proc/base.c | 112 ++++++- include/linux/audit.h | 148 ++++++++- include/linux/sched.h | 10 +- include/uapi/linux/audit.h | 16 +- init/init_task.c | 3 +- init/main.c | 2 + kernel/audit.c | 728 +++++++++++++++++++++++++++++++++++++++++++- kernel/audit.h | 38 +++ kernel/auditfilter.c | 64 ++++ kernel/auditsc.c | 91 ++++-- kernel/fork.c | 1 - kernel/nsproxy.c | 4 + kernel/sched/core.c | 33 ++ net/netfilter/nft_log.c | 11 +- net/netfilter/xt_AUDIT.c | 11 +- security/selinux/nlmsgtab.c | 1 + security/yama/yama_lsm.c | 33 -- 17 files changed, 1210 insertions(+), 96 deletions(-) -- 1.8.3.1

4 years, 5 months

5
71
0 / 0

Re: ntp audit spew.

by Paul Moore

On Mon, Sep 23, 2019 at 11:50 AM Dave Jones <davej(a)codemonkey.org.uk> wrote: > > I have some hosts that are constantly spewing audit messages like so: > > [46897.591182] audit: type=1333 audit(1569250288.663:220): op=offset old=2543677901372 new=2980866217213 > [46897.591184] audit: type=1333 audit(1569250288.663:221): op=freq old=-2443166611284 new=-2436281764244 > [48850.604005] audit: type=1333 audit(1569252241.675:222): op=offset old=1850302393317 new=3190241577926 > [48850.604008] audit: type=1333 audit(1569252241.675:223): op=freq old=-2436281764244 new=-2413071187316 > [49926.567270] audit: type=1333 audit(1569253317.638:224): op=offset old=2453141035832 new=2372389610455 > [49926.567273] audit: type=1333 audit(1569253317.638:225): op=freq old=-2413071187316 new=-2403561671476 > > This gets emitted every time ntp makes an adjustment, which is apparently very frequent on some hosts. > > > Audit isn't even enabled on these machines. > > # auditctl -l > No rules [NOTE: added linux-audit to the CC line] There is an audit mailing list, please CC it when you have audit concerns/questions/etc. What happens when you run 'auditctl -a never,task'? That *should* silence those messages as the audit_ntp_log() function has the requisite audit_dummy_context() check. FWIW, this is the distro default for many (most? all?) distros; for example, check /etc/audit/audit.rules on a stock Fedora system. A more selective configuration could simply exclude the TIME_ADJNTPVAL record (type 1333) from the records that the kernel emits. We could also add a audit_enabled check at the top of audit_ntp_log()/__audit_ntp_log(), but I imagine some of that depends on the various security requirements (they can be bizzare and I can't say I'm up to date on all those - Steve Grubb should be able to comment on that). -- paul moore www.paul-moore.com

4 years, 6 months

7
24
0 / 0

[RFC] audit support for BPF notification

by Jiri Olsa

hi, I posted initial change that allows auditd to log BPF program load/unload events, it's in here: https://github.com/linux-audit/audit-userspace/pull/104 We tried to push pure AUDIT interface for BPF program notification, but it was denied, the discussion is in here: https://marc.info/?t=153866123200003&r=1&w=2 The outcome of the discussion was to use perf event interface for BPF notification and use it in some deamon.. audit was our first choice. thoughts? thanks, jirka

4 years, 6 months

5
11
0 / 0

[PATCH] audit: Report suspicious O_CREAT usage

by Kees Cook

This renames the very specific audit_log_link_denied() to audit_log_path_denied() and adds the AUDIT_* type as an argument. This allows for the creation of the new AUDIT_ANOM_CREAT that can be used to report the fifo/regular file creation restrictions that were introduced in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and regular files"). Without this change, discovering that the restriction is enabled can be very challenging: https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQO... Reported-by: Jérémie Galarneau <jeremie.galarneau(a)efficios.com> Signed-off-by: Kees Cook <keescook(a)chromium.org> --- This is not a complete fix because reporting was broken in commit 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and audit_dummy_context") which specifically goes against the intention of these records: they should _always_ be reported. If auditing isn't enabled, they should be ratelimited. Instead of using audit, should this just go back to using pr_ratelimited()? --- fs/namei.c | 7 +++++-- include/linux/audit.h | 5 +++-- include/uapi/linux/audit.h | 1 + kernel/audit.c | 11 ++++++----- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 671c3c1a3425..0e60f81e1d5a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -925,7 +925,7 @@ static inline int may_follow_link(struct nameidata *nd) return -ECHILD; audit_inode(nd->name, nd->stack[0].link.dentry, 0); - audit_log_link_denied("follow_link"); + audit_log_path_denied(AUDIT_ANOM_LINK, "follow_link"); return -EACCES; } @@ -993,7 +993,7 @@ static int may_linkat(struct path *link) if (safe_hardlink_source(inode) || inode_owner_or_capable(inode)) return 0; - audit_log_link_denied("linkat"); + audit_log_path_denied(AUDIT_ANOM_LINK, "linkat"); return -EPERM; } @@ -1031,6 +1031,9 @@ static int may_create_in_sticky(struct dentry * const dir, (dir->d_inode->i_mode & 0020 && ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { + audit_log_path_denied(AUDIT_ANOM_CREAT, + S_ISFIFO(inode->i_mode) ? "fifo" + : "regular"); return -EACCES; } return 0; diff --git a/include/linux/audit.h b/include/linux/audit.h index aee3dc9eb378..b3715e2ee1c5 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -156,7 +156,8 @@ extern void audit_log_d_path(struct audit_buffer *ab, const struct path *path); extern void audit_log_key(struct audit_buffer *ab, char *key); -extern void audit_log_link_denied(const char *operation); +extern void audit_log_path_denied(int type, + const char *operation); extern void audit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); @@ -217,7 +218,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab, { } static inline void audit_log_key(struct audit_buffer *ab, char *key) { } -static inline void audit_log_link_denied(const char *string) +static inline void audit_log_path_denied(int type, const char *string); { } static inline int audit_log_task_context(struct audit_buffer *ab) { diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index c89c6495983d..3ad935527177 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -143,6 +143,7 @@ #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ +#define AUDIT_ANOM_CREAT 1703 /* Suspicious file creation */ #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */ #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ diff --git a/kernel/audit.c b/kernel/audit.c index da8dc0db5bd3..ed7402ac81b6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2155,18 +2155,19 @@ void audit_log_task_info(struct audit_buffer *ab) EXPORT_SYMBOL(audit_log_task_info); /** - * audit_log_link_denied - report a link restriction denial - * @operation: specific link operation + * audit_log_path_denied - report a path restriction denial + * @type: audit message type (AUDIT_ANOM_LINK, AUDIT_ANOM_CREAT, etc) + * @operation: specific operation name */ -void audit_log_link_denied(const char *operation) +void audit_log_path_denied(int type, const char *operation) { struct audit_buffer *ab; if (!audit_enabled || audit_dummy_context()) return; - /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_LINK); + /* Generate log with subject, operation, outcome. */ + ab = audit_log_start(audit_context(), GFP_KERNEL, type); if (!ab) return; audit_log_format(ab, "op=%s", operation); -- 2.17.1 -- Kees Cook

4 years, 7 months

4
8
0 / 0

[PATCH 0/2] Fix perltidy on Travis CI

by Paul Moore

The version of perltidy currently available in Travis CI via Ubuntu 16.04 LTS doesn't produce the same output as the perltidy shipped in more modern distros. This patchset addresses this by installing perltidy from the upstream sources. --- Paul Moore (2): audit-testsuite: use our own version of perltidy in the Travis CI tests audit-testsuite: fix the style according to ./tools/check-syntax .travis.yml | 10 +++++++++- tests/exec_execve/test | 2 +- tests/exec_name/test | 2 +- tests/file_create/test | 2 +- tests/file_delete/test | 2 +- tests/file_rename/test | 2 +- tests/filter_exclude/test | 2 +- tests/filter_sessionid/test | 2 +- tests/login_tty/test | 2 +- tests/lost_reset/test | 2 +- tests/netfilter_pkt/test | 2 +- tests/syscall_module/test | 2 +- tests/syscall_socketcall/test | 2 +- tests/syscalls_file/test | 2 +- tests/user_msg/test | 2 +- tests_manual/stress_tree/test | 2 +- tests_manual/syscall_module_path_filter/test | 1 + 17 files changed, 25 insertions(+), 16 deletions(-)

4 years, 7 months

1
2
0 / 0

[PATCH ghau51/ghau40 v7 00/12] add support for audit container identifier

by Richard Guy Briggs

Add support for audit kernel container identifiers to userspace tools. The first and second add new record types. The third adds filter support. The fourth and 5th start to add search support. The 6th is to read the calling process' audit container identifier from the /proc filesystem matching the kernel /proc read patch. The 7th is to fix signal support and the 8th is to learn the audit container identifier of the process that signals the audit daemon. The 9th is a touch up to allow the contid field to be interpreted as a CSV list. The 10th and 11th add audit netlink support for setting and getting contid, loginuid and sessionid preparing to deprecate the /proc interface. The last adds audit library support to allow a process to give permission to a container orchestrator in a non-init user namespace via audit netlink messages. See: https://github.com/linux-audit/audit-userspace/issues/51 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Changelog: v7 - rebase on ghau90 and touchup - rebase on ghak10 support (change AUDIT_CONTAINER_ID to 1334) - render type contid as a CSV - switch from /proc to audit netlink to set/get contid, auid/sessionid - add support for capcontid v6 - auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2 request and record - swap CONTAINER_OP contid/old-contid to ease parsing - add to auparse v5 - updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID - add AUDIT_CONTAINER_ID to normalization - rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD v4 - change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP - change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to AUDIT_FEATURE_BITMAP_CONTAINERID - change from event_container_id to event_contid internally - change from container_id to contid and event_container_id to event_contid internally - change command line option from --container-id to --contid v3 - change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID - change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER - change from AUDIT_CONTAINERID to AUDIT_CONTID - update github issue refs - add audit_get_containerid - change event_container_id default value - add --containerid to ausearch options help text - update ausearch parser and error codes v2 - rebase on UINT_MAX patch - add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch, normalization Richard Guy Briggs (12): AUDIT_CONTAINER_OP message type basic support AUDIT_CONTAINER_ID message type basic support auditctl: add support for AUDIT_CONTID filter add ausearch containerid support start normalization containerid support libaudit: add support to get the task audit container identifier signal_info: only print context if it is available. add support for audit_signal_info2 contid: interpret correctly CONTAINER_ID contid field csv contid: switch from /proc to netlink loginuid/sessionid: switch from /proc to netlink libaudit: add support to get and set capcontid on a task auparse/auditd-config.c | 1 + auparse/auparse-defs.h | 3 +- auparse/interpret.c | 10 + auparse/normalize_record_map.h | 2 + auparse/typetab.h | 2 + bindings/python/auparse_python.c | 1 + docs/Makefile.am | 3 +- docs/audit_get_containerid.3 | 25 +++ docs/audit_request_signal_info.3 | 1 + docs/audit_set_containerid.3 | 24 +++ docs/auditctl.8 | 3 + lib/fieldtab.h | 1 + lib/libaudit.c | 425 ++++++++++++++++++++++++++++++++------- lib/libaudit.h | 73 +++++++ lib/msg_typetab.h | 10 + lib/netlink.c | 15 ++ src/auditctl-listing.c | 21 ++ src/auditd-config.c | 1 + src/auditd-config.h | 1 + src/auditd-event.c | 28 ++- src/auditd-reconfig.c | 25 ++- src/auditd.c | 3 +- src/aureport-options.c | 1 + src/ausearch-llist.c | 2 + src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 + src/ausearch-options.c | 47 ++++- src/ausearch-options.h | 1 + src/ausearch-parse.c | 197 ++++++++++++++++++ src/ausearch-report.c | 6 +- 30 files changed, 848 insertions(+), 88 deletions(-) create mode 100644 docs/audit_get_containerid.3 create mode 100644 docs/audit_set_containerid.3 -- 1.8.3.1

4 years, 8 months

1
14
0 / 0

[PATCH][RFC] audit: set wait time to zero when audit failed

by Li RongQing

if audit_log_start failed because queue is full, kauditd is waiting the receiving queue empty, but no receiver, a task will be forced to wait 60 seconds for each audited syscall, and it will be hang for a very long time so at this condition, set the wait time to zero to reduce wait, and restore wait time when audit works again it partially restore the commit 3197542482df ("audit: rework audit_log_start()") Signed-off-by: Li RongQing <lirongqing(a)baidu.com> Signed-off-by: Liang ZhiCheng <liangzhicheng(a)baidu.com> --- reboot is taking a very long time on my machine(centos 6u4 +kernel 5.3) since TIF_SYSCALL_AUDIT is set by default, and when reboot, userspace process which receiver audit message , will be killed, and lead to that no user drain the audit queue git bitsect show it is caused by 3197542482df ("audit: rework audit_log_start()") kernel/audit.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index da8dc0db5bd3..6de23599fd43 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -119,6 +119,7 @@ static u32 audit_rate_limit; * When set to zero, this means unlimited. */ static u32 audit_backlog_limit = 64; #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) +static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME; static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ @@ -435,7 +436,7 @@ static int audit_set_backlog_limit(u32 limit) static int audit_set_backlog_wait_time(u32 timeout) { return audit_do_config_change("audit_backlog_wait_time", - &audit_backlog_wait_time, timeout); + &audit_backlog_wait_time_master, timeout); } static int audit_set_enabled(u32 state) @@ -1202,7 +1203,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) s.lost = atomic_read(&audit_lost); s.backlog = skb_queue_len(&audit_queue); s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL; - s.backlog_wait_time = audit_backlog_wait_time; + s.backlog_wait_time = audit_backlog_wait_time_master; audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s)); break; } @@ -1785,11 +1786,15 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, skb_queue_len(&audit_queue), audit_backlog_limit); audit_log_lost("backlog limit exceeded"); + audit_backlog_wait_time = 0; return NULL; } } } + if (audit_backlog_wait_time != audit_backlog_wait_time_master) + audit_backlog_wait_time = audit_backlog_wait_time_master; + ab = audit_buffer_alloc(ctx, gfp_mask, type); if (!ab) { audit_log_lost("out of memory in audit_log_start"); -- 2.16.2

4 years, 8 months

5
12
0 / 0

RFC(V4): Audit Kernel Container IDs

by Richard Guy Briggs

Containers are a userspace concept. The kernel knows nothing of them. The Linux audit system needs a way to be able to track the container provenance of events and actions. Audit needs the kernel's help to do this. The motivations are: - A sysadmin needs to be able to filter unwanted, irrelevant or unimportant messages before they fill the queue so that important messages don't get lost. This is a certification requirement. - Security claims need to be made about containers, requiring tracking of actions within those containers to ensure compliance with established security policies. - It will be required to route messages from events local to an audit daemon instance or host audit daemon instance. - nsIDs were considered seriously, but turns out to be insufficient for efficient filtering, routing, and tracking. Since the concept of a container is entirely a userspace concept, a registration from the userspace container orchestration system initiates this. This will define a point in time and a set of resources associated with a particular container with an audit container identifier. The registration is a u64 representing the audit container identifier. This is written to a special file in a pseudo filesystem (proc, since PID tree already exists) representing a process that will become a parent process in that container. This write might place restrictions on mount namespaces required to define a container, or at least careful checking of namespaces in the kernel to verify permissions of the orchestrator so it can't change its own container ID. A bind mount of nsfs may be necessary in the container orchestrator's mount namespace. This write can only happen once per process. Note: The justification for using a u64 is that it minimizes the information printed in every audit record, reducing bandwidth and limits comparisons to a single u64 which will be faster and less error-prone. [ALT: The registration is a netlink message to the audit subsystem of type AUDIT_SET_CONTID with a data structure including a u32 representing the PID of the target process to become the parent process in that container and a u64 representing the audit container identifier. :ALT] Require CAP_AUDIT_CONTROL to be able to carry out the registration. At that time, record the target container's user-supplied audit container identifier along with a target container's parent process (which may become the target container's "init" process) process ID (referenced from the initial PID namespace) in a new record AUDIT_CONTAINER_OP with a qualifying op=$action field. Issue a new auxilliary record AUDIT_CONTAINER_ID for each valid audit container identifier present on an auditable action or event. Forked and cloned processes inherit their parent's audit container identifier, referenced from the process' task_struct indirectly in the audit pointer to a struct audit_task_info. Since the audit container identifier is inherited rather than written, it can still be written once. This will prevent tampering while allowing nesting. Mimic setns(2) and return an error if the process has already initiated threading or forked since this registration should happen before the process execution is started by the orchestrator and hence should not yet have any threads or children. If this is deemed overly restrictive, switch all of the target's threads and children to the new containerID. Trust the orchestrator to judiciously use and restrict CAP_AUDIT_CONTROL. The audit container identifier will be stored in a refcounted kernel object that is searchable in a hashtabled list for efficient access. This is so that multiple container orchestrators/engines can operate on one machine without danger of them trampling each other's audit container identifiers. The owner of each container will also be stored to be able to permit tasks to be injected into an existing container only by its owner. The total number of containers can be restricted by a total count. To permit nesting containers, the target container must be a descendant process of the container orchestrator and the container's parent container (if set) will be stored in the audit container identifier kernel object. Report the chain of contids back to the top level container of a process. Filters will check the chain of contids back to the top container. The total depth of container nesting can be restricted. When a container ceases to exist because the last process in that container has exited log the fact to balance the registration action. (This is likely needed for certification accountability.) At this point it appears unnecessary to add a container session identifier since this is all tracked from loginuid and sessionid to communicate with the container orchestrator to spawn an additional session into an existing container which would be logged. It can be added at a later date without breaking API should it be deemed necessary. To permit container nesting beyond the initial user namespace, add a capcontid flag per process in its audit audit_task_info struct to store this ability communicated either via /proc/PID/capcontid or an audit netlink message type AUDIT_SET_CAPCONTID. The following namespace logging actions are not needed for certification purposes at this point, but are helpful for tracking namespace activity. These are auxilliary records that are associated with namespace manipulation syscalls unshare(2), clone(2) and setns(2), so the records will only show up if explicit syscall rules have been added to document this activity. Log the creation of every namespace, inheriting/adding its spawning process' audit container identifier(s), if applicable. Include the spawning and spawned namespace IDs (device and inode number tuples). [AUDIT_NS_CREATE, AUDIT_NS_DESTROY] [clone(2), unshare(2), setns(2)] Note: At this point it appears only network namespaces may need to track container IDs apart from processes since incoming packets may cause an auditable event before being associated with a process. Since a namespace can be shared by processes in different containers, the namespace will need to track all containers to which it has been assigned. Upon registration, the target process' namespace IDs (in the form of a nsfs device number and inode number tuple) will be recorded in an AUDIT_NS_INFO auxilliary record. Log the destruction of every namespace that is no longer used by any process, including the namespace IDs (device and inode number tuples). [AUDIT_NS_DESTROY] [process exit, unshare(2), setns(2)] Issue a new auxilliary record AUDIT_NS_CHANGE listing (opt: op=$action) the parent and child namespace IDs for any changes to a process' namespaces. [setns(2)] Note: It may be possible to combine AUDIT_NS_* record formats and distinguish them with an op=$action field depending on the fields required for each message type. The audit container identifier will need to be reaped from all implicated namespaces upon the destruction of a container. This namespace information adds supporting information for tracking events not attributable to specific processes. Changelog: (Upstream V4) - Add elaborated motivations. - Switch AUDIT_CONTAINER to AUDIT_CONTAINER_OP - Switch AUDIT_CONTAINER_INFO to AUDIT_CONTAINER_ID - Add capcontid to mimic CAP_AUDIT_CONTROL in non-init user namespaces - Check for max contid depth - Check for max contid quantity - Store the contid in a refcounted kernel object filed by hashtable lists - Mediate contid registration between peer orchestrators - Allow injection of processes into an existing container by container owner (Upstream V3) - switch back to u64 (from pmoore, can be expanded to u128 in future if need arises without breaking API. u32 was originally proposed, up to c36 discussed) - write-once, but children inherit audit container identifier and can then still be written once - switch to CAP_AUDIT_CONTROL - group namespace actions together, auxilliary records to namespace operations. (Upstream V2) - switch from u64 to u128 UUID - switch from "signal" and "trigger" to "register" - restrict registration to single process or force all threads and children into same container - RGB -- Richard Guy Briggs <rgb(a)redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

4 years, 8 months

1
0
0 / 0

No audit/next patches for the v5.4 merge window

by Paul Moore

A quick note in case anyone was wondering ... we don't have anything queued up in audit/next for the v5.4 merge window, so no audit updates this time around. -- paul moore www.paul-moore.com

4 years, 8 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit September 2019