April 2020 - Linux-audit - Linux-Audit List Archives

[PATCH ghak90 V8 00/16] audit: implement container identifier

by Richard Guy Briggs

Implement kernel audit container identifier. This patchset is an eighth based on the proposal document (V4) posted: https://www.redhat.com/archives/linux-audit/2019-September/msg00052.html The first patch was the last patch from ghak81 that was absorbed into this patchset since its primary justification is the rest of this patchset. The second patch implements the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to announce the registration of that audit container identifier on that process. This patch requires userspace support for record acceptance and proper type display. The third implements reading the audit container identifier from the proc filesystem for debugging. This patch wasn't planned for upstream inclusion but is starting to become more likely. The fourth converts over from a simple u64 to a list member that includes owner information to check for descendancy, allow process injection into a container and prevent id reuse by other orchestrators. The fifth logs the drop of an audit container identifier once all tasks using that audit container identifier have exited. The 6th implements the auxiliary record AUDIT_CONTAINER_ID if an audit container identifier is associated with an event. This patch requires userspace support for proper type display. The 7th adds audit daemon signalling provenance through audit_sig_info2. The 8th creates a local audit context to be able to bind a standalone record with a locally created auxiliary record. The 9th patch adds audit container identifier records to the user standalone records. The 10th adds audit container identifier filtering to the exit, exclude and user lists. This patch adds the AUDIT_CONTID field and requires auditctl userspace support for the --contid option. The 11th adds network namespace audit container identifier labelling based on member tasks' audit container identifier labels which supports standalone netfilter records that don't have a task context and lists each container to which that net namespace belongs. The 12th checks that the target is a descendant for nesting and refactors to avoid a duplicate of the copied function. The 13th adds tracking and reporting for container nesting. This enables kernel filtering and userspace searches of nested audit container identifiers. The 14th checks and clamps the nesting depth of containers while the 15th checks and clamps the total number of audit container identifiers sharing one network namespace. The combination of these two pararmeters prevents the overflow of the contid field in CONTAINER_* records. The 16th adds a mechanism to allow a process to be designated as a container orchestrator/engine in non-init user namespaces. Example: Set an audit container identifier of 123456 to the "sleep" task: sleep 2& child=$! echo 123456 > /proc/$child/audit_containerid; echo $? ausearch -ts recent -m container_op echo child:$child contid:$( cat /proc/$child/audit_containerid) This should produce a record such as: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid: contid=123459 key=tmpcontainerid auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" & child=$! echo $contid > /proc/$child/audit_containerid sleep 2 ausearch -i -ts recent -k $key auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key rm -f /tmp/$key This should produce an event such as: type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459 type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile); type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid Example: Test multiple containers on one netns: sleep 5 & child1=$! containerid1=123451 echo $containerid1 > /proc/$child1/audit_containerid sleep 5 & child2=$! containerid2=123452 echo $containerid2 > /proc/$child2/audit_containerid iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept iptables -I INPUT -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555 sleep 1; bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1" sleep 1; ausearch -i -m NETFILTER_PKT -ts boot|grep mark=0x12345555 ausearch -i -m NETFILTER_PKT -ts boot|grep contid=|grep $containerid1|grep $containerid2 This should produce an event such as: type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451 Includes the last patch of https://github.com/linux-audit/audit-kernel/issues/81 Please see the github audit kernel issue for the main feature: https://github.com/linux-audit/audit-kernel/issues/90 and the kernel filter code: https://github.com/linux-audit/audit-kernel/issues/91 and the network support: https://github.com/linux-audit/audit-kernel/issues/92 Please see the github audit userspace issue for supporting record types: https://github.com/linux-audit/audit-userspace/issues/51 and filter code: https://github.com/linux-audit/audit-userspace/issues/40 Please see the github audit testsuiite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 https://github.com/rgbriggs/audit-testsuite/tree/ghat64-contid https://githu.com/linux-audit/audit-testsuite/pull/91 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID The code is also posted at: git://toccata2.tricolour.ca/linux-2.6-rgb.git ghak90-audit-containerID.v8 Changelog: v8 - rebase on v5.5-rc1 audit/next - remove subject attrs in CONTAINER_OP record - group audit_contid_list_lock with audit_contid_hash - in audit_{set,log}_contid(), break out of loop after finding target - use target var to size kmalloc - rework audit_cont_owner() to bool audit_contid_isowner() and move to where used - create static void audit_cont_hold(struct audit_contobj *cont) { refcount_inc(&cont->refcount); } - rename audit_cont{,_*} refs to audit_contobj{,_*} - prefix special local functions with _ [audit_contobj*()] - protect contid list traversals with rcu_read_lock() and updates with audit_contid_list_lock - protect real_parent in audit_contid_depth() with rcu_dereference - give new contid field nesting format in patch description - squash task_is_descendant() - squash support for NETFILTER_PKT into network namespaces - limit nesting depth based on record length overflow, bandwidth and storage - implent control for audit container identifier nesting depth limit - make room for audit_bpf patches (bump CONTAINER_ID to 1335) - squash proc interface into capcontid - remove netlink access to loginuid/sessionid/contid/capcontid - delete 32k contid limit patch - document potential overlap between signal delivery and contid reuse - document audit_contobj_list_lock coverage - document disappearing orch task injection limitation - limit the number of containers that can be associated with a network namespace - implent control for audit container identifier netns count limit v7 - remove BUG() in audit_comparator64() - rebase on v5.2-rc1 audit/next - resolve merge conflict with ghak111 (signal_info regardless syscall) - resolve merge conflict with ghak73 (audit_field_valid) - resolve merge conflict with ghak64 (saddr_fam filter) - resolve merge conflict with ghak10 (ntp audit) change AUDIT_CONTAINER_ID from 1332 to 1334 - rebase on v5.3-rc1 audit/next - track container owner - only permit setting contid of descendants for nesting - track drop of contid and permit reuse - track and report container nesting - permit filtering on any nested contid - set/get contid and loginuid/sessionid via netlink - implement capcontid to enable orchestrators in non-init user namespaces - limit number of containers - limit depth of container nesting v6 - change TMPBUFLEN from 11 to 21 to cover the decimal value of contid u64 (nhorman) - fix bug overwriting ctx in struct audit_sig_info, move cid above ctx[0] (nhorman) - fix bug skipping remaining fields and not advancing bufp when copying out contid in audit_krule_to_data (omosnacec) - add acks, tidy commit descriptions, other formatting fixes (checkpatch wrong on audit_log_lost) - cast ull for u64 prints - target_cid tracking was moved from the ptrace/signal patch to container_op - target ptrace and signal records were moved from the ptrace/signal patch to container_id - auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2 request and record - ditch unnecessary list_empty() checks - check for null net and aunet in audit_netns_contid_add() - swap CONTAINER_OP contid/old-contid order to ease parsing v5 - address loginuid and sessionid syscall scope in ghak104 - address audit_context in CONFIG_AUDIT vs CONFIG_AUDITSYSCALL in ghak105 - remove tty patch, addressed in ghak106 - rebase on audit/next v5.0-rc1 w/ghak59/ghak104/ghak103/ghak100/ghak107/ghak105/ghak106/ghak105sup - update CONTAINER_ID to CONTAINER_OP in patch description - move audit_context in audit_task_info to CONFIG_AUDITSYSCALL - move audit_alloc() and audit_free() out of CONFIG_AUDITSYSCALL and into CONFIG_AUDIT and create audit_{alloc,free}_syscall - use plain kmem_cache_alloc() rather than kmem_cache_zalloc() in audit_alloc() - fix audit_get_contid() declaration type error - move audit_set_contid() from auditsc.c to audit.c - audit_log_contid() returns void - audit_log_contid() handed contid rather than tsk - switch from AUDIT_CONTAINER to AUDIT_CONTAINER_ID for aux record - move audit_log_contid(tsk/contid) & audit_contid_set(tsk)/audit_contid_valid(contid) - switch from tsk to current - audit_alloc_local() calls audit_log_lost() on failure to allocate a context - add AUDIT_USER* non-syscall contid record - cosmetic cleanup double parens, goto out on err - ditch audit_get_ns_contid_list_lock(), fix aunet lock race - switch from all-cpu read spinlock to rcu, keep spinlock for write - update audit_alloc_local() to use ktime_get_coarse_real_ts64() - add nft_log support - add call from do_exit() in audit_free() to remove contid from netns - relegate AUDIT_CONTAINER ref= field (was op=) to debug patch v4 - preface set with ghak81:"collect audit task parameters" - add shallyn and sgrubb acks - rename feature bitmap macro - rename cid_valid() to audit_contid_valid() - rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP - delete audit_get_contid_list() from headers - move work into inner if, delete "found" - change netns contid list function names - move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch - list contids CSV - pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers) - use "local" in lieu of abusing in_syscall for auditsc_get_stamp() - read_lock(&tasklist_lock) around children and thread check - task_lock(tsk) should be taken before first check of tsk->audit - add spin lock to contid list in aunet - restrict /proc read to CAP_AUDIT_CONTROL - remove set again prohibition and inherited flag - delete contidion spelling fix from patchset, send to netdev/linux-wireless v3 - switched from containerid in task_struct to audit_task_info (depends on ghak81) - drop INVALID_CID in favour of only AUDIT_CID_UNSET - check for !audit_task_info, throw -ENOPROTOOPT on set - changed -EPERM to -EEXIST for parent check - return AUDIT_CID_UNSET if !audit_enabled - squash child/thread check patch into AUDIT_CONTAINER_ID patch - changed -EPERM to -EBUSY for child check - separate child and thread checks, use -EALREADY for latter - move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch - fix && to || bashism in ptrace/signal patch - uninline and export function for audit_free_context() - drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches - move audit_enabled check (xt_AUDIT) - switched from containerid list in struct net to net_generic's struct audit_net - move containerid list iteration into audit (xt_AUDIT) - create function to move namespace switch into audit - switched /proc/PID/ entry from containerid to audit_containerid - call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context() - call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info() - use xt_net(par) instead of sock_net(skb->sk) to get net - switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID - allow to set own contid - open code audit_set_containerid - add contid inherited flag - ccontainerid and pcontainerid eliminated due to inherited flag - change name of container list funcitons - rename containerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging - patch description and documentation clean-up and example - reap unused ppid Richard Guy Briggs (16): audit: collect audit task parameters audit: add container id audit: read container ID of a process audit: convert to contid list to check for orch/engine ownership audit: log drop of contid on exit of last task audit: log container info of syscalls audit: add contid support for signalling the audit daemon audit: add support for non-syscall auxiliary records audit: add containerid support for user records audit: add containerid filtering audit: add support for containerid to network namespaces audit: contid check descendancy and nesting audit: track container nesting audit: check contid depth and add limit config param audit: check contid count per netns and add config param limit audit: add capcontid to set contid outside init_user_ns fs/proc/base.c | 112 +++++++- include/linux/audit.h | 140 +++++++++- include/linux/nsproxy.h | 2 +- include/linux/sched.h | 10 +- include/uapi/linux/audit.h | 14 +- init/init_task.c | 3 +- init/main.c | 2 + kernel/audit.c | 626 +++++++++++++++++++++++++++++++++++++++++++- kernel/audit.h | 29 ++ kernel/auditfilter.c | 61 +++++ kernel/auditsc.c | 91 +++++-- kernel/fork.c | 11 +- kernel/nsproxy.c | 27 +- kernel/sched/core.c | 33 +++ net/netfilter/nft_log.c | 11 +- net/netfilter/xt_AUDIT.c | 11 +- security/selinux/nlmsgtab.c | 1 + security/yama/yama_lsm.c | 33 --- 18 files changed, 1115 insertions(+), 102 deletions(-) -- 1.8.3.1

3 years, 11 months

4
101
0 / 0

[PATCH 1/3 RESEND] sched: Remove __rcu annotation from cred pointer

by Amol Grover

task_struct::cred (subjective credentials) is *always* used task-synchronously, hence, does not require RCU semantics. task_struct::real_cred (objective credentials) can be used in RCU context and its __rcu annotation is retained. However, task_struct::cred and task_struct::real_cred *may* point to the same object, hence, the object pointed to by task_struct::cred *may* have RCU delayed freeing. Suggested-by: Jann Horn <jannh(a)google.com> Co-developed-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Signed-off-by: Amol Grover <frextrite(a)gmail.com> --- include/linux/sched.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/linux/sched.h b/include/linux/sched.h index 716ad1d8d95e..39924e6e0cf2 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -879,8 +879,11 @@ struct task_struct { /* Objective and real subjective task credentials (COW): */ const struct cred __rcu *real_cred; - /* Effective (overridable) subjective task credentials (COW): */ - const struct cred __rcu *cred; + /* + * Effective (overridable) subjective task credentials (COW) + * which is used task-synchronously + */ + const struct cred *cred; #ifdef CONFIG_KEYS /* Cached requested key. */ -- 2.24.1

3 years, 11 months

3
12
0 / 0

[PATCH ghak25 v4 0/3] Address NETFILTER_CFG issues

by Richard Guy Briggs

There were questions about the presence and cause of unsolicited syscall events in the logs containing NETFILTER_CFG records and sometimes unaccompanied NETFILTER_CFG records. During testing at least the following list of events trigger NETFILTER_CFG records and the syscalls related (There may be more events that will trigger this message type.): init_module, finit_module: modprobe delete_module: rmmod setsockopt: iptables-restore, ip6tables-restore, ebtables-restore unshare: (h?)ostnamed, updatedb clone: libvirtd kernel threads garbage collecting empty ebtables The syscall events unsolicited by any audit rule were found to be caused by a missing !audit_dummy_context() check before issuing a NETFILTER_CFG record. In fact, since this is a configuration change it is required, and we always want the accompanying syscall record even with no rules present, so this has been addressed by ghak120. The vast majority of unaccompanied records are caused by the fedora default rule: "-a never,task" and the occasional early startup one is I believe caused by the iptables filter table module hard linked into the kernel rather than a loadable module. A couple of other factors should help eliminate unaccompanied records which include commit cb74ed278f80 ("audit: always enable syscall auditing when supported and audit is enabled") which makes sure that when audit is enabled, so automatically is syscall auditing, and ghak66 which addressed initializing audit before PID 1. Ebtables module initialization to register tables doesn't generate records because it was never hooked in to audit. Recommend adding audit hooks to log this covered by ghak43 covered by patch 1. Table unregistration was never logged, which is now covered by ghak44 in patch 2. Unaccompanied records were caused by kernel threads automatically unregistering empty ebtables, which necessitates adding subject credentials covered in patch 3. Seemingly duplicate records are not actually exact duplicates that are caused by netfilter table initialization in different network namespaces from the same syscall. Recommend adding the network namespace ID (proc inode and dev) to the record to make this obvious (address later with ghak79 after nsid patches). See: https://github.com/linux-audit/audit-kernel/issues/25 See: https://github.com/linux-audit/audit-kernel/issues/35 See: https://github.com/linux-audit/audit-kernel/issues/43 See: https://github.com/linux-audit/audit-kernel/issues/44 Changelog: v4 - rebase on audit/next v5.7-rc1 - fix checkpatch.pl errors/warnings in 1/3 and 2/3 v3 - rebase on v5.6-rc1 audit/next - change audit_nf_cfg to audit_log_nfcfg - squash 2,3,4,5 to 1 and update patch descriptions - add subject credentials to cover garbage collecting kernel threads v2 - Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code - Split x_tables and ebtables updates - Check audit_dummy_context - Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call - Restore back to "table, family, entries" from "family, table, entries" - Log unregistration of tables - Add "op=" at the end of the AUDIT_NETFILTER_CFG record - Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32) - Add ghak refs - Ditch NETFILTER_CFGSOLO record Richard Guy Briggs (3): audit: tidy and extend netfilter_cfg x_tables and ebtables logging netfilter: add audit table unregister actions audit: add subj creds to NETFILTER_CFG record to cover async unregister include/linux/audit.h | 22 +++++++++++++++++++++ kernel/auditsc.c | 43 +++++++++++++++++++++++++++++++++++++++++ net/bridge/netfilter/ebtables.c | 14 ++++++-------- net/netfilter/x_tables.c | 14 +++++--------- 4 files changed, 76 insertions(+), 17 deletions(-) -- 1.8.3.1

3 years, 12 months

4
20
0 / 0

[PATCH] audit: mark expected switch fall-through

by Gustavo A. R. Silva

In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. This patch fixes the following warning: kernel/auditfilter.c: In function ‘audit_krule_to_data’: kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=] if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { ^ kernel/auditfilter.c:674:3: note: here default: ^~~~~~~ Warning level 3 was used: -Wimplicit-fallthrough=3 Notice that, in this particular case, the code comment is modified in accordance with what GCC is expecting to find. This patch is part of the ongoing efforts to enable -Wimplicit-fallthrough. Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com> --- kernel/auditfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index add360b46b38..63f8b3f26fab 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -670,7 +670,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->values[i] = AUDIT_UID_UNSET; break; } - /* fallthrough if set */ + /* fall through - if set */ default: data->values[i] = f->val; } -- 2.20.1

4 years

3
3
0 / 0

Re: [PATCH Resend] MIPS: Add syscall auditing support

by Huacai Chen

CC audit maintainers and audit mail-list. Huacai On Thu, Mar 12, 2020 at 5:33 PM Huacai Chen <chenhc(a)lemote.com> wrote: > > From: Ralf Baechle <ralf(a)linux-mips.org> > > The original patch is from Ralf. I have maintained it for more than six > years on Loongson platform, and it works perfectly. Most of the commit > messages are written by Ralf. > > MIPS doesn't quite fit into the existing pattern of other architectures > and I'd appreciate your comments and maybe even an Acked-by. > > - Linux on MIPS extends the traditional syscall table used by older UNIX > implementations. This is why 32-bit Linux syscalls are starting from > 4000; the native 64-bit syscalls start from 5000 and the N32 compat ABI > from 6000. The existing syscall bitmap is only large enough for at most > 2048 syscalls, so I had to increase AUDIT_BITMASK_SIZE to 256 which > provides enough space for 8192 syscalls. Because include/uapi/linux/ > audit.h and AUDIT_BITMASK_SIZE are exported to userspace I've used an > #ifdef __mips__ for this. > > - The code treats the little endian MIPS architecture as separate from > big endian. Combined with the 3 ABIs that's 6 combinations. I tried > to sort of follow the example set by ARM which explicitly lists the > (rare) big endian architecture variant - but it doesn't seem to very > useful so I wonder if this could be squashed to just the three ABIs > without consideration of endianess? > > Signed-off-by: Ralf Baechle <ralf(a)linux-mips.org> > Signed-off-by: Huacai Chen <chenhc(a)lemote.com> > --- > arch/mips/Kconfig | 13 +++++ > arch/mips/include/asm/abi.h | 1 + > arch/mips/include/asm/unistd.h | 10 ++++ > arch/mips/include/uapi/asm/unistd.h | 21 ++++---- > arch/mips/kernel/Makefile | 4 ++ > arch/mips/kernel/audit-n32.c | 58 ++++++++++++++++++++++ > arch/mips/kernel/audit-native.c | 97 +++++++++++++++++++++++++++++++++++++ > arch/mips/kernel/audit-o32.c | 60 +++++++++++++++++++++++ > arch/mips/kernel/signal.c | 18 +++++++ > arch/mips/kernel/signal_n32.c | 8 +++ > arch/mips/kernel/signal_o32.c | 8 +++ > include/uapi/linux/audit.h | 10 ++++ > kernel/auditsc.c | 13 +++++ > 13 files changed, 312 insertions(+), 9 deletions(-) > create mode 100644 arch/mips/kernel/audit-n32.c > create mode 100644 arch/mips/kernel/audit-native.c > create mode 100644 arch/mips/kernel/audit-o32.c > > diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig > index 27f800f..ac71fb0 100644 > --- a/arch/mips/Kconfig > +++ b/arch/mips/Kconfig > @@ -17,6 +17,7 @@ config MIPS > select ARCH_USE_QUEUED_SPINLOCKS > select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU > select ARCH_WANT_IPC_PARSE_VERSION > + select AUDIT_ARCH > select BUILDTIME_TABLE_SORT > select CLONE_BACKWARDS > select CPU_NO_EFFICIENT_FFS if (TARGET_ISA_REV < 1) > @@ -40,6 +41,7 @@ config MIPS > select GENERIC_TIME_VSYSCALL > select GUP_GET_PTE_LOW_HIGH if CPU_MIPS32 && PHYS_ADDR_T_64BIT > select HANDLE_DOMAIN_IRQ > + select HAVE_ARCH_AUDITSYSCALL > select HAVE_ARCH_COMPILER_H > select HAVE_ARCH_JUMP_LABEL > select HAVE_ARCH_KGDB > @@ -1121,6 +1123,15 @@ config FW_ARC > config ARCH_MAY_HAVE_PC_FDC > bool > > +config AUDIT_ARCH > + bool > + > +config AUDITSYSCALL_O32 > + bool > + > +config AUDITSYSCALL_N32 > + bool > + > config BOOT_RAW > bool > > @@ -3192,6 +3203,7 @@ config MIPS32_O32 > select COMPAT > select MIPS32_COMPAT > select SYSVIPC_COMPAT if SYSVIPC > + select AUDITSYSCALL_O32 if AUDITSYSCALL > help > Select this option if you want to run o32 binaries. These are pure > 32-bit binaries as used by the 32-bit Linux/MIPS port. Most of > @@ -3206,6 +3218,7 @@ config MIPS32_N32 > select COMPAT > select MIPS32_COMPAT > select SYSVIPC_COMPAT if SYSVIPC > + select AUDITSYSCALL_N32 if AUDITSYSCALL > help > Select this option if you want to run n32 binaries. These are > 64-bit binaries using 32-bit quantities for addressing and certain > diff --git a/arch/mips/include/asm/abi.h b/arch/mips/include/asm/abi.h > index dba7f4b..6e717a4a 100644 > --- a/arch/mips/include/asm/abi.h > +++ b/arch/mips/include/asm/abi.h > @@ -21,6 +21,7 @@ struct mips_abi { > int (* const setup_rt_frame)(void *sig_return, struct ksignal *ksig, > struct pt_regs *regs, sigset_t *set); > const unsigned long restart; > + const int audit_arch; > > unsigned off_sc_fpregs; > unsigned off_sc_fpc_csr; > diff --git a/arch/mips/include/asm/unistd.h b/arch/mips/include/asm/unistd.h > index 5d70bab..80f5b5b 100644 > --- a/arch/mips/include/asm/unistd.h > +++ b/arch/mips/include/asm/unistd.h > @@ -59,4 +59,14 @@ > > #endif /* !__ASSEMBLY__ */ > > +#ifdef CONFIG_MIPS32_N32 > +#define NR_syscalls (__NR_N32_Linux + __NR_N32_Linux_syscalls) > +#elif defined(CONFIG_64BIT) > +#define NR_syscalls (__NR_64_Linux + __NR_64_Linux_syscalls) > +#elif defined(CONFIG_32BIT) > +#define NR_syscalls (__NR_O32_Linux + __NR_O32_Linux_syscalls) > +#else > +#error Must know ABIs in use to define NR_syscalls > +#endif > + > #endif /* _ASM_UNISTD_H */ > diff --git a/arch/mips/include/uapi/asm/unistd.h b/arch/mips/include/uapi/asm/unistd.h > index 4abe387..b501ea1 100644 > --- a/arch/mips/include/uapi/asm/unistd.h > +++ b/arch/mips/include/uapi/asm/unistd.h > @@ -6,34 +6,37 @@ > * > * Copyright (C) 1995, 96, 97, 98, 99, 2000 by Ralf Baechle > * Copyright (C) 1999, 2000 Silicon Graphics, Inc. > - * > - * Changed system calls macros _syscall5 - _syscall7 to push args 5 to 7 onto > - * the stack. Robin Farine for ACN S.A, Copyright (C) 1996 by ACN S.A > */ > #ifndef _UAPI_ASM_UNISTD_H > #define _UAPI_ASM_UNISTD_H > > #include <asm/sgidefs.h> > > -#if _MIPS_SIM == _MIPS_SIM_ABI32 > +#if (defined(__WANT_SYSCALL_NUMBERS) && \ > + (__WANT_SYSCALL_NUMBERS == _MIPS_SIM_ABI32)) || \ > + (!defined(__WANT_SYSCALL_NUMBERS) && _MIPS_SIM == _MIPS_SIM_ABI32) > > #define __NR_Linux 4000 > #include <asm/unistd_o32.h> > > -#endif /* _MIPS_SIM == _MIPS_SIM_ABI32 */ > +#endif /* Want O32 || _MIPS_SIM == _MIPS_SIM_ABI32 */ > > -#if _MIPS_SIM == _MIPS_SIM_ABI64 > +#if (defined(__WANT_SYSCALL_NUMBERS) && \ > + (__WANT_SYSCALL_NUMBERS == _MIPS_SIM_ABI64)) || \ > + (!defined(__WANT_SYSCALL_NUMBERS) && _MIPS_SIM == _MIPS_SIM_ABI64) > > #define __NR_Linux 5000 > #include <asm/unistd_n64.h> > > -#endif /* _MIPS_SIM == _MIPS_SIM_ABI64 */ > +#endif /* Want N64 || _MIPS_SIM == _MIPS_SIM_ABI64 */ > > -#if _MIPS_SIM == _MIPS_SIM_NABI32 > +#if (defined(__WANT_SYSCALL_NUMBERS) && \ > + (__WANT_SYSCALL_NUMBERS == _MIPS_SIM_NABI32)) || \ > + (!defined(__WANT_SYSCALL_NUMBERS) && _MIPS_SIM == _MIPS_SIM_NABI32) > > #define __NR_Linux 6000 > #include <asm/unistd_n32.h> > > -#endif /* _MIPS_SIM == _MIPS_SIM_NABI32 */ > +#endif /* Want N32 || _MIPS_SIM == _MIPS_SIM_NABI32 */ > > #endif /* _UAPI_ASM_UNISTD_H */ > diff --git a/arch/mips/kernel/Makefile b/arch/mips/kernel/Makefile > index d6e97df..a7ac38d 100644 > --- a/arch/mips/kernel/Makefile > +++ b/arch/mips/kernel/Makefile > @@ -106,6 +106,10 @@ obj-$(CONFIG_HW_PERF_EVENTS) += perf_event_mipsxx.o > obj-$(CONFIG_JUMP_LABEL) += jump_label.o > obj-$(CONFIG_UPROBES) += uprobes.o > > +obj-$(CONFIG_AUDITSYSCALL_O32) += audit-o32.o > +obj-$(CONFIG_AUDITSYSCALL_N32) += audit-n32.o > +obj-$(CONFIG_AUDITSYSCALL) += audit-native.o > + > obj-$(CONFIG_MIPS_CM) += mips-cm.o > obj-$(CONFIG_MIPS_CPC) += mips-cpc.o > > diff --git a/arch/mips/kernel/audit-n32.c b/arch/mips/kernel/audit-n32.c > new file mode 100644 > index 00000000..2248badc > --- /dev/null > +++ b/arch/mips/kernel/audit-n32.c > @@ -0,0 +1,58 @@ > +#define __WANT_SYSCALL_NUMBERS _MIPS_SIM_NABI32 > + > +#include <linux/init.h> > +#include <linux/types.h> > +#include <linux/audit.h> > +#include <asm/unistd.h> > + > +static unsigned dir_class_n32[] = { > +#include <asm-generic/audit_dir_write.h> > +~0U > +}; > + > +static unsigned read_class_n32[] = { > +#include <asm-generic/audit_read.h> > +~0U > +}; > + > +static unsigned write_class_n32[] = { > +#include <asm-generic/audit_write.h> > +~0U > +}; > + > +static unsigned chattr_class_n32[] = { > +#include <asm-generic/audit_change_attr.h> > +~0U > +}; > + > +static unsigned signal_class_n32[] = { > +#include <asm-generic/audit_signal.h> > +~0U > +}; > + > +int audit_classify_syscall_n32(int abi, unsigned syscall) > +{ > + switch (syscall) { > + case __NR_open: > + return 2; > + case __NR_openat: > + return 3; > + case __NR_execve: > + return 5; > + default: > + return 0; > + } > +} > + > +static int __init audit_classes_n32_init(void) > +{ > + audit_register_class(AUDIT_CLASS_WRITE_N32, write_class_n32); > + audit_register_class(AUDIT_CLASS_READ_N32, read_class_n32); > + audit_register_class(AUDIT_CLASS_DIR_WRITE_N32, dir_class_n32); > + audit_register_class(AUDIT_CLASS_CHATTR_N32, chattr_class_n32); > + audit_register_class(AUDIT_CLASS_SIGNAL_N32, signal_class_n32); > + > + return 0; > +} > + > +__initcall(audit_classes_n32_init); > diff --git a/arch/mips/kernel/audit-native.c b/arch/mips/kernel/audit-native.c > new file mode 100644 > index 00000000..09ae3db > --- /dev/null > +++ b/arch/mips/kernel/audit-native.c > @@ -0,0 +1,97 @@ > +#include <linux/init.h> > +#include <linux/types.h> > +#include <linux/audit.h> > +#include <asm/unistd.h> > + > +static unsigned dir_class[] = { > +#include <asm-generic/audit_dir_write.h> > +~0U > +}; > + > +static unsigned read_class[] = { > +#include <asm-generic/audit_read.h> > +~0U > +}; > + > +static unsigned write_class[] = { > +#include <asm-generic/audit_write.h> > +~0U > +}; > + > +static unsigned chattr_class[] = { > +#include <asm-generic/audit_change_attr.h> > +~0U > +}; > + > +static unsigned signal_class[] = { > +#include <asm-generic/audit_signal.h> > +~0U > +}; > + > + > +/* > + * Pretend to be a single architecture > + */ > +int audit_classify_arch(int arch) > +{ > + return 0; > +} > + > +extern int audit_classify_syscall_o32(int abi, unsigned syscall); > +extern int audit_classify_syscall_n32(int abi, unsigned syscall); > + > +int audit_classify_syscall(int abi, unsigned syscall) > +{ > + int res; > + > + switch (syscall) { > + case __NR_open: > + res = 2; > + break; > + > + case __NR_openat: > + res = 3; > + break; > + > +#ifdef __NR_socketcall /* Only exists on O32 */ > + case __NR_socketcall: > + res = 4; > + break; > +#endif > + case __NR_execve: > + res = 5; > + break; > + default: > +#ifdef CONFIG_AUDITSYSCALL_O32 > + res = audit_classify_syscall_o32(abi, syscall); > + if (res) > + break; > +#endif > +#ifdef CONFIG_AUDITSYSCALL_N32 > + res = audit_classify_syscall_n32(abi, syscall); > + if (res) > + break; > +#endif > + if (abi == AUDIT_ARCH_MIPS || abi == AUDIT_ARCH_MIPSEL) > + res = 1; > + else if (abi == AUDIT_ARCH_MIPS64 || abi == AUDIT_ARCH_MIPSEL64) > + res = 0; > + else if (abi == AUDIT_ARCH_MIPS64N32 || abi == AUDIT_ARCH_MIPSEL64N32) > + res = 6; > + } > + > + return res; > +} > + > +static int __init audit_classes_init(void) > +{ > + audit_register_class(AUDIT_CLASS_WRITE, write_class); > + audit_register_class(AUDIT_CLASS_READ, read_class); > + audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); > + audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); > + audit_register_class(AUDIT_CLASS_SIGNAL, signal_class); > + > + return 0; > +} > + > +__initcall(audit_classes_init); > diff --git a/arch/mips/kernel/audit-o32.c b/arch/mips/kernel/audit-o32.c > new file mode 100644 > index 00000000..e8b9b50 > --- /dev/null > +++ b/arch/mips/kernel/audit-o32.c > @@ -0,0 +1,60 @@ > +#define __WANT_SYSCALL_NUMBERS _MIPS_SIM_ABI32 > + > +#include <linux/init.h> > +#include <linux/types.h> > +#include <linux/audit.h> > +#include <linux/unistd.h> > + > +static unsigned dir_class_o32[] = { > +#include <asm-generic/audit_dir_write.h> > +~0U > +}; > + > +static unsigned read_class_o32[] = { > +#include <asm-generic/audit_read.h> > +~0U > +}; > + > +static unsigned write_class_o32[] = { > +#include <asm-generic/audit_write.h> > +~0U > +}; > + > +static unsigned chattr_class_o32[] = { > +#include <asm-generic/audit_change_attr.h> > +~0U > +}; > + > +static unsigned signal_class_o32[] = { > +#include <asm-generic/audit_signal.h> > +~0U > +}; > + > +int audit_classify_syscall_o32(int abi, unsigned syscall) > +{ > + switch (syscall) { > + case __NR_open: > + return 2; > + case __NR_openat: > + return 3; > + case __NR_socketcall: > + return 4; > + case __NR_execve: > + return 5; > + default: > + return 0; > + } > +} > + > +static int __init audit_classes_o32_init(void) > +{ > + audit_register_class(AUDIT_CLASS_WRITE_32, write_class_o32); > + audit_register_class(AUDIT_CLASS_READ_32, read_class_o32); > + audit_register_class(AUDIT_CLASS_DIR_WRITE_32, dir_class_o32); > + audit_register_class(AUDIT_CLASS_CHATTR_32, chattr_class_o32); > + audit_register_class(AUDIT_CLASS_SIGNAL_32, signal_class_o32); > + > + return 0; > +} > + > +__initcall(audit_classes_o32_init); > diff --git a/arch/mips/kernel/signal.c b/arch/mips/kernel/signal.c > index f6efabc..b79d9a9 100644 > --- a/arch/mips/kernel/signal.c > +++ b/arch/mips/kernel/signal.c > @@ -8,6 +8,7 @@ > * Copyright (C) 1999, 2000 Silicon Graphics, Inc. > * Copyright (C) 2014, Imagination Technologies Ltd. > */ > +#include <linux/audit.h> > #include <linux/cache.h> > #include <linux/context_tracking.h> > #include <linux/irqflags.h> > @@ -790,6 +791,23 @@ struct mips_abi mips_abi = { > #endif > .setup_rt_frame = setup_rt_frame, > .restart = __NR_restart_syscall, > +#ifdef CONFIG_64BIT > +# ifdef __BIG_ENDIAN > + .audit_arch = AUDIT_ARCH_MIPS64, > +# elif defined(__LITTLE_ENDIAN) > + .audit_arch = AUDIT_ARCH_MIPSEL64, > +# else > +# error "Neither big nor little endian ???" > +# endif > +#else > +# ifdef __BIG_ENDIAN > + .audit_arch = AUDIT_ARCH_MIPS, > +# elif defined(__LITTLE_ENDIAN) > + .audit_arch = AUDIT_ARCH_MIPSEL, > +# else > +# error "Neither big nor little endian ???" > +# endif > +#endif > > .off_sc_fpregs = offsetof(struct sigcontext, sc_fpregs), > .off_sc_fpc_csr = offsetof(struct sigcontext, sc_fpc_csr), > diff --git a/arch/mips/kernel/signal_n32.c b/arch/mips/kernel/signal_n32.c > index 7bd00fa..ed03ea1 100644 > --- a/arch/mips/kernel/signal_n32.c > +++ b/arch/mips/kernel/signal_n32.c > @@ -2,6 +2,7 @@ > /* > * Copyright (C) 2003 Broadcom Corporation > */ > +#include <linux/audit.h> > #include <linux/cache.h> > #include <linux/sched.h> > #include <linux/mm.h> > @@ -140,6 +141,13 @@ static int setup_rt_frame_n32(void *sig_return, struct ksignal *ksig, > struct mips_abi mips_abi_n32 = { > .setup_rt_frame = setup_rt_frame_n32, > .restart = __NR_N32_restart_syscall, > +#ifdef __BIG_ENDIAN > + .audit_arch = AUDIT_ARCH_MIPS64N32, > +#elif defined(__LITTLE_ENDIAN) > + .audit_arch = AUDIT_ARCH_MIPSEL64N32, > +#else > +# error "Neither big nor little endian ???" > +#endif > > .off_sc_fpregs = offsetof(struct sigcontext, sc_fpregs), > .off_sc_fpc_csr = offsetof(struct sigcontext, sc_fpc_csr), > diff --git a/arch/mips/kernel/signal_o32.c b/arch/mips/kernel/signal_o32.c > index 299a7a2..9f4ad0a 100644 > --- a/arch/mips/kernel/signal_o32.c > +++ b/arch/mips/kernel/signal_o32.c > @@ -8,6 +8,7 @@ > * Copyright (C) 1999, 2000 Silicon Graphics, Inc. > * Copyright (C) 2016, Imagination Technologies Ltd. > */ > +#include <linux/audit.h> > #include <linux/compiler.h> > #include <linux/errno.h> > #include <linux/signal.h> > @@ -244,6 +245,13 @@ struct mips_abi mips_abi_32 = { > .setup_frame = setup_frame_32, > .setup_rt_frame = setup_rt_frame_32, > .restart = __NR_O32_restart_syscall, > +#ifdef __BIG_ENDIAN > + .audit_arch = AUDIT_ARCH_MIPS, > +#elif defined(__LITTLE_ENDIAN) > + .audit_arch = AUDIT_ARCH_MIPSEL, > +#else > +# error "Neither big nor little endian ???" > +#endif > > .off_sc_fpregs = offsetof(struct sigcontext32, sc_fpregs), > .off_sc_fpc_csr = offsetof(struct sigcontext32, sc_fpc_csr), > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index a534d71..336c1eb 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -179,7 +179,11 @@ > * AUDIT_LIST commands must be implemented. */ > #define AUDIT_MAX_FIELDS 64 > #define AUDIT_MAX_KEY_LEN 256 > +#ifdef __mips__ > +#define AUDIT_BITMASK_SIZE 256 > +#else > #define AUDIT_BITMASK_SIZE 64 > +#endif > #define AUDIT_WORD(nr) ((__u32)((nr)/32)) > #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) > > @@ -195,6 +199,12 @@ > #define AUDIT_CLASS_SIGNAL 8 > #define AUDIT_CLASS_SIGNAL_32 9 > > +#define AUDIT_CLASS_DIR_WRITE_N32 10 > +#define AUDIT_CLASS_CHATTR_N32 11 > +#define AUDIT_CLASS_READ_N32 12 > +#define AUDIT_CLASS_WRITE_N32 13 > +#define AUDIT_CLASS_SIGNAL_N32 14 > + > /* This bitmask is used to validate user input. It represents all bits that > * are currently used in an audit field constant understood by the kernel. > * If you are adding a new #define AUDIT_<whatever>, please ensure that > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 4effe01..cf223c0 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -168,6 +168,19 @@ static int audit_match_perm(struct audit_context *ctx, int mask) > return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); > case 5: /* execve */ > return mask & AUDIT_PERM_EXEC; > +#ifdef CONFIG_MIPS > + case 6: /* for N32 */ > + if ((mask & AUDIT_PERM_WRITE) && > + audit_match_class(AUDIT_CLASS_WRITE_N32, n)) > + return 1; > + if ((mask & AUDIT_PERM_READ) && > + audit_match_class(AUDIT_CLASS_READ_N32, n)) > + return 1; > + if ((mask & AUDIT_PERM_ATTR) && > + audit_match_class(AUDIT_CLASS_CHATTR_N32, n)) > + return 1; > + return 0; > +#endif > default: > return 0; > } > -- > 2.7.0 >

4 years

2
1
0 / 0

[PATCH] audit: make symbol 'audit_nfcfgs' static

by Zheng Bin

Fix sparse warnings: kernel/auditsc.c:138:32: warning: symbol 'audit_nfcfgs' was not declared. Should it be static? Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Zheng Bin <zhengbin13(a)huawei.com> --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d281c18d1771..cfe3486e5f31 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -135,7 +135,7 @@ struct audit_nfcfgop_tab { const char *s; }; -const struct audit_nfcfgop_tab audit_nfcfgs[] = { +static const struct audit_nfcfgop_tab audit_nfcfgs[] = { { AUDIT_XT_OP_REGISTER, "register" }, { AUDIT_XT_OP_REPLACE, "replace" }, { AUDIT_XT_OP_UNREGISTER, "unregister" }, -- 2.26.0.106.g9fadedd

4 years

2
1
0 / 0

[PATCH ghak28 V8] audit: log audit netlink multicast bind and unbind events

by Richard Guy Briggs

Log information about programs connecting to and disconnecting from the audit netlink multicast socket. This is needed so that during investigations a security officer can tell who or what had access to the audit trail. This helps to meet the FAU_SAR.2 requirement for Common Criteria. Here is the systemd startup event: type=PROCTITLE msg=audit(2020-04-22 10:10:21.787:10) : proctitle=/init type=SYSCALL msg=audit(2020-04-22 10:10:21.787:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x555f4aac7e90 a2=0xc a3=0x7ffcb792ff44 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null) type=UNKNOWN[1335] msg=audit(2020-04-22 10:10:21.787:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes And events from the test suite that just uses close(): type=PROCTITLE msg=audit(2020-04-22 11:47:08.501:442) : proctitle=/usr/bin/perl -w amcast_joinpart/test type=SYSCALL msg=audit(2020-04-22 11:47:08.501:442) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x563004378760 a2=0xc a3=0x0 items=0 ppid=815 pid=818 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=UNKNOWN[1335] msg=audit(2020-04-22 11:47:08.501:442) : pid=818 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes type=UNKNOWN[1335] msg=audit(2020-04-22 11:47:08.501:443) : pid=818 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes And the events from the test suite using setsockopt with NETLINK_DROP_MEMBERSHIP: type=PROCTITLE msg=audit(2020-04-22 11:39:53.291:439) : proctitle=/usr/bin/perl -w amcast_joinpart/test type=SYSCALL msg=audit(2020-04-22 11:39:53.291:439) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x5560877c2d20 a2=0xc a3=0x0 items=0 ppid=772 pid=775 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=UNKNOWN[1335] msg=audit(2020-04-22 11:39:53.291:439) : pid=775 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes type=PROCTITLE msg=audit(2020-04-22 11:39:53.292:440) : proctitle=/usr/bin/perl -w amcast_joinpart/test type=SYSCALL msg=audit(2020-04-22 11:39:53.292:440) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffc8366f000 items=0 ppid=772 pid=775 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=UNKNOWN[1335] msg=audit(2020-04-22 11:39:53.292:440) : pid=775 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes Please see the upstream issue tracker at https://github.com/linux-audit/audit-kernel/issues/28 With the feature description at https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Sock... The testsuite support is at https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join https://github.com/linux-audit/audit-testsuite/pull/93 And the userspace support patch is at https://github.com/linux-audit/audit-userspace/pull/114 Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- Note: subj attrs included due to missing syscall record for disconnect on close Note: tried refactor of subj attrs, but this is yet another new order. Changelog: v8: - rebase on audit/next v5.7-rc1 - clean up patch description sample records v7: - rename audit_log_multicast_bind to audit_log_multicast v6: - rebased on 5.6-rc1 audit/next and audit log BPF - updated patch description sample records v5: - rebased on 5.5-rc1 audit/next - group bind/unbind ops - add audit context - justify message number skip - check audit_enabled - change field name from nlnk-grp to nl-mcgrp - fix whitespace issues v4: - 2017-10-13 sgrubb - squash to 1 patch - rebase on KERN_MODULE event - open code subj attrs v3: - 2016-11-30 sgrubb - rebase on REPLACE event - minimize audit_log_format calls - rename audit_log_bind to audit_log_multicast_bind v2: - 2015-07-23 sgrubb - spin off audit_log_task_simple in seperate patch v1: - 2014-10-07 rgb --- include/uapi/linux/audit.h | 1 + kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 45 insertions(+), 4 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index a534d71e689a..9b6a973f4cc3 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -117,6 +117,7 @@ #define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */ #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ #define AUDIT_BPF 1334 /* BPF subsystem */ +#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/audit.c b/kernel/audit.c index b69c8b460341..5c738cfb4a7e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1522,20 +1522,60 @@ static void audit_receive(struct sk_buff *skb) audit_ctl_unlock(); } +/* Log information about who is connecting to the audit multicast socket */ +static void audit_log_multicast(int group, const char *op, int err) +{ + const struct cred *cred; + struct tty_struct *tty; + char comm[sizeof(current->comm)]; + struct audit_buffer *ab; + + if (!audit_enabled) + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER); + if (!ab) + return; + + cred = current_cred(); + tty = audit_get_tty(); + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u", + task_pid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current)), + tty ? tty_name(tty) : "(none)", + audit_get_sessionid(current)); + audit_put_tty(tty); + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); + audit_log_d_path_exe(ab, current->mm); /* exe= */ + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err); + audit_log_end(ab); +} + /* Run custom bind function on netlink socket group connect or bind requests. */ -static int audit_bind(struct net *net, int group) +static int audit_multicast_bind(struct net *net, int group) { + int err = 0; + if (!capable(CAP_AUDIT_READ)) - return -EPERM; + err = -EPERM; + audit_log_multicast(group, "connect", err); + return err; +} - return 0; +static void audit_multicast_unbind(struct net *net, int group) +{ + audit_log_multicast(group, "disconnect", 0); } static int __net_init audit_net_init(struct net *net) { struct netlink_kernel_cfg cfg = { .input = audit_receive, - .bind = audit_bind, + .bind = audit_multicast_bind, + .unbind = audit_multicast_unbind, .flags = NL_CFG_F_NONROOT_RECV, .groups = AUDIT_NLGRP_MAX, }; -- 1.8.3.1

4 years

2
1
0 / 0

multicast listeners and audit events to kmsg

by Luca BRUNO

Hi all, I'm trying to re-spin a very old thread related to multicast listeners and audit events to kmsg. One surprising kernel behavior when using only a multicast listener to collect audit events (in this case, systemd-journald) is that audit events end up spamming the console [0]. [0] https://github.com/systemd/systemd/issues/15324 After a bunch of digging, it seems like this is due to a long-standing RFE on the kernel side [1] (plus further references on BZ and LKML). [1] https://github.com/linux-audit/audit-kernel/issues/102 Apparently there isn't a clear consensus on how this should be approached. Looking at the github and bugzilla tickets, it seems to me that Eric and Paul initially had in mind some logic based on multicast listener detection, while Richard doesn't deem that reliable and suggests an explicit configuration. I'm not personally knowledgeable enough to judge kernel-land approaches (nor to implement them), but I'd be happy if the audit folks could converge to a consensus on how to implement this RFE, how it would be consumed by userland, and what would be the kernel default behavior once this RFE is implemented. For Richard and the "explicit configuration" approach in particular, I'm missing some further details: * Is the current behavior considered buggy, or is that intended to be kept as the default? * Would this be tweaked via a (boolean?) sysctl, and what would be the semantics of flipping it? * How would this play with namespacing, especially netns? Ciao, Luca

4 years

7
14
0 / 0

[GIT PULL] Audit fixes for v5.7 (#1)

by Paul Moore

Hi Linus, One small audit patch for the next v5.7-rcX release. You can read the commit description, but basically it fixes a missing length check on input from userspace, nothing crazy. Thanks, -Paul -- The following changes since commit ae83d0b416db002fe95601e7f97f64b59514d936: Linux 5.7-rc2 (2020-04-19 14:35:30 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20200422 for you to fetch changes up to 763dafc520add02a1f4639b500c509acc0ea8e5b: audit: check the length of userspace generated audit records (2020-04-20 17:10:58 -0400) ---------------------------------------------------------------- audit/stable-5.7 PR 20200422 ---------------------------------------------------------------- Paul Moore (1): audit: check the length of userspace generated audit records kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) -- paul moore www.paul-moore.com

4 years

2
1
0 / 0

[PATCH] audit: allow audit_reusename to check kernel path

by Yiwen Gu

Currently, audit_reusename check file path only by comparing userspace pointer "uptr", without checking the situation where the file name is different with the same uptr. Add kname into audit_reusename function to check file names from the audit_names list. Signed-off-by: Yiwen Gu <guyiwen(a)huawei.com> --- fs/namei.c | 9 +++++---- include/linux/audit.h | 11 +++++++---- kernel/auditsc.c | 7 ++++--- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index db6565c99825..d5fb4bd12aec 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -128,13 +128,10 @@ struct filename * getname_flags(const char __user *filename, int flags, int *empty) { struct filename *result; + struct filename *result_audit; char *kname; int len; - result = audit_reusename(filename); - if (result) - return result; - result = __getname(); if (unlikely(!result)) return ERR_PTR(-ENOMEM); @@ -197,6 +194,10 @@ getname_flags(const char __user *filename, int flags, int *empty) } } + result_audit = audit_reusename(filename, kname); + if (result_audit) + return result_audit; + result->uptr = filename; result->aname = NULL; audit_getname(result); diff --git a/include/linux/audit.h b/include/linux/audit.h index f9ceae57ca8d..71fb783f14c4 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -266,7 +266,8 @@ extern void __audit_free(struct task_struct *task); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); -extern struct filename *__audit_reusename(const __user char *uptr); +extern struct filename *__audit_reusename(const __user char *uptr, + const char *kname); extern void __audit_getname(struct filename *name); extern void __audit_inode(struct filename *name, const struct dentry *dentry, @@ -316,10 +317,11 @@ static inline void audit_syscall_exit(void *pt_regs) __audit_syscall_exit(success, return_code); } } -static inline struct filename *audit_reusename(const __user char *name) +static inline struct filename *audit_reusename(const __user char *name, + const char *kname) { if (unlikely(!audit_dummy_context())) - return __audit_reusename(name); + return __audit_reusename(name, kname); return NULL; } static inline void audit_getname(struct filename *name) @@ -539,7 +541,8 @@ static inline struct audit_context *audit_context(void) { return NULL; } -static inline struct filename *audit_reusename(const __user char *name) +static inline struct filename *audit_reusename(const __user char *name, + const char *kname) { return NULL; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4effe01ebbe2..62ffc02abb98 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1843,13 +1843,14 @@ static struct audit_names *audit_alloc_name(struct audit_context *context, /** * __audit_reusename - fill out filename with info from existing entry * @uptr: userland ptr to pathname + * @kname: kernel pathname string * * Search the audit_names list for the current audit context. If there is an - * existing entry with a matching "uptr" then return the filename + * existing entry with matching "uptr" and "kname" then return the filename * associated with that audit_name. If not, return NULL. */ struct filename * -__audit_reusename(const __user char *uptr) +__audit_reusename(const __user char *uptr, const char *kname) { struct audit_context *context = audit_context(); struct audit_names *n; @@ -1857,7 +1858,7 @@ __audit_reusename(const __user char *uptr) list_for_each_entry(n, &context->names_list, list) { if (!n->name) continue; - if (n->name->uptr == uptr) { + if (n->name->uptr == uptr && !strcmp(kname, n->name->name)) { n->name->refcnt++; return n->name; } -- 2.17.1

4 years

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit April 2020