[PATCH ghak90 V8 00/16] audit: implement container identifier
by Richard Guy Briggs
Implement kernel audit container identifier.
This patchset is an eighth based on the proposal document (V4) posted:
https://www.redhat.com/archives/linux-audit/2019-September/msg00052.html
The first patch was the last patch from ghak81 that was absorbed into
this patchset since its primary justification is the rest of this
patchset.
The second patch implements the proc fs write to set the audit container
identifier of a process, emitting an AUDIT_CONTAINER_OP record to
announce the registration of that audit container identifier on that
process. This patch requires userspace support for record acceptance
and proper type display.
The third implements reading the audit container identifier from the
proc filesystem for debugging. This patch wasn't planned for upstream
inclusion but is starting to become more likely.
The fourth converts over from a simple u64 to a list member that includes
owner information to check for descendancy, allow process injection into
a container and prevent id reuse by other orchestrators.
The fifth logs the drop of an audit container identifier once all tasks
using that audit container identifier have exited.
The 6th implements the auxiliary record AUDIT_CONTAINER_ID if an audit
container identifier is associated with an event. This patch requires
userspace support for proper type display.
The 7th adds audit daemon signalling provenance through audit_sig_info2.
The 8th creates a local audit context to be able to bind a standalone
record with a locally created auxiliary record.
The 9th patch adds audit container identifier records to the user
standalone records.
The 10th adds audit container identifier filtering to the exit,
exclude and user lists. This patch adds the AUDIT_CONTID field and
requires auditctl userspace support for the --contid option.
The 11th adds network namespace audit container identifier labelling
based on member tasks' audit container identifier labels which supports
standalone netfilter records that don't have a task context and lists
each container to which that net namespace belongs.
The 12th checks that the target is a descendant for nesting and
refactors to avoid a duplicate of the copied function.
The 13th adds tracking and reporting for container nesting.
This enables kernel filtering and userspace searches of nested audit
container identifiers.
The 14th checks and clamps the nesting depth of containers while the
15th checks and clamps the total number of audit container identifiers
sharing one network namespace. The combination of these two pararmeters
prevents the overflow of the contid field in CONTAINER_* records.
The 16th adds a mechanism to allow a process to be designated as a
container orchestrator/engine in non-init user namespaces.
Example: Set an audit container identifier of 123456 to the "sleep" task:
sleep 2&
child=$!
echo 123456 > /proc/$child/audit_containerid; echo $?
ausearch -ts recent -m container_op
echo child:$child contid:$( cat /proc/$child/audit_containerid)
This should produce a record such as:
type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615
Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid:
contid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child=$!
echo $contid > /proc/$child/audit_containerid
sleep 2
ausearch -i -ts recent -k $key
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
rm -f /tmp/$key
This should produce an event such as:
type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459
type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile);
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root
type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid
Example: Test multiple containers on one netns:
sleep 5 &
child1=$!
containerid1=123451
echo $containerid1 > /proc/$child1/audit_containerid
sleep 5 &
child2=$!
containerid2=123452
echo $containerid2 > /proc/$child2/audit_containerid
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -I INPUT -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1;
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1;
ausearch -i -m NETFILTER_PKT -ts boot|grep mark=0x12345555
ausearch -i -m NETFILTER_PKT -ts boot|grep contid=|grep $containerid1|grep $containerid2
This should produce an event such as:
type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451
Includes the last patch of https://github.com/linux-audit/audit-kernel/issues/81
Please see the github audit kernel issue for the main feature:
https://github.com/linux-audit/audit-kernel/issues/90
and the kernel filter code:
https://github.com/linux-audit/audit-kernel/issues/91
and the network support:
https://github.com/linux-audit/audit-kernel/issues/92
Please see the github audit userspace issue for supporting record types:
https://github.com/linux-audit/audit-userspace/issues/51
and filter code:
https://github.com/linux-audit/audit-userspace/issues/40
Please see the github audit testsuiite issue for the test case:
https://github.com/linux-audit/audit-testsuite/issues/64
https://github.com/rgbriggs/audit-testsuite/tree/ghat64-contid
https://githu.com/linux-audit/audit-testsuite/pull/91
Please see the github audit wiki for the feature overview:
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
The code is also posted at:
git://toccata2.tricolour.ca/linux-2.6-rgb.git ghak90-audit-containerID.v8
Changelog:
v8
- rebase on v5.5-rc1 audit/next
- remove subject attrs in CONTAINER_OP record
- group audit_contid_list_lock with audit_contid_hash
- in audit_{set,log}_contid(), break out of loop after finding target
- use target var to size kmalloc
- rework audit_cont_owner() to bool audit_contid_isowner() and move to where used
- create static void audit_cont_hold(struct audit_contobj *cont) { refcount_inc(&cont->refcount); }
- rename audit_cont{,_*} refs to audit_contobj{,_*}
- prefix special local functions with _ [audit_contobj*()]
- protect contid list traversals with rcu_read_lock() and updates with audit_contid_list_lock
- protect real_parent in audit_contid_depth() with rcu_dereference
- give new contid field nesting format in patch description
- squash task_is_descendant()
- squash support for NETFILTER_PKT into network namespaces
- limit nesting depth based on record length overflow, bandwidth and storage
- implent control for audit container identifier nesting depth limit
- make room for audit_bpf patches (bump CONTAINER_ID to 1335)
- squash proc interface into capcontid
- remove netlink access to loginuid/sessionid/contid/capcontid
- delete 32k contid limit patch
- document potential overlap between signal delivery and contid reuse
- document audit_contobj_list_lock coverage
- document disappearing orch task injection limitation
- limit the number of containers that can be associated with a network namespace
- implent control for audit container identifier netns count limit
v7
- remove BUG() in audit_comparator64()
- rebase on v5.2-rc1 audit/next
- resolve merge conflict with ghak111 (signal_info regardless syscall)
- resolve merge conflict with ghak73 (audit_field_valid)
- resolve merge conflict with ghak64 (saddr_fam filter)
- resolve merge conflict with ghak10 (ntp audit) change AUDIT_CONTAINER_ID from 1332 to 1334
- rebase on v5.3-rc1 audit/next
- track container owner
- only permit setting contid of descendants for nesting
- track drop of contid and permit reuse
- track and report container nesting
- permit filtering on any nested contid
- set/get contid and loginuid/sessionid via netlink
- implement capcontid to enable orchestrators in non-init user
namespaces
- limit number of containers
- limit depth of container nesting
v6
- change TMPBUFLEN from 11 to 21 to cover the decimal value of contid
u64 (nhorman)
- fix bug overwriting ctx in struct audit_sig_info, move cid above
ctx[0] (nhorman)
- fix bug skipping remaining fields and not advancing bufp when copying
out contid in audit_krule_to_data (omosnacec)
- add acks, tidy commit descriptions, other formatting fixes (checkpatch
wrong on audit_log_lost)
- cast ull for u64 prints
- target_cid tracking was moved from the ptrace/signal patch to
container_op
- target ptrace and signal records were moved from the ptrace/signal
patch to container_id
- auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
request and record
- ditch unnecessary list_empty() checks
- check for null net and aunet in audit_netns_contid_add()
- swap CONTAINER_OP contid/old-contid order to ease parsing
v5
- address loginuid and sessionid syscall scope in ghak104
- address audit_context in CONFIG_AUDIT vs CONFIG_AUDITSYSCALL in ghak105
- remove tty patch, addressed in ghak106
- rebase on audit/next v5.0-rc1
w/ghak59/ghak104/ghak103/ghak100/ghak107/ghak105/ghak106/ghak105sup
- update CONTAINER_ID to CONTAINER_OP in patch description
- move audit_context in audit_task_info to CONFIG_AUDITSYSCALL
- move audit_alloc() and audit_free() out of CONFIG_AUDITSYSCALL and into
CONFIG_AUDIT and create audit_{alloc,free}_syscall
- use plain kmem_cache_alloc() rather than kmem_cache_zalloc() in audit_alloc()
- fix audit_get_contid() declaration type error
- move audit_set_contid() from auditsc.c to audit.c
- audit_log_contid() returns void
- audit_log_contid() handed contid rather than tsk
- switch from AUDIT_CONTAINER to AUDIT_CONTAINER_ID for aux record
- move audit_log_contid(tsk/contid) & audit_contid_set(tsk)/audit_contid_valid(contid)
- switch from tsk to current
- audit_alloc_local() calls audit_log_lost() on failure to allocate a context
- add AUDIT_USER* non-syscall contid record
- cosmetic cleanup double parens, goto out on err
- ditch audit_get_ns_contid_list_lock(), fix aunet lock race
- switch from all-cpu read spinlock to rcu, keep spinlock for write
- update audit_alloc_local() to use ktime_get_coarse_real_ts64()
- add nft_log support
- add call from do_exit() in audit_free() to remove contid from netns
- relegate AUDIT_CONTAINER ref= field (was op=) to debug patch
v4
- preface set with ghak81:"collect audit task parameters"
- add shallyn and sgrubb acks
- rename feature bitmap macro
- rename cid_valid() to audit_contid_valid()
- rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- delete audit_get_contid_list() from headers
- move work into inner if, delete "found"
- change netns contid list function names
- move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch
- list contids CSV
- pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers)
- use "local" in lieu of abusing in_syscall for auditsc_get_stamp()
- read_lock(&tasklist_lock) around children and thread check
- task_lock(tsk) should be taken before first check of tsk->audit
- add spin lock to contid list in aunet
- restrict /proc read to CAP_AUDIT_CONTROL
- remove set again prohibition and inherited flag
- delete contidion spelling fix from patchset, send to netdev/linux-wireless
v3
- switched from containerid in task_struct to audit_task_info (depends on ghak81)
- drop INVALID_CID in favour of only AUDIT_CID_UNSET
- check for !audit_task_info, throw -ENOPROTOOPT on set
- changed -EPERM to -EEXIST for parent check
- return AUDIT_CID_UNSET if !audit_enabled
- squash child/thread check patch into AUDIT_CONTAINER_ID patch
- changed -EPERM to -EBUSY for child check
- separate child and thread checks, use -EALREADY for latter
- move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch
- fix && to || bashism in ptrace/signal patch
- uninline and export function for audit_free_context()
- drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches
- move audit_enabled check (xt_AUDIT)
- switched from containerid list in struct net to net_generic's struct audit_net
- move containerid list iteration into audit (xt_AUDIT)
- create function to move namespace switch into audit
- switched /proc/PID/ entry from containerid to audit_containerid
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context()
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info()
- use xt_net(par) instead of sock_net(skb->sk) to get net
- switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID
- allow to set own contid
- open code audit_set_containerid
- add contid inherited flag
- ccontainerid and pcontainerid eliminated due to inherited flag
- change name of container list funcitons
- rename containerid to contid
- convert initial container record to syscall aux
- fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision
v2
- add check for children and threads
- add network namespace container identifier list
- add NETFILTER_PKT audit container identifier logging
- patch description and documentation clean-up and example
- reap unused ppid
Richard Guy Briggs (16):
audit: collect audit task parameters
audit: add container id
audit: read container ID of a process
audit: convert to contid list to check for orch/engine ownership
audit: log drop of contid on exit of last task
audit: log container info of syscalls
audit: add contid support for signalling the audit daemon
audit: add support for non-syscall auxiliary records
audit: add containerid support for user records
audit: add containerid filtering
audit: add support for containerid to network namespaces
audit: contid check descendancy and nesting
audit: track container nesting
audit: check contid depth and add limit config param
audit: check contid count per netns and add config param limit
audit: add capcontid to set contid outside init_user_ns
fs/proc/base.c | 112 +++++++-
include/linux/audit.h | 140 +++++++++-
include/linux/nsproxy.h | 2 +-
include/linux/sched.h | 10 +-
include/uapi/linux/audit.h | 14 +-
init/init_task.c | 3 +-
init/main.c | 2 +
kernel/audit.c | 626 +++++++++++++++++++++++++++++++++++++++++++-
kernel/audit.h | 29 ++
kernel/auditfilter.c | 61 +++++
kernel/auditsc.c | 91 +++++--
kernel/fork.c | 11 +-
kernel/nsproxy.c | 27 +-
kernel/sched/core.c | 33 +++
net/netfilter/nft_log.c | 11 +-
net/netfilter/xt_AUDIT.c | 11 +-
security/selinux/nlmsgtab.c | 1 +
security/yama/yama_lsm.c | 33 ---
18 files changed, 1115 insertions(+), 102 deletions(-)
--
1.8.3.1
4 years, 5 months
[PATCH 1/3 RESEND] sched: Remove __rcu annotation from cred pointer
by Amol Grover
task_struct::cred (subjective credentials) is *always* used
task-synchronously, hence, does not require RCU semantics.
task_struct::real_cred (objective credentials) can be used in
RCU context and its __rcu annotation is retained.
However, task_struct::cred and task_struct::real_cred *may*
point to the same object, hence, the object pointed to by
task_struct::cred *may* have RCU delayed freeing.
Suggested-by: Jann Horn <jannh(a)google.com>
Co-developed-by: Joel Fernandes (Google) <joel(a)joelfernandes.org>
Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org>
Signed-off-by: Amol Grover <frextrite(a)gmail.com>
---
include/linux/sched.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 716ad1d8d95e..39924e6e0cf2 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -879,8 +879,11 @@ struct task_struct {
/* Objective and real subjective task credentials (COW): */
const struct cred __rcu *real_cred;
- /* Effective (overridable) subjective task credentials (COW): */
- const struct cred __rcu *cred;
+ /*
+ * Effective (overridable) subjective task credentials (COW)
+ * which is used task-synchronously
+ */
+ const struct cred *cred;
#ifdef CONFIG_KEYS
/* Cached requested key. */
--
2.24.1
4 years, 6 months
[PATCH ghak25 v4 0/3] Address NETFILTER_CFG issues
by Richard Guy Briggs
There were questions about the presence and cause of unsolicited syscall events
in the logs containing NETFILTER_CFG records and sometimes unaccompanied
NETFILTER_CFG records.
During testing at least the following list of events trigger NETFILTER_CFG
records and the syscalls related (There may be more events that will trigger
this message type.):
init_module, finit_module: modprobe
delete_module: rmmod
setsockopt: iptables-restore, ip6tables-restore, ebtables-restore
unshare: (h?)ostnamed, updatedb
clone: libvirtd
kernel threads garbage collecting empty ebtables
The syscall events unsolicited by any audit rule were found to be caused by a
missing !audit_dummy_context() check before issuing a NETFILTER_CFG
record. In fact, since this is a configuration change it is required,
and we always want the accompanying syscall record even with no rules
present, so this has been addressed by ghak120.
The vast majority of unaccompanied records are caused by the fedora default
rule: "-a never,task" and the occasional early startup one is I believe caused
by the iptables filter table module hard linked into the kernel rather than a
loadable module.
A couple of other factors should help eliminate unaccompanied records
which include commit cb74ed278f80 ("audit: always enable syscall
auditing when supported and audit is enabled") which makes sure that
when audit is enabled, so automatically is syscall auditing, and ghak66
which addressed initializing audit before PID 1.
Ebtables module initialization to register tables doesn't generate records
because it was never hooked in to audit. Recommend adding audit hooks to log
this covered by ghak43 covered by patch 1.
Table unregistration was never logged, which is now covered by ghak44 in
patch 2. Unaccompanied records were caused by kernel threads
automatically unregistering empty ebtables, which necessitates adding
subject credentials covered in patch 3.
Seemingly duplicate records are not actually exact duplicates that are caused
by netfilter table initialization in different network namespaces from the same
syscall. Recommend adding the network namespace ID (proc inode and dev)
to the record to make this obvious (address later with ghak79 after nsid
patches).
See: https://github.com/linux-audit/audit-kernel/issues/25
See: https://github.com/linux-audit/audit-kernel/issues/35
See: https://github.com/linux-audit/audit-kernel/issues/43
See: https://github.com/linux-audit/audit-kernel/issues/44
Changelog:
v4
- rebase on audit/next v5.7-rc1
- fix checkpatch.pl errors/warnings in 1/3 and 2/3
v3
- rebase on v5.6-rc1 audit/next
- change audit_nf_cfg to audit_log_nfcfg
- squash 2,3,4,5 to 1 and update patch descriptions
- add subject credentials to cover garbage collecting kernel threads
v2
- Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code
- Split x_tables and ebtables updates
- Check audit_dummy_context
- Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call
- Restore back to "table, family, entries" from "family, table, entries"
- Log unregistration of tables
- Add "op=" at the end of the AUDIT_NETFILTER_CFG record
- Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32)
- Add ghak refs
- Ditch NETFILTER_CFGSOLO record
Richard Guy Briggs (3):
audit: tidy and extend netfilter_cfg x_tables and ebtables logging
netfilter: add audit table unregister actions
audit: add subj creds to NETFILTER_CFG record to cover async
unregister
include/linux/audit.h | 22 +++++++++++++++++++++
kernel/auditsc.c | 43 +++++++++++++++++++++++++++++++++++++++++
net/bridge/netfilter/ebtables.c | 14 ++++++--------
net/netfilter/x_tables.c | 14 +++++---------
4 files changed, 76 insertions(+), 17 deletions(-)
--
1.8.3.1
4 years, 6 months
[PATCH] audit: mark expected switch fall-through
by Gustavo A. R. Silva
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.
This patch fixes the following warning:
kernel/auditfilter.c: In function ‘audit_krule_to_data’:
kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
^
kernel/auditfilter.c:674:3: note: here
default:
^~~~~~~
Warning level 3 was used: -Wimplicit-fallthrough=3
Notice that, in this particular case, the code comment is modified
in accordance with what GCC is expecting to find.
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.
Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com>
---
kernel/auditfilter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index add360b46b38..63f8b3f26fab 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -670,7 +670,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->values[i] = AUDIT_UID_UNSET;
break;
}
- /* fallthrough if set */
+ /* fall through - if set */
default:
data->values[i] = f->val;
}
--
2.20.1
4 years, 7 months
Re: [PATCH Resend] MIPS: Add syscall auditing support
by Huacai Chen
CC audit maintainers and audit mail-list.
Huacai
On Thu, Mar 12, 2020 at 5:33 PM Huacai Chen <chenhc(a)lemote.com> wrote:
>
> From: Ralf Baechle <ralf(a)linux-mips.org>
>
> The original patch is from Ralf. I have maintained it for more than six
> years on Loongson platform, and it works perfectly. Most of the commit
> messages are written by Ralf.
>
> MIPS doesn't quite fit into the existing pattern of other architectures
> and I'd appreciate your comments and maybe even an Acked-by.
>
> - Linux on MIPS extends the traditional syscall table used by older UNIX
> implementations. This is why 32-bit Linux syscalls are starting from
> 4000; the native 64-bit syscalls start from 5000 and the N32 compat ABI
> from 6000. The existing syscall bitmap is only large enough for at most
> 2048 syscalls, so I had to increase AUDIT_BITMASK_SIZE to 256 which
> provides enough space for 8192 syscalls. Because include/uapi/linux/
> audit.h and AUDIT_BITMASK_SIZE are exported to userspace I've used an
> #ifdef __mips__ for this.
>
> - The code treats the little endian MIPS architecture as separate from
> big endian. Combined with the 3 ABIs that's 6 combinations. I tried
> to sort of follow the example set by ARM which explicitly lists the
> (rare) big endian architecture variant - but it doesn't seem to very
> useful so I wonder if this could be squashed to just the three ABIs
> without consideration of endianess?
>
> Signed-off-by: Ralf Baechle <ralf(a)linux-mips.org>
> Signed-off-by: Huacai Chen <chenhc(a)lemote.com>
> ---
> arch/mips/Kconfig | 13 +++++
> arch/mips/include/asm/abi.h | 1 +
> arch/mips/include/asm/unistd.h | 10 ++++
> arch/mips/include/uapi/asm/unistd.h | 21 ++++----
> arch/mips/kernel/Makefile | 4 ++
> arch/mips/kernel/audit-n32.c | 58 ++++++++++++++++++++++
> arch/mips/kernel/audit-native.c | 97 +++++++++++++++++++++++++++++++++++++
> arch/mips/kernel/audit-o32.c | 60 +++++++++++++++++++++++
> arch/mips/kernel/signal.c | 18 +++++++
> arch/mips/kernel/signal_n32.c | 8 +++
> arch/mips/kernel/signal_o32.c | 8 +++
> include/uapi/linux/audit.h | 10 ++++
> kernel/auditsc.c | 13 +++++
> 13 files changed, 312 insertions(+), 9 deletions(-)
> create mode 100644 arch/mips/kernel/audit-n32.c
> create mode 100644 arch/mips/kernel/audit-native.c
> create mode 100644 arch/mips/kernel/audit-o32.c
>
> diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
> index 27f800f..ac71fb0 100644
> --- a/arch/mips/Kconfig
> +++ b/arch/mips/Kconfig
> @@ -17,6 +17,7 @@ config MIPS
> select ARCH_USE_QUEUED_SPINLOCKS
> select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
> select ARCH_WANT_IPC_PARSE_VERSION
> + select AUDIT_ARCH
> select BUILDTIME_TABLE_SORT
> select CLONE_BACKWARDS
> select CPU_NO_EFFICIENT_FFS if (TARGET_ISA_REV < 1)
> @@ -40,6 +41,7 @@ config MIPS
> select GENERIC_TIME_VSYSCALL
> select GUP_GET_PTE_LOW_HIGH if CPU_MIPS32 && PHYS_ADDR_T_64BIT
> select HANDLE_DOMAIN_IRQ
> + select HAVE_ARCH_AUDITSYSCALL
> select HAVE_ARCH_COMPILER_H
> select HAVE_ARCH_JUMP_LABEL
> select HAVE_ARCH_KGDB
> @@ -1121,6 +1123,15 @@ config FW_ARC
> config ARCH_MAY_HAVE_PC_FDC
> bool
>
> +config AUDIT_ARCH
> + bool
> +
> +config AUDITSYSCALL_O32
> + bool
> +
> +config AUDITSYSCALL_N32
> + bool
> +
> config BOOT_RAW
> bool
>
> @@ -3192,6 +3203,7 @@ config MIPS32_O32
> select COMPAT
> select MIPS32_COMPAT
> select SYSVIPC_COMPAT if SYSVIPC
> + select AUDITSYSCALL_O32 if AUDITSYSCALL
> help
> Select this option if you want to run o32 binaries. These are pure
> 32-bit binaries as used by the 32-bit Linux/MIPS port. Most of
> @@ -3206,6 +3218,7 @@ config MIPS32_N32
> select COMPAT
> select MIPS32_COMPAT
> select SYSVIPC_COMPAT if SYSVIPC
> + select AUDITSYSCALL_N32 if AUDITSYSCALL
> help
> Select this option if you want to run n32 binaries. These are
> 64-bit binaries using 32-bit quantities for addressing and certain
> diff --git a/arch/mips/include/asm/abi.h b/arch/mips/include/asm/abi.h
> index dba7f4b..6e717a4a 100644
> --- a/arch/mips/include/asm/abi.h
> +++ b/arch/mips/include/asm/abi.h
> @@ -21,6 +21,7 @@ struct mips_abi {
> int (* const setup_rt_frame)(void *sig_return, struct ksignal *ksig,
> struct pt_regs *regs, sigset_t *set);
> const unsigned long restart;
> + const int audit_arch;
>
> unsigned off_sc_fpregs;
> unsigned off_sc_fpc_csr;
> diff --git a/arch/mips/include/asm/unistd.h b/arch/mips/include/asm/unistd.h
> index 5d70bab..80f5b5b 100644
> --- a/arch/mips/include/asm/unistd.h
> +++ b/arch/mips/include/asm/unistd.h
> @@ -59,4 +59,14 @@
>
> #endif /* !__ASSEMBLY__ */
>
> +#ifdef CONFIG_MIPS32_N32
> +#define NR_syscalls (__NR_N32_Linux + __NR_N32_Linux_syscalls)
> +#elif defined(CONFIG_64BIT)
> +#define NR_syscalls (__NR_64_Linux + __NR_64_Linux_syscalls)
> +#elif defined(CONFIG_32BIT)
> +#define NR_syscalls (__NR_O32_Linux + __NR_O32_Linux_syscalls)
> +#else
> +#error Must know ABIs in use to define NR_syscalls
> +#endif
> +
> #endif /* _ASM_UNISTD_H */
> diff --git a/arch/mips/include/uapi/asm/unistd.h b/arch/mips/include/uapi/asm/unistd.h
> index 4abe387..b501ea1 100644
> --- a/arch/mips/include/uapi/asm/unistd.h
> +++ b/arch/mips/include/uapi/asm/unistd.h
> @@ -6,34 +6,37 @@
> *
> * Copyright (C) 1995, 96, 97, 98, 99, 2000 by Ralf Baechle
> * Copyright (C) 1999, 2000 Silicon Graphics, Inc.
> - *
> - * Changed system calls macros _syscall5 - _syscall7 to push args 5 to 7 onto
> - * the stack. Robin Farine for ACN S.A, Copyright (C) 1996 by ACN S.A
> */
> #ifndef _UAPI_ASM_UNISTD_H
> #define _UAPI_ASM_UNISTD_H
>
> #include <asm/sgidefs.h>
>
> -#if _MIPS_SIM == _MIPS_SIM_ABI32
> +#if (defined(__WANT_SYSCALL_NUMBERS) && \
> + (__WANT_SYSCALL_NUMBERS == _MIPS_SIM_ABI32)) || \
> + (!defined(__WANT_SYSCALL_NUMBERS) && _MIPS_SIM == _MIPS_SIM_ABI32)
>
> #define __NR_Linux 4000
> #include <asm/unistd_o32.h>
>
> -#endif /* _MIPS_SIM == _MIPS_SIM_ABI32 */
> +#endif /* Want O32 || _MIPS_SIM == _MIPS_SIM_ABI32 */
>
> -#if _MIPS_SIM == _MIPS_SIM_ABI64
> +#if (defined(__WANT_SYSCALL_NUMBERS) && \
> + (__WANT_SYSCALL_NUMBERS == _MIPS_SIM_ABI64)) || \
> + (!defined(__WANT_SYSCALL_NUMBERS) && _MIPS_SIM == _MIPS_SIM_ABI64)
>
> #define __NR_Linux 5000
> #include <asm/unistd_n64.h>
>
> -#endif /* _MIPS_SIM == _MIPS_SIM_ABI64 */
> +#endif /* Want N64 || _MIPS_SIM == _MIPS_SIM_ABI64 */
>
> -#if _MIPS_SIM == _MIPS_SIM_NABI32
> +#if (defined(__WANT_SYSCALL_NUMBERS) && \
> + (__WANT_SYSCALL_NUMBERS == _MIPS_SIM_NABI32)) || \
> + (!defined(__WANT_SYSCALL_NUMBERS) && _MIPS_SIM == _MIPS_SIM_NABI32)
>
> #define __NR_Linux 6000
> #include <asm/unistd_n32.h>
>
> -#endif /* _MIPS_SIM == _MIPS_SIM_NABI32 */
> +#endif /* Want N32 || _MIPS_SIM == _MIPS_SIM_NABI32 */
>
> #endif /* _UAPI_ASM_UNISTD_H */
> diff --git a/arch/mips/kernel/Makefile b/arch/mips/kernel/Makefile
> index d6e97df..a7ac38d 100644
> --- a/arch/mips/kernel/Makefile
> +++ b/arch/mips/kernel/Makefile
> @@ -106,6 +106,10 @@ obj-$(CONFIG_HW_PERF_EVENTS) += perf_event_mipsxx.o
> obj-$(CONFIG_JUMP_LABEL) += jump_label.o
> obj-$(CONFIG_UPROBES) += uprobes.o
>
> +obj-$(CONFIG_AUDITSYSCALL_O32) += audit-o32.o
> +obj-$(CONFIG_AUDITSYSCALL_N32) += audit-n32.o
> +obj-$(CONFIG_AUDITSYSCALL) += audit-native.o
> +
> obj-$(CONFIG_MIPS_CM) += mips-cm.o
> obj-$(CONFIG_MIPS_CPC) += mips-cpc.o
>
> diff --git a/arch/mips/kernel/audit-n32.c b/arch/mips/kernel/audit-n32.c
> new file mode 100644
> index 00000000..2248badc
> --- /dev/null
> +++ b/arch/mips/kernel/audit-n32.c
> @@ -0,0 +1,58 @@
> +#define __WANT_SYSCALL_NUMBERS _MIPS_SIM_NABI32
> +
> +#include <linux/init.h>
> +#include <linux/types.h>
> +#include <linux/audit.h>
> +#include <asm/unistd.h>
> +
> +static unsigned dir_class_n32[] = {
> +#include <asm-generic/audit_dir_write.h>
> +~0U
> +};
> +
> +static unsigned read_class_n32[] = {
> +#include <asm-generic/audit_read.h>
> +~0U
> +};
> +
> +static unsigned write_class_n32[] = {
> +#include <asm-generic/audit_write.h>
> +~0U
> +};
> +
> +static unsigned chattr_class_n32[] = {
> +#include <asm-generic/audit_change_attr.h>
> +~0U
> +};
> +
> +static unsigned signal_class_n32[] = {
> +#include <asm-generic/audit_signal.h>
> +~0U
> +};
> +
> +int audit_classify_syscall_n32(int abi, unsigned syscall)
> +{
> + switch (syscall) {
> + case __NR_open:
> + return 2;
> + case __NR_openat:
> + return 3;
> + case __NR_execve:
> + return 5;
> + default:
> + return 0;
> + }
> +}
> +
> +static int __init audit_classes_n32_init(void)
> +{
> + audit_register_class(AUDIT_CLASS_WRITE_N32, write_class_n32);
> + audit_register_class(AUDIT_CLASS_READ_N32, read_class_n32);
> + audit_register_class(AUDIT_CLASS_DIR_WRITE_N32, dir_class_n32);
> + audit_register_class(AUDIT_CLASS_CHATTR_N32, chattr_class_n32);
> + audit_register_class(AUDIT_CLASS_SIGNAL_N32, signal_class_n32);
> +
> + return 0;
> +}
> +
> +__initcall(audit_classes_n32_init);
> diff --git a/arch/mips/kernel/audit-native.c b/arch/mips/kernel/audit-native.c
> new file mode 100644
> index 00000000..09ae3db
> --- /dev/null
> +++ b/arch/mips/kernel/audit-native.c
> @@ -0,0 +1,97 @@
> +#include <linux/init.h>
> +#include <linux/types.h>
> +#include <linux/audit.h>
> +#include <asm/unistd.h>
> +
> +static unsigned dir_class[] = {
> +#include <asm-generic/audit_dir_write.h>
> +~0U
> +};
> +
> +static unsigned read_class[] = {
> +#include <asm-generic/audit_read.h>
> +~0U
> +};
> +
> +static unsigned write_class[] = {
> +#include <asm-generic/audit_write.h>
> +~0U
> +};
> +
> +static unsigned chattr_class[] = {
> +#include <asm-generic/audit_change_attr.h>
> +~0U
> +};
> +
> +static unsigned signal_class[] = {
> +#include <asm-generic/audit_signal.h>
> +~0U
> +};
> +
> +
> +/*
> + * Pretend to be a single architecture
> + */
> +int audit_classify_arch(int arch)
> +{
> + return 0;
> +}
> +
> +extern int audit_classify_syscall_o32(int abi, unsigned syscall);
> +extern int audit_classify_syscall_n32(int abi, unsigned syscall);
> +
> +int audit_classify_syscall(int abi, unsigned syscall)
> +{
> + int res;
> +
> + switch (syscall) {
> + case __NR_open:
> + res = 2;
> + break;
> +
> + case __NR_openat:
> + res = 3;
> + break;
> +
> +#ifdef __NR_socketcall /* Only exists on O32 */
> + case __NR_socketcall:
> + res = 4;
> + break;
> +#endif
> + case __NR_execve:
> + res = 5;
> + break;
> + default:
> +#ifdef CONFIG_AUDITSYSCALL_O32
> + res = audit_classify_syscall_o32(abi, syscall);
> + if (res)
> + break;
> +#endif
> +#ifdef CONFIG_AUDITSYSCALL_N32
> + res = audit_classify_syscall_n32(abi, syscall);
> + if (res)
> + break;
> +#endif
> + if (abi == AUDIT_ARCH_MIPS || abi == AUDIT_ARCH_MIPSEL)
> + res = 1;
> + else if (abi == AUDIT_ARCH_MIPS64 || abi == AUDIT_ARCH_MIPSEL64)
> + res = 0;
> + else if (abi == AUDIT_ARCH_MIPS64N32 || abi == AUDIT_ARCH_MIPSEL64N32)
> + res = 6;
> + }
> +
> + return res;
> +}
> +
> +static int __init audit_classes_init(void)
> +{
> + audit_register_class(AUDIT_CLASS_WRITE, write_class);
> + audit_register_class(AUDIT_CLASS_READ, read_class);
> + audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
> + audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
> + audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
> +
> + return 0;
> +}
> +
> +__initcall(audit_classes_init);
> diff --git a/arch/mips/kernel/audit-o32.c b/arch/mips/kernel/audit-o32.c
> new file mode 100644
> index 00000000..e8b9b50
> --- /dev/null
> +++ b/arch/mips/kernel/audit-o32.c
> @@ -0,0 +1,60 @@
> +#define __WANT_SYSCALL_NUMBERS _MIPS_SIM_ABI32
> +
> +#include <linux/init.h>
> +#include <linux/types.h>
> +#include <linux/audit.h>
> +#include <linux/unistd.h>
> +
> +static unsigned dir_class_o32[] = {
> +#include <asm-generic/audit_dir_write.h>
> +~0U
> +};
> +
> +static unsigned read_class_o32[] = {
> +#include <asm-generic/audit_read.h>
> +~0U
> +};
> +
> +static unsigned write_class_o32[] = {
> +#include <asm-generic/audit_write.h>
> +~0U
> +};
> +
> +static unsigned chattr_class_o32[] = {
> +#include <asm-generic/audit_change_attr.h>
> +~0U
> +};
> +
> +static unsigned signal_class_o32[] = {
> +#include <asm-generic/audit_signal.h>
> +~0U
> +};
> +
> +int audit_classify_syscall_o32(int abi, unsigned syscall)
> +{
> + switch (syscall) {
> + case __NR_open:
> + return 2;
> + case __NR_openat:
> + return 3;
> + case __NR_socketcall:
> + return 4;
> + case __NR_execve:
> + return 5;
> + default:
> + return 0;
> + }
> +}
> +
> +static int __init audit_classes_o32_init(void)
> +{
> + audit_register_class(AUDIT_CLASS_WRITE_32, write_class_o32);
> + audit_register_class(AUDIT_CLASS_READ_32, read_class_o32);
> + audit_register_class(AUDIT_CLASS_DIR_WRITE_32, dir_class_o32);
> + audit_register_class(AUDIT_CLASS_CHATTR_32, chattr_class_o32);
> + audit_register_class(AUDIT_CLASS_SIGNAL_32, signal_class_o32);
> +
> + return 0;
> +}
> +
> +__initcall(audit_classes_o32_init);
> diff --git a/arch/mips/kernel/signal.c b/arch/mips/kernel/signal.c
> index f6efabc..b79d9a9 100644
> --- a/arch/mips/kernel/signal.c
> +++ b/arch/mips/kernel/signal.c
> @@ -8,6 +8,7 @@
> * Copyright (C) 1999, 2000 Silicon Graphics, Inc.
> * Copyright (C) 2014, Imagination Technologies Ltd.
> */
> +#include <linux/audit.h>
> #include <linux/cache.h>
> #include <linux/context_tracking.h>
> #include <linux/irqflags.h>
> @@ -790,6 +791,23 @@ struct mips_abi mips_abi = {
> #endif
> .setup_rt_frame = setup_rt_frame,
> .restart = __NR_restart_syscall,
> +#ifdef CONFIG_64BIT
> +# ifdef __BIG_ENDIAN
> + .audit_arch = AUDIT_ARCH_MIPS64,
> +# elif defined(__LITTLE_ENDIAN)
> + .audit_arch = AUDIT_ARCH_MIPSEL64,
> +# else
> +# error "Neither big nor little endian ???"
> +# endif
> +#else
> +# ifdef __BIG_ENDIAN
> + .audit_arch = AUDIT_ARCH_MIPS,
> +# elif defined(__LITTLE_ENDIAN)
> + .audit_arch = AUDIT_ARCH_MIPSEL,
> +# else
> +# error "Neither big nor little endian ???"
> +# endif
> +#endif
>
> .off_sc_fpregs = offsetof(struct sigcontext, sc_fpregs),
> .off_sc_fpc_csr = offsetof(struct sigcontext, sc_fpc_csr),
> diff --git a/arch/mips/kernel/signal_n32.c b/arch/mips/kernel/signal_n32.c
> index 7bd00fa..ed03ea1 100644
> --- a/arch/mips/kernel/signal_n32.c
> +++ b/arch/mips/kernel/signal_n32.c
> @@ -2,6 +2,7 @@
> /*
> * Copyright (C) 2003 Broadcom Corporation
> */
> +#include <linux/audit.h>
> #include <linux/cache.h>
> #include <linux/sched.h>
> #include <linux/mm.h>
> @@ -140,6 +141,13 @@ static int setup_rt_frame_n32(void *sig_return, struct ksignal *ksig,
> struct mips_abi mips_abi_n32 = {
> .setup_rt_frame = setup_rt_frame_n32,
> .restart = __NR_N32_restart_syscall,
> +#ifdef __BIG_ENDIAN
> + .audit_arch = AUDIT_ARCH_MIPS64N32,
> +#elif defined(__LITTLE_ENDIAN)
> + .audit_arch = AUDIT_ARCH_MIPSEL64N32,
> +#else
> +# error "Neither big nor little endian ???"
> +#endif
>
> .off_sc_fpregs = offsetof(struct sigcontext, sc_fpregs),
> .off_sc_fpc_csr = offsetof(struct sigcontext, sc_fpc_csr),
> diff --git a/arch/mips/kernel/signal_o32.c b/arch/mips/kernel/signal_o32.c
> index 299a7a2..9f4ad0a 100644
> --- a/arch/mips/kernel/signal_o32.c
> +++ b/arch/mips/kernel/signal_o32.c
> @@ -8,6 +8,7 @@
> * Copyright (C) 1999, 2000 Silicon Graphics, Inc.
> * Copyright (C) 2016, Imagination Technologies Ltd.
> */
> +#include <linux/audit.h>
> #include <linux/compiler.h>
> #include <linux/errno.h>
> #include <linux/signal.h>
> @@ -244,6 +245,13 @@ struct mips_abi mips_abi_32 = {
> .setup_frame = setup_frame_32,
> .setup_rt_frame = setup_rt_frame_32,
> .restart = __NR_O32_restart_syscall,
> +#ifdef __BIG_ENDIAN
> + .audit_arch = AUDIT_ARCH_MIPS,
> +#elif defined(__LITTLE_ENDIAN)
> + .audit_arch = AUDIT_ARCH_MIPSEL,
> +#else
> +# error "Neither big nor little endian ???"
> +#endif
>
> .off_sc_fpregs = offsetof(struct sigcontext32, sc_fpregs),
> .off_sc_fpc_csr = offsetof(struct sigcontext32, sc_fpc_csr),
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index a534d71..336c1eb 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -179,7 +179,11 @@
> * AUDIT_LIST commands must be implemented. */
> #define AUDIT_MAX_FIELDS 64
> #define AUDIT_MAX_KEY_LEN 256
> +#ifdef __mips__
> +#define AUDIT_BITMASK_SIZE 256
> +#else
> #define AUDIT_BITMASK_SIZE 64
> +#endif
> #define AUDIT_WORD(nr) ((__u32)((nr)/32))
> #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
>
> @@ -195,6 +199,12 @@
> #define AUDIT_CLASS_SIGNAL 8
> #define AUDIT_CLASS_SIGNAL_32 9
>
> +#define AUDIT_CLASS_DIR_WRITE_N32 10
> +#define AUDIT_CLASS_CHATTR_N32 11
> +#define AUDIT_CLASS_READ_N32 12
> +#define AUDIT_CLASS_WRITE_N32 13
> +#define AUDIT_CLASS_SIGNAL_N32 14
> +
> /* This bitmask is used to validate user input. It represents all bits that
> * are currently used in an audit field constant understood by the kernel.
> * If you are adding a new #define AUDIT_<whatever>, please ensure that
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4effe01..cf223c0 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -168,6 +168,19 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
> return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
> case 5: /* execve */
> return mask & AUDIT_PERM_EXEC;
> +#ifdef CONFIG_MIPS
> + case 6: /* for N32 */
> + if ((mask & AUDIT_PERM_WRITE) &&
> + audit_match_class(AUDIT_CLASS_WRITE_N32, n))
> + return 1;
> + if ((mask & AUDIT_PERM_READ) &&
> + audit_match_class(AUDIT_CLASS_READ_N32, n))
> + return 1;
> + if ((mask & AUDIT_PERM_ATTR) &&
> + audit_match_class(AUDIT_CLASS_CHATTR_N32, n))
> + return 1;
> + return 0;
> +#endif
> default:
> return 0;
> }
> --
> 2.7.0
>
4 years, 7 months
[PATCH] audit: make symbol 'audit_nfcfgs' static
by Zheng Bin
Fix sparse warnings:
kernel/auditsc.c:138:32: warning: symbol 'audit_nfcfgs' was not declared. Should it be static?
Reported-by: Hulk Robot <hulkci(a)huawei.com>
Signed-off-by: Zheng Bin <zhengbin13(a)huawei.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d281c18d1771..cfe3486e5f31 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -135,7 +135,7 @@ struct audit_nfcfgop_tab {
const char *s;
};
-const struct audit_nfcfgop_tab audit_nfcfgs[] = {
+static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
{ AUDIT_XT_OP_REGISTER, "register" },
{ AUDIT_XT_OP_REPLACE, "replace" },
{ AUDIT_XT_OP_UNREGISTER, "unregister" },
--
2.26.0.106.g9fadedd
4 years, 7 months
[PATCH ghak28 V8] audit: log audit netlink multicast bind and unbind events
by Richard Guy Briggs
Log information about programs connecting to and disconnecting from the
audit netlink multicast socket. This is needed so that during
investigations a security officer can tell who or what had access to the
audit trail. This helps to meet the FAU_SAR.2 requirement for Common
Criteria.
Here is the systemd startup event:
type=PROCTITLE msg=audit(2020-04-22 10:10:21.787:10) : proctitle=/init
type=SYSCALL msg=audit(2020-04-22 10:10:21.787:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x555f4aac7e90 a2=0xc a3=0x7ffcb792ff44 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
type=UNKNOWN[1335] msg=audit(2020-04-22 10:10:21.787:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes
And events from the test suite that just uses close():
type=PROCTITLE msg=audit(2020-04-22 11:47:08.501:442) : proctitle=/usr/bin/perl -w amcast_joinpart/test
type=SYSCALL msg=audit(2020-04-22 11:47:08.501:442) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x563004378760 a2=0xc a3=0x0 items=0 ppid=815 pid=818 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1335] msg=audit(2020-04-22 11:47:08.501:442) : pid=818 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
type=UNKNOWN[1335] msg=audit(2020-04-22 11:47:08.501:443) : pid=818 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
And the events from the test suite using setsockopt with NETLINK_DROP_MEMBERSHIP:
type=PROCTITLE msg=audit(2020-04-22 11:39:53.291:439) : proctitle=/usr/bin/perl -w amcast_joinpart/test
type=SYSCALL msg=audit(2020-04-22 11:39:53.291:439) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x5560877c2d20 a2=0xc a3=0x0 items=0 ppid=772 pid=775 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1335] msg=audit(2020-04-22 11:39:53.291:439) : pid=775 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
type=PROCTITLE msg=audit(2020-04-22 11:39:53.292:440) : proctitle=/usr/bin/perl -w amcast_joinpart/test
type=SYSCALL msg=audit(2020-04-22 11:39:53.292:440) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffc8366f000 items=0 ppid=772 pid=775 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1335] msg=audit(2020-04-22 11:39:53.292:440) : pid=775 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
Please see the upstream issue tracker at
https://github.com/linux-audit/audit-kernel/issues/28
With the feature description at
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Sock...
The testsuite support is at
https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
https://github.com/linux-audit/audit-testsuite/pull/93
And the userspace support patch is at
https://github.com/linux-audit/audit-userspace/pull/114
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Note: subj attrs included due to missing syscall record for disconnect on close
Note: tried refactor of subj attrs, but this is yet another new order.
Changelog:
v8:
- rebase on audit/next v5.7-rc1
- clean up patch description sample records
v7:
- rename audit_log_multicast_bind to audit_log_multicast
v6:
- rebased on 5.6-rc1 audit/next and audit log BPF
- updated patch description sample records
v5:
- rebased on 5.5-rc1 audit/next
- group bind/unbind ops
- add audit context
- justify message number skip
- check audit_enabled
- change field name from nlnk-grp to nl-mcgrp
- fix whitespace issues
v4:
- 2017-10-13 sgrubb
- squash to 1 patch
- rebase on KERN_MODULE event
- open code subj attrs
v3:
- 2016-11-30 sgrubb
- rebase on REPLACE event
- minimize audit_log_format calls
- rename audit_log_bind to audit_log_multicast_bind
v2:
- 2015-07-23 sgrubb
- spin off audit_log_task_simple in seperate patch
v1:
- 2014-10-07 rgb
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a534d71e689a..9b6a973f4cc3 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -117,6 +117,7 @@
#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
#define AUDIT_BPF 1334 /* BPF subsystem */
+#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index b69c8b460341..5c738cfb4a7e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1522,20 +1522,60 @@ static void audit_receive(struct sk_buff *skb)
audit_ctl_unlock();
}
+/* Log information about who is connecting to the audit multicast socket */
+static void audit_log_multicast(int group, const char *op, int err)
+{
+ const struct cred *cred;
+ struct tty_struct *tty;
+ char comm[sizeof(current->comm)];
+ struct audit_buffer *ab;
+
+ if (!audit_enabled)
+ return;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
+ if (!ab)
+ return;
+
+ cred = current_cred();
+ tty = audit_get_tty();
+ audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+ task_pid_nr(current),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ tty ? tty_name(tty) : "(none)",
+ audit_get_sessionid(current));
+ audit_put_tty(tty);
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
+ audit_log_d_path_exe(ab, current->mm); /* exe= */
+ audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
+ audit_log_end(ab);
+}
+
/* Run custom bind function on netlink socket group connect or bind requests. */
-static int audit_bind(struct net *net, int group)
+static int audit_multicast_bind(struct net *net, int group)
{
+ int err = 0;
+
if (!capable(CAP_AUDIT_READ))
- return -EPERM;
+ err = -EPERM;
+ audit_log_multicast(group, "connect", err);
+ return err;
+}
- return 0;
+static void audit_multicast_unbind(struct net *net, int group)
+{
+ audit_log_multicast(group, "disconnect", 0);
}
static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
- .bind = audit_bind,
+ .bind = audit_multicast_bind,
+ .unbind = audit_multicast_unbind,
.flags = NL_CFG_F_NONROOT_RECV,
.groups = AUDIT_NLGRP_MAX,
};
--
1.8.3.1
4 years, 7 months
multicast listeners and audit events to kmsg
by Luca BRUNO
Hi all,
I'm trying to re-spin a very old thread related to multicast listeners
and audit events to kmsg.
One surprising kernel behavior when using only a multicast listener
to collect audit events (in this case, systemd-journald) is that
audit events end up spamming the console [0].
[0] https://github.com/systemd/systemd/issues/15324
After a bunch of digging, it seems like this is due to a long-standing
RFE on the kernel side [1] (plus further references on BZ and LKML).
[1] https://github.com/linux-audit/audit-kernel/issues/102
Apparently there isn't a clear consensus on how this should be
approached. Looking at the github and bugzilla tickets, it seems to me
that Eric and Paul initially had in mind some logic based on multicast
listener detection, while Richard doesn't deem that reliable and
suggests an explicit configuration.
I'm not personally knowledgeable enough to judge kernel-land
approaches (nor to implement them), but I'd be happy if the audit folks
could converge to a consensus on how to implement this RFE, how it
would be consumed by userland, and what would be the kernel default
behavior once this RFE is implemented.
For Richard and the "explicit configuration" approach in particular, I'm
missing some further details:
* Is the current behavior considered buggy, or is that intended to be
kept as the default?
* Would this be tweaked via a (boolean?) sysctl, and what would be the
semantics of flipping it?
* How would this play with namespacing, especially netns?
Ciao, Luca
4 years, 7 months
[GIT PULL] Audit fixes for v5.7 (#1)
by Paul Moore
Hi Linus,
One small audit patch for the next v5.7-rcX release. You can read the
commit description, but basically it fixes a missing length check on
input from userspace, nothing crazy.
Thanks,
-Paul
--
The following changes since commit ae83d0b416db002fe95601e7f97f64b59514d936:
Linux 5.7-rc2 (2020-04-19 14:35:30 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20200422
for you to fetch changes up to 763dafc520add02a1f4639b500c509acc0ea8e5b:
audit: check the length of userspace generated audit records
(2020-04-20 17:10:58 -0400)
----------------------------------------------------------------
audit/stable-5.7 PR 20200422
----------------------------------------------------------------
Paul Moore (1):
audit: check the length of userspace generated audit records
kernel/audit.c | 3 +++
1 file changed, 3 insertions(+)
--
paul moore
www.paul-moore.com
4 years, 7 months
[PATCH] audit: allow audit_reusename to check kernel path
by Yiwen Gu
Currently, audit_reusename check file path only by comparing
userspace pointer "uptr", without checking the situation where
the file name is different with the same uptr.
Add kname into audit_reusename function to check file names
from the audit_names list.
Signed-off-by: Yiwen Gu <guyiwen(a)huawei.com>
---
fs/namei.c | 9 +++++----
include/linux/audit.h | 11 +++++++----
kernel/auditsc.c | 7 ++++---
3 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index db6565c99825..d5fb4bd12aec 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -128,13 +128,10 @@ struct filename *
getname_flags(const char __user *filename, int flags, int *empty)
{
struct filename *result;
+ struct filename *result_audit;
char *kname;
int len;
- result = audit_reusename(filename);
- if (result)
- return result;
-
result = __getname();
if (unlikely(!result))
return ERR_PTR(-ENOMEM);
@@ -197,6 +194,10 @@ getname_flags(const char __user *filename, int flags, int *empty)
}
}
+ result_audit = audit_reusename(filename, kname);
+ if (result_audit)
+ return result_audit;
+
result->uptr = filename;
result->aname = NULL;
audit_getname(result);
diff --git a/include/linux/audit.h b/include/linux/audit.h
index f9ceae57ca8d..71fb783f14c4 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -266,7 +266,8 @@ extern void __audit_free(struct task_struct *task);
extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
unsigned long a2, unsigned long a3);
extern void __audit_syscall_exit(int ret_success, long ret_value);
-extern struct filename *__audit_reusename(const __user char *uptr);
+extern struct filename *__audit_reusename(const __user char *uptr,
+ const char *kname);
extern void __audit_getname(struct filename *name);
extern void __audit_inode(struct filename *name, const struct dentry *dentry,
@@ -316,10 +317,11 @@ static inline void audit_syscall_exit(void *pt_regs)
__audit_syscall_exit(success, return_code);
}
}
-static inline struct filename *audit_reusename(const __user char *name)
+static inline struct filename *audit_reusename(const __user char *name,
+ const char *kname)
{
if (unlikely(!audit_dummy_context()))
- return __audit_reusename(name);
+ return __audit_reusename(name, kname);
return NULL;
}
static inline void audit_getname(struct filename *name)
@@ -539,7 +541,8 @@ static inline struct audit_context *audit_context(void)
{
return NULL;
}
-static inline struct filename *audit_reusename(const __user char *name)
+static inline struct filename *audit_reusename(const __user char *name,
+ const char *kname)
{
return NULL;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4effe01ebbe2..62ffc02abb98 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1843,13 +1843,14 @@ static struct audit_names *audit_alloc_name(struct audit_context *context,
/**
* __audit_reusename - fill out filename with info from existing entry
* @uptr: userland ptr to pathname
+ * @kname: kernel pathname string
*
* Search the audit_names list for the current audit context. If there is an
- * existing entry with a matching "uptr" then return the filename
+ * existing entry with matching "uptr" and "kname" then return the filename
* associated with that audit_name. If not, return NULL.
*/
struct filename *
-__audit_reusename(const __user char *uptr)
+__audit_reusename(const __user char *uptr, const char *kname)
{
struct audit_context *context = audit_context();
struct audit_names *n;
@@ -1857,7 +1858,7 @@ __audit_reusename(const __user char *uptr)
list_for_each_entry(n, &context->names_list, list) {
if (!n->name)
continue;
- if (n->name->uptr == uptr) {
+ if (n->name->uptr == uptr && !strcmp(kname, n->name->name)) {
n->name->refcnt++;
return n->name;
}
--
2.17.1
4 years, 7 months