[PATCH 1/2] audit: remove redundant data_len check
by Shreenidhi Shedi
data_len is already getting checked if it's less than 2 earlier in this
function.
Signed-off-by: Shreenidhi Shedi <sshedi(a)vmware.com>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7690c29d4..0749211d5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1390,7 +1390,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
str);
} else {
audit_log_format(ab, " data=");
- if (data_len > 0 && str[data_len - 1] == '\0')
+ if (str[data_len - 1] == '\0')
data_len--;
audit_log_n_untrustedstring(ab, str, data_len);
}
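Review bot: the hunk removes the only guard that keeps `str[data_len - 1]` from indexing before the buffer when data_len is 0, and the earlier `data_len < 2` check the commit message relies on is not in the visible context. The commit message should cite that check (its condition and where it sits relative to this else branch) so a reviewer can confirm every path into the branch arrives with data_len >= 2; if any path does not, `data_len > 0 &&` is a bounds check rather than dead code and has to stay. Since the existing test costs one compare on a slow path, the description should also say why removing it is worth the lost defence in depth.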
--
2.36.1
2 years, 4 months
Linux v5.19 and audit
by Paul Moore
In case anyone is curious and hasn't been tracking the audit kernel
tree very closely, there are no outstanding kernel patches queued for
v5.19 so there will be no audit kernel PR for this development cycle.
--
paul-moore.com
2 years, 5 months
Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
by Alex Triantafillidis (DESIGN LABORATORY INC)
Hello Audit,
I am trying to implement a set of rules related to “xattrs” on a MS CBL-Mariner 1.0.
I am following this guide<https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-hipaa.html#xccdf_...>.
Record Events that Modify the System's Discretionary Access Controls Group contains 13 rules
[ref]<https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-hipaa.html#xccdf_...> At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines, however, this is less efficient. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
The thing is, I get an error for any of setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr.
bash: setxattr: command not found
Is there any way I can enable the above in Mariner?
Thank you.
AlexT
2 years, 5 months
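The guide lines quoted in the post above are auditctl rule syntax, not shell commands: `setxattr` and the other names are syscall identifiers inside the `-S` list and mean something only to auditctl or augenrules, which is why typing a line at a prompt ends in `bash: setxattr: command not found`. The following is an added example (not from the post, the OpenSCAP guide, or CBL-Mariner) that generates the guide's perm_mod rule set for both arches into a rules file the way it is normally installed; the file name `30-perm_mod.rules` is an assumed choice.

```shell
#!/bin/sh
# Added example: build the guide's perm_mod rules as a rules file.
# Rule lines are data for auditctl/augenrules, never shell commands.

# Emit one "-a always,exit" rule for one arch and one syscall group.
# $1 = arch (b32|b64), $2 = comma-separated syscall list, $3 = key
perm_mod_rule() {
    printf '%s\n' "-a always,exit -F arch=$1 -S $2 -F auid>=1000 -F auid!=unset -F key=$3"
}

# The three syscall groups from the guide, duplicated for b32 and b64.
# The b32 lines stay on a 64-bit system because it can still execute
# 32-bit system calls.
gen_perm_mod_rules() {
    for arch in b32 b64; do
        perm_mod_rule "$arch" chmod,fchmod,fchmodat perm_mod
        perm_mod_rule "$arch" chown,fchown,fchownat,lchown perm_mod
        perm_mod_rule "$arch" setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr perm_mod
    done
}

# Write the rule set to the file named in $1. On a live system that
# would be /etc/audit/rules.d/30-perm_mod.rules (assumed name), followed
# by "augenrules --load" (or "auditctl -R <file>" for a one-off load);
# "ausyscall b64 setxattr" checks a syscall name resolves for an arch
# before loading.
write_perm_mod_rules() {
    gen_perm_mod_rules > "$1"
}

# Count the rule lines in a rules file (sanity check after writing).
count_rules() {
    grep -c '^-a always,exit' "$1"
}
```

Each of the six lines in the output is a complete rule; `auid>=1000 -F auid!=unset` restricts the match to real logged-in users, and the shared `key=perm_mod` is what `ausearch -k perm_mod` later filters on.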
[PATCH v3 0/3] fanotify: Allow user space to pass back additional audit info
by Richard Guy Briggs
The Fanotify API can be used for access control by requesting permission
event notification. The user space tooling that uses it may have a
complicated policy that inherently contains additional context for the
decision. If this information were available in the audit trail, policy
writers can close the loop on debugging policy. Also, if this additional
information were available, it would enable the creation of tools that
can suggest changes to the policy similar to how audit2allow can help
refine labeled security.
This patch defines 2 additional fields within the response structure
returned from user space on a permission event. The first field is 32
bits for the context type. The context type will describe what the
meaning is of the second field. The audit system will separate the
pieces and log them individually.
The audit function was updated to log the additional information in the
AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17
changelog:
v1:
- first version by Steve Grubb <sgrubb(a)redhat.com>
Link: https://lore.kernel.org/r/2042449.irdbgypaU6@x2
v2:
- enhancements suggested by Jan Kara <jack(a)suse.cz>
- 1/3 change %d to %u in pr_debug
- 2/3 change response from __u32 to __u16
- mod struct fanotify_response and fanotify_perm_event add extra_info_type, extra_info_buf
- extra_info_buf size max FANOTIFY_MAX_RESPONSE_EXTRA_LEN, add struct fanotify_response_audit_rule
- extend debug statements
- remove unneeded macros
- [internal] change interface to finish_permission_event() and process_access_response()
- 3/3 update format of extra information
- [internal] change interface to audit_fanotify()
- change ctx_type= to fan_type=
Link: https://lore.kernel.org/r/cover.1651174324.git.rgb@redhat.com
v3:
- 1/3 switch {,__}audit_fanotify() from uint to u32
- 2/3 re-add fanotify_get_response switch case FAN_DENY: to avoid unnecessary churn
- add FAN_EXTRA flag to indicate more info and break with old kernel
- change response from u16 to u32 to avoid endian issues
- change extra_info_buf to union
- move low-cost fd check earlier
- change FAN_RESPONSE_INFO_AUDIT_NONE to FAN_RESPONSE_INFO_NONE
- switch to u32 for internal and __u32 for uapi
Link: https://lore.kernel.org/r/cover.1652724390.git.rgb@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold response decision context
fanotify: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c | 6 ++-
fs/notify/fanotify/fanotify.h | 4 +-
fs/notify/fanotify/fanotify_user.c | 76 +++++++++++++++++++-----------
include/linux/audit.h | 9 ++--
include/linux/fanotify.h | 3 ++
include/uapi/linux/fanotify.h | 22 ++++++++-
kernel/auditsc.c | 18 +++++--
7 files changed, 100 insertions(+), 38 deletions(-)
--
2.27.0
2 years, 5 months
[GIT PULL] Audit fixes for v5.18 (#1)
by Paul Moore
Linus,
A single audit patch to fix a problem where a task's audit_context was
not being properly reset with io_uring. Please merge for v5.18.
Thanks,
-Paul
--
The following changes since commit 42226c989789d8da4af1de0c31070c96726d990c:
Linux 5.18-rc7 (2022-05-15 18:08:58 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20220518
for you to fetch changes up to 69e9cd66ae1392437234a63a3a1d60b6655f92ef:
audit,io_uring,io-wq: call __audit_uring_exit for dummy contexts
(2022-05-17 15:03:36 -0400)
----------------------------------------------------------------
audit/stable-5.18 PR 20220518
----------------------------------------------------------------
Julian Orth (1):
audit,io_uring,io-wq: call __audit_uring_exit for dummy contexts
include/linux/audit.h | 2 +-
kernel/auditsc.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
--
paul-moore.com
2 years, 5 months
[ANNOUNCE][CFP] Linux Security Summit Europe 2022
by Reshetova, Elena
==============================================================================
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT EUROPE 2022
15-16 September
Dublin, Ireland & Virtual
==============================================================================
DESCRIPTION
Linux Security Summit Europe (LSS-EU) is a technical forum for
collaboration between Linux developers, researchers, and end-users. Its
primary aim is to foster community efforts in analysing and solving Linux
security challenges.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials
90 minutes in length.
Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this conference,
and those where the presenter is a leading subject matter expert on the topic.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-europe/
Note that for 2022, we are returning to having both North American and
European events (LSS-NA will be held in June in Austin, Texas).
LSS-EU DATES
* CFP close: July 1
* CFP notifications: July 26
* Schedule announced: July 28
* Event: September 15-16
WHO SHOULD ATTEND
We're seeking a diverse range of attendees and welcome participation by
people involved in Linux security development, operations, and research.
LSS is a unique global event that provides the opportunity to present and
discuss your work or research with key Linux security community members and
maintainers. It's also useful for those who wish to keep up with the latest
in Linux security development and to provide input to the development
process.
WEB SITE
https://events.linuxfoundation.org/linux-security-summit-europe/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2021 is:
* Elena Reshetova, Intel
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Microsoft
* Stephen Smalley, NSA
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Linux Foundation
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
2 years, 5 months
[PATCH 0/1] audit, io_uring, io-wq: call __audit_uring_exit for dummy contexts
by Julian Orth
After porting my wayland compositor to io_uring, I noticed that my logs
were getting spammed with the following messages (tested with 5.17.7 and
5.18.0-rc7):
WARNING: CPU: 10 PID: 983 at kernel/auditsc.c:2041 __audit_syscall_entry+0x1>
Modules linked in: vrf wireguard curve25519_x86_64 libchacha20poly1305 chach>
ipmi_msghandler crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mb>
CPU: 10 PID: 983 Comm: jay Tainted: G W 5.18.0-rc7-dirty #5 1>
Hardware name: Gigabyte Technology Co., Ltd. B450M DS3H/B450M DS3H-CF, BIOS >
RIP: 0010:__audit_syscall_entry+0x111/0x140
Code: e8 24 69 ff ff 48 8b 34 24 48 8b 54 24 08 85 c0 48 8b 4c 24 10 4c 8b 4>
RSP: 0018:ffffa6e480887de8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff969c92f22400 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000007 RDI: ffff969c8fa4c080
RBP: 00000000000001aa R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000001 R12: 00000000000001aa
R13: ffffa6e480887f58 R14: 00000000000001aa R15: 0000000000000000
FS: 00007fefe020f040(0000) GS:ffff96a39ea80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fefac429000 CR3: 0000000103674000 CR4: 00000000003506e0
Call Trace:
<TASK>
? get_signal+0x8d/0x990
syscall_trace_enter.constprop.0+0x121/0x1a0
do_syscall_64+0x36/0x80
? arch_do_signal_or_restart+0x44/0x750
? syscall_exit_to_user_mode+0x22/0x40
? exit_to_user_mode_prepare+0xd3/0x140
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fefe0d0b67d
Code: 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 4>
RSP: 002b:00007fff383a6c58 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00005595f1c25e00 RCX: 00007fefe0d0b67d
RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 00005595f1c1b700 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000005 R14: 00005595f1c21f60 R15: 0000000000000001
</TASK>
---[ end trace 0000000000000000 ]---
audit: unrecoverable error in audit_syscall_entry()
I traced this to the context not being reset after audit_uring_entry if
the created context was a dummy context. I am surprised that I would be
the first one to find this problem but maybe io_uring is rarely used on
systems where auditing is enabled or a recent kernel change elsewhere
caused this problem to surface.
Julian Orth (1):
audit,io_uring,io-wq: call __audit_uring_exit for dummy contexts
include/linux/audit.h | 2 +-
kernel/auditsc.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
--
2.36.1
2 years, 5 months
[PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info
by Richard Guy Briggs
The Fanotify API can be used for access control by requesting permission
event notification. The user space tooling that uses it may have a
complicated policy that inherently contains additional context for the
decision. If this information were available in the audit trail, policy
writers can close the loop on debugging policy. Also, if this additional
information were available, it would enable the creation of tools that
can suggest changes to the policy similar to how audit2allow can help
refine labeled security.
This patch defines 2 additional fields within the response structure
returned from user space on a permission event. The first field is 16
bits for the context type. The context type will describe what the
meaning is of the second field. The audit system will separate the
pieces and log them individually.
The audit function was updated to log the additional information in the
AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17
changelog:
v1:
- first version by Steve Grubb <sgrubb(a)redhat.com>
Link: https://lore.kernel.org/r/2042449.irdbgypaU6@x2
v2:
- enhancements suggested by Jan Kara <jack(a)suse.cz>
- 1/3 change %d to %u in pr_debug
- 2/3 change response from __u32 to __u16
- mod struct fanotify_response and fanotify_perm_event add extra_info_type, extra_info_buf
- extra_info_buf size max FANOTIFY_MAX_RESPONSE_EXTRA_LEN, add struct fanotify_response_audit_rule
- extend debug statements
- remove unneeded macros
- [internal] change interface to finish_permission_event() and process_access_response()
- 3/3 update format of extra information
- [internal] change interface to audit_fanotify()
- change ctx_type= to fan_type=
Link: https://lore.kernel.org/r/cover.1651174324.git.rgb@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold response decision context
fanotify: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c | 5 ++-
fs/notify/fanotify/fanotify.h | 4 +-
fs/notify/fanotify/fanotify_user.c | 59 ++++++++++++++++++++----------
include/linux/audit.h | 8 ++--
include/linux/fanotify.h | 3 ++
include/uapi/linux/fanotify.h | 27 +++++++++++++-
kernel/auditsc.c | 18 +++++++--
7 files changed, 94 insertions(+), 30 deletions(-)
--
2.27.0
2 years, 5 months
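Both fanotify cover letters above (v3 and v2) show the same new AUDIT_FANOTIFY record, `type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17`, where fan_type says how fan_ctx is to be read. As an added example that is not code from the patch series, the functions below pull the fields out of such a record and decode them. The resp bit values FAN_ALLOW 0x01, FAN_DENY 0x02 and FAN_AUDIT 0x10 come from include/uapi/linux/fanotify.h, not from this page; treating fan_type 0 as "no context" and 1 as the audit-rule number (the struct fanotify_response_audit_rule named in the changelog) is an assumption about the proposed interface.

```shell
#!/bin/sh
# Added example: parse the AUDIT_FANOTIFY record shown in the cover letters.

# The record line from the cover letters (copied from the page).
FANOTIFY_RECORD='type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17'

# Print the value of one key=value field of an audit record.
# $1 = record line, $2 = key. A space is prepended so the first field
# matches too, and "fan_type=" is not mistaken for "type=".
audit_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# msg=audit(<seconds.millis>:<serial>): split into its two parts.
audit_timestamp() {
    audit_field "$1" msg | sed -n 's/^audit(\([0-9.]*\):.*/\1/p'
}
audit_serial() {
    audit_field "$1" msg | sed -n 's/^audit([0-9.]*:\([0-9]*\)).*/\1/p'
}

# Decode the resp bit mask into the uapi flag names (values assumed
# from include/uapi/linux/fanotify.h: ALLOW 0x01, DENY 0x02, AUDIT 0x10).
fan_decision() {
    resp=$1
    out=""
    if [ $((resp & 1)) -ne 0 ]; then out="FAN_ALLOW"; fi
    if [ $((resp & 2)) -ne 0 ]; then out="${out:+$out|}FAN_DENY"; fi
    if [ $((resp & 16)) -ne 0 ]; then out="${out:+$out|}FAN_AUDIT"; fi
    printf '%s\n' "${out:-unknown}"
}

# Interpret fan_ctx according to fan_type. The mapping 0 -> no context
# and 1 -> audit rule number is an assumption about the proposed uapi.
fan_context() {
    ftype=$(audit_field "$1" fan_type)
    fctx=$(audit_field "$1" fan_ctx)
    case $ftype in
        0) printf 'none\n' ;;
        1) printf 'audit_rule=%s\n' "$fctx" ;;
        *) printf 'unknown_type_%s=%s\n' "$ftype" "$fctx" ;;
    esac
}

# One-line summary of a record: serial, decision, context.
fan_summary() {
    printf '%s %s %s\n' "$(audit_serial "$1")" \
        "$(fan_decision "$(audit_field "$1" resp)")" "$(fan_context "$1")"
}
```

Run against the record from the page, `fan_summary` reports serial 590, a FAN_DENY decision and `audit_rule=17`, which is exactly the link between a denied permission event and the user-space policy rule that produced it that the cover letter is after.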
[PATCH 1/5] char: lp: ensure that index has not exceeded LP_NO
by Shreenidhi Shedi
Signed-off-by: Shreenidhi Shedi <sshedi(a)vmware.com>
---
drivers/char/lp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/lp.c b/drivers/char/lp.c
index 0e22e3b0a04e..d474d02b6c7f 100644
--- a/drivers/char/lp.c
+++ b/drivers/char/lp.c
@@ -972,7 +972,7 @@ static void lp_attach(struct parport *port)
if (port_num[i] == -1)
break;
- if (!lp_register(i, port))
+ if (i < LP_NO && !lp_register(i, port))
lp_count++;
break;
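Review bot: `port_num[i]` is already read at the `if (port_num[i] == -1)` test two lines above the new check, so if i can really reach LP_NO the out-of-bounds access has happened before `i < LP_NO` is ever evaluated; either the bound belongs before that read (or in the loop condition that produces i, which is outside this hunk), or i is already bounded there and the new test is dead code. The commit message carries nothing but a Signed-off-by; it should explain how i exceeds LP_NO in lp_attach so the right place for the check can be judged.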
--
2.36.1
2 years, 5 months