[PATCH] Audit: add session id to audit messages

Friday, 14 December 2007

In order to correlate audit records to an individual login add a session
id.  This is incremented every time a user logs in and is included in
almost all messages which currently output the auid.  The field is
labeled ses=  or oses=

Signed-off-by: Eric Paris <eparis(a)redhat.com&gt;

---

This patch does not currently implement sessionid information for audit
messages generated from netlink messages.  That means no sessionid will
be found in things like userspace generated audit messages, audit system
configuration changes, or changes to labeled networking.  A patch to
support those messages (and the requisite changes to netlink) will be
forthcoming.

This patch applies on top of the previous OBJ_PID record changes.

Example records:
type=LOGIN msg=audit(1197663142.722:137): login pid=2764 uid=0 old auid=0 new auid=0 old
ses=1 new ses=13
type=SYSCALL msg=audit(1197665485.338:142): arch=c000003e syscall=62 success=yes exit=0
a0=1 a1=f a2=0 a3=0 items=0 ppid=2184 pid=2189 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=13 comm="bash" exe="/bin/bash"
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=OBJ_PID msg=audit(1197665485.338:142): opid=1 oauid=-1 ouid=0 oses=-1
obj=system_u:system_r:init_t:s0 ocomm="init"

 drivers/char/tty_audit.c       |   21 +++++++++++-----
 include/linux/audit.h          |    2 +
 kernel/auditsc.c               |   50 ++++++++++++++++++++++++++++++++--------
 net/core/dev.c                 |    5 ++-
 security/selinux/selinuxfs.c   |   17 ++++++++-----
 security/selinux/ss/services.c |    5 ++-
 6 files changed, 72 insertions(+), 28 deletions(-)

diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c
index d222012..490fea3 100644
--- a/drivers/char/tty_audit.c
+++ b/drivers/char/tty_audit.c
@@ -73,7 +73,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
  *	@tsk with @loginuid.  @buf->mutex must be locked.
  */
 static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
-			       struct tty_audit_buf *buf)
+			       unsigned int sessionid, struct tty_audit_buf *buf)
 {
 	struct audit_buffer *ab;
 
@@ -85,9 +85,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
 	if (ab) {
 		char name[sizeof(tsk->comm)];
 
-		audit_log_format(ab, "tty pid=%u uid=%u auid=%u major=%d "
-				 "minor=%d comm=", tsk->pid, tsk->uid,
-				 loginuid, buf->major, buf->minor);
+		audit_log_format(ab, "tty pid=%u uid=%u auid=%u ses=%u "
+				 "major=%d minor=%d comm=", tsk->pid, tsk->uid,
+				 loginuid, sessionid, buf->major, buf->minor);
 		get_task_comm(name, tsk);
 		audit_log_untrustedstring(ab, name);
 		audit_log_format(ab, " data=");
@@ -105,8 +105,10 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t
loginuid,
  */
 static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
 {
-	tty_audit_buf_push(current, audit_get_loginuid(current->audit_context),
-			   buf);
+	struct audit_context *ctx = current->audit_context;
+	uid_t auid = audit_get_loginuid(ctx);
+	unsigned int sessionid = audit_get_sessionid(ctx);
+	tty_audit_buf_push(current, auid, sessionid, buf);
 }
 
 /**
@@ -152,6 +154,11 @@ void tty_audit_fork(struct signal_struct *sig)
 void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
 {
 	struct tty_audit_buf *buf;
+	/* FIXME I think this is correct.  Check against netlink once that is
+	 * I really need to read this code more closely.  But that's for
+	 * another patch.
+	 */
+	unsigned int sessionid = audit_get_sessionid(tsk->audit_context);
 
 	spin_lock_irq(&tsk->sighand->siglock);
 	buf = tsk->signal->tty_audit_buf;
@@ -162,7 +169,7 @@ void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
 		return;
 
 	mutex_lock(&buf->mutex);
-	tty_audit_buf_push(tsk, loginuid, buf);
+	tty_audit_buf_push(tsk, loginuid, sessionid, buf);
 	mutex_unlock(&buf->mutex);
 
 	tty_audit_buf_put(buf);
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c687816..2f2ab1f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -408,6 +408,7 @@ extern void auditsc_get_stamp(struct audit_context *ctx,
 			      struct timespec *t, unsigned int *serial);
 extern int  audit_set_loginuid(struct task_struct *task, uid_t loginuid);
 extern uid_t audit_get_loginuid(struct audit_context *ctx);
+extern unsigned int audit_get_sessionid(struct audit_context *ctx);
 extern void audit_log_task_context(struct audit_buffer *ab);
 extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t
mode);
@@ -487,6 +488,7 @@ extern int audit_signals;
 #define audit_core_dumps(i) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
 #define audit_get_loginuid(c) ({ -1; })
+#define audit_get_sessionid(c) ({ -1; })
 #define audit_log_task_context(b) do { ; } while (0)
 #define audit_ipc_obj(i) ({ 0; })
 #define audit_ipc_set_perm(q,u,g,m) ({ 0; })
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6d53e75..1feb9ec 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -178,6 +178,7 @@ struct audit_aux_data_pids {
 	pid_t			target_pid[AUDIT_AUX_PIDS];
 	uid_t			target_auid[AUDIT_AUX_PIDS];
 	uid_t			target_uid[AUDIT_AUX_PIDS];
+	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 	u32			target_sid[AUDIT_AUX_PIDS];
 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
 	int			pid_count;
@@ -196,6 +197,7 @@ struct audit_context {
 	unsigned int	    serial;     /* serial number for record */
 	struct timespec	    ctime;      /* time of syscall entry */
 	uid_t		    loginuid;   /* login uid (identity) */
+	unsigned int	    sessionid; /* each login gets a session id */
 	int		    major;      /* syscall number */
 	unsigned long	    argv[4];    /* syscall arguments */
 	int		    return_valid; /* return code is valid */
@@ -220,6 +222,7 @@ struct audit_context {
 	pid_t		    target_pid;
 	uid_t		    target_auid;
 	uid_t		    target_uid;
+	unsigned int	    target_sessionid;
 	u32		    target_sid;
 	char		    target_comm[TASK_COMM_LEN];
 
@@ -790,10 +793,12 @@ static inline void audit_zero_context(struct audit_context
*context,
 				      enum audit_state state)
 {
 	uid_t loginuid = context->loginuid;
+	unsigned int sessionid = context->sessionid;
 
 	memset(context, 0, sizeof(*context));
 	context->state      = state;
 	context->loginuid   = loginuid;
+	context->sessionid  = sessionid;
 }
 
 static inline struct audit_context *audit_alloc_context(enum audit_state state)
@@ -834,8 +839,11 @@ int audit_alloc(struct task_struct *tsk)
 
 				/* Preserve login uid */
 	context->loginuid = -1;
-	if (current->audit_context)
+	context->sessionid = -1;
+	if (current->audit_context) {
 		context->loginuid = current->audit_context->loginuid;
+		context->sessionid = current->audit_context->sessionid;
+	}
 
 	tsk->audit_context  = context;
 	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
@@ -928,7 +936,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct
task_struct *tsk
 }
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-				 uid_t auid, uid_t uid, u32 sid, char *comm)
+				 uid_t auid, uid_t uid, unsigned int sessionid,
+				 u32 sid, char *comm)
 {
 	struct audit_buffer *ab;
 	char *s = NULL;
@@ -939,7 +948,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t
pid,
 	if (!ab)
 		return 1;
 
-	audit_log_format(ab, "opid=%d oauid=%d ouid=%d", pid, auid, uid);
+	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
+			 uid, sessionid);
 	if (selinux_sid_to_string(sid, &s, &len)) {
 		audit_log_format(ab, " obj=(none)");
 		rc = 1;
@@ -1048,7 +1058,7 @@ static void audit_log_exit(struct audit_context *context, struct
task_struct *ts
 		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
 		  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
 		  " euid=%u suid=%u fsuid=%u"
-		  " egid=%u sgid=%u fsgid=%u tty=%s",
+		  " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
 		  context->argv[0],
 		  context->argv[1],
 		  context->argv[2],
@@ -1060,7 +1070,8 @@ static void audit_log_exit(struct audit_context *context, struct
task_struct *ts
 		  context->uid,
 		  context->gid,
 		  context->euid, context->suid, context->fsuid,
-		  context->egid, context->sgid, context->fsgid, tty);
+		  context->egid, context->sgid, context->fsgid, tty,
+		  context->sessionid);
 
 	mutex_unlock(&tty_mutex);
 
@@ -1179,6 +1190,7 @@ static void audit_log_exit(struct audit_context *context, struct
task_struct *ts
 			if (audit_log_pid_context(context, axs->target_pid[i],
 						  axs->target_auid[i],
 						  axs->target_uid[i],
+						  axs->target_sessionid[i],
 						  axs->target_sid[i],
 						  axs->target_comm[i]))
 				call_panic = 1;
@@ -1187,6 +1199,7 @@ static void audit_log_exit(struct audit_context *context, struct
task_struct *ts
 	if (context->target_pid &&
 	    audit_log_pid_context(context, context->target_pid,
 				  context->target_auid, context->target_uid,
+				  context->target_sessionid, 
 				  context->target_sid, context->target_comm))
 			call_panic = 1;
 
@@ -1779,6 +1792,9 @@ void auditsc_get_stamp(struct audit_context *ctx,
 	ctx->auditable = 1;
 }
 
+/* global counter which is incremented every time something logs in */
+static atomic_t session_id = ATOMIC_INIT(0);
+
 /**
  * audit_set_loginuid - set a task's audit_context loginuid
  * @task: task whose audit context is being modified
@@ -1793,6 +1809,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 	struct audit_context *context = task->audit_context;
 
 	if (context) {
+		unsigned int sessionid = atomic_inc_return(&session_id);
 		/* Only log if audit is enabled */
 		if (context->in_syscall) {
 			struct audit_buffer *ab;
@@ -1800,13 +1817,16 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
 			if (ab) {
 				audit_log_format(ab, "login pid=%d uid=%u "
-					"old auid=%u new auid=%u",
+					"old auid=%u new auid=%u"
+					" old ses=%u new ses=%u",
 					task->pid, task->uid,
-					context->loginuid, loginuid);
+					context->loginuid, loginuid,
+					context->sessionid, sessionid);
 				audit_log_end(ab);
 			}
 		}
 		context->loginuid = loginuid;
+		context->sessionid = sessionid;
 	}
 	return 0;
 }
@@ -1824,6 +1844,11 @@ uid_t audit_get_loginuid(struct audit_context *ctx)
 
 EXPORT_SYMBOL(audit_get_loginuid);
 
+unsigned int audit_get_sessionid(struct audit_context *ctx)
+{
+	return ctx ? ctx->sessionid : -1;
+}
+
 /**
  * __audit_mq_open - record audit data for a POSIX MQ open
  * @oflag: open flag
@@ -2208,6 +2233,7 @@ void __audit_ptrace(struct task_struct *t)
 	context->target_pid = t->pid;
 	context->target_auid = audit_get_loginuid(t->audit_context);
 	context->target_uid = t->uid;
+	context->target_sessionid = audit_get_sessionid(t->audit_context);
 	selinux_get_task_sid(t, &context->target_sid);
 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
 }
@@ -2248,6 +2274,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
 		ctx->target_pid = t->tgid;
 		ctx->target_auid = audit_get_loginuid(t->audit_context);
 		ctx->target_uid = t->uid;
+		ctx->target_sessionid = audit_get_sessionid(t->audit_context);
 		selinux_get_task_sid(t, &ctx->target_sid);
 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
 		return 0;
@@ -2268,6 +2295,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
 	axp->target_pid[axp->pid_count] = t->tgid;
 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t->audit_context);
 	axp->target_uid[axp->pid_count] = t->uid;
+	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t->audit_context);
 	selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
 	axp->pid_count++;
@@ -2285,7 +2313,10 @@ int __audit_signal_info(int sig, struct task_struct *t)
 void audit_core_dumps(long signr)
 {
 	struct audit_buffer *ab;
+	struct audit_context *ctx = current->audit_context;
 	u32 sid;
+	uid_t auid = audit_get_loginuid(ctx);
+	unsigned int sessionid = audit_get_sessionid(ctx);
 
 	if (!audit_enabled)
 		return;
@@ -2294,9 +2325,8 @@ void audit_core_dumps(long signr)
 		return;
 
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-	audit_log_format(ab, "auid=%u uid=%u gid=%u",
-			audit_get_loginuid(current->audit_context),
-			current->uid, current->gid);
+	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+			auid, current->uid, current->gid, sessionid);
 	selinux_get_task_sid(current, &sid);
 	if (sid) {
 		char *ctx = NULL;
diff --git a/net/core/dev.c b/net/core/dev.c
index 26a3a3a..07d3963 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int
inc)
 							       "left");
 		audit_log(current->audit_context, GFP_ATOMIC,
 			AUDIT_ANOM_PROMISCUOUS,
-			"dev=%s prom=%d old_prom=%d auid=%u",
+			"dev=%s prom=%d old_prom=%d auid=%u ses=%u",
 			dev->name, (dev->flags & IFF_PROMISC),
 			(old_flags & IFF_PROMISC),
-			audit_get_loginuid(current->audit_context));
+			audit_get_loginuid(current->audit_context),
+			audit_get_sessionid(current->audit_context));
 
 		if (dev->change_rx_flags)
 			dev->change_rx_flags(dev, IFF_PROMISC);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 2fa483f..432e803 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -158,9 +158,10 @@ static ssize_t sel_write_enforce(struct file * file, const char
__user * buf,
 		if (length)
 			goto out;
 		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-			"enforcing=%d old_enforcing=%d auid=%u", new_value, 
-			selinux_enforcing,
-			audit_get_loginuid(current->audit_context));
+			"enforcing=%d old_enforcing=%d auid=%u ses=%u",
+			new_value, selinux_enforcing,
+			audit_get_loginuid(current->audit_context),
+			audit_get_sessionid(current->audit_context));
 		selinux_enforcing = new_value;
 		if (selinux_enforcing)
 			avc_ss_reset(0);
@@ -229,8 +230,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user
* buf,
 		if (length < 0)
 			goto out;
 		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-			"selinux=0 auid=%u",
-			audit_get_loginuid(current->audit_context));
+			"selinux=0 auid=%u ses=%u",
+			audit_get_loginuid(current->audit_context),
+			audit_get_sessionid(current->audit_context));
 	}
 
 	length = count;
@@ -335,8 +337,9 @@ out1:
 		(security_get_allow_unknown() ? "allow" : "deny")));
 
 	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
-		"policy loaded auid=%u",
-		audit_get_loginuid(current->audit_context));
+		"policy loaded auid=%u ses=%u",
+		audit_get_loginuid(current->audit_context),
+		audit_get_sessionid(current->audit_context));
 out:
 	mutex_unlock(&sel_mutex);
 	vfree(data);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index d572dc9..c1ea08c 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1897,11 +1897,12 @@ int security_set_bools(int len, int *values)
 		if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
 			audit_log(current->audit_context, GFP_ATOMIC,
 				AUDIT_MAC_CONFIG_CHANGE,
-				"bool=%s val=%d old_val=%d auid=%u",
+				"bool=%s val=%d old_val=%d auid=%u ses=%u",
 				policydb.p_bool_val_to_name[i],
 				!!values[i],
 				policydb.bool_val_to_struct[i]->state,
-				audit_get_loginuid(current->audit_context));
+				audit_get_loginuid(current->audit_context),
+				audit_get_sessionid(current->audit_context));
 		}
 		if (values[i]) {
 			policydb.bool_val_to_struct[i]->state = 1;



    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[PATCH] Audit: add session id to audit messages