5:55 p.m.
Hello,
Attached to this e-mail is my first iteration of the file system
auditing piece needed for CAPP EAL4. I appreciate all feedback, but
please read the TODO list prior to sending me feedback on something
I'm already aware of. I've not stressed tested this code nor have I
done any formal FVT. The testing I have done has been.. minimal.
I've mostly seen if given scenarios work (move one watched file to
another watched location, create a hardlink to /etc/passwd from
/home/me, etc).
At this time, I'm unable to provide you with the userspace patch I
wrote, but encourage someone on this list to add the functionality to
libaudit/auditctl and submit the patch (Steve :)?). If you'd like my
"guidance" please e-mail me privately.
ABOUT:
Thus far, the patch being submitted with this e-mail implements a
rudimentary file system auditing capability using the in-kernel audit
subsystem. From userspace, an administrator passes into the kernel a
pathname and filterkey pair. The terminating file or directory does
not have to exist at the time a watch point is created for it, but
it's parent does.
If at any point the parent is destroyed, auditing information for its
children is lost. Likewise, if we mount over watched paths, we lose
auditing information, until we unmount. Currently, there is no
decision on whether or not we ought to give the audit subsystem the
capability of dynamically remapping watch paths onto new mounts or
supporting theoretical watch paths where watch paths are arbitrary and
if they should come into existence within the filesystem, they become
watched and thus auditable. Also, if I remember my code correctly, if
you move out of a watch path into a path that is not being watched,
your watch field is still pointing in a watch list, and will be
audited. If you destroy this file or directory and recreate it in the
same (unwatched) path, it will no longer be audited. I think I need
to add a field to the watch where we can enable/disable this behavior
per watch entry.
Provided both syscall auditing and file system auditing are both
configured and enabled, when a syscall of interest accesses a file or
directory being watched, it collects information about that file or
directory (via it's inode and watch entry) and adds it to the
audit_context of that syscall. When the syscall exits, any files or
directory information collected is sent to userspace to be logged.
TODOs:
* Add RCU locking in the appropriate places to make SMP-safe
* Switch over to slab caches for struct audit_data, struct audit_file,
and struct audit_watch
* Think about how I can make it so an administrator can say, "Watch
this file only on the syscall open where uid=0" -- As of right now, if
filesystem auditing is on, every syscall (being audited) that accesses
a watched file or directory collects information about it and
generates a record. Is this sufficient?
* Make it so filesystem auditing can be dynamically enabled/disabled
from userspace, rather then being "enabled" if configured or
"disabled" if not configured at boot time.
* Add/remove unnecessary information about the file or directory being
collected in the audit context. Input on this?
--
- Timothy R. Chavez
7:32 a.m.
Can we make the i_audit field in struct inode dependent on
CONFIG_AUDITFILESYSTEM?
As I understand it, this watches only extant inodes. You can't watch for
attempts to read or create a non-existent file. Is that functionality
not required?
I'll refrain from heckling about locking since you mentioned it
yourself :)
--
dwmw2
9:47 a.m.
On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2(a)infradead.org> wrote:
Can we make the i_audit field in struct inode dependent on
CONFIG_AUDITFILESYSTEM?
Sure, I'm glad you pointed that out.
As I understand it, this watches only extant inodes. You can't watch for
attempts to read or create a non-existent file. Is that functionality
not required?
I'm fairly sure that for CAPP, this capability is not required.
Granted, it would be useful for other types of auditing.
I'll test this when I get into work to make sure, but I believe that
this is kind of supported in the case where we try to <access> a file
that exists, but we don't have <access> too. We'll get a record for
the syscall and for the file (sharing the same serial number) and in
the record for the syscall, we should see the error code as its return
value right?
To log accesses on non-existent files, it'd probably be sufficient to
hook d_lookup. At that point I have my parent dentry/inode and know
my name. I can simply check to see if its being watched or not and if
it is, record the attempt.
I'll refrain from heckling about locking since you mentioned it
yourself :)
Thanks :-)
--
dwmw2
--
- Timothy R. Chavez
9:58 a.m.
On Thu, 2005-01-20 at 09:47 -0600, Timothy R. Chavez wrote:
On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse
<dwmw2(a)infradead.org> wrote:
> Can we make the i_audit field in struct inode dependent on
> CONFIG_AUDITFILESYSTEM?
Sure, I'm glad you pointed that out.
You also have to do likewise in fs/inode.c, and fs/namei.c doesn't build
with CONFIG_AUDITFILESYSTEM disabled because it uses the return value of
audit_notify_watch().
You don't seem to be logging the _result_ of the permission() call, or
am I missing something?
--- ./fs/inode.c~ 2005-01-20 15:45:43.000000000 +0000
+++ ./fs/inode.c 2005-01-20 15:54:34.744093992 +0000
@@ -135,7 +135,9 @@ static struct inode *alloc_inode(struct
inode->i_cdev = NULL;
inode->i_rdev = 0;
inode->i_security = NULL;
+#ifdef CONFIG_AUDITFILESYSTEM
inode->i_audit = NULL;
+#endif
inode->dirtied_when = 0;
if (security_inode_alloc(inode)) {
if (inode->i_sb->s_op->destroy_inode)
--- ./include/linux/fs.h~ 2005-01-20 15:53:54.635065632 +0000
+++ ./include/linux/fs.h 2005-01-20 15:53:27.413077728 +0000
@@ -1,4 +1,4 @@
-##ifndef _LINUX_FS_H
+#ifndef _LINUX_FS_H
#define _LINUX_FS_H
/*
@@ -451,7 +451,9 @@ struct inode {
#ifdef CONFIG_QUOTA
struct dquot *i_dquot[MAXQUOTAS];
#endif
+#ifdef CONFIG_AUDITFILESYSTEM
struct audit_data *i_audit;
+#endif
/* These three should probably be a union */
struct list_head i_devices;
struct pipe_inode_info *i_pipe;
--- ./include/linux/audit.h~ 2005-01-20 15:45:43.000000000 +0000
+++ ./include/linux/audit.h 2005-01-20 15:49:20.346091408 +0000
@@ -188,7 +188,7 @@ extern int audit_notify_watch(struct tas
#define audit_putname(n) do { ; } while (0)
#define audit_inode(n,i,d) do { ; } while (0)
#define audit_get_loginuid(c) ({ -1; })
-#define audit_notify_watch(t,i,m) do { ; } while(0)
+#define audit_notify_watch(t,i,m) ({ 0; })
#endif
#ifdef CONFIG_AUDITFILESYSTEM
--
dwmw2
11:05 a.m.
On Thu, 20 Jan 2005 15:58:20 +0000, David Woodhouse <dwmw2(a)infradead.org> wrote:
On Thu, 2005-01-20 at 09:47 -0600, Timothy R. Chavez wrote:
> On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2(a)infradead.org>
wrote:
> > Can we make the i_audit field in struct inode dependent on
> > CONFIG_AUDITFILESYSTEM?
>
> Sure, I'm glad you pointed that out.
You also have to do likewise in fs/inode.c, and fs/namei.c doesn't build
with CONFIG_AUDITFILESYSTEM disabled because it uses the return value of
audit_notify_watch().
Doh! Thanks
You don't seem to be logging the _result_ of the permission() call, or
am I missing something?
Good question, actually. I just did a test and tried to cp a user
file into /etc at a watched location, and it logs the syscall and
attempted file access, and in theory the exit (return_value) of the
syscall should be negative, upon failure, right? And this should tell
you the entire story ("Access to this <watched file>
<succeeded/failed>"). But its giving me some super large number in
the log as the exit/return code... Maybe I'm missing something, but
why is the return code being logged out with a %u and not a %d?
if (context->return_valid)
audit_log_format(ab, " exit=%u", context->return_code);
<snip>
--
dwmw2
--
- Timothy R. Chavez
11:12 a.m.
On Thursday 20 January 2005 12:05, Timothy R. Chavez wrote:
But its giving me some super large number in the log as the
exit/return code... Maybe I'm missing something, but why is
the return code being logged out with a %u and not a %d?
Yes, that should be a %d. The fix was sent in a patch Peter submitted
upstream. It was accepted into 2.6.11 which is now rc status.
-Steve
1:31 p.m.
Hello,
Just a note. I've detected a rather careless bug. When I switched
audit_watch from a void function to return an integer, the only case
where I'd get anything other then return of 0 would be if I failed on
memory allocation for a new inode->i_audit. However, this -ENOMEM was
not being handled because it can not be escalated. This being the
case, I'm having to rework the system and create a preallocation
stradegy that guarantees when I'm in audit_watch, I'll have the
necessary memory. This also allows me to handle the -ENOMEM case,
just at an earlier point.
I hope to have this done by today, RCU locking tonight or tommorow.
--
- Timothy R. Chavez
10:09 a.m.
On Thu, Jan 20, 2005 at 09:47:11AM -0600, Timothy R. Chavez wrote:
On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse
<dwmw2(a)infradead.org> wrote:
> As I understand it, this watches only extant inodes. You can't watch for
> attempts to read or create a non-existent file. Is that functionality
> not required?
I'm fairly sure that for CAPP, this capability is not required.
Granted, it would be useful for other types of auditing.
The CAPP and LSPP requirements only concern access to objects, and a
nonexistent file isn't an object to which access needs to be monitored.
To log accesses on non-existent files, it'd probably be
sufficient to
hook d_lookup. At that point I have my parent dentry/inode and know
my name. I can simply check to see if its being watched or not and if
it is, record the attempt.
Note that many programs will try to open tons of nonexistent files due to
various preconfigured locations for config files etc. Such access would
need to be filtered to be at all useful. But you mention that this could
be done via the watch list, which would solve this.
Auditing of failed attempts to create new files may be useful to find out
if someone is trying to create a ~/.ssh/authorized_keys file or something
else with a potential security impact. This should be a fairly rare
occurence, so I think a simple rule to audit all failed file creation
attempts would probably be sufficient. A full watch list based solution
would be optimal but I'd consider that to be a low priority.
-Klaus
9:20 p.m.
* Timothy R. Chavez (chavezt(a)gmail.com) wrote:
rudimentary file system auditing capability using the in-kernel
audit
subsystem. From userspace, an administrator passes into the kernel a
pathname and filterkey pair. The terminating file or directory does
not have to exist at the time a watch point is created for it, but
it's parent does.
What is a filterkey?
TODOs:
* Add RCU locking in the appropriate places to make SMP-safe
Is RCU a requirement, or just some real locking?
* Switch over to slab caches for struct audit_data, struct
audit_file,
and struct audit_watch
Yes, please.
* Think about how I can make it so an administrator can say,
"Watch
this file only on the syscall open where uid=0" -- As of right now, if
filesystem auditing is on, every syscall (being audited) that accesses
a watched file or directory collects information about it and
generates a record. Is this sufficient?
Seems intuitively useful to at least be able to watch a file regardless
of who touched it, or what syscall was used. I think you'd especially
want to know if you had some non uid=0 process that wrote to a sensitive
file abusing it's CAP_DAC_OVERRIDE privilege for example.
* Make it so filesystem auditing can be dynamically enabled/disabled
from userspace, rather then being "enabled" if configured or
"disabled" if not configured at boot time.
* Add/remove unnecessary information about the file or directory being
collected in the audit context. Input on this?
I missed which parts are unnecessary?
diff -Npru linux-2.6.10/Makefile linux-2.6.10-audit/Makefile
--- linux-2.6.10/Makefile 2004-12-24 15:35:01.000000000 -0600
+++ linux-2.6.10-audit/Makefile 2005-01-19 11:17:19.000000000 -0600
@@ -1,8 +1,8 @@
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 10
-EXTRAVERSION =
-NAME=Woozy Numbat
+EXTRAVERSION =-auditfs-tc1
+NAME=
Probably not really necessary.
--- linux-2.6.10/arch/i386/defconfig 2004-12-24 15:35:01.000000000
-0600
+++ linux-2.6.10-audit/arch/i386/defconfig 2005-01-07
15:44:26.000000000 -0600
@@ -23,6 +23,7 @@ CONFIG_POSIX_MQUEUE=y
CONFIG_SYSCTL=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
+CONFIG_AUDITFILESYSTEM=y
Yes here, but default Kconfig is N?
diff -Npru linux-2.6.10/fs/dcache.c linux-2.6.10-audit/fs/dcache.c
--- linux-2.6.10/fs/dcache.c 2004-12-24 15:34:00.000000000 -0600
+++ linux-2.6.10-audit/fs/dcache.c 2005-01-18 14:20:18.000000000 -0600
@@ -32,6 +32,7 @@
#include <linux/seqlock.h>
#include <linux/swap.h>
#include <linux/bootmem.h>
+#include <linux/audit.h>
/* #define DCACHE_DEBUG 1 */
@@ -781,6 +782,7 @@ void d_instantiate(struct dentry *entry,
entry->d_inode = inode;
spin_unlock(&dcache_lock);
security_d_instantiate(entry, inode);
+ audit_watch(entry);
}
/**
@@ -920,6 +922,7 @@ struct dentry *d_splice_alias(struct ino
security_d_instantiate(dentry, inode);
d_rehash(dentry);
}
+ audit_watch(dentry);
} else
d_add(dentry, inode);
return new;
@@ -1266,6 +1269,7 @@ already_unhashed:
spin_unlock(&dentry->d_lock);
write_sequnlock(&rename_lock);
spin_unlock(&dcache_lock);
+ audit_watch(dentry);
Hmm, I don't think this does what you mentioned. Here, a rename gets the
new pathname watchpoint, so you could lose the inode watch with a rename.
}
/**
diff -Npru linux-2.6.10/fs/inode.c linux-2.6.10-audit/fs/inode.c
--- linux-2.6.10/fs/inode.c 2004-12-24 15:35:40.000000000 -0600
+++ linux-2.6.10-audit/fs/inode.c 2005-01-17 17:44:59.000000000 -0600
@@ -135,6 +135,7 @@ static struct inode *alloc_inode(struct
inode->i_cdev = NULL;
inode->i_rdev = 0;
inode->i_security = NULL;
+ inode->i_audit = NULL;
inode->dirtied_when = 0;
if (security_inode_alloc(inode)) {
if (inode->i_sb->s_op->destroy_inode)
diff -Npru linux-2.6.10/fs/namei.c linux-2.6.10-audit/fs/namei.c
--- linux-2.6.10/fs/namei.c 2004-12-24 15:34:30.000000000 -0600
+++ linux-2.6.10-audit/fs/namei.c 2005-01-18 13:03:18.000000000 -0600
@@ -232,6 +232,10 @@ int permission(struct inode * inode,int
/* Ordinary permission routines do not understand MAY_APPEND. */
submask = mask & ~MAY_APPEND;
+ retval = audit_notify_watch(current, inode, mask);
+ if (retval < 0)
+ return retval;
I wouldn't expect this to fail.
if (inode->i_op && inode->i_op->permission)
retval = inode->i_op->permission(inode, submask, nd);
else
diff -Npru linux-2.6.10/include/linux/audit.h linux-2.6.10-audit/include/linux/audit.h
--- linux-2.6.10/include/linux/audit.h 2005-01-19 15:18:52.000000000 -0600
+++ linux-2.6.10-audit/include/linux/audit.h 2005-01-19 15:37:56.000000000 -0600
@@ -25,14 +25,16 @@
#define _LINUX_AUDIT_H_
/* Request and reply types */
-#define AUDIT_GET 1000 /* Get status */
-#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
-#define AUDIT_LIST 1002 /* List filtering rules */
-#define AUDIT_ADD 1003 /* Add filtering rule */
-#define AUDIT_DEL 1004 /* Delete filtering rule */
-#define AUDIT_USER 1005 /* Send a message from user-space */
-#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */
-#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
+#define AUDIT_GET 1000 /* Get status */
+#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
+#define AUDIT_LIST 1002 /* List filtering rules */
+#define AUDIT_ADD 1003 /* Add filtering rule */
+#define AUDIT_DEL 1004 /* Delete filtering rule */
+#define AUDIT_USER 1005 /* Send a message from user-space */
+#define AUDIT_LOGIN 1006 /* Define the login id and information */
+#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
+#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
+#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
#define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */
@@ -74,7 +76,7 @@
#define AUDIT_DEVMINOR 101
#define AUDIT_INODE 102
#define AUDIT_EXIT 103
-#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
+#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
@@ -129,6 +131,31 @@ struct audit_rule { /* for AUDIT_LIST,
__u32 values[AUDIT_MAX_FIELDS];
};
+/* Input structure for fs object auditing */
+
+struct audit_watch_request {
+ char *path;
+ char *fk;
s/fk/filterkey/?
+ int pathlen;
+ int fklen;
+};
+
+/* Watch entry */
+
+/* Following two structs must be commented out for userspace copy */
+
+struct audit_watch {
+ char *name;
+ char *fk;
+ struct list_head list;
+};
Anyway to come up with name distintion between this data and the
function? And with many of these at 16bytes each on 32bit, it's a large
waste (smallest kmalloc slab is 32bytes iirc)
+struct audit_data {
+ struct audit_watch *watch;
+ struct list_head watchlist;
+};
Does audit_watch ever exist without audit_data? Looking through, it
seems like they can be decoupled, but that's only on rename, where I
think you wouldn't want to change, or drop the whole thing and start
over.
@@ -155,6 +182,8 @@ extern int audit_receive_filter(int typ
extern void audit_get_stamp(struct audit_context *ctx,
struct timespec *t, int *serial);
extern int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid);
+extern int audit_notify_watch(struct task_struct *task, struct inode *inode,
+ int mask);
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
@@ -163,8 +192,22 @@ extern int audit_set_loginuid(struct au
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_notify_watch(t,i,m) do { ; } while(0)
#endif
+#ifdef CONFIG_AUDITFILESYSTEM
+extern int audit_receive_watch(int type, int pid, int uid, int seq,
+ struct audit_watch_request *req);
+extern int audit_watch(struct dentry *dentry);
+extern void audit_inode_free(struct inode *inode);
+extern struct audit_data *audit_inode_alloc(void);
+#else
+#define audit_receive_watch(t,p,u,s,r) do { ; } while(0)
+#define audit_watch(d) do { ; } while(0)
+#define audit_inode_free(i) do { ; } while(0)
+#define audit_inode_alloc() do { ; } while(0)
+#endif
+
#ifdef CONFIG_AUDIT
/* These are defined in audit.c */
/* Public API */
diff -Npru linux-2.6.10/include/linux/fs.h linux-2.6.10-audit/include/linux/fs.h
--- linux-2.6.10/include/linux/fs.h 2004-12-24 15:34:27.000000000 -0600
+++ linux-2.6.10-audit/include/linux/fs.h 2005-01-07 16:17:20.000000000 -0600
@@ -27,6 +27,7 @@ struct poll_table_struct;
struct kstatfs;
struct vm_area_struct;
struct vfsmount;
+struct audit_data;
/*
* It's silly to have NR_OPEN bigger than NR_FILE, but you can change
@@ -459,6 +460,7 @@ struct inode {
#ifdef CONFIG_QUOTA
struct dquot *i_dquot[MAXQUOTAS];
#endif
+ struct audit_data *i_audit;
/* These three should probably be a union */
struct list_head i_devices;
struct pipe_inode_info *i_pipe;
diff -Npru linux-2.6.10/init/Kconfig linux-2.6.10-audit/init/Kconfig
--- linux-2.6.10/init/Kconfig 2004-12-24 15:35:24.000000000 -0600
+++ linux-2.6.10-audit/init/Kconfig 2005-01-16 22:35:08.000000000 -0600
@@ -174,6 +174,17 @@ config AUDITSYSCALL
can be used independently or with another kernel subsystem,
such as SELinux.
+config AUDITFILESYSTEM
+ bool "Enable filesystem auditing support"
+ depends on AUDITSYSCALL
+ default n
+ help
+ Generate audit records for regular files or directories that
+ are being watched for access by audited syscalls. To insert
+ and remove watch points into the filesystem you may use the
+ auditctl program provided with auditd. For more information,
+ 'man auditctl'
+
config LOG_BUF_SHIFT
int "Kernel log buffer size (16 => 64KB, 17 => 128KB)" if DEBUG_KERNEL
range 12 21
diff -Npru linux-2.6.10/kernel/Makefile linux-2.6.10-audit/kernel/Makefile
--- linux-2.6.10/kernel/Makefile 2004-12-24 15:34:26.000000000 -0600
+++ linux-2.6.10-audit/kernel/Makefile 2005-01-05 15:23:14.000000000 -0600
@@ -23,6 +23,7 @@ obj-$(CONFIG_IKCONFIG_PROC) += configs.o
obj-$(CONFIG_STOP_MACHINE) += stop_machine.o
obj-$(CONFIG_AUDIT) += audit.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
+obj-$(CONFIG_AUDITFILESYSTEM) += auditfs.o
obj-$(CONFIG_KPROBES) += kprobes.o
obj-$(CONFIG_SYSFS) += ksysfs.o
obj-$(CONFIG_GENERIC_HARDIRQS) += irq/
diff -Npru linux-2.6.10/kernel/audit.c linux-2.6.10-audit/kernel/audit.c
--- linux-2.6.10/kernel/audit.c 2004-12-24 15:35:50.000000000 -0600
+++ linux-2.6.10-audit/kernel/audit.c 2005-01-19 11:30:02.000000000 -0600
@@ -20,6 +20,7 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Written by Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Modified by Timothy R. Chavez <chavezt(a)us.ibm.com>
*
* Goals: 1) Integrate fully with SELinux.
* 2) Minimal run-time overhead:
@@ -46,7 +47,6 @@
#include <asm/types.h>
#include <linux/mm.h>
#include <linux/module.h>
-
#include <linux/audit.h>
#include <net/sock.h>
@@ -60,6 +60,9 @@ static int audit_initialized;
/* No syscall auditing will take place unless audit_enabled != 0. */
int audit_enabled;
+/* No filesystem auditing will take place unless audit_filesystem != 0 */
+int audit_filesystem;
Err, this is only set based on config. So it doesn't really do
anything.
+
/* Default state when kernel boots without any parameters. */
static int audit_default;
@@ -394,6 +397,15 @@ static int audit_receive_msg(struct sk_b
err = -EOPNOTSUPP;
#endif
break;
+#ifdef CONFIG_AUDITFILESYSTEM
+ case AUDIT_WATCH_INS:
+ case AUDIT_WATCH_REM:
+ err = audit_receive_watch(nlh->nlmsg_type, pid, uid, seq,
+ data);
+#else
+ err = -EOPNOTSUPP;
+#endif
+ break;
default:
err = -EINVAL;
break;
@@ -533,6 +545,16 @@ int __init audit_init(void)
audit_initialized = 1;
audit_enabled = audit_default;
+/* FIXME:
+ * We should be able to enable/disable filesystem auditing dynamically,
+ * after we boot up. Configuring support for it should != automatic
+ * enablement.
+ */
+#ifdef CONFIG_AUDITFILESYSTEM
+ audit_filesystem = 1;
+#else
+ audit_filesystem = 0;
+#endif
Oh, nm, I see the fixme comment ;-)
audit_log(NULL, "initialized");
return 0;
}
diff -Npru linux-2.6.10/kernel/auditfs.c linux-2.6.10-audit/kernel/auditfs.c
--- linux-2.6.10/kernel/auditfs.c 1969-12-31 17:00:00.000000000 -0700
+++ linux-2.6.10-audit/kernel/auditfs.c 2005-01-19 14:48:08.000000000 -0600
@@ -0,0 +1,396 @@
+/* auditfs.c -- Filesystem auditing support -*- linux-c -*-
+ * Implements filesystem auditing support, depends on kernel/auditsc.c
+ *
+ * Copyright 2005 International Business Machines Corp. (IBM)
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Written by Timothy R. Chavez <chavezt(a)us.ibm.com>
+ *
+ */
+
+#include <linux/init.h>
+
+#include <linux/fs.h>
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/namei.h>
+#include <linux/mount.h>
+#include <linux/list.h>
+#include <linux/mm.h>
+#include <linux/audit.h>
+
+#include <asm/types.h>
+#include <asm/uaccess.h>
+
+/* Helper functions */
+
+struct audit_lookup {
+ char *name;
+ struct dentry *dentry;
+ struct dentry *parent;
+};
+
+/* audit_path_lookup - Look up a string path and store the parent dentry,
+ * string name of the file/dir we're interested in,
+ * and optionally, the dentry of the file/dir we're
+ * interested in if it exists
+ *
+ * @path - String path (ie: "/etc/passwd")
+ * @lup - Lookup structure
These aren't proper docbook style comments.
+ *
+ * NOTE: caller must dput dentries if necessary
+ */
+static int audit_path_lookup(const char *path, struct audit_lookup *lup)
+{
+ int ret;
+ struct nameidata nd;
+
+ ret = path_lookup(path, LOOKUP_PARENT | LOOKUP_FOLLOW, &nd);
+ if (ret < 0)
+ goto audit_path_lookup_exit;
+
+ lup->parent = dget(nd.dentry);
+ lup->dentry = d_lookup(nd.dentry, &nd.last);
+ lup->name = kmalloc(strlen(nd.last.name) + 1, GFP_KERNEL);
+ if (!lup->name)
+ return -ENOMEM;
Never called path_release()
+ strcpy(lup->name, nd.last.name);
+
+ path_release(&nd);
+
+ audit_path_lookup_exit:
+ return ret;
+}
+
+/* audit_fetch_watch - If the string name matches that of
+ * of a watch entry in the parent dentry
+ * then return that watch structure.
+ *
+ * @name - String name (ie: "passwd")
+ * @parent - The dentry of the inode whose watchlist
+ we want to traverse
+ */
DocBook comments here too, I think they all need to be redone.
+static struct audit_watch *audit_fetch_watch(const char *name,
+ struct dentry *parent)
+{
+ struct audit_data *data;
+ struct audit_watch *watch, *ret = NULL;
+
+ data = parent->d_inode->i_audit;
+ if (!data)
+ goto audit_fetch_watch_exit;
+
+ if (list_empty(&data->watchlist))
+ goto audit_fetch_watch_exit;
list_for_each will tell you if it's empty.
+ list_for_each_entry(watch, &data->watchlist, list)
+ if (!strcmp(watch->name, name)) {
+ ret = watch;
+ goto audit_fetch_watch_exit;
usually just break;
+ }
Have a feel for how many are usually in a list? for /etc, for example,
maybe a hash is better?
+ audit_fetch_watch_exit:
+ return ret;
+}
+
+static struct audit_watch *audit_watch_alloc(void)
+{
+ struct audit_watch *watch;
+
+ watch = kmalloc(sizeof(struct audit_watch), GFP_KERNEL);
+ if (!watch)
+ return NULL;
+
+ watch->name = NULL;
+ watch->fk = NULL;
+
I'd do:
if (watch) {
watch->name = NULL;
watch->fk = NULL;
}
+ return watch;
To get a single point of return. Most places that are leaking would
benefit from this type of coding style.
+}
+
+static void audit_watch_free(struct audit_watch *watch)
+{
+ if (watch) {
+ if (watch->name)
+ kfree(watch->name);
+ if (watch->fk)
+ kfree(watch->fk);
kfree(NULL) is fine.
+ kfree(watch);
+ }
+}
+
+/* audit_create_watch - Add a watch entry to the dentry's parent's
+ * watchlist with the given name and
+ * fk.
+ *
+ * @name - String name (ie: "passwd")
+ * @fk - String fk (ie: "fk_file_passwd")
+ * @parent - The dentry of the inode with relevant
+ * watchlist
+ */
+
+static int
+audit_create_watch(const char *name, const char *fk, struct dentry *parent)
+{
+ struct audit_watch *watch;
+
+ /* FIXME: More appropriate errno for something that already exists? */
+ watch = audit_fetch_watch(name, parent);
+ if (watch)
+ return -EINVAL;
EEXIST? EBUSY?
+
+ if (!parent->d_inode->i_audit) {
+ parent->d_inode->i_audit = audit_inode_alloc();
+ if (!parent->d_inode->i_audit)
+ return -ENOMEM;
+ }
+
+ watch = audit_watch_alloc();
+ if (!watch)
+ return -ENOMEM;
Possible memory leak.
+ watch->name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+ if (!watch->name)
+ return -ENOMEM;
+ watch->fk = kmalloc(strlen(fk) + 1, GFP_KERNEL);
+ if (!watch->fk)
+ return -ENOMEM;
More possible memory leaks.
+ strcpy(watch->name, name);
+ strcpy(watch->fk, fk);
+
+ list_add(&watch->list, &parent->d_inode->i_audit->watchlist);
We won't go into the locking ;-)
+ return 0;
+}
+
+/* audit_destroy_watch - Find the watch entry and then physically
+ * destroy it.
+ *
+ * @name - String name (ie: "passwd")
+ * @parent - The dentry of the inode with relevant
+ * watchlist
+ */
+
+static int audit_destroy_watch(const char *name, struct dentry *parent)
+{
+ struct audit_watch *watch;
+
+ /* FIXME: More appropriate errno for something that does not exist? */
+ watch = audit_fetch_watch(name, parent);
+ if (!watch)
+ return -EINVAL;
-EEXIST?
+
+ list_del_init(&watch->list);
+ audit_watch_free(watch);
+
+ if (!parent->d_inode->i_audit->watch &&
+ list_empty(&parent->d_inode->i_audit->watchlist))
+ audit_inode_free(parent->d_inode);
+
+ return 0;
+}
+
+/* audit_insert_watch - Insert a watch entry for req->name
+ * with req->fk into the filesystem.
+ *
+ * @req - The request originating from userspace.
+ *
+ * (Called by audit_receive_watch())
+ */
+
+static int audit_insert_watch(struct audit_watch_request *req)
+{
+ int ret;
+ char *fk, *path;
+ struct audit_lookup lup;
Why can't you just use nameidata?
+ path = kmalloc(req->pathlen, GFP_KERNEL);
+ if (!path)
+ return -ENOMEM;
+ fk = kmalloc(req->fklen, GFP_KERNEL);
+ if (!fk)
+ return -ENOMEM;
Possible memleak.
+ ret = strncpy_from_user(path, req->path, req->pathlen);
+ if (ret < 0)
+ return ret;
+ ret = strncpy_from_user(fk, req->fk, req->fklen);
+ if (ret < 0)
+ return ret;
req->pathlen is user specified. it can't overflow path, but should
these be checked against valid values, say PATH_MAX?
+ ret = audit_path_lookup(path, &lup);
+ if (ret < 0)
+ goto audit_insert_watch_exit;
+
+ ret = audit_create_watch(lup.name, fk, lup.parent);
+ if (ret < 0)
+ goto audit_insert_watch_exit;
+
+ ret = audit_watch(lup.dentry);
+
+ audit_insert_watch_exit:
CodingStyle, no tab before label.
+ if (lup.parent)
+ dput(lup.parent);
+ if (lup.dentry)
+ dput(lup.dentry);
+ return ret;
Never kfree path, fk, or lup.name.
+}
+
+/* audit_remove_watch - Remove a watch entry for req->name
+ * from the filesystem.
+ *
+ * @req - The request originating from userspace.
+ *
+ * (Called by audit_watch_receive())
+ */
+
+static int audit_remove_watch(struct audit_watch_request *req)
+{
+ int ret;
+ char *path;
+ struct audit_lookup lup;
Why not use nameidata?
+ path = kmalloc(req->pathlen, GFP_KERNEL);
+ if (!path)
+ return -ENOMEM;
getname()?
+ ret = strncpy_from_user(path, req->path, req->pathlen);
+ if (ret < 0)
+ goto audit_remove_watch_exit;
+
+ ret = audit_path_lookup(req->path, &lup);
That's the userspace pointer, should pass path.
+ if (ret < 0)
+ goto audit_remove_watch_exit;
+
+ ret = audit_destroy_watch(lup.name, lup.parent);
+ if (ret < 0)
+ goto audit_remove_watch_exit;
+
+ if (!lup.dentry)
+ goto audit_remove_watch_exit;
+
+ /* Free up inode audit data, if possible */
+ lup.dentry->d_inode->i_audit->watch = NULL;
audit_inode_free() does this too. is this safe? in audit_inode_free
you check against i_audit == NULL.
+ if (list_empty(&lup.dentry->d_inode->i_audit->watchlist))
+ audit_inode_free(lup.dentry->d_inode);
+
+ audit_remove_watch_exit:
CodingStyle, no tab before label.
+ if (lup.parent)
+ dput(lup.parent);
+ if (lup.dentry)
+ dput(lup.dentry);
+ return ret;
You never kfree path or lup.name.
+}
+
+/* Public interface */
+
+struct audit_data *audit_inode_alloc(void)
+{
+ struct audit_data *data;
+
+ data = kmalloc(sizeof(struct audit_data), GFP_KERNEL);
+ if (!data)
+ return NULL;
+
+ data->watch = NULL;
+ INIT_LIST_HEAD(&data->watchlist);
+
+ return data;
+}
+
+void audit_inode_free(struct inode *inode)
+{
+ struct audit_watch *watch, *tmp;
+
+ if (!inode->i_audit)
+ return;
+
+ inode->i_audit->watch = NULL;
+ list_for_each_entry_safe(watch, tmp, &inode->i_audit->watchlist,
+ list) {
+ list_del(&watch->list);
+ audit_watch_free(watch);
+ }
+
+ kfree(inode->i_audit);
+ inode->i_audit = NULL;
+}
+
+/* If child exists in parent's watchlist, the child will point
+ * into the parent's watchlist at its own entry. Otherwise,
+ * it will point to NULL
+ *
+ * Hook appears in: fs/dcache.c:d_instantiate(), d_move(), and d_splice_alias()
+ */
+int audit_watch(struct dentry *dentry)
+{
+ struct audit_watch *watch;
+
+ /* NOTE: Not being watched != error */
+ if (!dentry || !dentry->d_inode)
+ return 0;
+
+ watch = audit_fetch_watch(dentry->d_name.name, dentry->d_parent);
+ if (!watch)
+ return 0;
+
+ /* In the event that we're being watched, but not yet allocated. */
+ if (!dentry->d_inode->i_audit) {
+ dentry->d_inode->i_audit = audit_inode_alloc();
+ if (!dentry->d_inode->i_audit)
+ return -ENOMEM;
+ }
+ dentry->d_inode->i_audit->watch = watch;
+
+ return 0;
+}
+
+/* Called from kernel/audit.c by audit_receive_msg()
+ *
+ * Code path for watch insertions:
+ * audit_receive_watch()->audit_insert_watch()->audit_create_watch()
+ * Code path for watch removals:
+ * audit_receive_watch()->audit_remove_watch()->audit_destroy_watch()
+ *
+ */
+int
+audit_receive_watch(int type, int pid, int uid, int seq,
+ struct audit_watch_request *req)
+{
+ int ret;
+
+ switch (type) {
+ case AUDIT_WATCH_INS:
+ ret = audit_insert_watch(req);
+ break;
+ case AUDIT_WATCH_REM:
+ ret = audit_remove_watch(req);
+ break;
+ default:
+ return -EINVAL;
do you want to reply to userspace here or below on error?
+ }
+
+ /* Need to return something more meaningful to userspace and
+ * update comment that states audit_send_reply is only called
+ * from auditsc.c
+ */
+ if (!ret)
+ audit_send_reply(pid, seq, type, 0, 1, NULL, 0);
+
+ return ret;
+}
diff -Npru linux-2.6.10/kernel/auditsc.c linux-2.6.10-audit/kernel/auditsc.c
--- linux-2.6.10/kernel/auditsc.c 2004-12-24 15:35:24.000000000 -0600
+++ linux-2.6.10-audit/kernel/auditsc.c 2005-01-19 15:39:22.000000000 -0600
@@ -19,6 +19,7 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Written by Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Modified by Timothy R. Chavez <chavezt(a)us.ibm.com>
*
* Many of the ideas implemented here are from Stephen C. Tweedie,
* especially the idea of avoiding a copy by using getname.
@@ -49,6 +50,11 @@
/* No syscall auditing will take place unless audit_enabled != 0. */
extern int audit_enabled;
+/* No syscall will collect information about auditable file/dirs
+ * unless audit_filesystem != 0
+ */
+extern int audit_filesystem;
+
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
* for saving names from getname(). */
#define AUDIT_NAMES 20
@@ -113,6 +119,7 @@ struct audit_context {
uid_t uid, euid, suid, fsuid;
gid_t gid, egid, sgid, fsgid;
unsigned long personality;
+ struct list_head watched; /* The auditable files/dirs accessed */
#if AUDIT_DEBUG
int put_count;
@@ -134,6 +141,22 @@ struct audit_entry {
struct audit_rule rule;
};
+/* The structure that stores information about files/directories being
+ * watched in the filesystem, that the syscall accessed.
+ */
+
+struct audit_file {
+ char *name;
+ char *fk;
+ unsigned long ino;
+ umode_t mode;
+ uid_t uid;
+ gid_t gid;
+ dev_t rdev;
+ int mask;
+ struct list_head list;
+};
+
/* Check to see if two rules are identical. It is called from
* audit_del_rule during AUDIT_DEL. */
static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
@@ -506,6 +529,44 @@ static inline void audit_free_names(stru
context->name_count = 0;
}
+static struct audit_file *audit_file_alloc(void)
+{
+ struct audit_file *file;
+
+ file = kmalloc(sizeof(struct audit_file), GFP_KERNEL);
+ if (!file)
+ return NULL;
+
+ file->name = NULL;
+ file->fk = NULL;
+
+ return file;
single point of return.
+}
+
+static void audit_file_free(struct audit_file *file)
+{
+ if (file) {
+ if (file->name)
+ kfree(file->name);
+ if (file->fk)
+ kfree(file->fk);
kfree(NULL) ok.
+ kfree(file);
+ }
+}
+
+static inline void audit_free_files(struct audit_context *context)
+{
+ struct audit_file *file, *tmp;
+
+ if (!audit_filesystem)
+ return;
I don't think that's right. If it was dynamically turned off (after
fixme is fixed) then this could leak some already created audit_files,
right?
+
+ list_for_each_entry_safe(file, tmp, &context->watched, list) {
+ list_del(&file->list);
+ audit_file_free(file);
+ }
+}
+
static inline void audit_zero_context(struct audit_context *context,
enum audit_state state)
{
@@ -514,6 +575,7 @@ static inline void audit_zero_context(st
memset(context, 0, sizeof(*context));
context->state = state;
context->loginuid = loginuid;
+ INIT_LIST_HEAD(&context->watched);
}
static inline struct audit_context *audit_alloc_context(enum audit_state state)
@@ -572,6 +634,7 @@ static inline void audit_free_context(st
context->name_count, count);
}
audit_free_names(context);
+ audit_free_files(context);
kfree(context);
context = previous;
} while (context);
@@ -582,6 +645,7 @@ static inline void audit_free_context(st
static void audit_log_exit(struct audit_context *context)
{
int i;
+ struct audit_file *file;
struct audit_buffer *ab;
ab = audit_log_start(context);
@@ -628,6 +692,24 @@ static void audit_log_exit(struct audit_
MINOR(context->names[i].rdev));
audit_log_end(ab);
}
+
+ if (!audit_filesystem)
+ return;
+ list_for_each_entry(file, &context->watched, list) {
+ ab = audit_log_start(context);
+ if (!ab)
+ continue;
+
+ /* Do we need more information? */
+ audit_log_format(ab,
+ "name=%s filter_key=%s inode=%lu inode_mode=%d "
+ "inode_uid=%d inode_gid=%d inode_dev=%02x:%02x "
+ "mask=%d",
+ file->name, file->fk, file->ino, file->mode,
+ file->uid, file->gid, MAJOR(file->rdev),
+ MINOR(file->rdev), file->mask);
+ audit_log_end(ab);
+ }
}
/* Free a per-task audit context. Called from copy_process and
@@ -791,6 +873,7 @@ void audit_syscall_exit(struct task_stru
tsk->audit_context = new_context;
} else {
audit_free_names(context);
+ audit_free_files(context);
audit_zero_context(context, context->state);
tsk->audit_context = context;
}
@@ -914,3 +997,58 @@ int audit_set_loginuid(struct audit_cont
}
return 0;
}
+
+/* If file/dir has an audit_context and has filesystem auditing
+ * turned on, then if this inode is being watched, collect info
+ * about it.
+ *
+ * Hook located in: fs/namie.c:permission()
+ */
+
+int audit_notify_watch(struct task_struct *task, struct inode *inode,
+ int mask)
+{
+ struct audit_context *context;
+ struct audit_file *file;
+
+ context = current->audit_context;
Technically, this is a bug. You pass the task, but use current.
Luckily, this only appears to be called in current context.
+ /* Do we have a context and are we in a syscall? */
+ if (!context || !context->in_syscall)
+ return 0;
+
+ /* Do we care about file system auditing? */
+ if (!audit_filesystem)
+ return 0;
+
+ /* Are we being watched? */
+ if (!inode->i_audit || !inode->i_audit->watch)
+ return 0;
+
+ file = audit_file_alloc();
+ if (!file)
+ return -ENOMEM;
+
+ file->name = kmalloc(strlen(inode->i_audit->watch->name) + 1,
+ GFP_KERNEL);
+ if (!file->name)
+ return -ENOMEM;
+
+ file->fk = kmalloc(strlen(inode->i_audit->watch->fk) + 1,
+ GFP_KERNEL);
+ if (!file->fk)
+ return -ENOMEM;
Anyway to avoid these extra allocations (which leak on failure paths ;-)?
Like refcount the watch struct and pass that along? Ditto for the inode
data.
+ strcpy(file->name, inode->i_audit->watch->name);
+ strcpy(file->fk, inode->i_audit->watch->fk);
+ file->ino = inode->i_ino;
+ file->uid = inode->i_uid;
+ file->gid = inode->i_gid;
+ file->rdev = inode->i_rdev;
+ file->mask = mask;
+
+ list_add(&file->list, &task->audit_context->watched);
+
+ return 0;
+}
+
9:50 a.m.
On Thu, 2005-01-20 at 19:20 -0800, Chris Wright wrote:
> * Add RCU locking in the appropriate places to make SMP-safe
Is RCU a requirement, or just some real locking?
rwlocking should suffice for now, but eventually a spinlock to prevent
concurrent writers and rcu to prevent deletion of a watch entry while
another process is using it seems ideal.
Given his ambitious goals of doing locking overnight, I think rwlocks
are the way to go for now :)
Seems intuitively useful to at least be able to watch a file
regardless
of who touched it, or what syscall was used. I think you'd especially
want to know if you had some non uid=0 process that wrote to a sensitive
file abusing it's CAP_DAC_OVERRIDE privilege for example.
Perhaps we should print out current->cap_effective? Or is that
overkill? Or perhaps an actual "security_identify_process(task, buf,
len)" hook would be useful, where commoncap could print out the
capabilities, and selinux could print out the context. Maybe that's
closer to debug info...
> * Add/remove unnecessary information about the file or directory
being
> collected in the audit context. Input on this?
I missed which parts are unnecessary?
It sounds like he's worried about the 7 line audit_log_format line he
has, but I think that's all good info.
How do people feel about the general approach and limitations? For
instance, you can't ask to watch /etc/passwd if /etc does not yet
exist, or, if you ask to watch /etc/passwd, then mount another fs
over /etc, you quietly lose that watch entry. (Tim: please correct me
if I'm wrong) The alternative, however, is to deal with deeper
pathnames in the kernel, which is always frowned upon. Are we satisfied
with saying that 'mount' could be modified in userspace to do the right
thing in recreating watch entries? Perhaps we could even use inotify +
a userspace daemon for the mkdir /etc case, to create new audit entries
based on some config file. This goes beyond CAPP requirements (else
inotify would not suffice), and into what seems to me to be real world
usefulness.
-serge
10:15 a.m.
On Friday 21 January 2005 10:50, Serge Hallyn wrote:
Perhaps we should print out current->cap_effective? Or is that
overkill? Or perhaps an actual "security_identify_process(task, buf,
len)" hook would be useful, where commoncap could print out the
capabilities, and selinux could print out the context. Maybe that's
closer to debug info...
Based on previous discussions, I think this would be required for LSPP. If we
are going for LSPP after meeting CAPP, it wouldn't be bad to start getting
some things in place.
It sounds like he's worried about the 7 line audit_log_format
line he
has, but I think that's all good info.
I think I'd like to make a change to the way that the kernel sends netlink
packets. It would be far more efficient for log_end to send multiple records
in 1 packet instead of 7 separate packets. Especially if the admin has
configured for full sync writing.
Are we satisfied with saying that 'mount' could be modified
in
userspace to do the right thing in recreating watch entries?
I don't think we can/should touch mount.
Perhaps we could even use inotify + a userspace daemon for the mkdir
/etc case, to create new audit entries based on some config file.
The audit daemon could be made to handle this. We just select on 2 different
descriptors & process accordingly. That is, if we need to do this...
-Steve
7:19 p.m.
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
Based on previous discussions, I think this would be
required for LSPP. If we
are going for LSPP after meeting CAPP, it wouldn't
be bad to start getting
some things in place.
Capabilties are fun in a CAPP environment, too.
The Irix CAPP system (for example) uses
capabilities and yes, they go in the audit trail
along with an indication of which capabilities were
required to perform the action, if any.
This is probably a bit late in the discussion,
but have y'all considered using a tokenized audit
record format? If you did you wouldn't have to
care if any given bit of information was there
just yet, or allocate a place for things that
might or might not be there someday. Both Solaris
and Irix use tokenized schemes to effect.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
7:33 p.m.
* Casey Schaufler (casey(a)schaufler-ca.com) wrote:
This is probably a bit late in the discussion,
but have y'all considered using a tokenized audit
record format? If you did you wouldn't have to
care if any given bit of information was there
just yet, or allocate a place for things that
might or might not be there someday. Both Solaris
and Irix use tokenized schemes to effect.
You mean BSM format? Yes, I think Serge and I talked about it briefly
a few months ago. The current method is tokenized and reasonably
extensible. It's not quite record+tokens like BSM, but there's an initial
record that tells you how many ancillary records (items) to expect.
And each record is made up primarily of token=value pairs. I think
we should provide what makes sense, and do any BSM type translation
in userspace. But having _some_ BSM compatibility would be wise, since
that's what many tools deal with.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
9:49 p.m.
--- Chris Wright <chrisw(a)osdl.org> wrote:
You mean BSM format?
BSM is one example. Irix is another. They're
both based on a proposal presented to the POSIX
group by one W. Olin Sibert.
Yes, I think Serge and I
talked about it briefly
a few months ago. The current method is tokenized
and reasonably
extensible. It's not quite record+tokens like BSM,
but there's an initial
record that tells you how many ancillary records
(items) to expect.
This self describing behavior is what's important.
It allows you to throw in additional process and
file attributes (e.g. MAC labels, ACLs) as
necessary.
And each record is made up primarily of token=value
pairs.
Very good. If you document the legitimate tokens
and they kind of information in the value you're
a long way toward a useful audit system.
I think
we should provide what makes sense, and do any BSM
type translation
in userspace.
A reasonable option. That's how SGI dealt with
a major overhaul to the audit format in Irix6.5
But having _some_ BSM compatibility
would be wise, since
that's what many tools deal with.
At least a description of what's in the records
and tokens to make it easy for an individual who
is inclined to attempt such a translation is in
order.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail
9:51 a.m.
On Friday 21 January 2005 20:33, Chris Wright wrote:
I think we should provide what makes sense, and do any BSM type
translation in userspace. But having _some_ BSM compatibility
would be wise, since that's what many tools deal with.
I'd be happy to merge this into auditd. Send the patch to me or this mail
list.
-Steve Grubb
9:43 a.m.
On Friday 21 January 2005 20:19, Casey Schaufler wrote:
The Irix CAPP system (for example) uses
capabilities and yes, they go in the audit trail
along with an indication of which capabilities were
required to perform the action, if any.
Which capabilities? The capabilities of the process or the capability required
to successfully make the syscall? This would likely add a lot of text to the
message the kernel sends. I would have to say we can't do this unless there
is a certification requirement that we are trying to meet. Even then, maybe
something that's a bitmap might be all we can do.
This is probably a bit late in the discussion,
but have y'all considered using a tokenized audit
record format?
Yes. The audit program has a format_type configuration option so these can be
written. Send the patch to me or this mail list against the latest audit
daemon code.
-Steve Grubb
10:29 a.m.
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday 21 January 2005 20:19, Casey Schaufler
wrote:
> The Irix CAPP system (for example) uses
> capabilities and yes, they go in the audit trail
> along with an indication of which capabilities
were
> required to perform the action, if any.
Which capabilities?
- The process capability set
- The set of capabilties that were
actually required
- In Irix you can get privilege by
either having the capabilty or by
being root. If you got privilege
not because you have the capability
but because you're root that is
indicated as well.
- If you don't get access the capabilty
that was checked that failed is noted.
The capabilities of the process
or the capability required
to successfully make the syscall? This would likely
add a lot of text to the
message the kernel sends.
Yes, it does. On the other hand, it allows you
to identify and filter based on the capability
involved. This is very important in an LSPP
system, where it is very important to keep an
eye on MAC violations.
I would have to say we
can't do this unless there
is a certification requirement that we are trying to
meet. Even then, maybe
something that's a bitmap might be all we can do.
A bitmap would suffice, although it might not be
very convinient.
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format?
Yes. The audit program has a format_type
configuration option so these can be
written. Send the patch to me or this mail list
against the latest audit
daemon code.
Hum. I'll have to see what I can do.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - Easier than ever with enhanced search. Learn more.
http://info.mail.yahoo.com/mail_250
10:48 a.m.
On Monday 24 January 2005 11:29, Casey Schaufler wrote:
> Which capabilities?
- The process capability set
- The set of capabilties that were
actually required
Both? The capabilities required should be cast in concrete and not
configurable. Not sure what value this adds other than a convenience.
- In Irix you can get privilege by
either having the capabilty or by
being root. If you got privilege
not because you have the capability
but because you're root that is
indicated as well.
In linux you can be root and not able to add capabilities or lose capabilities
since you gave up that capability. So, I'm not sure if this is useful in this
situation.
> Yes. The audit program has a format_type
> configuration option so these can be
> written. Send the patch to me or this mail list
> against the latest audit
> daemon code.
Hum. I'll have to see what I can do.
Just write a function similar to format_raw in lib/libaudit.c. Around line 199
in src/auditd-event.c is a switch statement & LF_RAW case. Just add another
case to call your formatting function. The formatting function should malloc
& write to a buffer that the caller will free later. That's all there is to
it.
-Steve
10:57 a.m.
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday 24 January 2005 11:29, Casey Schaufler
wrote:
> > Which capabilities?
>
> � � - The process capability set
> � � - The set of capabilties that were
> � � � actually required
Both? The capabilities required should be cast in
concrete and not
configurable. Not sure what value this adds other
than a convenience.
If I have 6 capabilities but only need one
of them to perform an action the process list
does not identify the policy that is being
overridden. If I need 2 capabilities but only
have one, the one that I don't have but needed
needs to be pointed out. The capabilities
required to perform an action will not be
sent in concrete. For example, accessing
/a/file may require different capabilities
depending on the mode of /a.
In linux you can be root and not able to add
capabilities or lose capabilities
since you gave up that capability. So, I'm not sure
if this is useful in this
situation.
You're probably right.
> > Yes. The audit program has a format_type
> > configuration option so these can be
> > written. Send the patch to me or this mail list
> > against the latest audit
> > daemon code.
>
> Hum. I'll have to see what I can do.
Just write a function similar to format_raw in
lib/libaudit.c. Around line 199
in src/auditd-event.c is a switch statement & LF_RAW
case. Just add another
case to call your formatting function. The
formatting function should malloc
& write to a buffer that the caller will free later.
That's all there is to
it.
Thank you.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Meet the all-new My Yahoo! - Try it today!
http://my.yahoo.com
12:29 p.m.
On Monday 24 January 2005 11:57, Casey Schaufler wrote:
If I have 6 capabilities but only need one
of them to perform an action the process list
does not identify the policy that is being
overridden.
Maybe this is a wording issue. In Linux, you start with capabilities and lose
them. You cannot override.
If I need 2 capabilities but only
have one, the one that I don't have but needed
needs to be pointed out.
I can see this being useful when writing software, but production systems
should have the capabilities set correctly at installation.
The capabilities required to perform an action will not
be sent in concrete. For example, accessing
/a/file may require different capabilities depending on
the mode of /a.
We are talking about posix capabilities, right? They are bound to a process
and enforced on a syscall by the kernel. That *is* cast in concrete unless
you hack the kernel sources.
-Steve
12:40 p.m.
* Steve Grubb (sgrubb(a)redhat.com) wrote:
On Monday 24 January 2005 11:57, Casey Schaufler wrote:
> If I have 6 capabilities but only need one
> of them to perform an action the process list
> does not identify the policy that is being
> overridden.
Maybe this is a wording issue. In Linux, you start with capabilities and lose
them. You cannot override.
Yeah, that's _mostly_ true. You have multiple sets. The effective set
is what is checked against. But the permitted set may be larger than the
effective set, in which case you could raise caps if you've momentarily
dropped one. Granted, not much of this is ever used.
> If I need 2 capabilities but only
> have one, the one that I don't have but needed
> needs to be pointed out.
I can see this being useful when writing software, but production systems
should have the capabilities set correctly at installation.
Yes, it's critical during developement and QA. Of course, you can
always get something to say directly...$pid wanted $cap. SELinux does
this now, for example. Didn't think it was needed for something like
CAPP compliant audit records though.
> The capabilities required to perform an action will not
> be sent in concrete. For example, accessing
> /a/file may require different capabilities depending on
> the mode of /a.
We are talking about posix capabilities, right? They are bound to a process
and enforced on a syscall by the kernel. That *is* cast in concrete unless
you hack the kernel sources.
Well, something like chmod -w file, will make a difference. I assume
that's what Casey's getting at.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
1:26 p.m.
--- Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday 24 January 2005 11:57, Casey Schaufler
wrote:
> If I have 6 capabilities but only need one
> of them to perform an action the process list
> does not identify the policy that is being
> overridden.
Maybe this is a wording issue. In Linux, you start
with capabilities and lose
them. You cannot override.
A posix capability gives the process the privilege
to override a system policy. A process with
CAP_DAC_READ in its effective set can override
the system DAC policy.
> If I need 2 capabilities but only
> have one, the one that I don't have but needed
> needs to be pointed out.
I can see this being useful when writing software,
but production systems
should have the capabilities set correctly at
installation.
If everything could be counted on to work just
right then we wouldn't need an audit trail.
> The capabilities required to perform an action
will not
> be sent in concrete. For example, accessing
> /a/file may require different capabilities
depending on
> the mode of /a.
We are talking about posix capabilities, right?
Oh my, yes.
They are bound to a process
and enforced on a syscall by the kernel. That *is*
cast in concrete unless
you hack the kernel sources.
Yes. A syscall (e.g. open) may require more
than one capability, depending on the objects
involved and their security attributes. Or they
may require none. Whatever the case, the audit
record needs to indicate which of three statements
are true:
- The action succeeded without use of privilege
- The action succeeded, but only because it had
some set of capabilities.
- The action failed, but would have succeeded
had it had some set of capabilities.
In either of the last two cases the capabilities
that were checked must be reported, at least
according to the evaluation team I dealt with.
Note that "the action failed, but not because
of the absence of capabilities" is not on the list.
This is the case that does not have to be audited.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250
10:37 a.m.
Serge Hallyn wrote:
Perhaps we should print out current->cap_effective? Or is that
overkill? Or perhaps an actual "security_identify_process(task, buf,
len)" hook would be useful, where commoncap could print out the
capabilities, and selinux could print out the context. Maybe that's
closer to debug info...
This hook, and a similar security_identify_inode(...), hook will be necessary
for an LSM to go through a LSPP evaluation. The label information is required
to be included in the audit record for all subjects/objects/information involved
in the event. I have a quick-and-dirty patch that implemented this
functionality. Note that this patch uses pre-allocated 1K buffers (limits info
and sucks up a lot of memory). A proper memory allocation scheme needs to be
worked up and the patch probably needs to be rebased to newer code. I planned
on getting back to this in the near future. If someone else is working on this
functionality, please let me know, otherwise I can bump this up on my TODO list.
This patch also includes uid/gid/mode for filesystem objects. I felt that this
was a needed addition to determine the cause of filesystem related denials. Do
others agree with this addition to the records, and is there anything else that
we could possibly want?
--
Darrel
11:15 a.m.
[much easier to comment on patches if they are inline, and shorter lines
to keep linewrap down]
* Darrel Goeddel (dgoeddel(a)trustedcs.com) wrote:
Serge Hallyn wrote:
> Perhaps we should print out current->cap_effective? Or is that
> overkill? Or perhaps an actual "security_identify_process(task, buf,
> len)" hook would be useful, where commoncap could print out the
> capabilities, and selinux could print out the context. Maybe that's
> closer to debug info...
>
This hook, and a similar security_identify_inode(...), hook will be necessary
for an LSM to go through a LSPP evaluation. The label information is required
to be included in the audit record for all subjects/objects/information involved
in the event. I have a quick-and-dirty patch that implemented this
functionality. Note that this patch uses pre-allocated 1K buffers (limits info
and sucks up a lot of memory). A proper memory allocation scheme needs to be
worked up and the patch probably needs to be rebased to newer code. I planned
on getting back to this in the near future. If someone else is working on this
functionality, please let me know, otherwise I can bump this up on my TODO list.
This patch also includes uid/gid/mode for filesystem objects. I felt that this
was a needed addition to determine the cause of filesystem related denials. Do
others agree with this addition to the records, and is there anything else that
we could possibly want?
This would be redundant to the audit info that Tim's trying to push out.
Security label should stand alone, and be a simple string.
- nd->dentry->d_inode->i_ino,
- nd->dentry->d_inode->i_rdev);
+ audit_inode(name, nd->dentry->d_inode);
Makes sense. But this is only for path lookup. Doesn't account, for
example, for the audit msg partway through failed path resolution --
failed for security reason, for example.
return retval;
}
Index: include/linux/audit.h
===================================================================
RCS file: /source/cvsroots/fedora-cd/fedora-cd/src/linux-2.6/include/linux/audit.h,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 audit.h
--- include/linux/audit.h 26 May 2004 18:05:58 -0000 1.1.1.1
+++ include/linux/audit.h 12 Jan 2005 19:48:40 -0000
@@ -147,7 +147,9 @@ extern void audit_syscall_entry(struct t
extern void audit_syscall_exit(struct task_struct *task, int return_code);
extern void audit_getname(const char *name);
extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+
+struct inode;
+extern void audit_inode(const char *name, struct inode *inode);
/* Private API (for audit.c only) */
extern int audit_receive_filter(int type, int pid, int uid, int seq,
@@ -162,7 +164,7 @@ extern int audit_set_loginuid(struct au
#define audit_syscall_exit(t,r) do { ; } while (0)
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
-#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_inode(n,i) do { ; } while (0)
#endif
#ifdef CONFIG_AUDIT
Index: include/linux/security.h
===================================================================
RCS file: /source/cvsroots/fedora-cd/fedora-cd/src/linux-2.6/include/linux/security.h,v
retrieving revision 1.35
diff -u -p -r1.35 security.h
--- include/linux/security.h 11 Jan 2005 19:10:15 -0000 1.35
+++ include/linux/security.h 12 Jan 2005 19:48:40 -0000
@@ -413,6 +413,11 @@ struct open_request;
* is specified by @buffer_size. @buffer may be NULL to request
* the size of the buffer required.
* Returns number of bytes used/required on success.
+ * @inode_audit_augment:
+ * Copy a NULL terminated string representing @inode's security relevant
+ * data into @buffer. @buffer_size is the size of buffer that is being
+ * written to. You only have this much space and this call can not return
+ * an error, so manage the space wisely...
*
* Security hooks for file operations
*
@@ -632,6 +637,11 @@ struct open_request;
* security attributes, e.g. for /proc/pid inodes.
* @p contains the task_struct for the task.
* @inode contains the inode structure for the inode.
+ * @task_audit_augment:
+ * Copy a NULL terminated string representing @p's security relevant
+ * data into @buffer. @buffer_size is the size of buffer that is being
+ * written to. You only have this much space and this call can not return
+ * an error, so manage the space wisely...
This should simply get back a char*, and the caller is responsible for
freeing, or something like that. Also, this is needed for _every_ label,
not just inode and task. SELinux already has this function internally,
see getprocattr->security_sid_to_context. Perhaps a better solution is
to make the name be part of a label.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
11:57 a.m.
Hello,
Sorry for my recent inactivity, I've been consumed with fixing up all
the memory leaks / removing unnecessary code, adding the watch
reference counting, etc.
Thanks Chris and David for all the great feedback.
Anyway, if we want to make this thing dynamic so that we can add watch
points to paths that partially exist or do not exist at all and be
able to remap on new mounts, it's going to take quite a rework and the
reintroduction of something like Serge's mapnode data structure. Do
we want to shift directions again? All this oscillating between
requirements is starting to give me gray hair and I'm only 23 :( JK,
but seriously, can we converge on something :)?
Back to the grind stone.
--
- Timothy R. Chavez
12:29 p.m.
* Timothy R. Chavez (chavezt(a)gmail.com) wrote:
Anyway, if we want to make this thing dynamic so that we can add
watch
points to paths that partially exist or do not exist at all and be
able to remap on new mounts, it's going to take quite a rework and the
reintroduction of something like Serge's mapnode data structure. Do
we want to shift directions again? All this oscillating between
requirements is starting to give me gray hair and I'm only 23 :( JK,
but seriously, can we converge on something :)?
There's two primary issues.
1) Make sure it satisfies basic CAPP requirements (I expect the dynamic
issue could be handled w/in CAPP by simply documenting for the admin
that mounts after audit is started aren't allowed). Of course, as
mentioned earlier, while we're here, might as well look out for LSPP,
but the audit requirements aren't that much different to my recollection,
just need to spit out labels...
2) Make the patch sane and mergeable. This could mean a bit of
oscialltion until the cleanest approach falls out. And may mean making
things sane compared with CAPP.
Now for updates, I think you'll need to keep watch of the whole tree,
mount issues aside. For example, I believe that right now the following
could fall off of the radar:
# mv /etc /tmp
# mkdir /etc
# cp /tmp/evil_shadow /etc/shadow
I think this would kill /etc dir watchpoints, and /etc/shadow would no
longer be watched, while /tmp/etc/shadow is diligently watched.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
1:41 p.m.
On Fri, Jan 21, 2005 at 10:29:47AM -0800, Chris Wright wrote:
Now for updates, I think you'll need to keep watch of the whole
tree,
mount issues aside. For example, I believe that right now the following
could fall off of the radar:
# mv /etc /tmp
# mkdir /etc
# cp /tmp/evil_shadow /etc/shadow
I think this would kill /etc dir watchpoints, and /etc/shadow would no
longer be watched, while /tmp/etc/shadow is diligently watched.
This type of thing is not a concern for CAPP and LSPP, since
administrators are still assumed to be trustworthy, and ordinary users
can't do that kind of thing. I'm not convinced that it's a real concern
in practical use either - an audit subsystem that could cope with
malicious administrators reliably would need to be designed differently.
I guess it would be possible to set up a watch list on "/" to monitor
renames/recreation of /etc though, which would at least give admins the
chance to notice this kind of thing happening.
-Klaus
1:49 p.m.
* Klaus Weidner (klaus(a)atsec.com) wrote:
This type of thing is not a concern for CAPP and LSPP, since
administrators are still assumed to be trustworthy, and ordinary users
can't do that kind of thing. I'm not convinced that it's a real concern
in practical use either - an audit subsystem that could cope with
malicious administrators reliably would need to be designed differently.
Yes, that's the same conversation I was having with Tim. That will take
any mount issues off the table, as they are identical.
I guess it would be possible to set up a watch list on "/"
to monitor
renames/recreation of /etc though, which would at least give admins the
chance to notice this kind of thing happening.
Right, that's what I meant by watching the whole tree.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
2:05 p.m.
On Fri, 2005-01-21 at 11:57 -0600, Timothy R. Chavez wrote:
Hello,
Sorry for my recent inactivity, I've been consumed with fixing up all
the memory leaks / removing unnecessary code, adding the watch
reference counting, etc.
Thanks Chris and David for all the great feedback.
Anyway, if we want to make this thing dynamic so that we can add watch
points to paths that partially exist or do not exist at all and be
able to remap on new mounts, it's going to take quite a rework and the
reintroduction of something like Serge's mapnode data structure.
No, I think we're talking about a user-space solution to the more
dynamic stuff. That shouldn't affect your kernel patch at all, right?\
I don't think doing it in the kernel would be upstreamable.
--
Serge Hallyn <serue(a)us.ibm.com>
7:12 p.m.
--- Darrel Goeddel <dgoeddel(a)trustedcs.com> wrote:
This patch also includes uid/gid/mode for filesystem
objects. I felt that this
was a needed addition to determine the cause of
filesystem related denials. Do
others agree with this addition to the records, and
is there anything else that
we could possibly want?
ACL?
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail
10:48 a.m.
* Serge Hallyn (serue(a)us.ibm.com) wrote:
On Thu, 2005-01-20 at 19:20 -0800, Chris Wright wrote:
> > * Add RCU locking in the appropriate places to make SMP-safe
>
> Is RCU a requirement, or just some real locking?
rwlocking should suffice for now, but eventually a spinlock to prevent
concurrent writers and rcu to prevent deletion of a watch entry while
another process is using it seems ideal.
Yeah, guess that's a job for benchmarking.
> Seems intuitively useful to at least be able to watch a file
regardless
> of who touched it, or what syscall was used. I think you'd especially
> want to know if you had some non uid=0 process that wrote to a sensitive
> file abusing it's CAP_DAC_OVERRIDE privilege for example.
Perhaps we should print out current->cap_effective? Or is that
overkill? Or perhaps an actual "security_identify_process(task, buf,
len)" hook would be useful, where commoncap could print out the
capabilities, and selinux could print out the context. Maybe that's
closer to debug info...
I agree with Steve, I think that LSPP would require security labels in
audit message.
> > * Add/remove unnecessary information about the file or
directory being
> > collected in the audit context. Input on this?
>
> I missed which parts are unnecessary?
It sounds like he's worried about the 7 line audit_log_format line he
has, but I think that's all good info.
I think you'll get interesting output with hardlinks. As in the path
used to establish the watchpoint to the inode, not the path used to
access the inode.
How do people feel about the general approach and limitations? For
instance, you can't ask to watch /etc/passwd if /etc does not yet
exist, or, if you ask to watch /etc/passwd, then mount another fs
over /etc, you quietly lose that watch entry.
Yes, so you'd either have to maintain watchlists all the way back to /,
and rebuild or keep this type of updating done in userspace. The latter
will be lossy. Also, you don't quite lose the watch entry, you should
keep it for the underlying /etc/passwd, which some apps may be using.
For example, one method of containment is to do bind mounts into a
private namespace. So mount --bind /dev/null /etc/passwd for some
contained process, access to /etc/passwd is pretty unintersting unless
it's the real underlying inode.
(Tim: please correct me
if I'm wrong) The alternative, however, is to deal with deeper
pathnames in the kernel, which is always frowned upon. Are we satisfied
with saying that 'mount' could be modified in userspace to do the right
thing in recreating watch entries?
I don't think we want to dig into pathnames. Mount could be modified,
but it'd have to be after the mount succeeded, so might as well use
notification.
Perhaps we could even use inotify +
a userspace daemon for the mkdir /etc case, to create new audit entries
based on some config file. This goes beyond CAPP requirements (else
inotify would not suffice), and into what seems to me to be real world
usefulness.
Speaking of inotify, what happened to trying to have some similar
mechanism? It'd be nice for audit to open an event channel that's fed
by a common mechanism to inotify.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
7271
days inactive
7276
days old
linux-audit@lists.linux-audit.osci.io
30 comments
8 participants
participants (8)
-
Casey Schaufler -
Chris Wright -
Darrel Goeddel -
David Woodhouse -
Klaus Weidner -
Serge Hallyn -
Steve Grubb -
Timothy R. Chavez