10:42 a.m.
Hello,
New patch.
DONE:
- Prelim userspace patch to audit-0.6.2 (I will port this to 0.6.3
soon) to compliment Patch #4 (unavailable for public release at this
time). More work needs to be done in this area at a later date
(cleanup, man page, etc).
- Support for filtering out watches that are accessed in a way we do
not care about during syscall execution (ie: we only want to receive
audit records for /etc/passwd if we MAY_WRITE on it)
- Support for enabling / disabling filesystem auditing from userspace
(ie: auditctl)
- Refined logic that asserts priority. In general, objects being
watched will never be overwritten with a new watch. If the object is
unwatched and another watch is available, it will take on that watch.
- Added the notion of a "valid" and "invalid" watchlist entry.
- More structure to the overall system
* Refined core structs
* Added more helper functions
* Reduced redundant code
- Put protections around user space input.
- Correctly handle the filterkey field of the user space message
* Also allows for sending the same struct back to userspace
- Hooks in vfs_read/write/unlink (please look closely here). The rule
of thumb I went off of is: I can call my hook iff I have an inode and
I'm NOT hooking lookup_hash *nudge Stephen* :)
- Cleanup of some of the public functions / macro pairs.
- Some minor odds and ends
WHAT'S LEFT:
- Final feature to list all the current (valid) watches in the system
- Fix bug introduced by new logic. We are not able to print all
watched components in a path in a specific scenario due to the added
logic.
- Change wentry->w_watched to wentry->w_valid..... I found out the
hard way that wentry->w_watch and wentry->w_watched are too similar
:-)
- Write prelim design document
- Comment my code better
- Fix any remaining Patch #4 bugs
- Fix the inode bug in original code where the reported inode is
incorrect for unlink()s (it's the parent's inode)
- Oh and cleanup some more redundant code with watch removal from a watchlist
I hope Patch #5 is quick (by the end of this week) and will be the one
we bring to Al Viro next week? If you could please give this a quick
look over and raise flags / issues / nits, I'd really really
appreciate it. The positioning of my new hooks could be bad, please
let me know. I'm on 3 hours of sleep.
Three hooks for dynamically assigning watches:
d_splice_alias, d_move, d_instantiate
Five hooks for dynamically adding watches to our context:
permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink
I'm sending this to the internal list today to get some more eyes to
review (I hope)
--
- Timothy R. Chavez
2:07 p.m.
On Tue, 2005-02-22 at 10:42 -0600, Timothy R. Chavez wrote:
Three hooks for dynamically assigning watches:
d_splice_alias, d_move, d_instantiate
Five hooks for dynamically adding watches to our context:
permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink
I'm a little unclear on what the hook call in vfs_unlink is buying you
if it is only passing the dir (not the dentry). vfs_unlink already
calls may_delete() and ultimately passes the dir to a permission() call
to check write and search access to the parent directory, so your hook
in permission() will cover the attempt to access it. Don't you want to
pass the dentry here instead? And won't there be similar issues for
vfs_rmdir?
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
2:57 p.m.
On Tue, 22 Feb 2005 15:07:59 -0500, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
On Tue, 2005-02-22 at 10:42 -0600, Timothy R. Chavez wrote:
> Three hooks for dynamically assigning watches:
> d_splice_alias, d_move, d_instantiate
>
> Five hooks for dynamically adding watches to our context:
> permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink
I'm a little unclear on what the hook call in vfs_unlink is buying you
if it is only passing the dir (not the dentry). vfs_unlink already
calls may_delete() and ultimately passes the dir to a permission() call
to check write and search access to the parent directory, so your hook
in permission() will cover the attempt to access it. Don't you want to
pass the dentry here instead? And won't there be similar issues for
vfs_rmdir?
Right, i need to pass the dentry->d_inode, my mistake. Thanks
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
--
- Timothy R. Chavez
7242
days inactive
7242
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Stephen Smalley -
Timothy R. Chavez