3:43 p.m.
audit: add additional audit info (read/write length & rng name) for RNG devices
Add /dev/[u]random auditing
Patch to enhance auditing of user visible random number generators. Allows us to
determine how many bytes of random data were obtained on each read from an RNG
device
Signed-off-by: Neil Horman <nhorman(a)tuxdriver.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
drivers/char/random.c | 18 +++++++++++++++---
include/linux/audit.h | 11 +++++++++++
kernel/auditsc.c | 29 +++++++++++++++++++++++++++++
3 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 5a1aa64..94ee4a6 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -241,6 +241,7 @@
#include <linux/percpu.h>
#include <linux/cryptohash.h>
#include <linux/fips.h>
+#include <linux/audit.h>
#ifdef CONFIG_GENERIC_HARDIRQS
# include <linux/irq.h>
@@ -1000,7 +1001,7 @@ random_read(struct file *file, char __user *buf, size_t nbytes,
loff_t *ppos)
ssize_t n, retval = 0, count = 0;
if (nbytes == 0)
- return 0;
+ goto out;
while (nbytes > 0) {
n = nbytes;
@@ -1047,13 +1048,22 @@ random_read(struct file *file, char __user *buf, size_t nbytes,
loff_t *ppos)
/* like a named pipe */
}
+out:
+ audit_rng("random", count);
return (count ? count : retval);
}
static ssize_t
urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
{
- return extract_entropy_user(&nonblocking_pool, buf, nbytes);
+ ssize_t count;
+
+ count = extract_entropy_user(&nonblocking_pool, buf, nbytes);
+
+ if (count >= 0)
+ audit_rng("urandom", count);
+
+ return count;
}
static unsigned int
@@ -1101,10 +1111,12 @@ static ssize_t random_write(struct file *file, const char __user
*buffer,
ret = write_pool(&blocking_pool, buffer, count);
if (ret)
return ret;
+ audit_rng("random", count);
+
ret = write_pool(&nonblocking_pool, buffer, count);
if (ret)
return ret;
-
+ audit_rng("urandom", count);
return (ssize_t)count;
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8b5c062..2f90d9e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -123,6 +123,8 @@
#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
+#define AUDIT_RNG 1601 /* usage of /dev/random and /dev/urandom */
+
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
@@ -428,6 +430,7 @@ extern void __audit_inode(const char *name, const struct dentry
*dentry);
extern void __audit_inode_child(const struct dentry *dentry,
const struct inode *parent);
extern void __audit_ptrace(struct task_struct *t);
+extern int __audit_rng(const char *name, size_t len);
static inline int audit_dummy_context(void)
{
@@ -456,6 +459,13 @@ static inline void audit_ptrace(struct task_struct *t)
__audit_ptrace(t);
}
+static inline int audit_rng(const char *name, size_t len)
+{
+ if (likely(audit_dummy_context()))
+ return 0;
+ return __audit_rng(name, len);
+}
+
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
@@ -574,6 +584,7 @@ extern int audit_signals;
#define audit_log_capset(pid, ncr, ocr) ((void)0)
#define audit_mmap_fd(fd, flags) ((void)0)
#define audit_ptrace(t) ((void)0)
+#define audit_rng(c, l) (0)
#define audit_n_rules 0
#define audit_signals 0
#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e96c30e..5500adf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -165,6 +165,12 @@ struct audit_aux_data_capset {
struct audit_cap_data cap;
};
+struct audit_aux_data_rng {
+ struct audit_aux_data d;
+ const char *name;
+ size_t len;
+};
+
struct audit_tree_refs {
struct audit_tree_refs *next;
struct audit_chunk *c[31];
@@ -1507,6 +1513,13 @@ static void audit_log_exit(struct audit_context *context, struct
task_struct *ts
audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
break; }
+ case AUDIT_RNG: {
+ struct audit_aux_data_rng *axr = (void *)aux;
+ audit_log_format(ab, "name=");
+ audit_log_string(ab, axr->name);
+ audit_log_format(ab, " len=%zu", axr->len);
+ break; }
+
}
audit_log_end(ab);
}
@@ -2312,6 +2325,22 @@ int audit_bprm(struct linux_binprm *bprm)
return 0;
}
+int __audit_rng(const char *name, size_t len)
+{
+ struct audit_aux_data_rng *ax;
+ struct audit_context *context = current->audit_context;
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+ if (!ax)
+ return -ENOMEM;
+
+ ax->name = name;
+ ax->len = len;
+ ax->d.type = AUDIT_RNG;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
/**
* audit_socketcall - record audit data for sys_socketcall
3:43 p.m.
New subject: [PATCH 2/3] Audit: collect inode information during audit_rng call
audit_rng should collect information about the inode used to add/remove
random data.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
drivers/char/random.c | 8 ++++----
include/linux/audit.h | 8 ++++----
kernel/auditsc.c | 4 +++-
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 94ee4a6..ed1099a 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1049,7 +1049,7 @@ random_read(struct file *file, char __user *buf, size_t nbytes,
loff_t *ppos)
}
out:
- audit_rng("random", count);
+ audit_rng(file->f_path.dentry, "random", count);
return (count ? count : retval);
}
@@ -1061,7 +1061,7 @@ urandom_read(struct file *file, char __user *buf, size_t nbytes,
loff_t *ppos)
count = extract_entropy_user(&nonblocking_pool, buf, nbytes);
if (count >= 0)
- audit_rng("urandom", count);
+ audit_rng(file->f_path.dentry, "urandom", count);
return count;
}
@@ -1111,12 +1111,12 @@ static ssize_t random_write(struct file *file, const char __user
*buffer,
ret = write_pool(&blocking_pool, buffer, count);
if (ret)
return ret;
- audit_rng("random", count);
+ audit_rng(file->f_path.dentry, "random", count);
ret = write_pool(&nonblocking_pool, buffer, count);
if (ret)
return ret;
- audit_rng("urandom", count);
+ audit_rng(file->f_path.dentry, "urandom", count);
return (ssize_t)count;
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2f90d9e..ba47df6 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -430,7 +430,7 @@ extern void __audit_inode(const char *name, const struct dentry
*dentry);
extern void __audit_inode_child(const struct dentry *dentry,
const struct inode *parent);
extern void __audit_ptrace(struct task_struct *t);
-extern int __audit_rng(const char *name, size_t len);
+extern int __audit_rng(struct dentry *dentry, const char *name, size_t len);
static inline int audit_dummy_context(void)
{
@@ -459,11 +459,11 @@ static inline void audit_ptrace(struct task_struct *t)
__audit_ptrace(t);
}
-static inline int audit_rng(const char *name, size_t len)
+static inline int audit_rng(struct dentry *dentry, const char *name, size_t len)
{
if (likely(audit_dummy_context()))
return 0;
- return __audit_rng(name, len);
+ return __audit_rng(dentry, name, len);
}
/* Private API (for audit.c only) */
@@ -584,7 +584,7 @@ extern int audit_signals;
#define audit_log_capset(pid, ncr, ocr) ((void)0)
#define audit_mmap_fd(fd, flags) ((void)0)
#define audit_ptrace(t) ((void)0)
-#define audit_rng(c, l) (0)
+#define audit_rng(d, c, l) (0)
#define audit_n_rules 0
#define audit_signals 0
#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5500adf..0880546 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2325,11 +2325,13 @@ int audit_bprm(struct linux_binprm *bprm)
return 0;
}
-int __audit_rng(const char *name, size_t len)
+int __audit_rng(struct dentry *dentry, const char *name, size_t len)
{
struct audit_aux_data_rng *ax;
struct audit_context *context = current->audit_context;
+ audit_inode(NULL, dentry);
+
ax = kmalloc(sizeof(*ax), GFP_KERNEL);
if (!ax)
return -ENOMEM;
3:44 p.m.
New subject: [PATCH 3/3] audit: check current inode and containing object when filtering on major and minor
The audit system has the ability to filter on the major and minor number of
the device containing the inode being operated upon. Lets say that
/dev/sda1 has major,minor 8,1 and that we mount /dev/sda1 on /boot. Now lets
say we add a watch with a filter on 8,1. If we proceed to open an inode
inside /boot, such as /vboot/vmlinuz, we will match the major,minor filter.
Lets instead assume that one were to use a tool like debugfs and were to
open /dev/sda1 directly and to modify it's contents. We might hope that
this would also be logged, but it isn't. The rules will check the
major,minor of the device containing /dev/sda1. In other words the rule
would match on the major/minor of the tmpfs mounted at /dev.
I believe these rules should trigger on either device. The man page is
devoid of useful information about the intended semantics. It only seems
logical that if you want to know everything that happened on a major,minor
that would include things that happened to the device itself...
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditsc.c | 24 ++++++++++++++----------
1 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0880546..93d5feb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -538,12 +538,14 @@ static int audit_filter_rules(struct task_struct *tsk,
}
break;
case AUDIT_DEVMAJOR:
- if (name)
- result = audit_comparator(MAJOR(name->dev),
- f->op, f->val);
- else if (ctx) {
+ if (name) {
+ if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
+ audit_comparator(MAJOR(name->rdev), f->op, f->val))
+ ++result;
+ } else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- if (audit_comparator(MAJOR(n->dev), f->op, f->val)) {
+ if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
+ audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
++result;
break;
}
@@ -551,12 +553,14 @@ static int audit_filter_rules(struct task_struct *tsk,
}
break;
case AUDIT_DEVMINOR:
- if (name)
- result = audit_comparator(MINOR(name->dev),
- f->op, f->val);
- else if (ctx) {
+ if (name) {
+ if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
+ audit_comparator(MINOR(name->rdev), f->op, f->val))
+ ++result;
+ } else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- if (audit_comparator(MINOR(n->dev), f->op, f->val)) {
+ if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
+ audit_comparator(MINOR(n->rdev), f->op, f->val)) {
++result;
break;
}
5126
days inactive
5126
days old
linux-audit@lists.linux-audit.osci.io
2 comments
1 participants
participants (1)
-
Eric Paris