RHEL4 update 2 is at 2.6.9-22.EL
-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of linux-audit-request@redhat.com
Sent: Thursday, March 30, 2006 3:57 AM
To: linux-audit@redhat.com
Subject: Linux-audit Digest, Vol 18, Issue 31
Today's Topics:
1. Re: Error on stop (Steve Grubb)
2. [PATCH] change lspp inode auditing (Steve Grubb)
3. Re: [PATCH] change lspp inode auditing (Stephen Smalley)
4. Re: [PATCH] change lspp inode auditing (Steve Grubb)
5. Re: [PATCH] change lspp inode auditing (Serge E. Hallyn)
6. Re: [PATCH] change lspp inode auditing (Valdis.Kletnieks@vt.edu)
7. Re: [PATCH] change lspp inode auditing (Steve Grubb)
8. auditctl -l bug? (Michael C Thompson)
9. moving audit_free() up into do_exit() (Alexander Viro)
10. Re: moving audit_free() up into do_exit() (Steve Grubb)
11. Re: moving audit_free() up into do_exit() (Alexander Viro)
12. Re: moving audit_free() up into do_exit() (Alexander Viro)
----------------------------------------------------------------------
Message: 1
Date: Tue, 28 Mar 2006 19:31:30 -0500
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Error on stop
To: linux-audit@redhat.com
Message-ID: <200603281931.30320.sgrubb@redhat.com>
Content-Type: text/plain; charset="utf-8"
On Tuesday 28 March 2006 18:23, Mont Rothstein wrote:
> I am on audit-1.0.12 is this still a bug in this version, and if it
> is do I need to worry about it?
>
> My output from uname -a is:
> Linux rheles4rs1.forayadams.foray.com 2.6.9-11.EL #1 Fri May 20
> 18:17:57 EDT 2005 i686 i686 i386 GNU/Linux
I think you need to be on the 2.6.9-.16.EL kernel at a minimum. Offhand I
don't remember what's the current RHEL4 kernel, but you need to upgrade
kernels for it to work right.
-Steve
------------------------------
Message: 2
Date: Wed, 29 Mar 2006 13:28:42 -0500
From: Steve Grubb <sgrubb@redhat.com>
Subject: [PATCH] change lspp inode auditing
To: linux-audit@redhat.com
Cc: redhat-lspp@redhat.com
Message-ID: <200603291328.42394.sgrubb@redhat.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
This is a first draft patch to change the auditing of inodes for lspp.
Previously, we were gathering the context instead of the sid. Now in this
patch, we gather just the sid and convert to context only if an audit event
is being output. This patch makes no effort to account for policy_load. It
also inserts some functions that are likely going upstream via SELinux
kernel people. So, that will need to be resolved before this patch is
final. In any event it's good enough to test with. This patch brings the
performance hit from 146% down to 11%. We need a similar patch for IPC
syscall auditing.
-Steve
diff -urp linux-2.6.16.x86_64.orig/include/linux/selinux.h
linux-2.6.16.x86_64/include/linux/selinux.h
--- linux-2.6.16.x86_64.orig/include/linux/selinux.h 2006-03-29
10:40:42.000000000 -0500
+++ linux-2.6.16.x86_64/include/linux/selinux.h 2006-03-29
10:27:06.000000000 -0500
@@ -13,6 +13,8 @@
#ifndef _LINUX_SELINUX_H
#define _LINUX_SELINUX_H
+#include <linux/fs.h
+
struct selinux_audit_rule;
struct audit_context;
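Review bot: the new `#include <linux/fs.h>` at the top of this hunk pulls a large header into every file that includes linux/selinux.h, when the only new use is `const struct inode *` in a prototype; a forward declaration `struct inode;` beside the existing `struct selinux_audit_rule;` is sufficient and avoids the header inter-dependency.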
@@ -76,6 +78,26 @@ void selinux_audit_set_callback(int (*ca
*/
void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);
+/**
+ * selinux_ctxid_to_string - map a security context ID to a string
+ * @ctxid: security context ID to be converted.
+ * @ctx: address of context string to be returned
+ * @ctxlen: length of returned context string.
+ *
+ * Returns 0 if successful, -errno if not. On success, the
context
+ * string will be allocated internally, and the caller must call
+ * kfree() on it after use.
+ */
+int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);
+
+/**
+ * selinux_get_inode_sid - get the inode's security context ID
+ * @inode: inode structure to get the sid from.
+ *
+ * Returns the sid if successful and 0 if unset
+ */
+u32 selinux_get_inode_sid(const struct inode *inode);
+
#else
static inline int selinux_audit_rule_init(u32 field, u32 op,
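Review bot: the kerneldoc for selinux_ctxid_to_string promises an internally allocated string, but the prototype gives the callee no allocation flags, so it cannot honour the `gfp_mask` that a caller such as audit_log_exit already holds; suggest adding a `gfp_t` parameter. Separately, selinux_get_inode_sid returning a bare u32 with 0 meaning "unset" gives the caller no way to tell an unlabeled inode from a failure; an int return with the sid passed back through a pointer argument would match the `selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)` style directly above it.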
@@ -107,6 +129,18 @@ static inline void selinux_task_ctxid(st
*ctxid = 0;
}
+static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32
*ctxlen)
+{
+ *ctx = NULL;
+ *ctxlen = 0;
+ return 0;
+}
+
+static inline u32 selinux_get_inode_sid(const struct inode *inode)
+{
+ return 0;
+}
+
#endif /* CONFIG_SECURITY_SELINUX */
#endif /* _LINUX_SELINUX_H */
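Review bot: the !CONFIG_SECURITY_SELINUX stub of selinux_ctxid_to_string returns 0 while setting `*ctx = NULL`, so a zero return does not guarantee a usable string and every caller must test `*ctx` as well as the return code; returning an -errno from the stub, or documenting the NULL-on-success case in the kerneldoc above, would keep a single contract.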
diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c
linux-2.6.16.x86_64/kernel/auditsc.c
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-03-29
10:40:48.000000000 -0500
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-03-29
10:26:45.000000000 -0500
@@ -90,7 +90,7 @@ struct audit_names {
uid_t uid;
gid_t gid;
dev_t rdev;
- char *ctx;
+ u32 osid;
};
struct audit_aux_data {
@@ -435,9 +435,6 @@ static inline void audit_free_names(stru
#endif
for (i = 0; i < context->name_count; i++) {
- char *p = context->names[i].ctx;
- context->names[i].ctx = NULL;
- kfree(p);
if (context->names[i].name)
__putname(context->names[i].name);
}
@@ -729,9 +726,24 @@ static void audit_log_exit(struct audit_
context->names[i].gid,
MAJOR(context->names[i].rdev),
MINOR(context->names[i].rdev));
- if (context->names[i].ctx) {
- audit_log_format(ab, " obj=%s",
- context->names[i].ctx);
+ if (context->names[i].osid != 0) {
+ char *ctx = NULL;
+ int len = 0;
+ if (selinux_ctxid_to_string(
+ context->names[i].osid, &ctx, &len) ==
0) {
+ ctx = kmalloc(len, gfp_mask);
+ if (ctx) {
+ selinux_ctxid_to_string(
+ context->names[i].osid,
+ &ctx, &len);
+ }
+ }
+ if (ctx)
+ audit_log_format(ab, " obj=%s", ctx);
+ else
+ audit_log_format(ab, " obj=%u",
+
context->names[i].osid);
+ kfree(ctx);
}
audit_log_end(ab);
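Review bot: the block starting at `if (selinux_ctxid_to_string(context->names[i].osid, &ctx, &len) == 0)` calls the conversion twice with a kmalloc in between, yet the function's own kerneldoc says the string is allocated internally; the second call overwrites `ctx`, so both the first returned string and the kmalloc'd buffer leak on every record. A single call followed by `kfree(ctx)` is enough. Two smaller points: `len` is declared `int` but passed where the prototype takes `u32 *`, and the return value of the second call is never checked.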
@@ -983,37 +995,10 @@ void audit_putname(const char *name)
void audit_inode_context(int idx, const struct inode *inode)
{
struct audit_context *context = current->audit_context;
- const char *suffix = security_inode_xattr_getsuffix();
- char *ctx = NULL;
- int len = 0;
-
- if (!suffix)
- goto ret;
-
- len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
- if (len == -EOPNOTSUPP)
- goto ret;
- if (len < 0)
- goto error_path;
-
- ctx = kmalloc(len, GFP_KERNEL);
- if (!ctx)
- goto error_path;
-
- len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
- if (len < 0)
- goto error_path;
-
- kfree(context->names[idx].ctx);
- context->names[idx].ctx = ctx;
- goto ret;
-
-error_path:
- if (ctx)
- kfree(ctx);
- audit_panic("error in audit_inode_context");
-ret:
- return;
+ if (security_inode_xattr_getsuffix())
+ context->names[idx].osid =
selinux_get_inode_sid(inode);
+ else
+ context->names[idx].osid = 0;
}
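Review bot: the rewritten audit_inode_context removes the old audit_panic() path, which is fine since the new body cannot fail, but it also silently records osid 0 (and therefore no obj= field) for any inode that carries no label, and that behaviour change belongs in the changelog. Using security_inode_xattr_getsuffix() as the "is SELinux active" test is indirect; checking selinux_enabled, or having selinux_get_inode_sid return 0 itself when SELinux is disabled, would make the intent explicit.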
diff -urp linux-2.6.16.x86_64.orig/security/selinux/exports.c
linux-2.6.16.x86_64/security/selinux/exports.c
--- linux-2.6.16.x86_64.orig/security/selinux/exports.c 2006-03-29
10:40:51.000000000 -0500
+++ linux-2.6.16.x86_64/security/selinux/exports.c 2006-03-29
10:26:45.000000000 -0500
@@ -26,3 +26,24 @@ void selinux_task_ctxid(struct task_stru
else
*ctxid = 0;
}
+
+extern int ss_initialized;
+
+int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
+{
+ if (ss_initialized)
+ return security_sid_to_context(ctxid, ctx, ctxlen);
+ else {
+ *ctx = NULL;
+ *ctxlen = 0;
+ }
+
+ return 0;
+}
+
+u32 selinux_get_inode_sid(const struct inode *inode)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ return isec->sid;
+}
+
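Review bot: selinux_get_inode_sid dereferences `inode->i_security` unconditionally; once SELinux has been disabled at runtime the inode security blob may be NULL, so this needs a selinux_enabled check (and a NULL test on `isec`) before returning `isec->sid`. In selinux_ctxid_to_string the `!ss_initialized` branch returns 0 with a NULL context, which callers then have to treat as a second success case; returning an -errno there would keep one contract for the interface.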
------------------------------
Message: 3
Date: Wed, 29 Mar 2006 14:01:22 -0500
From: Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] change lspp inode auditing
To: Steve Grubb <sgrubb@redhat.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com, James Morris <jmorris@namei.org>
Message-ID: <1143658882.24555.59.camel@moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain
On Wed, 2006-03-29 at 13:28 -0500, Steve Grubb wrote:
> Hi,
>
> This is a first draft patch to change the auditing of inodes for lspp.
> Previously, we were gathering the context instead of the sid. Now in
> this patch, we gather just the sid and convert to context only if an
> audit event is being output. This patch makes no effort to account for
> policy_load. It also inserts some functions that are likely going
> upstream via SELinux kernel people. So, that will need to be resolved
> before this patch is final. In any event it's good enough to test with.
> This patch brings the performance hit from 146% down to 11%. We need a
> similar patch for IPC syscall auditing.
Not that I disagree with this change in approach, but I think that when
it has come up in the past, there has been concern expressed about the
fact that we could end up not being able to generate the context from
the SID when the audit record is being emitted (due to OOM condition),
and the operation has already occurred at that point. Of course, there
are also other potential failure cases at the point, so I'm not sure it
is crucial, as long as audit_panic is called as appropriate. Just
wanted to make sure that this point was understood by everyone. But I
agree that pre-allocating the contexts is insane.
diff -urp linux-2.6.16.x86_64.orig/include/linux/selinux.h
linux-2.6.16.x86_64/include/linux/selinux.h
--- linux-2.6.16.x86_64.orig/include/linux/selinux.h 2006-03-29
10:40:42.000000000 -0500
+++ linux-2.6.16.x86_64/include/linux/selinux.h 2006-03-29
10:27:06.000000000 -0500
@@ -13,6 +13,8 @@
#ifndef _LINUX_SELINUX_H
#define _LINUX_SELINUX_H
+#include <linux/fs.h>
Just put an empty decl for struct inode here, to avoid header
inter-dependencies:
struct inode;
@@ -76,6 +78,26 @@ void selinux_audit_set_callback(int (*ca
*/
void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);
+/**
+ * selinux_ctxid_to_string - map a security context ID to a
string
+ * @ctxid: security context ID to be converted.
+ * @ctx: address of context string to be returned
+ * @ctxlen: length of returned context string.
+ *
+ * Returns 0 if successful, -errno if not. On success, the
context
+ * string will be allocated internally, and the caller must
call
+ * kfree() on it after use.
+ */
+int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);
Didn't Tim's patch for saving and auditing the netlink sender
SID/context have a similar interface, based on James' proposed API for
iptables? Just need to make sure that we settle on a single interface
used by them all. From later comments below, I think we'll want a
gfp_mask provided and I'm not sure we need the *ctxlen at all, as
SELinux handles the allocation internally.
+/**
+ * selinux_get_inode_sid - get the inode's security context ID
+ * @inode: inode structure to get the sid from.
+ *
+ * Returns the sid if successful and 0 if unset
+ */
+u32 selinux_get_inode_sid(const struct inode *inode);
I'd favor returning an int (0 == success, -errno for failure) and
providing the SID via pointer arg like other interfaces. Or if there
are no possible error cases, make it void, but still supply the SID via
argument.
diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c
linux-2.6.16.x86_64/kernel/auditsc.c
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-03-29
10:40:48.000000000 -0500
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-03-29
10:26:45.000000000 -0500
@@ -729,9 +726,24 @@ static void audit_log_exit(struct audit_
context->names[i].gid,
MAJOR(context->names[i].rdev),
MINOR(context->names[i].rdev));
- if (context->names[i].ctx) {
- audit_log_format(ab, " obj=%s",
- context->names[i].ctx);
+ if (context->names[i].osid != 0) {
+ char *ctx = NULL;
+ int len = 0;
+ if (selinux_ctxid_to_string(
+ context->names[i].osid, &ctx, &len) ==
0) {
+ ctx = kmalloc(len, gfp_mask);
+ if (ctx) {
+ selinux_ctxid_to_string(
+ context->names[i].osid,
+ &ctx, &len);
+ }
+ }
Unless I'm confused (quite possible ;), the above sequence shouldn't be
necessary and will actually leak the allocated buffer because SELinux
will overwrite the pointer with its own. The SELinux internal functions
(e.g. security_sid_to_context) handle the allocation of a context buffer
to the right size and set *ctx to it, so the caller never needs to play
this game. Some of the hook interfaces unfortunately require the
caller to guess and provide a buffer that they allocate, but I don't
think we want to continue that trend. SELinux should just set *ctx to
the context buffer it allocates and you are done. You should likely
pass the gfp_mask down into the SELinux interface and propagate it down
to the internal code so that we can conform with whatever the caller
needs.
diff -urp linux-2.6.16.x86_64.orig/security/selinux/exports.c
linux-2.6.16.x86_64/security/selinux/exports.c
--- linux-2.6.16.x86_64.orig/security/selinux/exports.c
2006-03-29 10:40:51.000000000 -0500
+++ linux-2.6.16.x86_64/security/selinux/exports.c 2006-03-29
10:26:45.000000000 -0500
+u32 selinux_get_inode_sid(const struct inode *inode)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ return isec->sid;
+}
I think you need to check for selinux_enabled here, c.f. Darrel's
patches for audit-by-context. Keep in mind that SELinux can be runtime
disabled by init (if SELINUX=disabled in /etc/selinux/config).
--
Stephen Smalley
National Security Agency
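To make the leak Smalley describes concrete, here is an added userspace model, not code from the patch or the kernel: a constructed ctxid_to_string that allocates its result internally, as security_sid_to_context does, driven first by the draft patch's convert/kmalloc/convert sequence and then by a single-call version, with a counter showing how many buffers each leaves unfreed. The sid table, the function names and the counter are assumptions of the example; it also shows the numeric-sid fallback Steve mentions for the case where no context string can be produced.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the SELinux sid table; sid 0 means "unset". */
static const char *const ctx_table[] = {
    NULL, "system_u:object_r:etc_t:s0", "system_u:object_r:user_home_t:s0",
};
#define NSIDS (sizeof(ctx_table) / sizeof(ctx_table[0]))
int live_allocs;               /* context buffers allocated but not freed */
static char last_record[128];  /* what audit_log_format would have emitted */

/* Callee allocates, as security_sid_to_context does: caller must free *ctx. */
static int ctxid_to_string(unsigned ctxid, char **ctx, unsigned *ctxlen)
{
    if (ctxid == 0 || ctxid >= NSIDS)
        return -EINVAL;        /* unknown sid, e.g. policy not loaded */
    size_t n = strlen(ctx_table[ctxid]) + 1;
    *ctx = malloc(n);
    if (!*ctx)
        return -ENOMEM;
    memcpy(*ctx, ctx_table[ctxid], n);
    live_allocs++;
    *ctxlen = (unsigned)n;
    return 0;
}

/* Emit " obj=<context>", or " obj=<sid>" when no string could be produced. */
static const char *emit_obj(unsigned osid, char *ctx)
{
    if (ctx) {
        snprintf(last_record, sizeof last_record, " obj=%s", ctx);
        free(ctx);             /* the patch's kfree(ctx): frees this pointer only */
        live_allocs--;
    } else
        snprintf(last_record, sizeof last_record, " obj=%u", osid);
    return last_record;
}

/* The draft patch's audit_log_exit sequence: convert, kmalloc the returned
 * length, convert again. Each call replaces ctx, so two buffers are never freed. */
const char *log_obj_leaky(unsigned osid)
{
    char *ctx = NULL;
    unsigned len = 0;
    if (ctxid_to_string(osid, &ctx, &len) == 0) {
        ctx = malloc(len);     /* stands in for kmalloc(len, gfp_mask) */
        if (ctx) {
            live_allocs++;
            ctxid_to_string(osid, &ctx, &len);
        }
    }
    return emit_obj(osid, ctx);
}

/* One call, one free: the buffer SELinux hands back is the one logged. */
const char *log_obj_fixed(unsigned osid)
{
    char *ctx = NULL;
    unsigned len = 0;
    if (ctxid_to_string(osid, &ctx, &len) != 0)
        ctx = NULL;            /* fall back to logging the numeric sid */
    return emit_obj(osid, ctx);
}
```

After one leaky call live_allocs is 2 (the first returned string and the kmalloc'd buffer); the fixed path leaves it at 0 and still logs the raw sid when conversion fails.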
------------------------------
Message: 4
Date: Wed, 29 Mar 2006 14:15:33 -0500
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH] change lspp inode auditing
To: sds@tycho.nsa.gov
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com, James Morris <jmorris@namei.org>
Message-ID: <200603291415.33608.sgrubb@redhat.com>
Content-Type: text/plain; charset="utf-8"
On Wednesday 29 March 2006 14:01, Stephen Smalley wrote:
> > This patch brings the performance hit from 146% down to 11%. We need a
> > similar patch for IPC syscall auditing.
>
> Not that I disagree with this change in approach, but I think that when
> it has come up in the past, there has been concern expressed about the
> fact that we could end up not being able to generate the context from
> the SID when the audit record is being emitted (due to OOM condition),
> and the operation has already occurred at that point.
In that case, the patch writes out the sid number. Given a sid, is there a
way to find it in the policy on disk? If not, that might be useful to have.
> Of course, there are also other potential failure cases at the point,
> so I'm not sure it is crucial, as long as audit_panic is called as
> appropriate.
If we record the sid number, do we really need to call audit_panic?
> > @@ -76,6 +78,26 @@ void selinux_audit_set_callback(int (*ca
> >   */
> >  void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);
> >
> > +/**
> > + *	selinux_ctxid_to_string - map a security context ID to a string
> > + *	@ctxid: security context ID to be converted.
> > + *	@ctx: address of context string to be returned
> > + *	@ctxlen: length of returned context string.
> > + *
> > + *	Returns 0 if successful, -errno if not.  On success, the context
> > + *	string will be allocated internally, and the caller must call
> > + *	kfree() on it after use.
> > + */
> > +int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);
>
> Didn't Tim's patch for saving and auditing the netlink sender
> SID/context have a similar interface, based on James' proposed API for
> iptables?
Yes, I copy and pasted and changed the name based on a suggestion from
Darrel. What is the status of that API? Did it go into 2.6.17 tree? I'd
like to code to that API if it were available.
> > +		if (context->names[i].osid != 0) {
> > +			char *ctx = NULL;
> > +			int len = 0;
> > +			if (selinux_ctxid_to_string(
> > +				context->names[i].osid, &ctx, &len) == 0) {
> > +				ctx = kmalloc(len, gfp_mask);
> > +				if (ctx) {
> > +					selinux_ctxid_to_string(
> > +						context->names[i].osid,
> > +						&ctx, &len);
> > +				}
> > +			}
>
> Unless I'm confused (quite possible ;), the above sequence shouldn't be
> necessary and will actually leak the allocated buffer because SELinux
> will overwrite the pointer with its own.
OK, will look into this.
> Some of the hook interfaces unfortunately require the caller to guess
> and provide a buffer that they allocate, but I don't think we want to
> continue that trend.
Agreed, that was messy.
I'll make changes as you suggested and we can try this again. Is there a
place I can grab James' iptables SELinux interface to patch the lspp
kernel with? I'd like to use that if it's accepted/done. It'll make
merging Tim's patch easier.
-Steve
------------------------------
Message: 5
Date: Wed, 29 Mar 2006 13:18:35 -0600
From: "Serge E. Hallyn" <serue@us.ibm.com>
Subject: Re: [PATCH] change lspp inode auditing
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: redhat-lspp@redhat.com, James Morris <jmorris@namei.org>, linux-audit@redhat.com
Message-ID: <20060329191835.GB30125@sergelap.austin.ibm.com>
Content-Type: text/plain; charset=us-ascii
Quoting Stephen Smalley (sds@tycho.nsa.gov):
> On Wed, 2006-03-29 at 13:28 -0500, Steve Grubb wrote:
> > Hi,
> >
> > This is a first draft patch to change the auditing of inodes for lspp.
> > Previously, we were gathering the context instead of the sid. Now in
> > this patch, we gather just the sid and convert to context only if an
> > audit event is being output. This patch makes no effort to account for
> > policy_load. It also inserts some functions that are likely going
> > upstream via SELinux kernel people. So, that will need to be resolved
> > before this patch is final. In any event it's good enough to test with.
> > This patch brings the performance hit from 146% down to 11%. We need a
> > similar patch for IPC syscall auditing.
>
> Not that I disagree with this change in approach, but I think that when
> it has come up in the past, there has been concern expressed about the
> fact that we could end up not being able to generate the context from
> the SID when the audit record is being emitted (due to OOM condition),
> and the operation has already occurred at that point. Of course, there
> are also other potential failure cases at the point, so I'm not sure it
> is crucial, as long as audit_panic is called as appropriate. Just
> wanted to make sure that this point was understood by everyone. But I
> agree that pre-allocating the contexts is insane.
Maybe this is a silly idea... but what about just somehow hashing on
(sid,policy_version), where uint policy_version is incremented on each
selinux policy load?
The audit code would fill in an entry for au_ctx_hash(sid,policy_version),
if it isn't already filled in, when the context would previously have been
preallocated. But it stores (sid, policy_version) in the audit record,
and grabs the value from the table when it's time to actually log the
entry, i.e. where Steve's current patch fills in the string.
I guess whether this is worth it depends on how likely we are to lose
information with this current patch on a live system.
Anyway, just a thought.
-serge
------------------------------
Message: 6
Date: Wed, 29 Mar 2006 14:34:19 -0500
From: Valdis.Kletnieks@vt.edu
Subject: Re: [PATCH] change lspp inode auditing
To: Steve Grubb <sgrubb@redhat.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com, James Morris <jmorris@namei.org>
Message-ID: <200603291934.k2TJYJNu029217@turing-police.cc.vt.edu>
Content-Type: text/plain; charset="iso-8859-1"
On Wed, 29 Mar 2006 14:15:33 EST, Steve Grubb said:
> On Wednesday 29 March 2006 14:01, Stephen Smalley wrote:
> > > This patch brings the performance hit from 146% down to 11%. We
> > > need a similar patch for IPC syscall auditing.
> >
> > Not that I disagree with this change in approach, but I think that
> > when it has come up in the past, there has been concern expressed
> > about the fact that we could end up not being able to generate the
> > context from the SID when the audit record is being emitted (due to
> > OOM condition), and the operation has already occurred at that point.
>
> In that case, the patch writes out the sid number. Given a sid, is
> there a way to find it in the policy on disk? If not, that might be
> useful to have.
The problem is that by the time you go to snarf it out of the policy on
disk, it may no longer match the policy in effect at the time of the
record generation.
The hole probably isn't *that* bad if auditd is doing the grovelling.
It's almost certainly an issue if ausearch is doing the correlation after
the fact....