From c2f0c7c356dc9ae15419f00c725a2fcc58eeff58 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 6 May 2005 12:38:39 +0100 Subject: The attached patch addresses the problem with getting the audit daemon shutdown credential information. It creates a new message type AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the shutdown. It requires the placement of a hook function that gathers the information. The hook is after the DAC & MAC checks and before the function returns. Racing threads could overwrite the uid & pid - but they would have to be root and have policy that allows signalling the audit daemon. That should be a manageable risk. The userspace component will be released later in audit 0.7.2. When it receives the TERM signal, it queries the kernel for shutdown information. When it receives it, it writes the message and exits. The message looks like this: type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 uid=525, auditd pid=1685 Signed-off-by: Steve Grubb Signed-off-by: David Woodhouse --- include/linux/audit.h | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 19f04b049798..baa80760824c 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -28,14 +28,16 @@ #include /* Request and reply types */ -#define AUDIT_GET 1000 /* Get status */ -#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ -#define AUDIT_LIST 1002 /* List filtering rules */ -#define AUDIT_ADD 1003 /* Add filtering rule */ -#define AUDIT_DEL 1004 /* Delete filtering rule */ -#define AUDIT_USER 1005 /* Send a message from user-space */ -#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ -#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ +#define AUDIT_GET 1000 /* Get status */ +#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ +#define AUDIT_LIST 1002 /* List filtering rules */ +#define AUDIT_ADD 1003 /* Add filtering rule */ +#define AUDIT_DEL 1004 /* Delete filtering rule */ +#define AUDIT_USER 1005 /* Send a message from user-space */ +#define AUDIT_LOGIN 1006 /* Define the login id and information */ +#define AUDIT_SIGNAL_INFO 1010 /* Get information about sender of signal*/ + +#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ /* Rule flags */ #define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ @@ -161,6 +163,11 @@ struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ #ifdef __KERNEL__ +struct audit_sig_info { + uid_t uid; + pid_t pid; +}; + struct audit_buffer; struct audit_context; struct inode; @@ -190,6 +197,7 @@ extern void audit_get_stamp(struct audit_context *ctx, extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); +extern void audit_signal_info(int sig, struct task_struct *t); #else #define audit_alloc(t) ({ 0; }) #define audit_free(t) do { ; } while (0) @@ -200,6 +208,7 @@ extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mo #define audit_inode(n,i) do { ; } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_ipc_perms(q,u,g,m) ({ 0; }) +#define audit_signal_info(s,t) do { ; } while (0) #endif #ifdef CONFIG_AUDIT -- cgit v1.2.3 From ea9c102cb0a7969df5733d34f26e0b12c8a3c889 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Sun, 8 May 2005 15:56:09 +0100 Subject: Add CONFIG_AUDITSC and CONFIG_SECCOMP support for ppc32 Signed-off-by: David Woodhouse --- arch/ppc/Kconfig | 17 +++++++++++++++++ arch/ppc/kernel/entry.S | 16 +++++++++------- arch/ppc/kernel/ppc_ksyms.c | 2 -- arch/ppc/kernel/ptrace.c | 40 ++++++++++++++++++++++++++++++++++++---- include/asm-ppc/thread_info.h | 7 +++++++ init/Kconfig | 2 +- 6 files changed, 70 insertions(+), 14 deletions(-) (limited to 'include') diff --git a/arch/ppc/Kconfig b/arch/ppc/Kconfig index 600f23d7fd33..cd752a3cf3bd 100644 --- a/arch/ppc/Kconfig +++ b/arch/ppc/Kconfig @@ -1083,6 +1083,23 @@ source "drivers/zorro/Kconfig" source kernel/power/Kconfig +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + depends on PROC_FS + default y + help + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via /proc//seccomp, it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + + If unsure, say Y. Only embedded should say N here. + endmenu config ISA_DMA_API diff --git a/arch/ppc/kernel/entry.S b/arch/ppc/kernel/entry.S index 5f075dbc4ee7..661523707e8c 100644 --- a/arch/ppc/kernel/entry.S +++ b/arch/ppc/kernel/entry.S @@ -202,7 +202,7 @@ _GLOBAL(DoSyscall) rlwinm r11,r11,0,~_TIFL_FORCE_NOERROR stw r11,TI_LOCAL_FLAGS(r10) lwz r11,TI_FLAGS(r10) - andi. r11,r11,_TIF_SYSCALL_TRACE + andi. r11,r11,_TIF_SYSCALL_T_OR_A bne- syscall_dotrace syscall_dotrace_cont: cmplwi 0,r0,NR_syscalls @@ -237,7 +237,7 @@ ret_from_syscall: SYNC MTMSRD(r10) lwz r9,TI_FLAGS(r12) - andi. r0,r9,(_TIF_SYSCALL_TRACE|_TIF_SIGPENDING|_TIF_NEED_RESCHED) + andi. r0,r9,(_TIF_SYSCALL_T_OR_A|_TIF_SIGPENDING|_TIF_NEED_RESCHED) bne- syscall_exit_work syscall_exit_cont: #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE) @@ -277,7 +277,8 @@ syscall_dotrace: SAVE_NVGPRS(r1) li r0,0xc00 stw r0,TRAP(r1) - bl do_syscall_trace + addi r3,r1,STACK_FRAME_OVERHEAD + bl do_syscall_trace_enter lwz r0,GPR0(r1) /* Restore original registers */ lwz r3,GPR3(r1) lwz r4,GPR4(r1) @@ -291,7 +292,7 @@ syscall_dotrace: syscall_exit_work: stw r6,RESULT(r1) /* Save result */ stw r3,GPR3(r1) /* Update return value */ - andi. r0,r9,_TIF_SYSCALL_TRACE + andi. r0,r9,_TIF_SYSCALL_T_OR_A beq 5f ori r10,r10,MSR_EE SYNC @@ -303,7 +304,8 @@ syscall_exit_work: li r4,0xc00 stw r4,TRAP(r1) 4: - bl do_syscall_trace + addi r3,r1,STACK_FRAME_OVERHEAD + bl do_syscall_trace_leave REST_NVGPRS(r1) 2: lwz r3,GPR3(r1) @@ -627,8 +629,8 @@ sigreturn_exit: subi r1,r3,STACK_FRAME_OVERHEAD rlwinm r12,r1,0,0,18 /* current_thread_info() */ lwz r9,TI_FLAGS(r12) - andi. r0,r9,_TIF_SYSCALL_TRACE - bnel- do_syscall_trace + andi. r0,r9,_TIF_SYSCALL_T_OR_A + bnel- do_syscall_trace_leave /* fall through */ .globl ret_from_except_full diff --git a/arch/ppc/kernel/ppc_ksyms.c b/arch/ppc/kernel/ppc_ksyms.c index 2ccb58fe4fc3..d59ad07de8e7 100644 --- a/arch/ppc/kernel/ppc_ksyms.c +++ b/arch/ppc/kernel/ppc_ksyms.c @@ -55,7 +55,6 @@ #define EXPORT_SYMTAB_STROPS extern void transfer_to_handler(void); -extern void do_syscall_trace(void); extern void do_IRQ(struct pt_regs *regs); extern void MachineCheckException(struct pt_regs *regs); extern void AlignmentException(struct pt_regs *regs); @@ -74,7 +73,6 @@ extern unsigned long mm_ptov (unsigned long paddr); EXPORT_SYMBOL(clear_pages); EXPORT_SYMBOL(clear_user_page); EXPORT_SYMBOL(do_signal); -EXPORT_SYMBOL(do_syscall_trace); EXPORT_SYMBOL(transfer_to_handler); EXPORT_SYMBOL(do_IRQ); EXPORT_SYMBOL(MachineCheckException); diff --git a/arch/ppc/kernel/ptrace.c b/arch/ppc/kernel/ptrace.c index 59d59a8dc249..e7aee4108dea 100644 --- a/arch/ppc/kernel/ptrace.c +++ b/arch/ppc/kernel/ptrace.c @@ -27,6 +27,9 @@ #include #include #include +#include +#include +#include #include #include @@ -455,11 +458,10 @@ out: return ret; } -void do_syscall_trace(void) +static void do_syscall_trace(void) { - if (!test_thread_flag(TIF_SYSCALL_TRACE) - || !(current->ptrace & PT_PTRACED)) - return; + /* the 0x80 provides a way for the tracing parent to distinguish + between a syscall stop and SIGTRAP delivery */ ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) ? 0x80 : 0)); @@ -473,3 +475,33 @@ void do_syscall_trace(void) current->exit_code = 0; } } + +void do_syscall_trace_enter(struct pt_regs *regs) +{ + if (test_thread_flag(TIF_SYSCALL_TRACE) + && (current->ptrace & PT_PTRACED)) + do_syscall_trace(); + + if (unlikely(current->audit_context)) + audit_syscall_entry(current, AUDIT_ARCH_PPC, + regs->gpr[0], + regs->gpr[3], regs->gpr[4], + regs->gpr[5], regs->gpr[6]); +} + +void do_syscall_trace_leave(struct pt_regs *regs) +{ + secure_computing(regs->gpr[0]); + + if (unlikely(current->audit_context)) + audit_syscall_exit(current, + (regs->ccr&0x1000)?AUDITSC_FAILURE:AUDITSC_SUCCESS, + regs->result); + + if ((test_thread_flag(TIF_SYSCALL_TRACE)) + && (current->ptrace & PT_PTRACED)) + do_syscall_trace(); +} + +EXPORT_SYMBOL(do_syscall_trace_enter); +EXPORT_SYMBOL(do_syscall_trace_leave); diff --git a/include/asm-ppc/thread_info.h b/include/asm-ppc/thread_info.h index f7f01524e8a8..e3b5284a6f91 100644 --- a/include/asm-ppc/thread_info.h +++ b/include/asm-ppc/thread_info.h @@ -77,12 +77,19 @@ static inline struct thread_info *current_thread_info(void) #define TIF_POLLING_NRFLAG 4 /* true if poll_idle() is polling TIF_NEED_RESCHED */ #define TIF_MEMDIE 5 +#define TIF_SYSCALL_AUDIT 6 /* syscall auditing active */ +#define TIF_SECCOMP 7 /* secure computing */ + /* as above, but as bit values */ #define _TIF_SYSCALL_TRACE (1< Date: Wed, 11 May 2005 10:54:05 +0100 Subject: Move ifdef CONFIG_AUDITSYSCALL to header Remove code conditionally dependent on CONFIG_AUDITSYSCALL from audit.c. Move these dependencies to audit.h with the rest. Signed-off-by: Chris Wright Signed-off-by: David Woodhouse --- include/linux/audit.h | 4 +++- kernel/audit.c | 12 ++---------- kernel/auditsc.c | 7 +++---- 3 files changed, 8 insertions(+), 15 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index baa80760824c..58c5589b531f 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -192,7 +192,7 @@ extern void audit_inode(const char *name, const struct inode *inode); /* Private API (for audit.c only) */ extern int audit_receive_filter(int type, int pid, int uid, int seq, void *data, uid_t loginuid); -extern void audit_get_stamp(struct audit_context *ctx, +extern int audit_get_stamp(struct audit_context *ctx, struct timespec *t, unsigned int *serial); extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); @@ -206,6 +206,8 @@ extern void audit_signal_info(int sig, struct task_struct *t); #define audit_getname(n) do { ; } while (0) #define audit_putname(n) do { ; } while (0) #define audit_inode(n,i) do { ; } while (0) +#define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) +#define audit_get_stamp(c,t,s) ({ 0; }) #define audit_get_loginuid(c) ({ -1; }) #define audit_ipc_perms(q,u,g,m) ({ 0; }) #define audit_signal_info(s,t) do { ; } while (0) diff --git a/kernel/audit.c b/kernel/audit.c index dc4aba21f30a..c18b769e23a2 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -416,12 +416,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) return -EINVAL; /* fallthrough */ case AUDIT_LIST: -#ifdef CONFIG_AUDITSYSCALL err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, uid, seq, data, loginuid); -#else - err = -EOPNOTSUPP; -#endif break; case AUDIT_SIGNAL_INFO: sig_data.uid = audit_sig_uid; @@ -636,15 +632,11 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx) return NULL; } -#ifdef CONFIG_AUDITSYSCALL - if (ab->ctx) - audit_get_stamp(ab->ctx, &t, &serial); - else -#endif - { + if (!audit_get_stamp(ab->ctx, &t, &serial)) { t = CURRENT_TIME; serial = 0; } + audit_log_format(ab, "audit(%lu.%03lu:%u): ", t.tv_sec, t.tv_nsec/1000000, serial); return ab; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 680bb928343b..94338abf76f5 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -992,7 +992,7 @@ void audit_inode(const char *name, const struct inode *inode) context->names[idx].rdev = inode->i_rdev; } -void audit_get_stamp(struct audit_context *ctx, +int audit_get_stamp(struct audit_context *ctx, struct timespec *t, unsigned int *serial) { if (ctx) { @@ -1000,10 +1000,9 @@ void audit_get_stamp(struct audit_context *ctx, t->tv_nsec = ctx->ctime.tv_nsec; *serial = ctx->serial; ctx->auditable = 1; - } else { - *t = CURRENT_TIME; - *serial = 0; + return 1; } + return 0; } extern int audit_set_type(struct audit_buffer *ab, int type); -- cgit v1.2.3 From c1b773d87eadc3972d697444127e89a7291769a2 Mon Sep 17 00:00:00 2001 From: Chris Wright Date: Wed, 11 May 2005 10:55:10 +0100 Subject: Add audit_log_type Add audit_log_type to allow callers to specify type and pid when logging. Convert audit_log to wrapper around audit_log_type. Could have converted all audit_log callers directly, but common case is default of type AUDIT_KERNEL and pid 0. Update audit_log_start to take type and pid values when creating a new audit_buffer. Move sequences that did audit_log_start, audit_log_format, audit_set_type, audit_log_end, to simply call audit_log_type directly. This obsoletes audit_set_type and audit_set_pid, so remove them. Signed-off-by: Chris Wright Signed-off-by: David Woodhouse --- include/linux/audit.h | 16 ++++++++++------ kernel/audit.c | 48 +++++++++++++++--------------------------------- kernel/auditsc.c | 23 +++++++---------------- security/selinux/avc.c | 2 +- 4 files changed, 33 insertions(+), 56 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 58c5589b531f..405332ebf3c6 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -216,11 +216,14 @@ extern void audit_signal_info(int sig, struct task_struct *t); #ifdef CONFIG_AUDIT /* These are defined in audit.c */ /* Public API */ -extern void audit_log(struct audit_context *ctx, - const char *fmt, ...) - __attribute__((format(printf,2,3))); +#define audit_log(ctx, fmt, args...) \ + audit_log_type(ctx, AUDIT_KERNEL, 0, fmt, ##args) +extern void audit_log_type(struct audit_context *ctx, int type, + int pid, const char *fmt, ...) + __attribute__((format(printf,4,5))); -extern struct audit_buffer *audit_log_start(struct audit_context *ctx); +extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, + int pid); extern void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) __attribute__((format(printf,2,3))); @@ -240,8 +243,9 @@ extern void audit_send_reply(int pid, int seq, int type, void *payload, int size); extern void audit_log_lost(const char *message); #else -#define audit_log(t,f,...) do { ; } while (0) -#define audit_log_start(t) ({ NULL; }) +#define audit_log(c,f,...) do { ; } while (0) +#define audit_log_type(c,t,p,f,...) do { ; } while (0) +#define audit_log_start(c,t,p) ({ NULL; }) #define audit_log_vformat(b,f,a) do { ; } while (0) #define audit_log_format(b,f,...) do { ; } while (0) #define audit_log_end(b) do { ; } while (0) diff --git a/kernel/audit.c b/kernel/audit.c index c18b769e23a2..060b554f481e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -140,18 +140,6 @@ struct audit_buffer { struct audit_context *ctx; /* NULL or associated context */ }; -void audit_set_type(struct audit_buffer *ab, int type) -{ - struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data; - nlh->nlmsg_type = type; -} - -static void audit_set_pid(struct audit_buffer *ab, pid_t pid) -{ - struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data; - nlh->nlmsg_pid = pid; -} - struct audit_entry { struct list_head list; struct audit_rule rule; @@ -344,7 +332,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) void *data; struct audit_status *status_get, status_set; int err; - struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; uid_t loginuid; /* loginuid of sender */ struct audit_sig_info sig_data; @@ -396,19 +383,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) loginuid); break; case AUDIT_USER: - ab = audit_log_start(NULL); - if (!ab) - break; /* audit_panic has been called */ - audit_log_format(ab, + audit_log_type(NULL, AUDIT_USER, pid, "user pid=%d uid=%d length=%d loginuid=%u" " msg='%.1024s'", pid, uid, (int)(nlh->nlmsg_len - ((char *)data - (char *)nlh)), loginuid, (char *)data); - audit_set_type(ab, AUDIT_USER); - audit_set_pid(ab, pid); - audit_log_end(ab); break; case AUDIT_ADD: case AUDIT_DEL: @@ -560,12 +541,10 @@ static void audit_buffer_free(struct audit_buffer *ab) spin_unlock_irqrestore(&audit_freelist_lock, flags); } -static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, - int gfp_mask) +static struct audit_buffer * audit_buffer_alloc(int gfp_mask) { unsigned long flags; struct audit_buffer *ab = NULL; - struct nlmsghdr *nlh; spin_lock_irqsave(&audit_freelist_lock, flags); if (!list_empty(&audit_freelist)) { @@ -587,12 +566,6 @@ static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, if (!ab->skb) goto err; - ab->ctx = ctx; - nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); - nlh->nlmsg_type = AUDIT_KERNEL; - nlh->nlmsg_flags = 0; - nlh->nlmsg_pid = 0; - nlh->nlmsg_seq = 0; return ab; err: audit_buffer_free(ab); @@ -605,11 +578,12 @@ err: * syscall, then the syscall is marked as auditable and an audit record * will be written at syscall exit. If there is no associated task, tsk * should be NULL. */ -struct audit_buffer *audit_log_start(struct audit_context *ctx) +struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pid) { struct audit_buffer *ab = NULL; struct timespec t; unsigned int serial; + struct nlmsghdr *nlh; if (!audit_initialized) return NULL; @@ -626,12 +600,19 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx) return NULL; } - ab = audit_buffer_alloc(ctx, GFP_ATOMIC); + ab = audit_buffer_alloc(GFP_ATOMIC); if (!ab) { audit_log_lost("out of memory in audit_log_start"); return NULL; } + ab->ctx = ctx; + nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); + nlh->nlmsg_type = type; + nlh->nlmsg_flags = 0; + nlh->nlmsg_pid = pid; + nlh->nlmsg_seq = 0; + if (!audit_get_stamp(ab->ctx, &t, &serial)) { t = CURRENT_TIME; serial = 0; @@ -828,12 +809,13 @@ void audit_log_end(struct audit_buffer *ab) /* Log an audit record. This is a convenience function that calls * audit_log_start, audit_log_vformat, and audit_log_end. It may be * called in any context. */ -void audit_log(struct audit_context *ctx, const char *fmt, ...) +void audit_log_type(struct audit_context *ctx, int type, int pid, + const char *fmt, ...) { struct audit_buffer *ab; va_list args; - ab = audit_log_start(ctx); + ab = audit_log_start(ctx, type, pid); if (ab) { va_start(args, fmt); audit_log_vformat(ab, fmt, args); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 94338abf76f5..d089263253a7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -648,7 +648,7 @@ static void audit_log_exit(struct audit_context *context) int i; struct audit_buffer *ab; - ab = audit_log_start(context); + ab = audit_log_start(context, AUDIT_KERNEL, 0); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "syscall=%d", context->major); @@ -680,7 +680,7 @@ static void audit_log_exit(struct audit_context *context) while (context->aux) { struct audit_aux_data *aux; - ab = audit_log_start(context); + ab = audit_log_start(context, AUDIT_KERNEL, 0); if (!ab) continue; /* audit_panic has been called */ @@ -701,7 +701,7 @@ static void audit_log_exit(struct audit_context *context) } for (i = 0; i < context->name_count; i++) { - ab = audit_log_start(context); + ab = audit_log_start(context, AUDIT_KERNEL, 0); if (!ab) continue; /* audit_panic has been called */ audit_log_format(ab, "item=%d", i); @@ -1005,22 +1005,13 @@ int audit_get_stamp(struct audit_context *ctx, return 0; } -extern int audit_set_type(struct audit_buffer *ab, int type); - int audit_set_loginuid(struct task_struct *task, uid_t loginuid) { if (task->audit_context) { - struct audit_buffer *ab; - - ab = audit_log_start(NULL); - if (ab) { - audit_log_format(ab, "login pid=%d uid=%u " - "old loginuid=%u new loginuid=%u", - task->pid, task->uid, - task->audit_context->loginuid, loginuid); - audit_set_type(ab, AUDIT_LOGIN); - audit_log_end(ab); - } + audit_log_type(NULL, AUDIT_LOGIN, 0, + "login pid=%d uid=%u old loginuid=%u new loginuid=%u", + task->pid, task->uid, task->audit_context->loginuid, + loginuid); task->audit_context->loginuid = loginuid; } return 0; diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 85a6f66a873f..9e71a1bbe011 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } - ab = audit_log_start(current->audit_context); + ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); -- cgit v1.2.3 From add671412021b68c3b4f2882b0d10a56e2dcdabe Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Wed, 11 May 2005 11:36:21 +0100 Subject: Add missing asm-ppc/seccomp.h. Must learn to use git properly. Signed-off-by: David Woodhouse --- include/asm-ppc/seccomp.h | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 include/asm-ppc/seccomp.h (limited to 'include') diff --git a/include/asm-ppc/seccomp.h b/include/asm-ppc/seccomp.h new file mode 100644 index 000000000000..666c4da96d87 --- /dev/null +++ b/include/asm-ppc/seccomp.h @@ -0,0 +1,10 @@ +#ifndef _ASM_SECCOMP_H + +#include + +#define __NR_seccomp_read __NR_read +#define __NR_seccomp_write __NR_write +#define __NR_seccomp_exit __NR_exit +#define __NR_seccomp_sigreturn __NR_rt_sigreturn + +#endif /* _ASM_SECCOMP_H */ -- cgit v1.2.3 From c04049939f88b29e235d2da217bce6e8ead44f32 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 13 May 2005 18:17:42 +0100 Subject: AUDIT: Add message types to audit records This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by: Steve Grubb --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse --- include/linux/audit.h | 66 ++++++++++++++++++++++++++--------- kernel/audit.c | 78 +++++++++++++++++++++++++++++------------- kernel/auditsc.c | 42 ++++++++++++++--------- security/selinux/avc.c | 4 +-- security/selinux/hooks.c | 2 +- security/selinux/nlmsgtab.c | 8 +++++ security/selinux/ss/services.c | 4 +-- 7 files changed, 143 insertions(+), 61 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 405332ebf3c6..1a15ba38c660 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -27,15 +27,53 @@ #include #include -/* Request and reply types */ +/* The netlink messages for the audit system is divided into blocks: + * 1000 - 1099 are for commanding the audit system + * 1100 - 1199 user space trusted application messages + * 1200 - 1299 messages internal to the audit daemon + * 1300 - 1399 audit event messages + * 1400 - 1499 SE Linux use + * 1500 - 1999 future use + * 2000 is for otherwise unclassified kernel audit messages + * + * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user + * space. Anything over that is kernel --> user space communication. + */ #define AUDIT_GET 1000 /* Get status */ #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ -#define AUDIT_LIST 1002 /* List filtering rules */ -#define AUDIT_ADD 1003 /* Add filtering rule */ -#define AUDIT_DEL 1004 /* Delete filtering rule */ -#define AUDIT_USER 1005 /* Send a message from user-space */ +#define AUDIT_LIST 1002 /* List syscall filtering rules */ +#define AUDIT_ADD 1003 /* Add syscall filtering rule */ +#define AUDIT_DEL 1004 /* Delete syscall filtering rule */ +#define AUDIT_USER 1005 /* Message from userspace -- deprecated */ #define AUDIT_LOGIN 1006 /* Define the login id and information */ -#define AUDIT_SIGNAL_INFO 1010 /* Get information about sender of signal*/ +#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ +#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ +#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ +#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ + +#define AUDIT_USER_AUTH 1100 /* User space authentication */ +#define AUDIT_USER_ACCT 1101 /* User space acct change */ +#define AUDIT_USER_MGMT 1102 /* User space acct management */ +#define AUDIT_CRED_ACQ 1103 /* User space credential acquired */ +#define AUDIT_CRED_DISP 1104 /* User space credential disposed */ +#define AUDIT_USER_START 1105 /* User space session start */ +#define AUDIT_USER_END 1106 /* User space session end */ +#define AUDIT_USER_AVC 1107 /* User space avc message */ + +#define AUDIT_DAEMON_START 1200 /* Daemon startup record */ +#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ +#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */ +#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */ + +#define AUDIT_SYSCALL 1300 /* Syscall event */ +#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ +#define AUDIT_PATH 1302 /* Filname path information */ +#define AUDIT_IPC 1303 /* IPC record */ +#define AUDIT_SOCKET 1304 /* Socket record */ +#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ + +#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ +#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ @@ -216,14 +254,11 @@ extern void audit_signal_info(int sig, struct task_struct *t); #ifdef CONFIG_AUDIT /* These are defined in audit.c */ /* Public API */ -#define audit_log(ctx, fmt, args...) \ - audit_log_type(ctx, AUDIT_KERNEL, 0, fmt, ##args) -extern void audit_log_type(struct audit_context *ctx, int type, - int pid, const char *fmt, ...) - __attribute__((format(printf,4,5))); +extern void audit_log(struct audit_context *ctx, int type, + const char *fmt, ...) + __attribute__((format(printf,3,4))); -extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, - int pid); +extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type); extern void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) __attribute__((format(printf,2,3))); @@ -243,9 +278,8 @@ extern void audit_send_reply(int pid, int seq, int type, void *payload, int size); extern void audit_log_lost(const char *message); #else -#define audit_log(c,f,...) do { ; } while (0) -#define audit_log_type(c,t,p,f,...) do { ; } while (0) -#define audit_log_start(c,t,p) ({ NULL; }) +#define audit_log(c,t,f,...) do { ; } while (0) +#define audit_log_start(c,t) ({ NULL; }) #define audit_log_vformat(b,f,a) do { ; } while (0) #define audit_log_format(b,f,...) do { ; } while (0) #define audit_log_end(b) do { ; } while (0) diff --git a/kernel/audit.c b/kernel/audit.c index 187164572bd0..4e940c05ede8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -140,6 +140,12 @@ struct audit_buffer { struct audit_context *ctx; /* NULL or associated context */ }; +static void audit_set_pid(struct audit_buffer *ab, pid_t pid) +{ + struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data; + nlh->nlmsg_pid = pid; +} + struct audit_entry { struct list_head list; struct audit_rule rule; @@ -233,7 +239,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid) { int old = audit_rate_limit; audit_rate_limit = limit; - audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "audit_rate_limit=%d old=%d by auid %u", audit_rate_limit, old, loginuid); return old; } @@ -242,7 +249,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid) { int old = audit_backlog_limit; audit_backlog_limit = limit; - audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "audit_backlog_limit=%d old=%d by auid %u", audit_backlog_limit, old, loginuid); return old; } @@ -253,8 +261,9 @@ static int audit_set_enabled(int state, uid_t loginuid) if (state != 0 && state != 1) return -EINVAL; audit_enabled = state; - audit_log(NULL, "audit_enabled=%d old=%d by auid %u", - audit_enabled, old, loginuid); + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "audit_enabled=%d old=%d by auid %u", + audit_enabled, old, loginuid); return old; } @@ -266,8 +275,9 @@ static int audit_set_failure(int state, uid_t loginuid) && state != AUDIT_FAIL_PANIC) return -EINVAL; audit_failure = state; - audit_log(NULL, "audit_failure=%d old=%d by auid %u", - audit_failure, old, loginuid); + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "audit_failure=%d old=%d by auid %u", + audit_failure, old, loginuid); return old; } @@ -316,6 +326,14 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type) err = -EPERM; break; case AUDIT_USER: + case AUDIT_USER_AUTH: + case AUDIT_USER_ACCT: + case AUDIT_USER_MGMT: + case AUDIT_CRED_ACQ: + case AUDIT_CRED_DISP: + case AUDIT_USER_START: + case AUDIT_USER_END: + case AUDIT_USER_AVC: if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) err = -EPERM; break; @@ -332,6 +350,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) void *data; struct audit_status *status_get, status_set; int err; + struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; uid_t loginuid; /* loginuid of sender */ struct audit_sig_info sig_data; @@ -373,7 +392,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (status_get->mask & AUDIT_STATUS_PID) { int old = audit_pid; audit_pid = status_get->pid; - audit_log(NULL, "audit_pid=%d old=%d by auid %u", + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "audit_pid=%d old=%d by auid %u", audit_pid, old, loginuid); } if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) @@ -383,13 +403,26 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) loginuid); break; case AUDIT_USER: - audit_log_type(NULL, AUDIT_USER, pid, + case AUDIT_USER_AUTH: + case AUDIT_USER_ACCT: + case AUDIT_USER_MGMT: + case AUDIT_CRED_ACQ: + case AUDIT_CRED_DISP: + case AUDIT_USER_START: + case AUDIT_USER_END: + case AUDIT_USER_AVC: + ab = audit_log_start(NULL, msg_type); + if (!ab) + break; /* audit_panic has been called */ + audit_log_format(ab, "user pid=%d uid=%d length=%d loginuid=%u" " msg='%.1024s'", pid, uid, (int)(nlh->nlmsg_len - ((char *)data - (char *)nlh)), loginuid, (char *)data); + audit_set_pid(ab, pid); + audit_log_end(ab); break; case AUDIT_ADD: case AUDIT_DEL: @@ -504,7 +537,7 @@ static int __init audit_init(void) audit_initialized = 1; audit_enabled = audit_default; - audit_log(NULL, "initialized"); + audit_log(NULL, AUDIT_KERNEL, "initialized"); return 0; } __initcall(audit_init); @@ -541,10 +574,12 @@ static void audit_buffer_free(struct audit_buffer *ab) spin_unlock_irqrestore(&audit_freelist_lock, flags); } -static struct audit_buffer * audit_buffer_alloc(int gfp_mask) +static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, + int gfp_mask, int type) { unsigned long flags; struct audit_buffer *ab = NULL; + struct nlmsghdr *nlh; spin_lock_irqsave(&audit_freelist_lock, flags); if (!list_empty(&audit_freelist)) { @@ -566,6 +601,12 @@ static struct audit_buffer * audit_buffer_alloc(int gfp_mask) if (!ab->skb) goto err; + ab->ctx = ctx; + nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); + nlh->nlmsg_type = type; + nlh->nlmsg_flags = 0; + nlh->nlmsg_pid = 0; + nlh->nlmsg_seq = 0; return ab; err: audit_buffer_free(ab); @@ -578,12 +619,11 @@ err: * syscall, then the syscall is marked as auditable and an audit record * will be written at syscall exit. If there is no associated task, tsk * should be NULL. */ -struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pid) +struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) { struct audit_buffer *ab = NULL; struct timespec t; unsigned int serial; - struct nlmsghdr *nlh; if (!audit_initialized) return NULL; @@ -600,19 +640,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pi return NULL; } - ab = audit_buffer_alloc(GFP_ATOMIC); + ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type); if (!ab) { audit_log_lost("out of memory in audit_log_start"); return NULL; } - ab->ctx = ctx; - nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); - nlh->nlmsg_type = type; - nlh->nlmsg_flags = 0; - nlh->nlmsg_pid = pid; - nlh->nlmsg_seq = 0; - if (!audit_get_stamp(ab->ctx, &t, &serial)) { t = CURRENT_TIME; serial = 0; @@ -809,13 +842,12 @@ void audit_log_end(struct audit_buffer *ab) /* Log an audit record. This is a convenience function that calls * audit_log_start, audit_log_vformat, and audit_log_end. It may be * called in any context. */ -void audit_log_type(struct audit_context *ctx, int type, int pid, - const char *fmt, ...) +void audit_log(struct audit_context *ctx, int type, const char *fmt, ...) { struct audit_buffer *ab; va_list args; - ab = audit_log_start(ctx, type, pid); + ab = audit_log_start(ctx, type); if (ab) { va_start(args, fmt); audit_log_vformat(ab, fmt, args); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d089263253a7..1b7c91f9d5ff 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -286,7 +286,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, err = audit_add_rule(entry, &audit_entlist); if (!err && (flags & AUDIT_AT_EXIT)) err = audit_add_rule(entry, &audit_extlist); - audit_log(NULL, "auid %u added an audit rule\n", loginuid); + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "auid %u added an audit rule\n", loginuid); break; case AUDIT_DEL: flags =((struct audit_rule *)data)->flags; @@ -296,7 +297,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, err = audit_del_rule(data, &audit_entlist); if (!err && (flags & AUDIT_AT_EXIT)) err = audit_del_rule(data, &audit_extlist); - audit_log(NULL, "auid %u removed an audit rule\n", loginuid); + audit_log(NULL, AUDIT_CONFIG_CHANGE, + "auid %u removed an audit rule\n", loginuid); break; default: return -EINVAL; @@ -648,7 +650,7 @@ static void audit_log_exit(struct audit_context *context) int i; struct audit_buffer *ab; - ab = audit_log_start(context, AUDIT_KERNEL, 0); + ab = audit_log_start(context, AUDIT_SYSCALL); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "syscall=%d", context->major); @@ -680,28 +682,28 @@ static void audit_log_exit(struct audit_context *context) while (context->aux) { struct audit_aux_data *aux; - ab = audit_log_start(context, AUDIT_KERNEL, 0); + aux = context->aux; + + ab = audit_log_start(context, aux->type); if (!ab) continue; /* audit_panic has been called */ - aux = context->aux; - context->aux = aux->next; - - audit_log_format(ab, "auxitem=%d", aux->type); switch (aux->type) { - case AUDIT_AUX_IPCPERM: { + case AUDIT_IPC: { struct audit_aux_data_ipcctl *axi = (void *)aux; audit_log_format(ab, - " qbytes=%lx uid=%d gid=%d mode=%x", + " qbytes=%lx iuid=%d igid=%d mode=%x", axi->qbytes, axi->uid, axi->gid, axi->mode); } } audit_log_end(ab); + + context->aux = aux->next; kfree(aux); } for (i = 0; i < context->name_count; i++) { - ab = audit_log_start(context, AUDIT_KERNEL, 0); + ab = audit_log_start(context, AUDIT_PATH); if (!ab) continue; /* audit_panic has been called */ audit_log_format(ab, "item=%d", i); @@ -711,7 +713,7 @@ static void audit_log_exit(struct audit_context *context) } if (context->names[i].ino != (unsigned long)-1) audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" - " uid=%d gid=%d rdev=%02x:%02x", + " ouid=%d ogid=%d rdev=%02x:%02x", context->names[i].ino, MAJOR(context->names[i].dev), MINOR(context->names[i].dev), @@ -1008,10 +1010,16 @@ int audit_get_stamp(struct audit_context *ctx, int audit_set_loginuid(struct task_struct *task, uid_t loginuid) { if (task->audit_context) { - audit_log_type(NULL, AUDIT_LOGIN, 0, - "login pid=%d uid=%u old loginuid=%u new loginuid=%u", - task->pid, task->uid, task->audit_context->loginuid, - loginuid); + struct audit_buffer *ab; + + ab = audit_log_start(NULL, AUDIT_LOGIN); + if (ab) { + audit_log_format(ab, "login pid=%d uid=%u " + "old loginuid=%u new loginuid=%u", + task->pid, task->uid, + task->audit_context->loginuid, loginuid); + audit_log_end(ab); + } task->audit_context->loginuid = loginuid; } return 0; @@ -1039,7 +1047,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) ax->gid = gid; ax->mode = mode; - ax->d.type = AUDIT_AUX_IPCPERM; + ax->d.type = AUDIT_IPC; ax->d.next = context->aux; context->aux = (void *)ax; return 0; diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 9e71a1bbe011..042f91e9f9d2 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -242,7 +242,7 @@ void __init avc_init(void) avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 0, SLAB_PANIC, NULL, NULL); - audit_log(current->audit_context, "AVC INITIALIZED\n"); + audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n"); } int avc_get_hash_stats(char *page) @@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } - ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); + ab = audit_log_start(current->audit_context, AUDIT_AVC); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aae1e794fe48..db845cbd5841 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); if (err) { if (err == -EINVAL) { - audit_log(current->audit_context, + audit_log(current->audit_context, AUDIT_SELINUX_ERR, "SELinux: unrecognized netlink message" " type=%hu for sclass=%hu\n", nlh->nlmsg_type, isec->sclass); diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index deac14367d43..67e77acc4795 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -98,6 +98,14 @@ static struct nlmsg_perm nlmsg_audit_perms[] = { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, + { AUDIT_USER_AUTH, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_ACCT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_MGMT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_CRED_ACQ, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_CRED_DISP, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_START, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_END, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_AVC, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, }; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 5a820cf88c9c..07fdf6ee6148 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, goto out; if (context_struct_to_string(tcontext, &t, &tlen) < 0) goto out; - audit_log(current->audit_context, + audit_log(current->audit_context, AUDIT_SELINUX_ERR, "security_validate_transition: denied for" " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", o, n, t, policydb.p_class_val_to_name[tclass-1]); @@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context( goto out; if (context_struct_to_string(newcontext, &n, &nlen) < 0) goto out; - audit_log(current->audit_context, + audit_log(current->audit_context, AUDIT_SELINUX_ERR, "security_compute_sid: invalid context %s" " for scontext=%s" " tcontext=%s" -- cgit v1.2.3 From 23f32d18aa589e228c5a9e12e0d0c67c9b5bcdce Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 13 May 2005 18:35:15 +0100 Subject: AUDIT: Fix some spelling errors I'm going through the kernel code and have a patch that corrects several spelling errors in comments. From: Steve Grubb Signed-off-by: David Woodhouse --- include/linux/audit.h | 2 +- kernel/audit.c | 4 ++-- kernel/auditsc.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 1a15ba38c660..51e5879af7fc 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -181,7 +181,7 @@ struct audit_message { struct audit_status { __u32 mask; /* Bit mask for valid entries */ - __u32 enabled; /* 1 = enabled, 0 = disbaled */ + __u32 enabled; /* 1 = enabled, 0 = disabled */ __u32 failure; /* Failure-to-log action */ __u32 pid; /* pid of auditd process */ __u32 rate_limit; /* messages rate limit (per second) */ diff --git a/kernel/audit.c b/kernel/audit.c index 4e940c05ede8..74779d3769fa 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -116,7 +116,7 @@ static LIST_HEAD(audit_entlist); static LIST_HEAD(audit_extlist); /* The netlink socket is only to be read by 1 CPU, which lets us assume - * that list additions and deletions never happen simultaneiously in + * that list additions and deletions never happen simultaneously in * auditsc.c */ static DECLARE_MUTEX(audit_netlink_sem); @@ -775,7 +775,7 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix, } } -/* Remove queued messages from the audit_txlist and send them to userspace. */ +/* Remove queued messages from the audit_txlist and send them to user space. */ static void audit_tasklet_handler(unsigned long arg) { LIST_HEAD(list); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1b7c91f9d5ff..773d28a3f701 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -444,7 +444,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk) /* At syscall entry and exit time, this filter is called if the * audit_state is not low enough that auditing cannot take place, but is - * also not high enough that we already know we have to write and audit + * also not high enough that we already know we have to write an audit * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). */ static enum audit_state audit_filter_syscall(struct task_struct *tsk, @@ -750,7 +750,7 @@ void audit_free(struct task_struct *tsk) /* Compute a serial number for the audit record. Audit records are * written to user-space as soon as they are generated, so a complete * audit record may be written in several pieces. The timestamp of the - * record and this serial number are used by the user-space daemon to + * record and this serial number are used by the user-space tools to * determine which pieces belong to the same audit record. The * (timestamp,serial) tuple is unique for each syscall and is live from * syscall entry to syscall exit. -- cgit v1.2.3 From 3ec3b2fba526ead2fa3f3d7c91924f39a0733749 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Tue, 17 May 2005 12:08:48 +0100 Subject: AUDIT: Capture sys_socketcall arguments and sockaddrs Signed-off-by: David Woodhouse --- include/linux/audit.h | 7 ++++- kernel/auditsc.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++-- net/socket.c | 9 +++++-- 3 files changed, 84 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 51e5879af7fc..2f5dc60f8bbd 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -69,8 +69,9 @@ #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ #define AUDIT_PATH 1302 /* Filname path information */ #define AUDIT_IPC 1303 /* IPC record */ -#define AUDIT_SOCKET 1304 /* Socket record */ +#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */ #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ +#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ @@ -235,6 +236,8 @@ extern int audit_get_stamp(struct audit_context *ctx, extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); +extern int audit_socketcall(int nargs, unsigned long *args); +extern int audit_sockaddr(int len, void *addr); extern void audit_signal_info(int sig, struct task_struct *t); #else #define audit_alloc(t) ({ 0; }) @@ -248,6 +251,8 @@ extern void audit_signal_info(int sig, struct task_struct *t); #define audit_get_stamp(c,t,s) ({ 0; }) #define audit_get_loginuid(c) ({ -1; }) #define audit_ipc_perms(q,u,g,m) ({ 0; }) +#define audit_socketcall(n,a) ({ 0; }) +#define audit_sockaddr(len, addr) ({ 0; }) #define audit_signal_info(s,t) do { ; } while (0) #endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 773d28a3f701..818778d5b6ad 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -34,7 +34,7 @@ #include #include #include - +#include #include #include #include @@ -112,6 +112,18 @@ struct audit_aux_data_ipcctl { mode_t mode; }; +struct audit_aux_data_socketcall { + struct audit_aux_data d; + int nargs; + unsigned long args[0]; +}; + +struct audit_aux_data_sockaddr { + struct audit_aux_data d; + int len; + char a[0]; +}; + /* The per-task audit context. */ struct audit_context { @@ -694,7 +706,22 @@ static void audit_log_exit(struct audit_context *context) audit_log_format(ab, " qbytes=%lx iuid=%d igid=%d mode=%x", axi->qbytes, axi->uid, axi->gid, axi->mode); - } + break; } + + case AUDIT_SOCKETCALL: { + int i; + struct audit_aux_data_socketcall *axs = (void *)aux; + audit_log_format(ab, "nargs=%d", axs->nargs); + for (i=0; inargs; i++) + audit_log_format(ab, " a%d=%lx", i, axs->args[i]); + break; } + + case AUDIT_SOCKADDR: { + struct audit_aux_data_sockaddr *axs = (void *)aux; + + audit_log_format(ab, "saddr="); + audit_log_hex(ab, axs->a, axs->len); + break; } } audit_log_end(ab); @@ -1053,6 +1080,48 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) return 0; } +int audit_socketcall(int nargs, unsigned long *args) +{ + struct audit_aux_data_socketcall *ax; + struct audit_context *context = current->audit_context; + + if (likely(!context)) + return 0; + + ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); + if (!ax) + return -ENOMEM; + + ax->nargs = nargs; + memcpy(ax->args, args, nargs * sizeof(unsigned long)); + + ax->d.type = AUDIT_SOCKETCALL; + ax->d.next = context->aux; + context->aux = (void *)ax; + return 0; +} + +int audit_sockaddr(int len, void *a) +{ + struct audit_aux_data_sockaddr *ax; + struct audit_context *context = current->audit_context; + + if (likely(!context)) + return 0; + + ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); + if (!ax) + return -ENOMEM; + + ax->len = len; + memcpy(ax->a, a, len); + + ax->d.type = AUDIT_SOCKADDR; + ax->d.next = context->aux; + context->aux = (void *)ax; + return 0; +} + void audit_signal_info(int sig, struct task_struct *t) { extern pid_t audit_sig_pid; diff --git a/net/socket.c b/net/socket.c index cec0cb38b9ce..6b7c3b51a7c1 100644 --- a/net/socket.c +++ b/net/socket.c @@ -81,6 +81,7 @@ #include #include #include +#include #ifdef CONFIG_NET_RADIO #include /* Note : will define WIRELESS_EXT */ @@ -226,7 +227,7 @@ int move_addr_to_kernel(void __user *uaddr, int ulen, void *kaddr) return 0; if(copy_from_user(kaddr,uaddr,ulen)) return -EFAULT; - return 0; + return audit_sockaddr(ulen, kaddr); } /** @@ -1906,7 +1907,11 @@ asmlinkage long sys_socketcall(int call, unsigned long __user *args) /* copy_from_user should be SMP safe. */ if (copy_from_user(a, args, nargs[call])) return -EFAULT; - + + err = audit_socketcall(nargs[call]/sizeof(unsigned long), args); + if (err) + return err; + a0=a[0]; a1=a[1]; -- cgit v1.2.3 From 209aba03243ee42a22f8df8d08aa9963f62aec64 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Wed, 18 May 2005 10:21:07 +0100 Subject: AUDIT: Treat all user messages identically. It's silly to have to add explicit entries for new userspace messages as we invent them. Just treat all messages in the user range the same. Signed-off-by: David Woodhouse --- include/linux/audit.h | 17 ++--------------- kernel/audit.c | 20 ++------------------ security/selinux/nlmsgtab.c | 17 +++++++---------- 3 files changed, 11 insertions(+), 43 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 2f5dc60f8bbd..17ea5d522d81 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -51,14 +51,8 @@ #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ -#define AUDIT_USER_AUTH 1100 /* User space authentication */ -#define AUDIT_USER_ACCT 1101 /* User space acct change */ -#define AUDIT_USER_MGMT 1102 /* User space acct management */ -#define AUDIT_CRED_ACQ 1103 /* User space credential acquired */ -#define AUDIT_CRED_DISP 1104 /* User space credential disposed */ -#define AUDIT_USER_START 1105 /* User space session start */ -#define AUDIT_USER_END 1106 /* User space session end */ -#define AUDIT_USER_AVC 1107 /* User space avc message */ +#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages uninteresting to kernel */ +#define AUDIT_LAST_USER_MSG 1199 #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ @@ -173,13 +167,6 @@ #define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE) #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) -#ifndef __KERNEL__ -struct audit_message { - struct nlmsghdr nlh; - char data[1200]; -}; -#endif - struct audit_status { __u32 mask; /* Bit mask for valid entries */ __u32 enabled; /* 1 = enabled, 0 = disabled */ diff --git a/kernel/audit.c b/kernel/audit.c index a0e33b6897d7..e6d88635032c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -325,15 +325,7 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type) if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) err = -EPERM; break; - case AUDIT_USER: - case AUDIT_USER_AUTH: - case AUDIT_USER_ACCT: - case AUDIT_USER_MGMT: - case AUDIT_CRED_ACQ: - case AUDIT_CRED_DISP: - case AUDIT_USER_START: - case AUDIT_USER_END: - case AUDIT_USER_AVC: + case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) err = -EPERM; break; @@ -402,15 +394,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_set_backlog_limit(status_get->backlog_limit, loginuid); break; - case AUDIT_USER: - case AUDIT_USER_AUTH: - case AUDIT_USER_ACCT: - case AUDIT_USER_MGMT: - case AUDIT_CRED_ACQ: - case AUDIT_CRED_DISP: - case AUDIT_USER_START: - case AUDIT_USER_END: - case AUDIT_USER_AVC: + case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: ab = audit_log_start(NULL, msg_type); if (!ab) break; /* audit_panic has been called */ diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 67e77acc4795..f0fb6d76f7c5 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -98,14 +98,6 @@ static struct nlmsg_perm nlmsg_audit_perms[] = { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, - { AUDIT_USER_AUTH, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_ACCT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_MGMT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_CRED_ACQ, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_CRED_DISP, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_START, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_END, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_AVC, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, }; @@ -150,8 +142,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) break; case SECCLASS_NETLINK_AUDIT_SOCKET: - err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, - sizeof(nlmsg_audit_perms)); + if (nlmsg_type >= AUDIT_FIRST_USER_MSG && + nlmsg_type <= AUDIT_LAST_USER_MSG) { + *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; + } else { + err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, + sizeof(nlmsg_audit_perms)); + } break; /* No messaging from userspace, or class unknown/unhandled */ -- cgit v1.2.3 From 011161051bbc25f7f8b7df059dbd934c534443f0 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Sat, 21 May 2005 00:15:52 +0100 Subject: AUDIT: Avoid sleeping function in SElinux AVC audit. This patch changes the SELinux AVC to defer logging of paths to the audit framework upon syscall exit, by saving a reference to the (dentry,vfsmount) pair in an auxiliary audit item on the current audit context for processing by audit_log_exit. Signed-off-by: Stephen Smalley Signed-off-by: David Woodhouse --- include/linux/audit.h | 3 +++ kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 17 ++++++++--------- 3 files changed, 51 insertions(+), 9 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 17ea5d522d81..4b7caf0c6e10 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -69,6 +69,7 @@ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ +#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ @@ -225,6 +226,7 @@ extern uid_t audit_get_loginuid(struct audit_context *ctx); extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); extern int audit_socketcall(int nargs, unsigned long *args); extern int audit_sockaddr(int len, void *addr); +extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); extern void audit_signal_info(int sig, struct task_struct *t); #else #define audit_alloc(t) ({ 0; }) @@ -240,6 +242,7 @@ extern void audit_signal_info(int sig, struct task_struct *t); #define audit_ipc_perms(q,u,g,m) ({ 0; }) #define audit_socketcall(n,a) ({ 0; }) #define audit_sockaddr(len, addr) ({ 0; }) +#define audit_avc_path(dentry, mnt) ({ 0; }) #define audit_signal_info(s,t) do { ; } while (0) #endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 78d7a13fc86f..8dc5b2767145 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -124,6 +125,11 @@ struct audit_aux_data_sockaddr { char a[0]; }; +struct audit_aux_data_path { + struct audit_aux_data d; + struct dentry *dentry; + struct vfsmount *mnt; +}; /* The per-task audit context. */ struct audit_context { @@ -553,6 +559,11 @@ static inline void audit_free_aux(struct audit_context *context) struct audit_aux_data *aux; while ((aux = context->aux)) { + if (aux->type == AUDIT_AVC_PATH) { + struct audit_aux_data_path *axi = (void *)aux; + dput(axi->dentry); + mntput(axi->mnt); + } context->aux = aux->next; kfree(aux); } @@ -724,6 +735,14 @@ static void audit_log_exit(struct audit_context *context) audit_log_format(ab, "saddr="); audit_log_hex(ab, axs->a, axs->len); break; } + + case AUDIT_AVC_PATH: { + struct audit_aux_data_path *axi = (void *)aux; + audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); + dput(axi->dentry); + mntput(axi->mnt); + break; } + } audit_log_end(ab); @@ -1124,6 +1143,27 @@ int audit_sockaddr(int len, void *a) return 0; } +int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) +{ + struct audit_aux_data_path *ax; + struct audit_context *context = current->audit_context; + + if (likely(!context)) + return 0; + + ax = kmalloc(sizeof(*ax), GFP_ATOMIC); + if (!ax) + return -ENOMEM; + + ax->dentry = dget(dentry); + ax->mnt = mntget(mnt); + + ax->d.type = AUDIT_AVC_PATH; + ax->d.next = context->aux; + context->aux = (void *)ax; + return 0; +} + void audit_signal_info(int sig, struct task_struct *t) { extern pid_t audit_sig_pid; diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 62b963aca275..0fbc3e98c5ea 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -573,13 +573,10 @@ void avc_audit(u32 ssid, u32 tsid, case AVC_AUDIT_DATA_FS: if (a->u.fs.dentry) { struct dentry *dentry = a->u.fs.dentry; - if (a->u.fs.mnt) { - audit_log_d_path(ab, "path=", dentry, - a->u.fs.mnt); - } else { - audit_log_format(ab, " name=%s", - dentry->d_name.name); - } + if (a->u.fs.mnt) + audit_avc_path(dentry, a->u.fs.mnt); + audit_log_format(ab, " name=%s", + dentry->d_name.name); inode = dentry->d_inode; } else if (a->u.fs.inode) { struct dentry *dentry; @@ -630,8 +627,10 @@ void avc_audit(u32 ssid, u32 tsid, case AF_UNIX: u = unix_sk(sk); if (u->dentry) { - audit_log_d_path(ab, "path=", - u->dentry, u->mnt); + audit_avc_path(u->dentry, u->mnt); + audit_log_format(ab, " name=%s", + u->dentry->d_name.name); + break; } if (!u->addr) -- cgit v1.2.3 From bfb4496e7239c9132d732a65cdcf3d6a7431ad1a Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Sat, 21 May 2005 21:08:09 +0100 Subject: AUDIT: Assign serial number to non-syscall messages Move audit_serial() into audit.c and use it to generate serial numbers on messages even when there is no audit context from syscall auditing. This allows us to disambiguate audit records when more than one is generated in the same millisecond. Based on a patch by Steve Grubb after he observed the problem. Signed-off-by: David Woodhouse --- include/linux/audit.h | 7 ++++--- kernel/audit.c | 46 ++++++++++++++++++++++++++++++++++++++++++---- kernel/auditsc.c | 46 ++++++---------------------------------------- 3 files changed, 52 insertions(+), 47 deletions(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 4b7caf0c6e10..3278ddf41ce6 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -219,8 +219,9 @@ extern void audit_inode(const char *name, const struct inode *inode); /* Private API (for audit.c only) */ extern int audit_receive_filter(int type, int pid, int uid, int seq, void *data, uid_t loginuid); -extern int audit_get_stamp(struct audit_context *ctx, - struct timespec *t, unsigned int *serial); +extern unsigned int audit_serial(void); +extern void auditsc_get_stamp(struct audit_context *ctx, + struct timespec *t, unsigned int *serial); extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); @@ -237,7 +238,7 @@ extern void audit_signal_info(int sig, struct task_struct *t); #define audit_putname(n) do { ; } while (0) #define audit_inode(n,i) do { ; } while (0) #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) -#define audit_get_stamp(c,t,s) ({ 0; }) +#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_ipc_perms(q,u,g,m) ({ 0; }) #define audit_socketcall(n,a) ({ 0; }) diff --git a/kernel/audit.c b/kernel/audit.c index f0a003acf621..35306f4369e7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -597,6 +597,47 @@ err: return NULL; } +/* Compute a serial number for the audit record. Audit records are + * written to user-space as soon as they are generated, so a complete + * audit record may be written in several pieces. The timestamp of the + * record and this serial number are used by the user-space tools to + * determine which pieces belong to the same audit record. The + * (timestamp,serial) tuple is unique for each syscall and is live from + * syscall entry to syscall exit. + * + * Atomic values are only guaranteed to be 24-bit, so we count down. + * + * NOTE: Another possibility is to store the formatted records off the + * audit context (for those records that have a context), and emit them + * all at syscall exit. However, this could delay the reporting of + * significant errors until syscall exit (or never, if the system + * halts). */ +unsigned int audit_serial(void) +{ + static atomic_t serial = ATOMIC_INIT(0xffffff); + unsigned int a, b; + + do { + a = atomic_read(&serial); + if (atomic_dec_and_test(&serial)) + atomic_set(&serial, 0xffffff); + b = atomic_read(&serial); + } while (b != a - 1); + + return 0xffffff - b; +} + +static inline void audit_get_stamp(struct audit_context *ctx, + struct timespec *t, unsigned int *serial) +{ + if (ctx) + auditsc_get_stamp(ctx, t, serial); + else { + *t = CURRENT_TIME; + *serial = audit_serial(); + } +} + /* Obtain an audit buffer. This routine does locking to obtain the * audit buffer, but then no locking is required for calls to * audit_log_*format. If the tsk is a task that is currently in a @@ -630,10 +671,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) return NULL; } - if (!audit_get_stamp(ab->ctx, &t, &serial)) { - t = CURRENT_TIME; - serial = 0; - } + audit_get_stamp(ab->ctx, &t, &serial); audit_log_format(ab, "audit(%lu.%03lu:%u): ", t.tv_sec, t.tv_nsec/1000000, serial); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4193811d4fe1..74c2ae804ca8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -795,36 +795,6 @@ void audit_free(struct task_struct *tsk) audit_free_context(context); } -/* Compute a serial number for the audit record. Audit records are - * written to user-space as soon as they are generated, so a complete - * audit record may be written in several pieces. The timestamp of the - * record and this serial number are used by the user-space tools to - * determine which pieces belong to the same audit record. The - * (timestamp,serial) tuple is unique for each syscall and is live from - * syscall entry to syscall exit. - * - * Atomic values are only guaranteed to be 24-bit, so we count down. - * - * NOTE: Another possibility is to store the formatted records off the - * audit context (for those records that have a context), and emit them - * all at syscall exit. However, this could delay the reporting of - * significant errors until syscall exit (or never, if the system - * halts). */ -static inline unsigned int audit_serial(void) -{ - static atomic_t serial = ATOMIC_INIT(0xffffff); - unsigned int a, b; - - do { - a = atomic_read(&serial); - if (atomic_dec_and_test(&serial)) - atomic_set(&serial, 0xffffff); - b = atomic_read(&serial); - } while (b != a - 1); - - return 0xffffff - b; -} - /* Fill in audit context at syscall entry. This only happens if the * audit context was created when the task was created and the state or * filters demand the audit context be built. If the state from the @@ -1042,17 +1012,13 @@ void audit_inode(const char *name, const struct inode *inode) context->names[idx].rdev = inode->i_rdev; } -int audit_get_stamp(struct audit_context *ctx, - struct timespec *t, unsigned int *serial) +void auditsc_get_stamp(struct audit_context *ctx, + struct timespec *t, unsigned int *serial) { - if (ctx) { - t->tv_sec = ctx->ctime.tv_sec; - t->tv_nsec = ctx->ctime.tv_nsec; - *serial = ctx->serial; - ctx->auditable = 1; - return 1; - } - return 0; + t->tv_sec = ctx->ctime.tv_sec; + t->tv_nsec = ctx->ctime.tv_nsec; + *serial = ctx->serial; + ctx->auditable = 1; } int audit_set_loginuid(struct task_struct *task, uid_t loginuid) -- cgit v1.2.3 From 8f37d47c9bf74cb48692691086b482e315d07f40 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Fri, 27 May 2005 12:17:28 +0100 Subject: AUDIT: Record working directory when syscall arguments are pathnames Signed-off-by: David Woodhouse --- include/linux/audit.h | 3 ++- kernel/auditsc.c | 23 +++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/audit.h b/include/linux/audit.h index 3278ddf41ce6..bf2ad3ba72eb 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -61,11 +61,12 @@ #define AUDIT_SYSCALL 1300 /* Syscall event */ #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ -#define AUDIT_PATH 1302 /* Filname path information */ +#define AUDIT_PATH 1302 /* Filename path information */ #define AUDIT_IPC 1303 /* IPC record */ #define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */ #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ +#define AUDIT_CWD 1307 /* Current working directory */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 7556c479d5af..e75f84e1a1a0 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -145,6 +145,8 @@ struct audit_context { int auditable; /* 1 if record should be written */ int name_count; struct audit_names names[AUDIT_NAMES]; + struct dentry * pwd; + struct vfsmount * pwdmnt; struct audit_context *previous; /* For nested syscalls */ struct audit_aux_data *aux; @@ -552,6 +554,12 @@ static inline void audit_free_names(struct audit_context *context) if (context->names[i].name) __putname(context->names[i].name); context->name_count = 0; + if (context->pwd) + dput(context->pwd); + if (context->pwdmnt) + mntput(context->pwdmnt); + context->pwd = NULL; + context->pwdmnt = NULL; } static inline void audit_free_aux(struct audit_context *context) @@ -745,10 +753,18 @@ static void audit_log_exit(struct audit_context *context) audit_log_end(ab); } + if (context->pwd && context->pwdmnt) { + ab = audit_log_start(context, AUDIT_CWD); + if (ab) { + audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); + audit_log_end(ab); + } + } for (i = 0; i < context->name_count; i++) { ab = audit_log_start(context, AUDIT_PATH); if (!ab) continue; /* audit_panic has been called */ + audit_log_format(ab, "item=%d", i); if (context->names[i].name) { audit_log_format(ab, " name="); @@ -929,6 +945,13 @@ void audit_getname(const char *name) context->names[context->name_count].name = name; context->names[context->name_count].ino = (unsigned long)-1; ++context->name_count; + if (!context->pwd) { + read_lock(¤t->fs->lock); + context->pwd = dget(current->fs->pwd); + context->pwdmnt = mntget(current->fs->pwdmnt); + read_unlock(¤t->fs->lock); + } + } /* Intercept a putname request. Called from -- cgit v1.2.3