2005-04-29 19:23:29 +04:00
/* auditsc.c -- System-call auditing support
2005-04-17 02:20:36 +04:00
* Handles all system - call specific auditing features .
*
* Copyright 2003 - 2004 Red Hat Inc . , Durham , North Carolina .
2005-11-03 19:00:25 +03:00
* Copyright 2005 Hewlett - Packard Development Company , L . P .
2006-05-25 01:09:55 +04:00
* Copyright ( C ) 2005 , 2006 IBM Corporation
2005-04-17 02:20:36 +04:00
* All Rights Reserved .
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 59 Temple Place , Suite 330 , Boston , MA 02111 - 1307 USA
*
* Written by Rickard E . ( Rik ) Faith < faith @ redhat . com >
*
* Many of the ideas implemented here are from Stephen C . Tweedie ,
* especially the idea of avoiding a copy by using getname .
*
* The method for actual interception of syscall entry and exit ( not in
* this file - - see entry . S ) is based on a GPL ' d patch written by
* okir @ suse . de and Copyright 2003 SuSE Linux AG .
*
2006-05-25 01:09:55 +04:00
* POSIX message queue support added by George Wilson < ltcgcw @ us . ibm . com > ,
* 2006.
*
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-11-03 18:41:46 +03:00
* The support of additional filter rules compares ( > , < , > = , < = ) was
* added by Dustin Kirkland < dustin . kirkland @ us . ibm . com > , 2005.
*
2005-11-03 19:00:25 +03:00
* Modified by Amy Griffis < amy . griffis @ hp . com > to collect additional
* filesystem information .
2005-11-03 20:15:16 +03:00
*
* Subject and object context labeling support added by < danjones @ us . ibm . com >
* and < dustin . kirkland @ us . ibm . com > for LSPP certification compliance .
2005-04-17 02:20:36 +04:00
*/
2014-01-28 02:38:42 +04:00
# define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2005-04-17 02:20:36 +04:00
# include <linux/init.h>
# include <asm/types.h>
2011-07-27 03:09:06 +04:00
# include <linux/atomic.h>
2005-11-03 19:00:25 +03:00
# include <linux/fs.h>
# include <linux/namei.h>
2005-04-17 02:20:36 +04:00
# include <linux/mm.h>
2011-05-23 22:51:41 +04:00
# include <linux/export.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
# include <linux/slab.h>
2005-05-21 03:15:52 +04:00
# include <linux/mount.h>
2005-05-17 15:08:48 +04:00
# include <linux/socket.h>
2006-05-25 01:09:55 +04:00
# include <linux/mqueue.h>
2005-04-17 02:20:36 +04:00
# include <linux/audit.h>
# include <linux/personality.h>
# include <linux/time.h>
2005-06-24 17:14:05 +04:00
# include <linux/netlink.h>
2005-07-14 01:47:07 +04:00
# include <linux/compiler.h>
2005-04-17 02:20:36 +04:00
# include <asm/unistd.h>
2005-11-03 20:15:16 +03:00
# include <linux/security.h>
2005-12-15 21:33:52 +03:00
# include <linux/list.h>
2006-04-26 22:04:08 +04:00
# include <linux/binfmts.h>
2006-10-20 00:08:53 +04:00
# include <linux/highmem.h>
2006-05-06 16:22:52 +04:00
# include <linux/syscalls.h>
2014-01-30 01:17:58 +04:00
# include <asm/syscall.h>
2008-11-11 13:48:14 +03:00
# include <linux/capability.h>
2009-03-30 03:50:06 +04:00
# include <linux/fs_struct.h>
2012-04-13 01:47:58 +04:00
# include <linux/compat.h>
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
# include <linux/ctype.h>
2014-12-30 17:26:21 +03:00
# include <linux/string.h>
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
# include <linux/uaccess.h>
2017-03-14 14:31:02 +03:00
# include <linux/fsnotify_backend.h>
2014-12-30 17:26:21 +03:00
# include <uapi/linux/limits.h>
2005-04-17 02:20:36 +04:00
2005-12-15 21:33:52 +03:00
# include "audit.h"
2005-04-17 02:20:36 +04:00
2012-01-03 23:23:06 +04:00
/* flags stating the success for a syscall */
# define AUDITSC_INVALID 0
# define AUDITSC_SUCCESS 1
# define AUDITSC_FAILURE 2
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* no execve audit message should be longer than this (userspace limits),
* see the note near the top of audit_log_execve_info ( ) about this value */
2008-01-07 22:31:58 +03:00
# define MAX_EXECVE_AUDIT_LEN 7500
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
/* max length to print of cmdline/proctitle value during audit */
# define MAX_PROCTITLE_AUDIT_LEN 128
2006-07-10 16:29:24 +04:00
/* number of audit rules */
int audit_n_rules ;
2007-03-30 02:01:04 +04:00
/* determines whether we collect data for signals sent */
int audit_signals ;
2005-04-17 02:20:36 +04:00
struct audit_aux_data {
struct audit_aux_data * next ;
int type ;
} ;
# define AUDIT_AUX_IPCPERM 0
2007-03-30 02:01:04 +04:00
/* Number of target pids per aux struct. */
# define AUDIT_AUX_PIDS 16
struct audit_aux_data_pids {
struct audit_aux_data d ;
pid_t target_pid [ AUDIT_AUX_PIDS ] ;
2012-09-11 09:39:43 +04:00
kuid_t target_auid [ AUDIT_AUX_PIDS ] ;
2012-02-08 04:53:48 +04:00
kuid_t target_uid [ AUDIT_AUX_PIDS ] ;
2008-01-08 18:06:53 +03:00
unsigned int target_sessionid [ AUDIT_AUX_PIDS ] ;
2007-03-30 02:01:04 +04:00
u32 target_sid [ AUDIT_AUX_PIDS ] ;
2008-01-07 21:40:17 +03:00
char target_comm [ AUDIT_AUX_PIDS ] [ TASK_COMM_LEN ] ;
2007-03-30 02:01:04 +04:00
int pid_count ;
} ;
2008-11-11 13:48:18 +03:00
struct audit_aux_data_bprm_fcaps {
struct audit_aux_data d ;
struct audit_cap_data fcap ;
unsigned int fcap_ver ;
struct audit_cap_data old_pcap ;
struct audit_cap_data new_pcap ;
} ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
struct audit_tree_refs {
struct audit_tree_refs * next ;
struct audit_chunk * c [ 31 ] ;
} ;
2006-09-01 03:26:40 +04:00
static int audit_match_perm ( struct audit_context * ctx , int mask )
{
2008-08-18 20:45:51 +04:00
unsigned n ;
2008-08-02 06:56:37 +04:00
if ( unlikely ( ! ctx ) )
return 0 ;
2008-08-18 20:45:51 +04:00
n = ctx - > major ;
2008-10-13 13:40:53 +04:00
2006-09-01 03:26:40 +04:00
switch ( audit_classify_syscall ( ctx - > arch , n ) ) {
case 0 : /* native */
if ( ( mask & AUDIT_PERM_WRITE ) & &
audit_match_class ( AUDIT_CLASS_WRITE , n ) )
return 1 ;
if ( ( mask & AUDIT_PERM_READ ) & &
audit_match_class ( AUDIT_CLASS_READ , n ) )
return 1 ;
if ( ( mask & AUDIT_PERM_ATTR ) & &
audit_match_class ( AUDIT_CLASS_CHATTR , n ) )
return 1 ;
return 0 ;
case 1 : /* 32bit on biarch */
if ( ( mask & AUDIT_PERM_WRITE ) & &
audit_match_class ( AUDIT_CLASS_WRITE_32 , n ) )
return 1 ;
if ( ( mask & AUDIT_PERM_READ ) & &
audit_match_class ( AUDIT_CLASS_READ_32 , n ) )
return 1 ;
if ( ( mask & AUDIT_PERM_ATTR ) & &
audit_match_class ( AUDIT_CLASS_CHATTR_32 , n ) )
return 1 ;
return 0 ;
case 2 : /* open */
return mask & ACC_MODE ( ctx - > argv [ 1 ] ) ;
case 3 : /* openat */
return mask & ACC_MODE ( ctx - > argv [ 2 ] ) ;
case 4 : /* socketcall */
return ( ( mask & AUDIT_PERM_WRITE ) & & ctx - > argv [ 0 ] = = SYS_BIND ) ;
case 5 : /* execve */
return mask & AUDIT_PERM_EXEC ;
default :
return 0 ;
}
}
2012-01-03 23:23:05 +04:00
static int audit_match_filetype ( struct audit_context * ctx , int val )
2008-04-28 12:15:49 +04:00
{
2012-01-03 23:23:05 +04:00
struct audit_names * n ;
2012-01-03 23:23:05 +04:00
umode_t mode = ( umode_t ) val ;
2008-08-02 06:56:37 +04:00
if ( unlikely ( ! ctx ) )
return 0 ;
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & ctx - > names_list , list ) {
2015-08-06 06:48:20 +03:00
if ( ( n - > ino ! = AUDIT_INO_UNSET ) & &
2012-01-03 23:23:05 +04:00
( ( n - > mode & S_IFMT ) = = mode ) )
2012-01-03 23:23:05 +04:00
return 1 ;
}
2012-01-03 23:23:05 +04:00
2012-01-03 23:23:05 +04:00
return 0 ;
2008-04-28 12:15:49 +04:00
}
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
/*
* We keep a linked list of fixed - sized ( 31 pointer ) arrays of audit_chunk * ;
* - > first_trees points to its beginning , - > trees - to the current end of data .
* - > tree_count is the number of free entries in array pointed to by - > trees .
* Original condition is ( NULL , NULL , 0 ) ; as soon as it grows we never revert to NULL ,
* " empty " becomes ( p , p , 31 ) afterwards . We don ' t shrink the list ( and seriously ,
* it ' s going to remain 1 - element for almost any setup ) until we free context itself .
* References in it _are_ dropped - at the same time we free / drop aux stuff .
*/
2009-01-27 02:09:45 +03:00
static void audit_set_auditable ( struct audit_context * ctx )
{
if ( ! ctx - > prio ) {
ctx - > prio = 1 ;
ctx - > current_state = AUDIT_RECORD_CONTEXT ;
}
}
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
static int put_tree_ref ( struct audit_context * ctx , struct audit_chunk * chunk )
{
struct audit_tree_refs * p = ctx - > trees ;
int left = ctx - > tree_count ;
if ( likely ( left ) ) {
p - > c [ - - left ] = chunk ;
ctx - > tree_count = left ;
return 1 ;
}
if ( ! p )
return 0 ;
p = p - > next ;
if ( p ) {
p - > c [ 30 ] = chunk ;
ctx - > trees = p ;
ctx - > tree_count = 30 ;
return 1 ;
}
return 0 ;
}
static int grow_tree_refs ( struct audit_context * ctx )
{
struct audit_tree_refs * p = ctx - > trees ;
ctx - > trees = kzalloc ( sizeof ( struct audit_tree_refs ) , GFP_KERNEL ) ;
if ( ! ctx - > trees ) {
ctx - > trees = p ;
return 0 ;
}
if ( p )
p - > next = ctx - > trees ;
else
ctx - > first_trees = ctx - > trees ;
ctx - > tree_count = 31 ;
return 1 ;
}
static void unroll_tree_refs ( struct audit_context * ctx ,
struct audit_tree_refs * p , int count )
{
struct audit_tree_refs * q ;
int n ;
if ( ! p ) {
/* we started with empty chain */
p = ctx - > first_trees ;
count = 31 ;
/* if the very first allocation has failed, nothing to do */
if ( ! p )
return ;
}
n = count ;
for ( q = p ; q ! = ctx - > trees ; q = q - > next , n = 31 ) {
while ( n - - ) {
audit_put_chunk ( q - > c [ n ] ) ;
q - > c [ n ] = NULL ;
}
}
while ( n - - > ctx - > tree_count ) {
audit_put_chunk ( q - > c [ n ] ) ;
q - > c [ n ] = NULL ;
}
ctx - > trees = p ;
ctx - > tree_count = count ;
}
static void free_tree_refs ( struct audit_context * ctx )
{
struct audit_tree_refs * p , * q ;
for ( p = ctx - > first_trees ; p ; p = q ) {
q = p - > next ;
kfree ( p ) ;
}
}
static int match_tree_refs ( struct audit_context * ctx , struct audit_tree * tree )
{
struct audit_tree_refs * p ;
int n ;
if ( ! tree )
return 0 ;
/* full ones */
for ( p = ctx - > first_trees ; p ! = ctx - > trees ; p = p - > next ) {
for ( n = 0 ; n < 31 ; n + + )
if ( audit_tree_match ( p - > c [ n ] , tree ) )
return 1 ;
}
/* partial */
if ( p ) {
for ( n = ctx - > tree_count ; n < 31 ; n + + )
if ( audit_tree_match ( p - > c [ n ] , tree ) )
return 1 ;
}
return 0 ;
}
2012-09-11 13:18:08 +04:00
static int audit_compare_uid ( kuid_t uid ,
struct audit_names * name ,
struct audit_field * f ,
struct audit_context * ctx )
2012-01-03 23:23:08 +04:00
{
struct audit_names * n ;
int rc ;
2012-09-11 13:18:08 +04:00
2012-01-03 23:23:08 +04:00
if ( name ) {
2012-09-11 13:18:08 +04:00
rc = audit_uid_comparator ( uid , f - > op , name - > uid ) ;
2012-01-03 23:23:08 +04:00
if ( rc )
return rc ;
}
2012-09-11 13:18:08 +04:00
2012-01-03 23:23:08 +04:00
if ( ctx ) {
list_for_each_entry ( n , & ctx - > names_list , list ) {
2012-09-11 13:18:08 +04:00
rc = audit_uid_comparator ( uid , f - > op , n - > uid ) ;
if ( rc )
return rc ;
}
}
return 0 ;
}
2012-01-03 23:23:08 +04:00
2012-09-11 13:18:08 +04:00
static int audit_compare_gid ( kgid_t gid ,
struct audit_names * name ,
struct audit_field * f ,
struct audit_context * ctx )
{
struct audit_names * n ;
int rc ;
if ( name ) {
rc = audit_gid_comparator ( gid , f - > op , name - > gid ) ;
if ( rc )
return rc ;
}
if ( ctx ) {
list_for_each_entry ( n , & ctx - > names_list , list ) {
rc = audit_gid_comparator ( gid , f - > op , n - > gid ) ;
2012-01-03 23:23:08 +04:00
if ( rc )
return rc ;
}
}
return 0 ;
}
2012-01-03 23:23:08 +04:00
static int audit_field_compare ( struct task_struct * tsk ,
const struct cred * cred ,
struct audit_field * f ,
struct audit_context * ctx ,
struct audit_names * name )
{
switch ( f - > val ) {
2011-12-14 04:17:51 +04:00
/* process to file object comparisons */
2012-01-03 23:23:08 +04:00
case AUDIT_COMPARE_UID_TO_OBJ_UID :
2012-09-11 13:18:08 +04:00
return audit_compare_uid ( cred - > uid , name , f , ctx ) ;
2012-01-03 23:23:08 +04:00
case AUDIT_COMPARE_GID_TO_OBJ_GID :
2012-09-11 13:18:08 +04:00
return audit_compare_gid ( cred - > gid , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_EUID_TO_OBJ_UID :
2012-09-11 13:18:08 +04:00
return audit_compare_uid ( cred - > euid , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_EGID_TO_OBJ_GID :
2012-09-11 13:18:08 +04:00
return audit_compare_gid ( cred - > egid , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_AUID_TO_OBJ_UID :
2018-05-16 14:55:46 +03:00
return audit_compare_uid ( audit_get_loginuid ( tsk ) , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_SUID_TO_OBJ_UID :
2012-09-11 13:18:08 +04:00
return audit_compare_uid ( cred - > suid , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_SGID_TO_OBJ_GID :
2012-09-11 13:18:08 +04:00
return audit_compare_gid ( cred - > sgid , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_FSUID_TO_OBJ_UID :
2012-09-11 13:18:08 +04:00
return audit_compare_uid ( cred - > fsuid , name , f , ctx ) ;
2011-12-14 04:17:51 +04:00
case AUDIT_COMPARE_FSGID_TO_OBJ_GID :
2012-09-11 13:18:08 +04:00
return audit_compare_gid ( cred - > fsgid , name , f , ctx ) ;
2012-01-05 00:24:31 +04:00
/* uid comparisons */
case AUDIT_COMPARE_UID_TO_AUID :
2018-05-16 14:55:46 +03:00
return audit_uid_comparator ( cred - > uid , f - > op ,
audit_get_loginuid ( tsk ) ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_UID_TO_EUID :
2012-09-11 13:18:08 +04:00
return audit_uid_comparator ( cred - > uid , f - > op , cred - > euid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_UID_TO_SUID :
2012-09-11 13:18:08 +04:00
return audit_uid_comparator ( cred - > uid , f - > op , cred - > suid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_UID_TO_FSUID :
2012-09-11 13:18:08 +04:00
return audit_uid_comparator ( cred - > uid , f - > op , cred - > fsuid ) ;
2012-01-05 00:24:31 +04:00
/* auid comparisons */
case AUDIT_COMPARE_AUID_TO_EUID :
2018-05-16 14:55:46 +03:00
return audit_uid_comparator ( audit_get_loginuid ( tsk ) , f - > op ,
cred - > euid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_AUID_TO_SUID :
2018-05-16 14:55:46 +03:00
return audit_uid_comparator ( audit_get_loginuid ( tsk ) , f - > op ,
cred - > suid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_AUID_TO_FSUID :
2018-05-16 14:55:46 +03:00
return audit_uid_comparator ( audit_get_loginuid ( tsk ) , f - > op ,
cred - > fsuid ) ;
2012-01-05 00:24:31 +04:00
/* euid comparisons */
case AUDIT_COMPARE_EUID_TO_SUID :
2012-09-11 13:18:08 +04:00
return audit_uid_comparator ( cred - > euid , f - > op , cred - > suid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_EUID_TO_FSUID :
2012-09-11 13:18:08 +04:00
return audit_uid_comparator ( cred - > euid , f - > op , cred - > fsuid ) ;
2012-01-05 00:24:31 +04:00
/* suid comparisons */
case AUDIT_COMPARE_SUID_TO_FSUID :
2012-09-11 13:18:08 +04:00
return audit_uid_comparator ( cred - > suid , f - > op , cred - > fsuid ) ;
2012-01-05 00:24:31 +04:00
/* gid comparisons */
case AUDIT_COMPARE_GID_TO_EGID :
2012-09-11 13:18:08 +04:00
return audit_gid_comparator ( cred - > gid , f - > op , cred - > egid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_GID_TO_SGID :
2012-09-11 13:18:08 +04:00
return audit_gid_comparator ( cred - > gid , f - > op , cred - > sgid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_GID_TO_FSGID :
2012-09-11 13:18:08 +04:00
return audit_gid_comparator ( cred - > gid , f - > op , cred - > fsgid ) ;
2012-01-05 00:24:31 +04:00
/* egid comparisons */
case AUDIT_COMPARE_EGID_TO_SGID :
2012-09-11 13:18:08 +04:00
return audit_gid_comparator ( cred - > egid , f - > op , cred - > sgid ) ;
2012-01-05 00:24:31 +04:00
case AUDIT_COMPARE_EGID_TO_FSGID :
2012-09-11 13:18:08 +04:00
return audit_gid_comparator ( cred - > egid , f - > op , cred - > fsgid ) ;
2012-01-05 00:24:31 +04:00
/* sgid comparison */
case AUDIT_COMPARE_SGID_TO_FSGID :
2012-09-11 13:18:08 +04:00
return audit_gid_comparator ( cred - > sgid , f - > op , cred - > fsgid ) ;
2012-01-03 23:23:08 +04:00
default :
WARN ( 1 , " Missing AUDIT_COMPARE define. Report as a bug \n " ) ;
return 0 ;
}
return 0 ;
}
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
/* Determine if any context name data matches a rule's watch data */
2005-04-17 02:20:36 +04:00
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
2011-04-27 17:10:49 +04:00
* otherwise .
*
* If task_creation is true , this is an explicit indication that we are
* filtering a task rule at task creation time . This and tsk = = current are
* the only situations where tsk - > cred may be accessed without an rcu read lock .
*/
2005-04-17 02:20:36 +04:00
static int audit_filter_rules ( struct task_struct * tsk ,
2006-02-07 20:05:27 +03:00
struct audit_krule * rule ,
2005-04-17 02:20:36 +04:00
struct audit_context * ctx ,
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
struct audit_names * name ,
2011-04-27 17:10:49 +04:00
enum audit_state * state ,
bool task_creation )
2005-04-17 02:20:36 +04:00
{
2011-04-27 17:10:49 +04:00
const struct cred * cred ;
2012-01-03 23:23:05 +04:00
int i , need_sid = 1 ;
2006-03-11 03:14:06 +03:00
u32 sid ;
2016-11-21 00:47:55 +03:00
unsigned int sessionid ;
2006-03-11 03:14:06 +03:00
2011-04-27 17:10:49 +04:00
cred = rcu_dereference_check ( tsk - > cred , tsk = = current | | task_creation ) ;
2005-04-17 02:20:36 +04:00
for ( i = 0 ; i < rule - > field_count ; i + + ) {
2006-02-07 20:05:27 +03:00
struct audit_field * f = & rule - > fields [ i ] ;
2012-01-03 23:23:05 +04:00
struct audit_names * n ;
2005-04-17 02:20:36 +04:00
int result = 0 ;
2013-12-11 22:52:26 +04:00
pid_t pid ;
2005-04-17 02:20:36 +04:00
2006-02-07 20:05:27 +03:00
switch ( f - > type ) {
2005-04-17 02:20:36 +04:00
case AUDIT_PID :
2016-08-31 00:19:13 +03:00
pid = task_tgid_nr ( tsk ) ;
2013-12-11 22:52:26 +04:00
result = audit_comparator ( pid , f - > op , f - > val ) ;
2005-04-17 02:20:36 +04:00
break ;
2006-05-06 16:26:27 +04:00
case AUDIT_PPID :
2006-09-29 08:08:50 +04:00
if ( ctx ) {
if ( ! ctx - > ppid )
2013-12-11 07:10:41 +04:00
ctx - > ppid = task_ppid_nr ( tsk ) ;
2006-05-06 16:26:27 +04:00
result = audit_comparator ( ctx - > ppid , f - > op , f - > val ) ;
2006-09-29 08:08:50 +04:00
}
2006-05-06 16:26:27 +04:00
break ;
2015-08-05 23:29:37 +03:00
case AUDIT_EXE :
result = audit_exe_compare ( tsk , rule - > exe ) ;
2018-04-09 11:00:06 +03:00
if ( f - > op = = Audit_not_equal )
result = ! result ;
2015-08-05 23:29:37 +03:00
break ;
2005-04-17 02:20:36 +04:00
case AUDIT_UID :
2012-09-11 13:18:08 +04:00
result = audit_uid_comparator ( cred - > uid , f - > op , f - > uid ) ;
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_EUID :
2012-09-11 13:18:08 +04:00
result = audit_uid_comparator ( cred - > euid , f - > op , f - > uid ) ;
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_SUID :
2012-09-11 13:18:08 +04:00
result = audit_uid_comparator ( cred - > suid , f - > op , f - > uid ) ;
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_FSUID :
2012-09-11 13:18:08 +04:00
result = audit_uid_comparator ( cred - > fsuid , f - > op , f - > uid ) ;
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_GID :
2012-09-11 13:18:08 +04:00
result = audit_gid_comparator ( cred - > gid , f - > op , f - > gid ) ;
2011-12-14 00:09:08 +04:00
if ( f - > op = = Audit_equal ) {
if ( ! result )
2018-06-05 12:00:10 +03:00
result = groups_search ( cred - > group_info , f - > gid ) ;
2011-12-14 00:09:08 +04:00
} else if ( f - > op = = Audit_not_equal ) {
if ( result )
2018-06-05 12:00:10 +03:00
result = ! groups_search ( cred - > group_info , f - > gid ) ;
2011-12-14 00:09:08 +04:00
}
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_EGID :
2012-09-11 13:18:08 +04:00
result = audit_gid_comparator ( cred - > egid , f - > op , f - > gid ) ;
2011-12-14 00:09:08 +04:00
if ( f - > op = = Audit_equal ) {
if ( ! result )
2018-06-05 12:00:10 +03:00
result = groups_search ( cred - > group_info , f - > gid ) ;
2011-12-14 00:09:08 +04:00
} else if ( f - > op = = Audit_not_equal ) {
if ( result )
2018-06-05 12:00:10 +03:00
result = ! groups_search ( cred - > group_info , f - > gid ) ;
2011-12-14 00:09:08 +04:00
}
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_SGID :
2012-09-11 13:18:08 +04:00
result = audit_gid_comparator ( cred - > sgid , f - > op , f - > gid ) ;
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_FSGID :
2012-09-11 13:18:08 +04:00
result = audit_gid_comparator ( cred - > fsgid , f - > op , f - > gid ) ;
2005-04-17 02:20:36 +04:00
break ;
2016-11-21 00:47:55 +03:00
case AUDIT_SESSIONID :
2018-05-17 18:31:14 +03:00
sessionid = audit_get_sessionid ( tsk ) ;
2016-11-21 00:47:55 +03:00
result = audit_comparator ( sessionid , f - > op , f - > val ) ;
break ;
2005-04-17 02:20:36 +04:00
case AUDIT_PERS :
2006-02-07 20:05:27 +03:00
result = audit_comparator ( tsk - > personality , f - > op , f - > val ) ;
2005-04-17 02:20:36 +04:00
break ;
2005-04-29 19:08:28 +04:00
case AUDIT_ARCH :
2007-10-18 14:06:09 +04:00
if ( ctx )
2006-02-07 20:05:27 +03:00
result = audit_comparator ( ctx - > arch , f - > op , f - > val ) ;
2005-04-29 19:08:28 +04:00
break ;
2005-04-17 02:20:36 +04:00
case AUDIT_EXIT :
if ( ctx & & ctx - > return_valid )
2006-02-07 20:05:27 +03:00
result = audit_comparator ( ctx - > return_code , f - > op , f - > val ) ;
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_SUCCESS :
2005-08-27 13:25:43 +04:00
if ( ctx & & ctx - > return_valid ) {
2006-02-07 20:05:27 +03:00
if ( f - > val )
result = audit_comparator ( ctx - > return_valid , f - > op , AUDITSC_SUCCESS ) ;
2005-08-27 13:25:43 +04:00
else
2006-02-07 20:05:27 +03:00
result = audit_comparator ( ctx - > return_valid , f - > op , AUDITSC_FAILURE ) ;
2005-08-27 13:25:43 +04:00
}
2005-04-17 02:20:36 +04:00
break ;
case AUDIT_DEVMAJOR :
2012-01-03 23:23:05 +04:00
if ( name ) {
if ( audit_comparator ( MAJOR ( name - > dev ) , f - > op , f - > val ) | |
audit_comparator ( MAJOR ( name - > rdev ) , f - > op , f - > val ) )
+ + result ;
} else if ( ctx ) {
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & ctx - > names_list , list ) {
2012-01-03 23:23:05 +04:00
if ( audit_comparator ( MAJOR ( n - > dev ) , f - > op , f - > val ) | |
audit_comparator ( MAJOR ( n - > rdev ) , f - > op , f - > val ) ) {
2005-04-17 02:20:36 +04:00
+ + result ;
break ;
}
}
}
break ;
case AUDIT_DEVMINOR :
2012-01-03 23:23:05 +04:00
if ( name ) {
if ( audit_comparator ( MINOR ( name - > dev ) , f - > op , f - > val ) | |
audit_comparator ( MINOR ( name - > rdev ) , f - > op , f - > val ) )
+ + result ;
} else if ( ctx ) {
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & ctx - > names_list , list ) {
2012-01-03 23:23:05 +04:00
if ( audit_comparator ( MINOR ( n - > dev ) , f - > op , f - > val ) | |
audit_comparator ( MINOR ( n - > rdev ) , f - > op , f - > val ) ) {
2005-04-17 02:20:36 +04:00
+ + result ;
break ;
}
}
}
break ;
case AUDIT_INODE :
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
if ( name )
2013-07-04 20:56:11 +04:00
result = audit_comparator ( name - > ino , f - > op , f - > val ) ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
else if ( ctx ) {
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & ctx - > names_list , list ) {
if ( audit_comparator ( n - > ino , f - > op , f - > val ) ) {
2005-04-17 02:20:36 +04:00
+ + result ;
break ;
}
}
}
break ;
2012-01-03 23:23:07 +04:00
case AUDIT_OBJ_UID :
if ( name ) {
2012-09-11 13:18:08 +04:00
result = audit_uid_comparator ( name - > uid , f - > op , f - > uid ) ;
2012-01-03 23:23:07 +04:00
} else if ( ctx ) {
list_for_each_entry ( n , & ctx - > names_list , list ) {
2012-09-11 13:18:08 +04:00
if ( audit_uid_comparator ( n - > uid , f - > op , f - > uid ) ) {
2012-01-03 23:23:07 +04:00
+ + result ;
break ;
}
}
}
break ;
2012-01-03 23:23:07 +04:00
case AUDIT_OBJ_GID :
if ( name ) {
2012-09-11 13:18:08 +04:00
result = audit_gid_comparator ( name - > gid , f - > op , f - > gid ) ;
2012-01-03 23:23:07 +04:00
} else if ( ctx ) {
list_for_each_entry ( n , & ctx - > names_list , list ) {
2012-09-11 13:18:08 +04:00
if ( audit_gid_comparator ( n - > gid , f - > op , f - > gid ) ) {
2012-01-03 23:23:07 +04:00
+ + result ;
break ;
}
}
}
break ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
case AUDIT_WATCH :
2009-12-18 04:12:04 +03:00
if ( name )
result = audit_watch_compare ( rule - > watch , name - > ino , name - > dev ) ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
break ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
case AUDIT_DIR :
if ( ctx )
result = match_tree_refs ( ctx , rule - > tree ) ;
break ;
2005-04-17 02:20:36 +04:00
case AUDIT_LOGINUID :
2018-05-16 14:55:46 +03:00
result = audit_uid_comparator ( audit_get_loginuid ( tsk ) ,
f - > op , f - > uid ) ;
2005-04-17 02:20:36 +04:00
break ;
2013-04-09 13:22:10 +04:00
case AUDIT_LOGINUID_SET :
result = audit_comparator ( audit_loginuid_set ( tsk ) , f - > op , f - > val ) ;
break ;
2006-06-30 01:56:39 +04:00
case AUDIT_SUBJ_USER :
case AUDIT_SUBJ_ROLE :
case AUDIT_SUBJ_TYPE :
case AUDIT_SUBJ_SEN :
case AUDIT_SUBJ_CLR :
2006-03-11 03:14:06 +03:00
/* NOTE: this may return negative values indicating
a temporary error . We simply treat this as a
match for now to avoid losing information that
may be wanted . An error message will also be
logged upon error */
2008-04-19 03:59:43 +04:00
if ( f - > lsm_rule ) {
2006-04-11 16:50:56 +04:00
if ( need_sid ) {
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 22:54:38 +03:00
security_task_getsecid ( tsk , & sid ) ;
2006-04-11 16:50:56 +04:00
need_sid = 0 ;
}
2008-03-01 23:01:11 +03:00
result = security_audit_rule_match ( sid , f - > type ,
2019-01-31 19:52:11 +03:00
f - > op ,
f - > lsm_rule ) ;
2006-04-11 16:50:56 +04:00
}
2006-03-11 03:14:06 +03:00
break ;
2006-06-30 01:57:08 +04:00
case AUDIT_OBJ_USER :
case AUDIT_OBJ_ROLE :
case AUDIT_OBJ_TYPE :
case AUDIT_OBJ_LEV_LOW :
case AUDIT_OBJ_LEV_HIGH :
/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
also applies here */
2008-04-19 03:59:43 +04:00
if ( f - > lsm_rule ) {
2006-06-30 01:57:08 +04:00
/* Find files that match */
if ( name ) {
2008-03-01 23:01:11 +03:00
result = security_audit_rule_match (
2019-01-31 19:52:11 +03:00
name - > osid ,
f - > type ,
f - > op ,
f - > lsm_rule ) ;
2006-06-30 01:57:08 +04:00
} else if ( ctx ) {
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & ctx - > names_list , list ) {
2019-01-31 19:52:11 +03:00
if ( security_audit_rule_match (
n - > osid ,
f - > type ,
f - > op ,
f - > lsm_rule ) ) {
2006-06-30 01:57:08 +04:00
+ + result ;
break ;
}
}
}
/* Find ipc objects that match */
2008-12-10 11:40:06 +03:00
if ( ! ctx | | ctx - > type ! = AUDIT_IPC )
break ;
if ( security_audit_rule_match ( ctx - > ipc . osid ,
f - > type , f - > op ,
2019-01-31 19:52:11 +03:00
f - > lsm_rule ) )
2008-12-10 11:40:06 +03:00
+ + result ;
2006-06-30 01:57:08 +04:00
}
break ;
2005-04-17 02:20:36 +04:00
case AUDIT_ARG0 :
case AUDIT_ARG1 :
case AUDIT_ARG2 :
case AUDIT_ARG3 :
if ( ctx )
2006-02-07 20:05:27 +03:00
result = audit_comparator ( ctx - > argv [ f - > type - AUDIT_ARG0 ] , f - > op , f - > val ) ;
2005-04-17 02:20:36 +04:00
break ;
2006-06-15 02:45:21 +04:00
case AUDIT_FILTERKEY :
/* ignore this field for filtering */
result = 1 ;
break ;
2006-09-01 03:26:40 +04:00
case AUDIT_PERM :
result = audit_match_perm ( ctx , f - > val ) ;
break ;
2008-04-28 12:15:49 +04:00
case AUDIT_FILETYPE :
result = audit_match_filetype ( ctx , f - > val ) ;
break ;
2012-01-03 23:23:08 +04:00
case AUDIT_FIELD_COMPARE :
result = audit_field_compare ( tsk , cred , f , ctx , name ) ;
break ;
2005-04-17 02:20:36 +04:00
}
2011-04-27 17:10:49 +04:00
if ( ! result )
2005-04-17 02:20:36 +04:00
return 0 ;
}
2008-12-15 07:45:27 +03:00
if ( ctx ) {
if ( rule - > prio < = ctx - > prio )
return 0 ;
if ( rule - > filterkey ) {
kfree ( ctx - > filterkey ) ;
ctx - > filterkey = kstrdup ( rule - > filterkey , GFP_ATOMIC ) ;
}
ctx - > prio = rule - > prio ;
}
2005-04-17 02:20:36 +04:00
switch ( rule - > action ) {
2016-06-17 00:08:19 +03:00
case AUDIT_NEVER :
* state = AUDIT_DISABLED ;
break ;
case AUDIT_ALWAYS :
* state = AUDIT_RECORD_CONTEXT ;
break ;
2005-04-17 02:20:36 +04:00
}
return 1 ;
}
/* At process creation time, we can determine if system-call auditing is
* completely disabled for this task . Since we only have the task
* structure at this point , we can only check uid and gid .
*/
2008-12-16 11:51:22 +03:00
static enum audit_state audit_filter_task ( struct task_struct * tsk , char * * key )
2005-04-17 02:20:36 +04:00
{
struct audit_entry * e ;
enum audit_state state ;
rcu_read_lock ( ) ;
2005-06-19 22:35:50 +04:00
list_for_each_entry_rcu ( e , & audit_filter_list [ AUDIT_FILTER_TASK ] , list ) {
2011-04-27 17:10:49 +04:00
if ( audit_filter_rules ( tsk , & e - > rule , NULL , NULL ,
& state , true ) ) {
2008-12-16 11:51:22 +03:00
if ( state = = AUDIT_RECORD_CONTEXT )
* key = kstrdup ( e - > rule . filterkey , GFP_ATOMIC ) ;
2005-04-17 02:20:36 +04:00
rcu_read_unlock ( ) ;
return state ;
}
}
rcu_read_unlock ( ) ;
return AUDIT_BUILD_CONTEXT ;
}
2014-05-29 07:09:58 +04:00
static int audit_in_mask ( const struct audit_krule * rule , unsigned long val )
{
int word , bit ;
if ( val > 0xffffffff )
return false ;
word = AUDIT_WORD ( val ) ;
if ( word > = AUDIT_BITMASK_SIZE )
return false ;
bit = AUDIT_BIT ( val ) ;
return rule - > mask [ word ] & bit ;
}
2005-04-17 02:20:36 +04:00
/* At syscall entry and exit time, this filter is called if the
* audit_state is not low enough that auditing cannot take place , but is
2005-05-13 21:35:15 +04:00
* also not high enough that we already know we have to write an audit
2005-09-13 23:47:11 +04:00
* record ( i . e . , the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT ) .
2005-04-17 02:20:36 +04:00
*/
static enum audit_state audit_filter_syscall ( struct task_struct * tsk ,
struct audit_context * ctx ,
struct list_head * list )
{
struct audit_entry * e ;
2005-08-17 17:49:57 +04:00
enum audit_state state ;
2005-04-17 02:20:36 +04:00
audit: fix auditd/kernel connection state tracking
What started as a rather straightforward race condition reported by
Dmitry using the syzkaller fuzzer ended up revealing some major
problems with how the audit subsystem managed its netlink sockets and
its connection with the userspace audit daemon. Fixing this properly
had quite the cascading effect and what we are left with is this rather
large and complicated patch. My initial goal was to try and decompose
this patch into multiple smaller patches, but the way these changes
are intertwined makes it difficult to split these changes into
meaningful pieces that don't break or somehow make things worse for
the intermediate states.
The patch makes a number of changes, but the most significant are
highlighted below:
* The auditd tracking variables, e.g. audit_sock, are now gone and
replaced by a RCU/spin_lock protected variable auditd_conn which is
a structure containing all of the auditd tracking information.
* We no longer track the auditd sock directly, instead we track it
via the network namespace in which it resides and we use the audit
socket associated with that namespace. In spirit, this is what the
code was trying to do prior to this patch (at least I think that is
what the original authors intended), but it was done rather poorly
and added a layer of obfuscation that only masked the underlying
problems.
* Big backlog queue cleanup, again. In v4.10 we made some pretty big
changes to how the audit backlog queues work, here we haven't changed
the queue design so much as cleaned up the implementation. Brought
about by the locking changes, we've simplified kauditd_thread() quite
a bit by consolidating the queue handling into a new helper function,
kauditd_send_queue(), which allows us to eliminate a lot of very
similar code and makes the looping logic in kauditd_thread() clearer.
* All netlink messages sent to auditd are now sent via
auditd_send_unicast_skb(). Other than just making sense, this makes
the lock handling easier.
* Change the audit_log_start() sleep behavior so that we never sleep
on auditd events (unchanged) or if the caller is holding the
audit_cmd_mutex (changed). Previously we didn't sleep if the caller
was auditd or if the message type fell between a certain range; the
type check was a poor effort of doing what the cmd_mutex check now
does. Richard Guy Briggs originally proposed not sleeping the
cmd_mutex owner several years ago but his patch wasn't acceptable
at the time. At least the idea lives on here.
* A problem with the lost record counter has been resolved. Steve
Grubb and I both happened to notice this problem and according to
some quick testing by Steve, this problem goes back quite some time.
It's largely a harmless problem, although it may have left some
careful sysadmins quite puzzled.
Cc: <stable@vger.kernel.org> # 4.10.x-
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-03-21 18:26:35 +03:00
if ( auditd_test_task ( tsk ) )
2005-06-20 19:07:33 +04:00
return AUDIT_DISABLED ;
2005-04-17 02:20:36 +04:00
rcu_read_lock ( ) ;
2005-08-17 17:49:57 +04:00
if ( ! list_empty ( list ) ) {
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-11-03 18:41:46 +03:00
list_for_each_entry_rcu ( e , list , list ) {
2014-05-29 07:09:58 +04:00
if ( audit_in_mask ( & e - > rule , ctx - > major ) & &
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
audit_filter_rules ( tsk , & e - > rule , ctx , NULL ,
2011-04-27 17:10:49 +04:00
& state , false ) ) {
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
rcu_read_unlock ( ) ;
2008-12-15 07:45:27 +03:00
ctx - > current_state = state ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
return state ;
}
}
}
rcu_read_unlock ( ) ;
return AUDIT_BUILD_CONTEXT ;
}
2012-01-03 23:23:05 +04:00
/*
* Given an audit_name check the inode hash table to see if they match .
* Called holding the rcu read lock to protect the use of audit_inode_hash
*/
static int audit_filter_inode_name ( struct task_struct * tsk ,
struct audit_names * n ,
struct audit_context * ctx ) {
int h = audit_hash_ino ( ( u32 ) n - > ino ) ;
struct list_head * list = & audit_inode_hash [ h ] ;
struct audit_entry * e ;
enum audit_state state ;
if ( list_empty ( list ) )
return 0 ;
list_for_each_entry_rcu ( e , list , list ) {
2014-05-29 07:09:58 +04:00
if ( audit_in_mask ( & e - > rule , ctx - > major ) & &
2012-01-03 23:23:05 +04:00
audit_filter_rules ( tsk , & e - > rule , ctx , n , & state , false ) ) {
ctx - > current_state = state ;
return 1 ;
}
}
return 0 ;
}
/* At syscall exit time, this filter is called if any audit_names have been
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
* collected during syscall processing . We only check rules in sublists at hash
2012-01-03 23:23:05 +04:00
* buckets applicable to the inode numbers in audit_names .
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
* Regarding audit_state , same rules apply as for audit_filter_syscall ( ) .
*/
2008-12-15 07:45:27 +03:00
void audit_filter_inodes ( struct task_struct * tsk , struct audit_context * ctx )
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
{
2012-01-03 23:23:05 +04:00
struct audit_names * n ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
audit: fix auditd/kernel connection state tracking
What started as a rather straightforward race condition reported by
Dmitry using the syzkaller fuzzer ended up revealing some major
problems with how the audit subsystem managed its netlink sockets and
its connection with the userspace audit daemon. Fixing this properly
had quite the cascading effect and what we are left with is this rather
large and complicated patch. My initial goal was to try and decompose
this patch into multiple smaller patches, but the way these changes
are intertwined makes it difficult to split these changes into
meaningful pieces that don't break or somehow make things worse for
the intermediate states.
The patch makes a number of changes, but the most significant are
highlighted below:
* The auditd tracking variables, e.g. audit_sock, are now gone and
replaced by a RCU/spin_lock protected variable auditd_conn which is
a structure containing all of the auditd tracking information.
* We no longer track the auditd sock directly, instead we track it
via the network namespace in which it resides and we use the audit
socket associated with that namespace. In spirit, this is what the
code was trying to do prior to this patch (at least I think that is
what the original authors intended), but it was done rather poorly
and added a layer of obfuscation that only masked the underlying
problems.
* Big backlog queue cleanup, again. In v4.10 we made some pretty big
changes to how the audit backlog queues work, here we haven't changed
the queue design so much as cleaned up the implementation. Brought
about by the locking changes, we've simplified kauditd_thread() quite
a bit by consolidating the queue handling into a new helper function,
kauditd_send_queue(), which allows us to eliminate a lot of very
similar code and makes the looping logic in kauditd_thread() clearer.
* All netlink messages sent to auditd are now sent via
auditd_send_unicast_skb(). Other than just making sense, this makes
the lock handling easier.
* Change the audit_log_start() sleep behavior so that we never sleep
on auditd events (unchanged) or if the caller is holding the
audit_cmd_mutex (changed). Previously we didn't sleep if the caller
was auditd or if the message type fell between a certain range; the
type check was a poor effort of doing what the cmd_mutex check now
does. Richard Guy Briggs originally proposed not sleeping the
cmd_mutex owner several years ago but his patch wasn't acceptable
at the time. At least the idea lives on here.
* A problem with the lost record counter has been resolved. Steve
Grubb and I both happened to notice this problem and according to
some quick testing by Steve, this problem goes back quite some time.
It's largely a harmless problem, although it may have left some
careful sysadmins quite puzzled.
Cc: <stable@vger.kernel.org> # 4.10.x-
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-03-21 18:26:35 +03:00
if ( auditd_test_task ( tsk ) )
2008-12-15 07:45:27 +03:00
return ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
rcu_read_lock ( ) ;
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & ctx - > names_list , list ) {
if ( audit_filter_inode_name ( tsk , n , ctx ) )
break ;
2005-06-19 22:35:50 +04:00
}
rcu_read_unlock ( ) ;
}
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
static inline void audit_proctitle_free ( struct audit_context * context )
{
kfree ( context - > proctitle . value ) ;
context - > proctitle . value = NULL ;
context - > proctitle . len = 0 ;
}
2005-04-17 02:20:36 +04:00
static inline void audit_free_names ( struct audit_context * context )
{
2012-01-03 23:23:05 +04:00
struct audit_names * n , * next ;
2005-04-17 02:20:36 +04:00
2012-01-03 23:23:05 +04:00
list_for_each_entry_safe ( n , next , & context - > names_list , list ) {
list_del ( & n - > list ) ;
2015-01-22 08:00:23 +03:00
if ( n - > name )
putname ( n - > name ) ;
2012-01-03 23:23:05 +04:00
if ( n - > should_free )
kfree ( n ) ;
2005-11-03 20:15:16 +03:00
}
2005-04-17 02:20:36 +04:00
context - > name_count = 0 ;
2008-02-15 06:38:33 +03:00
path_put ( & context - > pwd ) ;
context - > pwd . dentry = NULL ;
context - > pwd . mnt = NULL ;
2005-04-17 02:20:36 +04:00
}
static inline void audit_free_aux ( struct audit_context * context )
{
struct audit_aux_data * aux ;
while ( ( aux = context - > aux ) ) {
context - > aux = aux - > next ;
kfree ( aux ) ;
}
2007-03-30 02:01:04 +04:00
while ( ( aux = context - > aux_pids ) ) {
context - > aux_pids = aux - > next ;
kfree ( aux ) ;
}
2005-04-17 02:20:36 +04:00
}
static inline struct audit_context * audit_alloc_context ( enum audit_state state )
{
struct audit_context * context ;
2013-04-07 14:14:18 +04:00
context = kzalloc ( sizeof ( * context ) , GFP_KERNEL ) ;
if ( ! context )
2005-04-17 02:20:36 +04:00
return NULL ;
2013-04-09 01:43:41 +04:00
context - > state = state ;
context - > prio = state = = AUDIT_RECORD_CONTEXT ? ~ 0ULL : 0 ;
2009-06-24 08:02:38 +04:00
INIT_LIST_HEAD ( & context - > killed_trees ) ;
2012-01-03 23:23:05 +04:00
INIT_LIST_HEAD ( & context - > names_list ) ;
2005-04-17 02:20:36 +04:00
return context ;
}
2005-09-13 23:47:11 +04:00
/**
* audit_alloc - allocate an audit context block for a task
* @ tsk : task
*
* Filter on the task information and allocate a per - task audit context
2005-04-17 02:20:36 +04:00
* if necessary . Doing so turns on system call auditing for the
* specified task . This is called from copy_process , so no lock is
2005-09-13 23:47:11 +04:00
* needed .
*/
2005-04-17 02:20:36 +04:00
int audit_alloc ( struct task_struct * tsk )
{
struct audit_context * context ;
enum audit_state state ;
2008-12-16 11:51:22 +03:00
char * key = NULL ;
2005-04-17 02:20:36 +04:00
2008-01-09 01:38:31 +03:00
if ( likely ( ! audit_ever_enabled ) )
2005-04-17 02:20:36 +04:00
return 0 ; /* Return if not auditing. */
2008-12-16 11:51:22 +03:00
state = audit_filter_task ( tsk , & key ) ;
2013-09-15 21:11:09 +04:00
if ( state = = AUDIT_DISABLED ) {
clear_tsk_thread_flag ( tsk , TIF_SYSCALL_AUDIT ) ;
2005-04-17 02:20:36 +04:00
return 0 ;
2013-09-15 21:11:09 +04:00
}
2005-04-17 02:20:36 +04:00
if ( ! ( context = audit_alloc_context ( state ) ) ) {
2008-12-16 11:51:22 +03:00
kfree ( key ) ;
2005-04-17 02:20:36 +04:00
audit_log_lost ( " out of memory in audit_alloc " ) ;
return - ENOMEM ;
}
2008-12-16 11:51:22 +03:00
context - > filterkey = key ;
2005-04-17 02:20:36 +04:00
2018-05-13 04:58:21 +03:00
audit_set_context ( tsk , context ) ;
2005-04-17 02:20:36 +04:00
set_tsk_thread_flag ( tsk , TIF_SYSCALL_AUDIT ) ;
return 0 ;
}
static inline void audit_free_context ( struct audit_context * context )
{
2012-10-20 23:07:18 +04:00
audit_free_names ( context ) ;
unroll_tree_refs ( context , NULL , 0 ) ;
free_tree_refs ( context ) ;
audit_free_aux ( context ) ;
kfree ( context - > filterkey ) ;
kfree ( context - > sockaddr ) ;
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
audit_proctitle_free ( context ) ;
2012-10-20 23:07:18 +04:00
kfree ( context ) ;
2005-04-17 02:20:36 +04:00
}
2007-03-30 02:01:04 +04:00
static int audit_log_pid_context ( struct audit_context * context , pid_t pid ,
2012-02-08 04:53:48 +04:00
kuid_t auid , kuid_t uid , unsigned int sessionid ,
2008-01-08 18:06:53 +03:00
u32 sid , char * comm )
2007-03-30 02:01:04 +04:00
{
struct audit_buffer * ab ;
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 22:54:38 +03:00
char * ctx = NULL ;
2007-03-30 02:01:04 +04:00
u32 len ;
int rc = 0 ;
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_OBJ_PID ) ;
if ( ! ab )
2008-01-07 22:01:18 +03:00
return rc ;
2007-03-30 02:01:04 +04:00
2012-09-11 09:39:43 +04:00
audit_log_format ( ab , " opid=%d oauid=%d ouid=%d oses=%d " , pid ,
from_kuid ( & init_user_ns , auid ) ,
2012-02-08 04:53:48 +04:00
from_kuid ( & init_user_ns , uid ) , sessionid ) ;
2012-10-23 16:58:35 +04:00
if ( sid ) {
if ( security_secid_to_secctx ( sid , & ctx , & len ) ) {
audit_log_format ( ab , " obj=(none) " ) ;
rc = 1 ;
} else {
audit_log_format ( ab , " obj=%s " , ctx ) ;
security_release_secctx ( ctx , len ) ;
}
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 22:54:38 +03:00
}
2008-01-07 21:40:17 +03:00
audit_log_format ( ab , " ocomm= " ) ;
audit_log_untrustedstring ( ab , comm ) ;
2007-03-30 02:01:04 +04:00
audit_log_end ( ab ) ;
return rc ;
}
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
static void audit_log_execve_info ( struct audit_context * context ,
struct audit_buffer * * ab )
2007-07-19 12:48:15 +04:00
{
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
long len_max ;
long len_rem ;
long len_full ;
long len_buf ;
2016-11-10 09:39:49 +03:00
long len_abuf = 0 ;
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
long len_tmp ;
bool require_data ;
bool encode ;
unsigned int iter ;
unsigned int arg ;
char * buf_head ;
char * buf ;
const char __user * p = ( const char __user * ) current - > mm - > arg_start ;
/* NOTE: this buffer needs to be large enough to hold all the non-arg
* data we put in the audit record for this argument ( see the
* code below ) . . . at this point in time 96 is plenty */
char abuf [ 96 ] ;
/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
* current value of 7500 is not as important as the fact that it
* is less than 8 k , a setting of 7500 gives us plenty of wiggle
* room if we go over a little bit in the logging below */
WARN_ON_ONCE ( MAX_EXECVE_AUDIT_LEN > 7500 ) ;
len_max = MAX_EXECVE_AUDIT_LEN ;
/* scratch buffer to hold the userspace args */
buf_head = kmalloc ( MAX_EXECVE_AUDIT_LEN + 1 , GFP_KERNEL ) ;
if ( ! buf_head ) {
audit_panic ( " out of memory for argv string " ) ;
return ;
2008-01-07 22:31:58 +03:00
}
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
buf = buf_head ;
2007-07-28 02:55:18 +04:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
audit_log_format ( * ab , " argc=%d " , context - > execve . argc ) ;
2007-07-28 02:55:18 +04:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
len_rem = len_max ;
len_buf = 0 ;
len_full = 0 ;
require_data = true ;
encode = false ;
iter = 0 ;
arg = 0 ;
2008-01-07 22:31:58 +03:00
do {
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* NOTE: we don't ever want to trust this value for anything
* serious , but the audit record format insists we
* provide an argument length for really long arguments ,
* e . g . > MAX_EXECVE_AUDIT_LEN , so we have no choice but
* to use strncpy_from_user ( ) to obtain this value for
* recording in the log , although we don ' t use it
* anywhere here to avoid a double - fetch problem */
if ( len_full = = 0 )
len_full = strnlen_user ( p , MAX_ARG_STRLEN ) - 1 ;
/* read more data from userspace */
if ( require_data ) {
/* can we make more room in the buffer? */
if ( buf ! = buf_head ) {
memmove ( buf_head , buf , len_buf ) ;
buf = buf_head ;
}
/* fetch as much as we can of the argument */
len_tmp = strncpy_from_user ( & buf_head [ len_buf ] , p ,
len_max - len_buf ) ;
if ( len_tmp = = - EFAULT ) {
/* unable to copy from userspace */
send_sig ( SIGKILL , current , 0 ) ;
goto out ;
} else if ( len_tmp = = ( len_max - len_buf ) ) {
/* buffer is not large enough */
require_data = true ;
/* NOTE: if we are going to span multiple
* buffers force the encoding so we stand
* a chance at a sane len_full value and
* consistent record encoding */
encode = true ;
len_full = len_full * 2 ;
p + = len_tmp ;
} else {
require_data = false ;
if ( ! encode )
encode = audit_string_contains_control (
buf , len_tmp ) ;
/* try to use a trusted value for len_full */
if ( len_full < len_max )
len_full = ( encode ?
len_tmp * 2 : len_tmp ) ;
p + = len_tmp + 1 ;
}
len_buf + = len_tmp ;
buf_head [ len_buf ] = ' \0 ' ;
2007-07-19 12:48:15 +04:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* length of the buffer in the audit record? */
len_abuf = ( encode ? len_buf * 2 : len_buf + 2 ) ;
2007-07-19 12:48:15 +04:00
}
2008-01-07 22:31:58 +03:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* write as much as we can to the audit log */
2018-10-10 23:22:57 +03:00
if ( len_buf > = 0 ) {
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* NOTE: some magic numbers here - basically if we
* can ' t fit a reasonable amount of data into the
* existing audit buffer , flush it and start with
* a new buffer */
if ( ( sizeof ( abuf ) + 8 ) > len_rem ) {
len_rem = len_max ;
audit_log_end ( * ab ) ;
* ab = audit_log_start ( context ,
GFP_KERNEL , AUDIT_EXECVE ) ;
if ( ! * ab )
goto out ;
}
2007-07-19 12:48:15 +04:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* create the non-arg portion of the arg record */
len_tmp = 0 ;
if ( require_data | | ( iter > 0 ) | |
( ( len_abuf + sizeof ( abuf ) ) > len_rem ) ) {
if ( iter = = 0 ) {
len_tmp + = snprintf ( & abuf [ len_tmp ] ,
sizeof ( abuf ) - len_tmp ,
" a%d_len=%lu " ,
arg , len_full ) ;
}
len_tmp + = snprintf ( & abuf [ len_tmp ] ,
sizeof ( abuf ) - len_tmp ,
" a%d[%d]= " , arg , iter + + ) ;
} else
len_tmp + = snprintf ( & abuf [ len_tmp ] ,
sizeof ( abuf ) - len_tmp ,
" a%d= " , arg ) ;
WARN_ON ( len_tmp > = sizeof ( abuf ) ) ;
abuf [ sizeof ( abuf ) - 1 ] = ' \0 ' ;
/* log the arg in the audit record */
audit_log_format ( * ab , " %s " , abuf ) ;
len_rem - = len_tmp ;
len_tmp = len_buf ;
if ( encode ) {
if ( len_abuf > len_rem )
len_tmp = len_rem / 2 ; /* encoding */
audit_log_n_hex ( * ab , buf , len_tmp ) ;
len_rem - = len_tmp * 2 ;
len_abuf - = len_tmp * 2 ;
} else {
if ( len_abuf > len_rem )
len_tmp = len_rem - 2 ; /* quotes */
audit_log_n_string ( * ab , buf , len_tmp ) ;
len_rem - = len_tmp + 2 ;
/* don't subtract the "2" because we still need
* to add quotes to the remaining string */
len_abuf - = len_tmp ;
}
len_buf - = len_tmp ;
buf + = len_tmp ;
}
2007-07-19 12:48:15 +04:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* ready to move to the next argument? */
if ( ( len_buf = = 0 ) & & ! require_data ) {
arg + + ;
iter = 0 ;
len_full = 0 ;
require_data = true ;
encode = false ;
}
} while ( arg < context - > execve . argc ) ;
2008-01-07 22:31:58 +03:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
/* NOTE: the caller handles the final audit_log_end() call */
2008-01-07 22:31:58 +03:00
audit: fix a double fetch in audit_log_single_execve_arg()
There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.
This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).
As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:
* https://github.com/linux-audit/audit-testsuite/issues/25
[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.
[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-07-20 00:42:57 +03:00
out :
kfree ( buf_head ) ;
2007-07-19 12:48:15 +04:00
}
2019-02-02 06:45:17 +03:00
void audit_log_cap ( struct audit_buffer * ab , char * prefix , kernel_cap_t * cap )
{
int i ;
if ( cap_isclear ( * cap ) ) {
audit_log_format ( ab , " %s=0 " , prefix ) ;
return ;
}
audit_log_format ( ab , " %s= " , prefix ) ;
CAP_FOR_EACH_U32 ( i )
audit_log_format ( ab , " %08x " , cap - > cap [ CAP_LAST_U32 - i ] ) ;
}
static void audit_log_fcaps ( struct audit_buffer * ab , struct audit_names * name )
{
if ( name - > fcap_ver = = - 1 ) {
audit_log_format ( ab , " cap_fe=? cap_fver=? cap_fp=? cap_fi=? " ) ;
return ;
}
audit_log_cap ( ab , " cap_fp " , & name - > fcap . permitted ) ;
audit_log_cap ( ab , " cap_fi " , & name - > fcap . inheritable ) ;
audit_log_format ( ab , " cap_fe=%d cap_fver=%x cap_frootid=%d " ,
name - > fcap . fE , name - > fcap_ver ,
from_kuid ( & init_user_ns , name - > fcap . rootid ) ) ;
}
2008-12-10 11:40:06 +03:00
static void show_special ( struct audit_context * context , int * call_panic )
2008-12-10 11:16:51 +03:00
{
struct audit_buffer * ab ;
int i ;
ab = audit_log_start ( context , GFP_KERNEL , context - > type ) ;
if ( ! ab )
return ;
switch ( context - > type ) {
case AUDIT_SOCKETCALL : {
int nargs = context - > socketcall . nargs ;
audit_log_format ( ab , " nargs=%d " , nargs ) ;
for ( i = 0 ; i < nargs ; i + + )
audit_log_format ( ab , " a%d=%lx " , i ,
context - > socketcall . args [ i ] ) ;
break ; }
2008-12-10 11:40:06 +03:00
case AUDIT_IPC : {
u32 osid = context - > ipc . osid ;
2011-07-27 22:03:22 +04:00
audit_log_format ( ab , " ouid=%u ogid=%u mode=%#ho " ,
2012-02-08 04:53:48 +04:00
from_kuid ( & init_user_ns , context - > ipc . uid ) ,
from_kgid ( & init_user_ns , context - > ipc . gid ) ,
context - > ipc . mode ) ;
2008-12-10 11:40:06 +03:00
if ( osid ) {
char * ctx = NULL ;
u32 len ;
if ( security_secid_to_secctx ( osid , & ctx , & len ) ) {
audit_log_format ( ab , " osid=%u " , osid ) ;
* call_panic = 1 ;
} else {
audit_log_format ( ab , " obj=%s " , ctx ) ;
security_release_secctx ( ctx , len ) ;
}
}
2008-12-10 11:47:15 +03:00
if ( context - > ipc . has_perm ) {
audit_log_end ( ab ) ;
ab = audit_log_start ( context , GFP_KERNEL ,
AUDIT_IPC_SET_PERM ) ;
2013-01-12 02:32:07 +04:00
if ( unlikely ( ! ab ) )
return ;
2008-12-10 11:47:15 +03:00
audit_log_format ( ab ,
2011-07-27 22:03:22 +04:00
" qbytes=%lx ouid=%u ogid=%u mode=%#ho " ,
2008-12-10 11:47:15 +03:00
context - > ipc . qbytes ,
context - > ipc . perm_uid ,
context - > ipc . perm_gid ,
context - > ipc . perm_mode ) ;
}
2008-12-10 11:40:06 +03:00
break ; }
2017-02-14 00:21:25 +03:00
case AUDIT_MQ_OPEN :
2008-12-14 12:02:26 +03:00
audit_log_format ( ab ,
2011-07-26 13:26:10 +04:00
" oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
2008-12-14 12:02:26 +03:00
" mq_msgsize=%ld mq_curmsgs=%ld " ,
context - > mq_open . oflag , context - > mq_open . mode ,
context - > mq_open . attr . mq_flags ,
context - > mq_open . attr . mq_maxmsg ,
context - > mq_open . attr . mq_msgsize ,
context - > mq_open . attr . mq_curmsgs ) ;
2017-02-14 00:21:25 +03:00
break ;
case AUDIT_MQ_SENDRECV :
2008-12-14 11:46:48 +03:00
audit_log_format ( ab ,
" mqdes=%d msg_len=%zd msg_prio=%u "
2017-08-03 05:51:11 +03:00
" abs_timeout_sec=%lld abs_timeout_nsec=%ld " ,
2008-12-14 11:46:48 +03:00
context - > mq_sendrecv . mqdes ,
context - > mq_sendrecv . msg_len ,
context - > mq_sendrecv . msg_prio ,
2017-08-03 05:51:11 +03:00
( long long ) context - > mq_sendrecv . abs_timeout . tv_sec ,
2008-12-14 11:46:48 +03:00
context - > mq_sendrecv . abs_timeout . tv_nsec ) ;
2017-02-14 00:21:25 +03:00
break ;
case AUDIT_MQ_NOTIFY :
2008-12-10 15:16:12 +03:00
audit_log_format ( ab , " mqdes=%d sigev_signo=%d " ,
context - > mq_notify . mqdes ,
context - > mq_notify . sigev_signo ) ;
2017-02-14 00:21:25 +03:00
break ;
2008-12-10 14:58:59 +03:00
case AUDIT_MQ_GETSETATTR : {
struct mq_attr * attr = & context - > mq_getsetattr . mqstat ;
audit_log_format ( ab ,
" mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
" mq_curmsgs=%ld " ,
context - > mq_getsetattr . mqdes ,
attr - > mq_flags , attr - > mq_maxmsg ,
attr - > mq_msgsize , attr - > mq_curmsgs ) ;
break ; }
2017-02-14 00:21:25 +03:00
case AUDIT_CAPSET :
2009-01-04 22:52:57 +03:00
audit_log_format ( ab , " pid=%d " , context - > capset . pid ) ;
audit_log_cap ( ab , " cap_pi " , & context - > capset . cap . inheritable ) ;
audit_log_cap ( ab , " cap_pp " , & context - > capset . cap . permitted ) ;
audit_log_cap ( ab , " cap_pe " , & context - > capset . cap . effective ) ;
audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-04-07 17:17:27 +03:00
audit_log_cap ( ab , " cap_pa " , & context - > capset . cap . ambient ) ;
2017-02-14 00:21:25 +03:00
break ;
case AUDIT_MMAP :
2010-10-30 10:54:44 +04:00
audit_log_format ( ab , " fd=%d flags=0x%x " , context - > mmap . fd ,
context - > mmap . flags ) ;
2017-02-14 00:21:25 +03:00
break ;
case AUDIT_EXECVE :
2013-10-31 01:56:13 +04:00
audit_log_execve_info ( context , & ab ) ;
2017-02-14 00:21:25 +03:00
break ;
2017-02-04 21:10:38 +03:00
case AUDIT_KERN_MODULE :
audit_log_format ( ab , " name= " ) ;
2018-07-25 05:26:19 +03:00
if ( context - > module . name ) {
audit_log_untrustedstring ( ab , context - > module . name ) ;
kfree ( context - > module . name ) ;
} else
audit_log_format ( ab , " (null) " ) ;
2017-02-04 21:10:38 +03:00
break ;
2008-12-10 11:16:51 +03:00
}
audit_log_end ( ab ) ;
}
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
static inline int audit_proctitle_rtrim ( char * proctitle , int len )
{
char * end = proctitle + len - 1 ;
while ( end > proctitle & & ! isprint ( * end ) )
end - - ;
/* catch the case where proctitle is only 1 non-print character */
len = end - proctitle + 1 ;
len - = isprint ( proctitle [ len - 1 ] ) = = 0 ;
return len ;
}
2019-02-02 06:45:17 +03:00
/*
* audit_log_name - produce AUDIT_PATH record from struct audit_names
* @ context : audit_context for the task
* @ n : audit_names structure with reportable details
* @ path : optional path to report instead of audit_names - > name
* @ record_num : record number to report when handling a list of names
* @ call_panic : optional pointer to int that will be updated if secid fails
*/
static void audit_log_name ( struct audit_context * context , struct audit_names * n ,
const struct path * path , int record_num , int * call_panic )
{
struct audit_buffer * ab ;
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_PATH ) ;
if ( ! ab )
return ;
audit_log_format ( ab , " item=%d " , record_num ) ;
if ( path )
audit_log_d_path ( ab , " name= " , path ) ;
else if ( n - > name ) {
switch ( n - > name_len ) {
case AUDIT_NAME_FULL :
/* log the full path */
audit_log_format ( ab , " name= " ) ;
audit_log_untrustedstring ( ab , n - > name - > name ) ;
break ;
case 0 :
/* name was specified as a relative path and the
* directory component is the cwd
*/
audit_log_d_path ( ab , " name= " , & context - > pwd ) ;
break ;
default :
/* log the name's directory component */
audit_log_format ( ab , " name= " ) ;
audit_log_n_untrustedstring ( ab , n - > name - > name ,
n - > name_len ) ;
}
} else
audit_log_format ( ab , " name=(null) " ) ;
if ( n - > ino ! = AUDIT_INO_UNSET )
audit_log_format ( ab , " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x " ,
n - > ino ,
MAJOR ( n - > dev ) ,
MINOR ( n - > dev ) ,
n - > mode ,
from_kuid ( & init_user_ns , n - > uid ) ,
from_kgid ( & init_user_ns , n - > gid ) ,
MAJOR ( n - > rdev ) ,
MINOR ( n - > rdev ) ) ;
if ( n - > osid ! = 0 ) {
char * ctx = NULL ;
u32 len ;
if ( security_secid_to_secctx (
n - > osid , & ctx , & len ) ) {
audit_log_format ( ab , " osid=%u " , n - > osid ) ;
if ( call_panic )
* call_panic = 2 ;
} else {
audit_log_format ( ab , " obj=%s " , ctx ) ;
security_release_secctx ( ctx , len ) ;
}
}
/* log the audit_names record type */
switch ( n - > type ) {
case AUDIT_TYPE_NORMAL :
audit_log_format ( ab , " nametype=NORMAL " ) ;
break ;
case AUDIT_TYPE_PARENT :
audit_log_format ( ab , " nametype=PARENT " ) ;
break ;
case AUDIT_TYPE_CHILD_DELETE :
audit_log_format ( ab , " nametype=DELETE " ) ;
break ;
case AUDIT_TYPE_CHILD_CREATE :
audit_log_format ( ab , " nametype=CREATE " ) ;
break ;
default :
audit_log_format ( ab , " nametype=UNKNOWN " ) ;
break ;
}
audit_log_fcaps ( ab , n ) ;
audit_log_end ( ab ) ;
}
2018-11-27 02:40:07 +03:00
static void audit_log_proctitle ( void )
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
{
int res ;
char * buf ;
char * msg = " (null) " ;
int len = strlen ( msg ) ;
2018-11-27 02:40:07 +03:00
struct audit_context * context = audit_context ( ) ;
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
struct audit_buffer * ab ;
2018-11-27 02:40:07 +03:00
if ( ! context | | context - > dummy )
return ;
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_PROCTITLE ) ;
if ( ! ab )
return ; /* audit_panic or being filtered */
audit_log_format ( ab , " proctitle= " ) ;
/* Not cached */
if ( ! context - > proctitle . value ) {
buf = kmalloc ( MAX_PROCTITLE_AUDIT_LEN , GFP_KERNEL ) ;
if ( ! buf )
goto out ;
/* Historically called this from procfs naming */
2018-11-27 02:40:07 +03:00
res = get_cmdline ( current , buf , MAX_PROCTITLE_AUDIT_LEN ) ;
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
if ( res = = 0 ) {
kfree ( buf ) ;
goto out ;
}
res = audit_proctitle_rtrim ( buf , res ) ;
if ( res = = 0 ) {
kfree ( buf ) ;
goto out ;
}
context - > proctitle . value = buf ;
context - > proctitle . len = res ;
}
msg = context - > proctitle . value ;
len = context - > proctitle . len ;
out :
audit_log_n_untrustedstring ( ab , msg , len ) ;
audit_log_end ( ab ) ;
}
2018-11-27 02:40:07 +03:00
static void audit_log_exit ( void )
2005-04-17 02:20:36 +04:00
{
2006-04-01 00:22:49 +04:00
int i , call_panic = 0 ;
2018-11-27 02:40:07 +03:00
struct audit_context * context = audit_context ( ) ;
2005-04-17 02:20:36 +04:00
struct audit_buffer * ab ;
2005-05-26 15:04:57 +04:00
struct audit_aux_data * aux ;
2012-01-03 23:23:05 +04:00
struct audit_names * n ;
2005-04-17 02:20:36 +04:00
2018-11-27 02:40:07 +03:00
context - > personality = current - > personality ;
2006-03-30 05:17:10 +04:00
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_SYSCALL ) ;
2005-04-17 02:20:36 +04:00
if ( ! ab )
return ; /* audit_panic has been called */
2005-05-24 00:35:28 +04:00
audit_log_format ( ab , " arch=%x syscall=%d " ,
context - > arch , context - > major ) ;
2005-04-17 02:20:36 +04:00
if ( context - > personality ! = PER_LINUX )
audit_log_format ( ab , " per=%lx " , context - > personality ) ;
if ( context - > return_valid )
2007-10-18 14:06:09 +04:00
audit_log_format ( ab , " success=%s exit=%ld " ,
2005-04-29 19:08:28 +04:00
( context - > return_valid = = AUDITSC_SUCCESS ) ? " yes " : " no " ,
context - > return_code ) ;
2006-09-29 13:01:41 +04:00
2005-04-17 02:20:36 +04:00
audit_log_format ( ab ,
2012-06-14 21:04:35 +04:00
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d " ,
context - > argv [ 0 ] ,
context - > argv [ 1 ] ,
context - > argv [ 2 ] ,
context - > argv [ 3 ] ,
context - > name_count ) ;
2006-09-29 13:01:41 +04:00
2018-11-27 02:40:07 +03:00
audit_log_task_info ( ab ) ;
2009-06-11 22:31:37 +04:00
audit_log_key ( ab , context - > filterkey ) ;
2005-04-17 02:20:36 +04:00
audit_log_end ( ab ) ;
2005-05-26 15:04:57 +04:00
for ( aux = context - > aux ; aux ; aux = aux - > next ) {
2005-05-13 21:17:42 +04:00
2006-03-30 05:17:10 +04:00
ab = audit_log_start ( context , GFP_KERNEL , aux - > type ) ;
2005-04-17 02:20:36 +04:00
if ( ! ab )
continue ; /* audit_panic has been called */
switch ( aux - > type ) {
2006-05-25 01:09:55 +04:00
2008-11-11 13:48:18 +03:00
case AUDIT_BPRM_FCAPS : {
struct audit_aux_data_bprm_fcaps * axs = ( void * ) aux ;
audit_log_format ( ab , " fver=%x " , axs - > fcap_ver ) ;
audit_log_cap ( ab , " fp " , & axs - > fcap . permitted ) ;
audit_log_cap ( ab , " fi " , & axs - > fcap . inheritable ) ;
audit_log_format ( ab , " fe=%d " , axs - > fcap . fE ) ;
audit_log_cap ( ab , " old_pp " , & axs - > old_pcap . permitted ) ;
audit_log_cap ( ab , " old_pi " , & axs - > old_pcap . inheritable ) ;
audit_log_cap ( ab , " old_pe " , & axs - > old_pcap . effective ) ;
audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-04-07 17:17:27 +03:00
audit_log_cap ( ab , " old_pa " , & axs - > old_pcap . ambient ) ;
audit_log_cap ( ab , " pp " , & axs - > new_pcap . permitted ) ;
audit_log_cap ( ab , " pi " , & axs - > new_pcap . inheritable ) ;
audit_log_cap ( ab , " pe " , & axs - > new_pcap . effective ) ;
audit_log_cap ( ab , " pa " , & axs - > new_pcap . ambient ) ;
2019-01-24 05:36:25 +03:00
audit_log_format ( ab , " frootid=%d " ,
from_kuid ( & init_user_ns ,
axs - > fcap . rootid ) ) ;
2008-11-11 13:48:18 +03:00
break ; }
2005-04-17 02:20:36 +04:00
}
audit_log_end ( ab ) ;
}
2008-12-10 11:16:51 +03:00
if ( context - > type )
2008-12-10 11:40:06 +03:00
show_special ( context , & call_panic ) ;
2008-12-10 11:16:51 +03:00
2008-12-14 12:57:47 +03:00
if ( context - > fds [ 0 ] > = 0 ) {
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_FD_PAIR ) ;
if ( ab ) {
audit_log_format ( ab , " fd0=%d fd1=%d " ,
context - > fds [ 0 ] , context - > fds [ 1 ] ) ;
audit_log_end ( ab ) ;
}
}
2008-12-10 03:50:34 +03:00
if ( context - > sockaddr_len ) {
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_SOCKADDR ) ;
if ( ab ) {
audit_log_format ( ab , " saddr= " ) ;
audit_log_n_hex ( ab , ( void * ) context - > sockaddr ,
context - > sockaddr_len ) ;
audit_log_end ( ab ) ;
}
}
2007-03-30 02:01:04 +04:00
for ( aux = context - > aux_pids ; aux ; aux = aux - > next ) {
struct audit_aux_data_pids * axs = ( void * ) aux ;
for ( i = 0 ; i < axs - > pid_count ; i + + )
if ( audit_log_pid_context ( context , axs - > target_pid [ i ] ,
2008-01-07 21:40:17 +03:00
axs - > target_auid [ i ] ,
axs - > target_uid [ i ] ,
2008-01-08 18:06:53 +03:00
axs - > target_sessionid [ i ] ,
2008-01-07 21:40:17 +03:00
axs - > target_sid [ i ] ,
axs - > target_comm [ i ] ) )
2007-03-30 02:01:04 +04:00
call_panic = 1 ;
2007-03-20 20:58:35 +03:00
}
2007-03-30 02:01:04 +04:00
if ( context - > target_pid & &
audit_log_pid_context ( context , context - > target_pid ,
2008-01-07 21:40:17 +03:00
context - > target_auid , context - > target_uid ,
2008-01-08 18:06:53 +03:00
context - > target_sessionid ,
2008-01-07 21:40:17 +03:00
context - > target_sid , context - > target_comm ) )
2007-03-30 02:01:04 +04:00
call_panic = 1 ;
2008-02-15 06:38:33 +03:00
if ( context - > pwd . dentry & & context - > pwd . mnt ) {
2006-03-30 05:17:10 +04:00
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_CWD ) ;
2005-05-27 15:17:28 +04:00
if ( ab ) {
2016-07-14 17:59:19 +03:00
audit_log_d_path ( ab , " cwd= " , & context - > pwd ) ;
2005-05-27 15:17:28 +04:00
audit_log_end ( ab ) ;
}
}
2005-11-03 19:00:25 +03:00
2012-01-03 23:23:05 +04:00
i = 0 ;
2013-07-09 02:59:36 +04:00
list_for_each_entry ( n , & context - > names_list , list ) {
if ( n - > hidden )
continue ;
2013-04-30 23:30:32 +04:00
audit_log_name ( context , n , NULL , i + + , & call_panic ) ;
2013-07-09 02:59:36 +04:00
}
2008-01-07 21:49:15 +03:00
2018-11-27 02:40:07 +03:00
audit_log_proctitle ( ) ;
audit: Audit proc/<pid>/cmdline aka proctitle
During an audit event, cache and print the value of the process's
proctitle value (proc/<pid>/cmdline). This is useful in situations
where processes are started via fork'd virtual machines where the
comm field is incorrect. Often times, setting the comm field still
is insufficient as the comm width is not very wide and most
virtual machine "package names" do not fit. Also, during execution,
many threads have their comm field set as well. By tying it back to
the global cmdline value for the process, audit records will be more
complete in systems with these properties. An example of where this
is useful and applicable is in the realm of Android. With Android,
their is no fork/exec for VM instances. The bare, preloaded Dalvik
VM listens for a fork and specialize request. When this request comes
in, the VM forks, and the loads the specific application (specializing).
This was done to take advantage of COW and to not require a load of
basic packages by the VM on very app spawn. When this spawn occurs,
the package name is set via setproctitle() and shows up in procfs.
Many of these package names are longer then 16 bytes, the historical
width of task->comm. Having the cmdline in the audit records will
couple the application back to the record directly. Also, on my
Debian development box, some audit records were more useful then
what was printed under comm.
The cached proctitle is tied to the life-cycle of the audit_context
structure and is built on demand.
Proctitle is controllable by userspace, and thus should not be trusted.
It is meant as an aid to assist in debugging. The proctitle event is
emitted during syscall audits, and can be filtered with auditctl.
Example:
type=AVC msg=audit(1391217013.924:386): avc: denied { getattr } for pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386): proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
Signed-off-by: William Roberts <wroberts@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2014-02-11 22:12:01 +04:00
2008-01-07 21:49:15 +03:00
/* Send end of event record to help user space know we are finished */
ab = audit_log_start ( context , GFP_KERNEL , AUDIT_EOE ) ;
if ( ab )
audit_log_end ( ab ) ;
2006-04-01 00:22:49 +04:00
if ( call_panic )
audit_panic ( " error converting sid to string " ) ;
2005-04-17 02:20:36 +04:00
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_free - free a per - task audit context
2005-09-13 23:47:11 +04:00
* @ tsk : task whose audit context block to free
*
2006-03-30 05:30:19 +04:00
* Called from copy_process and do_exit
2005-09-13 23:47:11 +04:00
*/
2012-01-03 23:23:07 +04:00
void __audit_free ( struct task_struct * tsk )
2005-04-17 02:20:36 +04:00
{
2018-11-27 02:40:07 +03:00
struct audit_context * context = tsk - > audit_context ;
2005-04-17 02:20:36 +04:00
2012-01-03 23:23:06 +04:00
if ( ! context )
2005-04-17 02:20:36 +04:00
return ;
2018-12-11 01:17:50 +03:00
if ( ! list_empty ( & context - > killed_trees ) )
audit_kill_trees ( context ) ;
2018-11-27 02:40:07 +03:00
/* We are called either by do_exit() or the fork() error handling code;
* in the former case tsk = = current and in the latter tsk is a
* random task_struct that doesn ' t doesn ' t have any meaningful data we
* need to log via audit_log_exit ( ) .
*/
if ( tsk = = current & & ! context - > dummy & & context - > in_syscall ) {
context - > return_valid = 0 ;
context - > return_code = 0 ;
audit_filter_syscall ( tsk , context ,
& audit_filter_list [ AUDIT_FILTER_EXIT ] ) ;
audit_filter_inodes ( tsk , context ) ;
if ( context - > current_state = = AUDIT_RECORD_CONTEXT )
audit_log_exit ( ) ;
}
audit_set_context ( tsk , NULL ) ;
2005-04-17 02:20:36 +04:00
audit_free_context ( context ) ;
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_syscall_entry - fill in an audit record at syscall entry
2005-09-13 23:47:11 +04:00
* @ major : major syscall type ( function )
* @ a1 : additional syscall register 1
* @ a2 : additional syscall register 2
* @ a3 : additional syscall register 3
* @ a4 : additional syscall register 4
*
* Fill in audit context at syscall entry . This only happens if the
2005-04-17 02:20:36 +04:00
* audit context was created when the task was created and the state or
* filters demand the audit context be built . If the state from the
* per - task filter or from the per - syscall filter is AUDIT_RECORD_CONTEXT ,
* then the record will be written at syscall exit time ( otherwise , it
* will only be written if another part of the kernel requests that it
2005-09-13 23:47:11 +04:00
* be written ) .
*/
2014-03-04 19:38:06 +04:00
void __audit_syscall_entry ( int major , unsigned long a1 , unsigned long a2 ,
unsigned long a3 , unsigned long a4 )
2005-04-17 02:20:36 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2005-04-17 02:20:36 +04:00
enum audit_state state ;
2018-02-15 05:47:44 +03:00
if ( ! audit_enabled | | ! context )
2008-06-24 02:37:04 +04:00
return ;
2005-04-17 02:20:36 +04:00
BUG_ON ( context - > in_syscall | | context - > name_count ) ;
state = context - > state ;
2018-02-15 05:47:43 +03:00
if ( state = = AUDIT_DISABLED )
return ;
2006-08-03 18:59:26 +04:00
context - > dummy = ! audit_n_rules ;
2008-12-15 07:45:27 +03:00
if ( ! context - > dummy & & state = = AUDIT_BUILD_CONTEXT ) {
context - > prio = 0 ;
2018-05-13 04:58:20 +03:00
if ( auditd_test_task ( current ) )
2018-02-15 05:47:43 +03:00
return ;
2008-12-15 07:45:27 +03:00
}
2005-04-17 02:20:36 +04:00
2018-02-15 05:47:43 +03:00
context - > arch = syscall_get_arch ( ) ;
context - > major = major ;
context - > argv [ 0 ] = a1 ;
context - > argv [ 1 ] = a2 ;
context - > argv [ 2 ] = a3 ;
context - > argv [ 3 ] = a4 ;
2005-07-18 22:24:46 +04:00
context - > serial = 0 ;
2005-04-17 02:20:36 +04:00
context - > in_syscall = 1 ;
2008-12-15 07:45:27 +03:00
context - > current_state = state ;
2006-09-29 08:08:50 +04:00
context - > ppid = 0 ;
2018-07-17 21:45:08 +03:00
ktime_get_coarse_real_ts64 ( & context - > ctime ) ;
2005-04-17 02:20:36 +04:00
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_syscall_exit - deallocate audit context after a system call
2012-01-21 23:02:24 +04:00
* @ success : success value of the syscall
* @ return_code : return value of the syscall
2005-09-13 23:47:11 +04:00
*
* Tear down after system call . If the audit context has been marked as
2005-04-17 02:20:36 +04:00
* auditable ( either because of the AUDIT_RECORD_CONTEXT state from
2012-01-21 23:02:24 +04:00
* filtering , or because some other part of the kernel wrote an audit
2005-04-17 02:20:36 +04:00
* message ) , then write out the syscall information . In call cases ,
2005-09-13 23:47:11 +04:00
* free the names stored from getname ( ) .
*/
2012-01-03 23:23:06 +04:00
void __audit_syscall_exit ( int success , long return_code )
2005-04-17 02:20:36 +04:00
{
struct audit_context * context ;
2018-11-27 02:40:07 +03:00
context = audit_context ( ) ;
2012-01-03 23:23:06 +04:00
if ( ! context )
2006-03-30 05:26:24 +04:00
return ;
2005-04-17 02:20:36 +04:00
2018-12-11 01:17:50 +03:00
if ( ! list_empty ( & context - > killed_trees ) )
audit_kill_trees ( context ) ;
2018-11-27 02:40:07 +03:00
if ( ! context - > dummy & & context - > in_syscall ) {
if ( success )
context - > return_valid = AUDITSC_SUCCESS ;
else
context - > return_valid = AUDITSC_FAILURE ;
/*
* we need to fix up the return code in the audit logs if the
* actual return codes are later going to be fixed up by the
* arch specific signal handlers
*
* This is actually a test for :
* ( rc = = ERESTARTSYS ) | | ( rc = = ERESTARTNOINTR ) | |
* ( rc = = ERESTARTNOHAND ) | | ( rc = = ERESTART_RESTARTBLOCK )
*
* but is faster than a bunch of | |
*/
if ( unlikely ( return_code < = - ERESTARTSYS ) & &
( return_code > = - ERESTART_RESTARTBLOCK ) & &
( return_code ! = - ENOIOCTLCMD ) )
context - > return_code = - EINTR ;
else
context - > return_code = return_code ;
audit_filter_syscall ( current , context ,
& audit_filter_list [ AUDIT_FILTER_EXIT ] ) ;
audit_filter_inodes ( current , context ) ;
if ( context - > current_state = = AUDIT_RECORD_CONTEXT )
audit_log_exit ( ) ;
}
2005-04-17 02:20:36 +04:00
context - > in_syscall = 0 ;
2008-12-15 07:45:27 +03:00
context - > prio = context - > state = = AUDIT_RECORD_CONTEXT ? ~ 0ULL : 0 ;
2005-04-29 19:08:28 +04:00
2012-10-20 23:07:18 +04:00
audit_free_names ( context ) ;
unroll_tree_refs ( context , NULL , 0 ) ;
audit_free_aux ( context ) ;
context - > aux = NULL ;
context - > aux_pids = NULL ;
context - > target_pid = 0 ;
context - > target_sid = 0 ;
context - > sockaddr_len = 0 ;
context - > type = 0 ;
context - > fds [ 0 ] = - 1 ;
if ( context - > state ! = AUDIT_RECORD_CONTEXT ) {
kfree ( context - > filterkey ) ;
context - > filterkey = NULL ;
2005-04-17 02:20:36 +04:00
}
}
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
static inline void handle_one ( const struct inode * inode )
{
struct audit_context * context ;
struct audit_tree_refs * p ;
struct audit_chunk * chunk ;
int count ;
2017-02-01 11:21:58 +03:00
if ( likely ( ! inode - > i_fsnotify_marks ) )
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
return ;
2018-05-13 04:58:20 +03:00
context = audit_context ( ) ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
p = context - > trees ;
count = context - > tree_count ;
rcu_read_lock ( ) ;
chunk = audit_tree_lookup ( inode ) ;
rcu_read_unlock ( ) ;
if ( ! chunk )
return ;
if ( likely ( put_tree_ref ( context , chunk ) ) )
return ;
if ( unlikely ( ! grow_tree_refs ( context ) ) ) {
2014-01-28 02:38:42 +04:00
pr_warn ( " out of memory, audit has lost a tree reference \n " ) ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
audit_set_auditable ( context ) ;
audit_put_chunk ( chunk ) ;
unroll_tree_refs ( context , p , count ) ;
return ;
}
put_tree_ref ( context , chunk ) ;
}
static void handle_path ( const struct dentry * dentry )
{
struct audit_context * context ;
struct audit_tree_refs * p ;
const struct dentry * d , * parent ;
struct audit_chunk * drop ;
unsigned long seq ;
int count ;
2018-05-13 04:58:20 +03:00
context = audit_context ( ) ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
p = context - > trees ;
count = context - > tree_count ;
retry :
drop = NULL ;
d = dentry ;
rcu_read_lock ( ) ;
seq = read_seqbegin ( & rename_lock ) ;
for ( ; ; ) {
2015-03-18 01:26:21 +03:00
struct inode * inode = d_backing_inode ( d ) ;
2017-02-01 11:21:58 +03:00
if ( inode & & unlikely ( inode - > i_fsnotify_marks ) ) {
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
struct audit_chunk * chunk ;
chunk = audit_tree_lookup ( inode ) ;
if ( chunk ) {
if ( unlikely ( ! put_tree_ref ( context , chunk ) ) ) {
drop = chunk ;
break ;
}
}
}
parent = d - > d_parent ;
if ( parent = = d )
break ;
d = parent ;
}
if ( unlikely ( read_seqretry ( & rename_lock , seq ) | | drop ) ) { /* in this order */
rcu_read_unlock ( ) ;
if ( ! drop ) {
/* just a race with rename */
unroll_tree_refs ( context , p , count ) ;
goto retry ;
}
audit_put_chunk ( drop ) ;
if ( grow_tree_refs ( context ) ) {
/* OK, got more space */
unroll_tree_refs ( context , p , count ) ;
goto retry ;
}
/* too bad */
2014-01-28 02:38:42 +04:00
pr_warn ( " out of memory, audit has lost a tree reference \n " ) ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
unroll_tree_refs ( context , p , count ) ;
audit_set_auditable ( context ) ;
return ;
}
rcu_read_unlock ( ) ;
}
2012-10-10 23:25:22 +04:00
static struct audit_names * audit_alloc_name ( struct audit_context * context ,
unsigned char type )
2012-01-03 23:23:05 +04:00
{
struct audit_names * aname ;
if ( context - > name_count < AUDIT_NAMES ) {
aname = & context - > preallocated_names [ context - > name_count ] ;
memset ( aname , 0 , sizeof ( * aname ) ) ;
} else {
aname = kzalloc ( sizeof ( * aname ) , GFP_NOFS ) ;
if ( ! aname )
return NULL ;
aname - > should_free = true ;
}
2015-08-06 06:48:20 +03:00
aname - > ino = AUDIT_INO_UNSET ;
2012-10-10 23:25:22 +04:00
aname - > type = type ;
2012-01-03 23:23:05 +04:00
list_add_tail ( & aname - > list , & context - > names_list ) ;
context - > name_count + + ;
return aname ;
}
2012-10-10 23:25:28 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_reusename - fill out filename with info from existing entry
2012-10-10 23:25:28 +04:00
* @ uptr : userland ptr to pathname
*
* Search the audit_names list for the current audit context . If there is an
* existing entry with a matching " uptr " then return the filename
* associated with that audit_name . If not , return NULL .
*/
struct filename *
__audit_reusename ( const __user char * uptr )
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2012-10-10 23:25:28 +04:00
struct audit_names * n ;
list_for_each_entry ( n , & context - > names_list , list ) {
if ( ! n - > name )
continue ;
2015-01-22 08:00:23 +03:00
if ( n - > name - > uptr = = uptr ) {
n - > name - > refcnt + + ;
2012-10-10 23:25:28 +04:00
return n - > name ;
2015-01-22 08:00:23 +03:00
}
2012-10-10 23:25:28 +04:00
}
return NULL ;
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_getname - add a name to the list
2005-09-13 23:47:11 +04:00
* @ name : name to add
*
* Add a name to the list of audit names for this context .
* Called from fs / namei . c : getname ( ) .
*/
2012-10-10 23:25:28 +04:00
void __audit_getname ( struct filename * name )
2005-04-17 02:20:36 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2012-01-03 23:23:05 +04:00
struct audit_names * n ;
2005-04-17 02:20:36 +04:00
2015-01-22 08:00:23 +03:00
if ( ! context - > in_syscall )
2005-04-17 02:20:36 +04:00
return ;
2012-10-10 23:25:28 +04:00
2012-10-10 23:25:22 +04:00
n = audit_alloc_name ( context , AUDIT_TYPE_UNKNOWN ) ;
2012-01-03 23:23:05 +04:00
if ( ! n )
return ;
n - > name = name ;
n - > name_len = AUDIT_NAME_FULL ;
2012-10-11 00:43:13 +04:00
name - > aname = n ;
2015-01-22 08:00:23 +03:00
name - > refcnt + + ;
2012-01-03 23:23:05 +04:00
2010-08-10 13:41:36 +04:00
if ( ! context - > pwd . dentry )
get_fs_pwd ( current - > fs , & context - > pwd ) ;
2005-04-17 02:20:36 +04:00
}
2019-02-02 06:45:17 +03:00
static inline int audit_copy_fcaps ( struct audit_names * name ,
const struct dentry * dentry )
{
struct cpu_vfs_cap_data caps ;
int rc ;
if ( ! dentry )
return 0 ;
rc = get_vfs_caps_from_disk ( dentry , & caps ) ;
if ( rc )
return rc ;
name - > fcap . permitted = caps . permitted ;
name - > fcap . inheritable = caps . inheritable ;
name - > fcap . fE = ! ! ( caps . magic_etc & VFS_CAP_FLAGS_EFFECTIVE ) ;
name - > fcap . rootid = caps . rootid ;
name - > fcap_ver = ( caps . magic_etc & VFS_CAP_REVISION_MASK ) > >
VFS_CAP_REVISION_SHIFT ;
return 0 ;
}
/* Copy inode data into an audit_names. */
void audit_copy_inode ( struct audit_names * name , const struct dentry * dentry ,
struct inode * inode , unsigned int flags )
{
name - > ino = inode - > i_ino ;
name - > dev = inode - > i_sb - > s_dev ;
name - > mode = inode - > i_mode ;
name - > uid = inode - > i_uid ;
name - > gid = inode - > i_gid ;
name - > rdev = inode - > i_rdev ;
security_inode_getsecid ( inode , & name - > osid ) ;
if ( flags & AUDIT_INODE_NOEVAL ) {
name - > fcap_ver = - 1 ;
return ;
}
audit_copy_fcaps ( name , dentry ) ;
}
2005-09-13 23:47:11 +04:00
/**
2012-10-10 23:25:23 +04:00
* __audit_inode - store the inode and device from a lookup
2005-09-13 23:47:11 +04:00
* @ name : name being audited
2007-10-22 07:59:53 +04:00
* @ dentry : dentry being audited
2013-07-09 02:59:36 +04:00
* @ flags : attributes for this particular entry
2005-09-13 23:47:11 +04:00
*/
2012-10-11 00:43:13 +04:00
void __audit_inode ( struct filename * name , const struct dentry * dentry ,
2013-07-09 02:59:36 +04:00
unsigned int flags )
2005-04-17 02:20:36 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2015-12-24 19:09:39 +03:00
struct inode * inode = d_backing_inode ( dentry ) ;
2012-01-03 23:23:05 +04:00
struct audit_names * n ;
2013-07-09 02:59:36 +04:00
bool parent = flags & AUDIT_INODE_PARENT ;
2019-01-23 21:34:59 +03:00
struct audit_entry * e ;
struct list_head * list = & audit_filter_list [ AUDIT_FILTER_FS ] ;
int i ;
2005-04-17 02:20:36 +04:00
if ( ! context - > in_syscall )
return ;
2012-01-03 23:23:05 +04:00
2019-01-23 21:34:59 +03:00
rcu_read_lock ( ) ;
if ( ! list_empty ( list ) ) {
list_for_each_entry_rcu ( e , list , list ) {
for ( i = 0 ; i < e - > rule . field_count ; i + + ) {
struct audit_field * f = & e - > rule . fields [ i ] ;
if ( f - > type = = AUDIT_FSTYPE
& & audit_comparator ( inode - > i_sb - > s_magic ,
f - > op , f - > val )
& & e - > rule . action = = AUDIT_NEVER ) {
rcu_read_unlock ( ) ;
return ;
}
}
}
}
rcu_read_unlock ( ) ;
2012-10-10 23:25:21 +04:00
if ( ! name )
goto out_alloc ;
2012-10-11 00:43:13 +04:00
/*
* If we have a pointer to an audit_names entry already , then we can
* just use it directly if the type is correct .
*/
n = name - > aname ;
if ( n ) {
if ( parent ) {
if ( n - > type = = AUDIT_TYPE_PARENT | |
n - > type = = AUDIT_TYPE_UNKNOWN )
goto out ;
} else {
if ( n - > type ! = AUDIT_TYPE_PARENT )
goto out ;
}
}
2012-01-03 23:23:05 +04:00
list_for_each_entry_reverse ( n , & context - > names_list , list ) {
2015-01-22 08:00:16 +03:00
if ( n - > ino ) {
/* valid inode number, use that for the comparison */
if ( n - > ino ! = inode - > i_ino | |
n - > dev ! = inode - > i_sb - > s_dev )
continue ;
} else if ( n - > name ) {
/* inode number has not been set, check the name */
if ( strcmp ( n - > name - > name , name - > name ) )
continue ;
} else
/* no inode and no name (?!) ... this is odd ... */
2012-10-10 23:25:23 +04:00
continue ;
/* match the correct record type */
if ( parent ) {
if ( n - > type = = AUDIT_TYPE_PARENT | |
n - > type = = AUDIT_TYPE_UNKNOWN )
goto out ;
} else {
if ( n - > type ! = AUDIT_TYPE_PARENT )
goto out ;
}
2005-04-17 02:20:36 +04:00
}
2012-01-03 23:23:05 +04:00
2012-10-10 23:25:21 +04:00
out_alloc :
2014-12-22 20:27:39 +03:00
/* unable to find an entry with both a matching name and type */
n = audit_alloc_name ( context , AUDIT_TYPE_UNKNOWN ) ;
2012-01-03 23:23:05 +04:00
if ( ! n )
return ;
2014-12-30 17:26:21 +03:00
if ( name ) {
2015-01-22 08:00:10 +03:00
n - > name = name ;
2015-01-22 08:00:23 +03:00
name - > refcnt + + ;
2014-12-30 17:26:21 +03:00
}
2014-12-22 20:27:39 +03:00
2012-01-03 23:23:05 +04:00
out :
2012-10-10 23:25:23 +04:00
if ( parent ) {
2012-10-10 23:25:28 +04:00
n - > name_len = n - > name ? parent_len ( n - > name - > name ) : AUDIT_NAME_FULL ;
2012-10-10 23:25:23 +04:00
n - > type = AUDIT_TYPE_PARENT ;
2013-07-09 02:59:36 +04:00
if ( flags & AUDIT_INODE_HIDDEN )
n - > hidden = true ;
2012-10-10 23:25:23 +04:00
} else {
n - > name_len = AUDIT_NAME_FULL ;
n - > type = AUDIT_TYPE_NORMAL ;
}
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
handle_path ( dentry ) ;
2019-01-23 21:35:00 +03:00
audit_copy_inode ( n , dentry , inode , flags & AUDIT_INODE_NOEVAL ) ;
2005-11-03 19:00:25 +03:00
}
2014-11-01 00:44:57 +03:00
void __audit_file ( const struct file * file )
{
__audit_inode ( NULL , file - > f_path . dentry , 0 ) ;
}
2005-11-03 19:00:25 +03:00
/**
2012-10-10 23:25:21 +04:00
* __audit_inode_child - collect inode info for created / removed objects
2006-07-13 21:16:39 +04:00
* @ parent : inode of dentry parent
2012-10-10 23:25:21 +04:00
* @ dentry : dentry being audited
2012-10-10 23:25:25 +04:00
* @ type : AUDIT_TYPE_ * value that we ' re looking for
2005-11-03 19:00:25 +03:00
*
* For syscalls that create or remove filesystem objects , audit_inode
* can only collect information for the filesystem object ' s parent .
* This call updates the audit context with the child ' s information .
* Syscalls that create a new filesystem object must be hooked after
* the object is created . Syscalls that remove a filesystem object
* must be hooked prior , in order to capture the target inode during
* unsuccessful attempts .
*/
2015-12-24 19:09:39 +03:00
void __audit_inode_child ( struct inode * parent ,
2012-10-10 23:25:25 +04:00
const struct dentry * dentry ,
const unsigned char type )
2005-11-03 19:00:25 +03:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2015-12-24 19:09:39 +03:00
struct inode * inode = d_backing_inode ( dentry ) ;
2009-12-25 13:07:33 +03:00
const char * dname = dentry - > d_name . name ;
2012-10-10 23:25:25 +04:00
struct audit_names * n , * found_parent = NULL , * found_child = NULL ;
2017-08-23 14:03:39 +03:00
struct audit_entry * e ;
struct list_head * list = & audit_filter_list [ AUDIT_FILTER_FS ] ;
int i ;
2005-11-03 19:00:25 +03:00
if ( ! context - > in_syscall )
return ;
2017-08-23 14:03:39 +03:00
rcu_read_lock ( ) ;
if ( ! list_empty ( list ) ) {
list_for_each_entry_rcu ( e , list , list ) {
for ( i = 0 ; i < e - > rule . field_count ; i + + ) {
struct audit_field * f = & e - > rule . fields [ i ] ;
2019-01-23 21:34:59 +03:00
if ( f - > type = = AUDIT_FSTYPE
& & audit_comparator ( parent - > i_sb - > s_magic ,
f - > op , f - > val )
& & e - > rule . action = = AUDIT_NEVER ) {
rcu_read_unlock ( ) ;
return ;
2017-08-23 14:03:39 +03:00
}
}
}
}
rcu_read_unlock ( ) ;
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 16:04:18 +04:00
if ( inode )
handle_one ( inode ) ;
2005-11-03 19:00:25 +03:00
2012-10-10 23:25:25 +04:00
/* look for a parent entry first */
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & context - > names_list , list ) {
2015-01-22 08:00:16 +03:00
if ( ! n - > name | |
( n - > type ! = AUDIT_TYPE_PARENT & &
n - > type ! = AUDIT_TYPE_UNKNOWN ) )
2007-02-13 22:15:22 +03:00
continue ;
2015-01-22 08:00:16 +03:00
if ( n - > ino = = parent - > i_ino & & n - > dev = = parent - > i_sb - > s_dev & &
! audit_compare_dname_path ( dname ,
n - > name - > name , n - > name_len ) ) {
if ( n - > type = = AUDIT_TYPE_UNKNOWN )
n - > type = AUDIT_TYPE_PARENT ;
2012-10-10 23:25:25 +04:00
found_parent = n ;
break ;
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-08 00:55:56 +04:00
}
2007-02-13 22:15:22 +03:00
}
2005-11-03 19:00:25 +03:00
2012-10-10 23:25:25 +04:00
/* is there a matching child entry? */
2012-01-03 23:23:05 +04:00
list_for_each_entry ( n , & context - > names_list , list ) {
2012-10-10 23:25:25 +04:00
/* can only match entries that have a name */
2015-01-22 08:00:16 +03:00
if ( ! n - > name | |
( n - > type ! = type & & n - > type ! = AUDIT_TYPE_UNKNOWN ) )
2007-02-13 22:15:22 +03:00
continue ;
2012-10-10 23:25:28 +04:00
if ( ! strcmp ( dname , n - > name - > name ) | |
! audit_compare_dname_path ( dname , n - > name - > name ,
2012-10-10 23:25:25 +04:00
found_parent ?
found_parent - > name_len :
2012-10-10 23:25:25 +04:00
AUDIT_NAME_FULL ) ) {
2015-01-22 08:00:16 +03:00
if ( n - > type = = AUDIT_TYPE_UNKNOWN )
n - > type = type ;
2012-10-10 23:25:25 +04:00
found_child = n ;
break ;
2007-02-13 22:15:22 +03:00
}
2006-09-28 22:31:32 +04:00
}
2007-02-13 22:15:22 +03:00
if ( ! found_parent ) {
2012-10-10 23:25:25 +04:00
/* create a new, "anonymous" parent record */
n = audit_alloc_name ( context , AUDIT_TYPE_PARENT ) ;
2012-01-03 23:23:05 +04:00
if ( ! n )
2006-09-28 22:31:32 +04:00
return ;
2019-01-23 21:35:00 +03:00
audit_copy_inode ( n , NULL , parent , 0 ) ;
2006-07-13 21:16:39 +04:00
}
2007-02-13 22:15:22 +03:00
if ( ! found_child ) {
2012-10-10 23:25:25 +04:00
found_child = audit_alloc_name ( context , type ) ;
if ( ! found_child )
2007-02-13 22:15:22 +03:00
return ;
/* Re-use the name belonging to the slot for a matching parent
* directory . All names for this context are relinquished in
* audit_free_names ( ) */
if ( found_parent ) {
2012-10-10 23:25:25 +04:00
found_child - > name = found_parent - > name ;
found_child - > name_len = AUDIT_NAME_FULL ;
2015-01-22 08:00:23 +03:00
found_child - > name - > refcnt + + ;
2007-02-13 22:15:22 +03:00
}
}
2015-01-22 08:00:16 +03:00
2012-10-10 23:25:25 +04:00
if ( inode )
2019-01-23 21:35:00 +03:00
audit_copy_inode ( found_child , dentry , inode , 0 ) ;
2012-10-10 23:25:25 +04:00
else
2015-08-06 06:48:20 +03:00
found_child - > ino = AUDIT_INO_UNSET ;
2006-07-13 21:16:02 +04:00
}
2007-06-08 06:44:34 +04:00
EXPORT_SYMBOL_GPL ( __audit_inode_child ) ;
2006-07-13 21:16:02 +04:00
2005-09-13 23:47:11 +04:00
/**
* auditsc_get_stamp - get local copies of audit_context values
* @ ctx : audit_context for the task
2017-05-02 17:16:05 +03:00
* @ t : timespec64 to store time recorded in the audit_context
2005-09-13 23:47:11 +04:00
* @ serial : serial value that is recorded in the audit_context
*
* Also sets the context as auditable .
*/
2008-12-06 09:05:50 +03:00
int auditsc_get_stamp ( struct audit_context * ctx ,
2017-05-02 17:16:05 +03:00
struct timespec64 * t , unsigned int * serial )
2005-04-17 02:20:36 +04:00
{
2008-12-06 09:05:50 +03:00
if ( ! ctx - > in_syscall )
return 0 ;
2005-07-18 22:24:46 +04:00
if ( ! ctx - > serial )
ctx - > serial = audit_serial ( ) ;
2005-05-22 00:08:09 +04:00
t - > tv_sec = ctx - > ctime . tv_sec ;
t - > tv_nsec = ctx - > ctime . tv_nsec ;
* serial = ctx - > serial ;
2008-12-15 07:45:27 +03:00
if ( ! ctx - > prio ) {
ctx - > prio = 1 ;
ctx - > current_state = AUDIT_RECORD_CONTEXT ;
}
2008-12-06 09:05:50 +03:00
return 1 ;
2005-04-17 02:20:36 +04:00
}
2006-05-25 01:09:55 +04:00
/**
* __audit_mq_open - record audit data for a POSIX MQ open
* @ oflag : open flag
* @ mode : mode bits
2009-01-06 00:41:13 +03:00
* @ attr : queue attributes
2006-05-25 01:09:55 +04:00
*
*/
2011-07-26 13:26:10 +04:00
void __audit_mq_open ( int oflag , umode_t mode , struct mq_attr * attr )
2006-05-25 01:09:55 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2006-05-25 01:09:55 +04:00
2008-12-14 12:02:26 +03:00
if ( attr )
memcpy ( & context - > mq_open . attr , attr , sizeof ( struct mq_attr ) ) ;
else
memset ( & context - > mq_open . attr , 0 , sizeof ( struct mq_attr ) ) ;
2006-05-25 01:09:55 +04:00
2008-12-14 12:02:26 +03:00
context - > mq_open . oflag = oflag ;
context - > mq_open . mode = mode ;
2006-05-25 01:09:55 +04:00
2008-12-14 12:02:26 +03:00
context - > type = AUDIT_MQ_OPEN ;
2006-05-25 01:09:55 +04:00
}
/**
2008-12-14 11:46:48 +03:00
* __audit_mq_sendrecv - record audit data for a POSIX MQ timed send / receive
2006-05-25 01:09:55 +04:00
* @ mqdes : MQ descriptor
* @ msg_len : Message length
* @ msg_prio : Message priority
2008-12-14 11:46:48 +03:00
* @ abs_timeout : Message timeout in absolute time
2006-05-25 01:09:55 +04:00
*
*/
2008-12-14 11:46:48 +03:00
void __audit_mq_sendrecv ( mqd_t mqdes , size_t msg_len , unsigned int msg_prio ,
2017-08-03 05:51:11 +03:00
const struct timespec64 * abs_timeout )
2006-05-25 01:09:55 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2017-08-03 05:51:11 +03:00
struct timespec64 * p = & context - > mq_sendrecv . abs_timeout ;
2006-05-25 01:09:55 +04:00
2008-12-14 11:46:48 +03:00
if ( abs_timeout )
2017-08-03 05:51:11 +03:00
memcpy ( p , abs_timeout , sizeof ( * p ) ) ;
2008-12-14 11:46:48 +03:00
else
2017-08-03 05:51:11 +03:00
memset ( p , 0 , sizeof ( * p ) ) ;
2006-05-25 01:09:55 +04:00
2008-12-14 11:46:48 +03:00
context - > mq_sendrecv . mqdes = mqdes ;
context - > mq_sendrecv . msg_len = msg_len ;
context - > mq_sendrecv . msg_prio = msg_prio ;
2006-05-25 01:09:55 +04:00
2008-12-14 11:46:48 +03:00
context - > type = AUDIT_MQ_SENDRECV ;
2006-05-25 01:09:55 +04:00
}
/**
* __audit_mq_notify - record audit data for a POSIX MQ notify
* @ mqdes : MQ descriptor
2009-01-06 00:41:13 +03:00
* @ notification : Notification event
2006-05-25 01:09:55 +04:00
*
*/
2008-12-10 15:16:12 +03:00
void __audit_mq_notify ( mqd_t mqdes , const struct sigevent * notification )
2006-05-25 01:09:55 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2006-05-25 01:09:55 +04:00
2008-12-10 15:16:12 +03:00
if ( notification )
context - > mq_notify . sigev_signo = notification - > sigev_signo ;
else
context - > mq_notify . sigev_signo = 0 ;
2006-05-25 01:09:55 +04:00
2008-12-10 15:16:12 +03:00
context - > mq_notify . mqdes = mqdes ;
context - > type = AUDIT_MQ_NOTIFY ;
2006-05-25 01:09:55 +04:00
}
/**
* __audit_mq_getsetattr - record audit data for a POSIX MQ get / set attribute
* @ mqdes : MQ descriptor
* @ mqstat : MQ flags
*
*/
2008-12-10 14:58:59 +03:00
void __audit_mq_getsetattr ( mqd_t mqdes , struct mq_attr * mqstat )
2006-05-25 01:09:55 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2008-12-10 14:58:59 +03:00
context - > mq_getsetattr . mqdes = mqdes ;
context - > mq_getsetattr . mqstat = * mqstat ;
context - > type = AUDIT_MQ_GETSETATTR ;
2006-05-25 01:09:55 +04:00
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_ipc_obj - record audit data for ipc object
2006-04-03 01:07:33 +04:00
* @ ipcp : ipc permissions
*
*/
2008-12-10 11:40:06 +03:00
void __audit_ipc_obj ( struct kern_ipc_perm * ipcp )
2006-04-03 01:07:33 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2008-12-10 11:40:06 +03:00
context - > ipc . uid = ipcp - > uid ;
context - > ipc . gid = ipcp - > gid ;
context - > ipc . mode = ipcp - > mode ;
2008-12-10 11:47:15 +03:00
context - > ipc . has_perm = 0 ;
2008-12-10 11:40:06 +03:00
security_ipc_getsecid ( ipcp , & context - > ipc . osid ) ;
context - > type = AUDIT_IPC ;
2006-04-03 01:07:33 +04:00
}
/**
2017-08-07 16:44:24 +03:00
* __audit_ipc_set_perm - record audit data for new ipc permissions
2005-09-13 23:47:11 +04:00
* @ qbytes : msgq bytes
* @ uid : msgq user id
* @ gid : msgq group id
* @ mode : msgq mode ( permissions )
*
2008-12-10 11:47:15 +03:00
* Called only after audit_ipc_obj ( ) .
2005-09-13 23:47:11 +04:00
*/
2011-07-27 22:03:22 +04:00
void __audit_ipc_set_perm ( unsigned long qbytes , uid_t uid , gid_t gid , umode_t mode )
2005-04-17 02:20:36 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2005-04-17 02:20:36 +04:00
2008-12-10 11:47:15 +03:00
context - > ipc . qbytes = qbytes ;
context - > ipc . perm_uid = uid ;
context - > ipc . perm_gid = gid ;
context - > ipc . perm_mode = mode ;
context - > ipc . has_perm = 1 ;
2005-04-17 02:20:36 +04:00
}
2005-05-06 15:38:39 +04:00
2013-10-31 01:56:13 +04:00
void __audit_bprm ( struct linux_binprm * bprm )
2006-04-26 22:04:08 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2006-04-26 22:04:08 +04:00
2013-10-31 01:56:13 +04:00
context - > type = AUDIT_EXECVE ;
context - > execve . argc = bprm - > argc ;
2006-04-26 22:04:08 +04:00
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_socketcall - record audit data for sys_socketcall
2013-04-07 12:55:23 +04:00
* @ nargs : number of args , which should not be more than AUDITSC_ARGS .
2005-09-13 23:47:11 +04:00
* @ args : args array
*
*/
2013-04-07 12:55:23 +04:00
int __audit_socketcall ( int nargs , unsigned long * args )
2005-05-17 15:08:48 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2005-05-17 15:08:48 +04:00
2013-04-07 12:55:23 +04:00
if ( nargs < = 0 | | nargs > AUDITSC_ARGS | | ! args )
return - EINVAL ;
2008-12-10 11:16:51 +03:00
context - > type = AUDIT_SOCKETCALL ;
context - > socketcall . nargs = nargs ;
memcpy ( context - > socketcall . args , args , nargs * sizeof ( unsigned long ) ) ;
2013-04-07 12:55:23 +04:00
return 0 ;
2005-05-17 15:08:48 +04:00
}
2007-02-07 09:48:00 +03:00
/**
* __audit_fd_pair - record audit data for pipe and socketpair
* @ fd1 : the first file descriptor
* @ fd2 : the second file descriptor
*
*/
2008-12-14 12:57:47 +03:00
void __audit_fd_pair ( int fd1 , int fd2 )
2007-02-07 09:48:00 +03:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2008-12-14 12:57:47 +03:00
context - > fds [ 0 ] = fd1 ;
context - > fds [ 1 ] = fd2 ;
2007-02-07 09:48:00 +03:00
}
2005-09-13 23:47:11 +04:00
/**
2017-08-07 16:44:24 +03:00
* __audit_sockaddr - record audit data for sys_bind , sys_connect , sys_sendto
2005-09-13 23:47:11 +04:00
* @ len : data length in user space
* @ a : data address in kernel space
*
* Returns 0 for success or NULL context or < 0 on error .
*/
2012-01-03 23:23:07 +04:00
int __audit_sockaddr ( int len , void * a )
2005-05-17 15:08:48 +04:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2005-05-17 15:08:48 +04:00
2008-12-10 03:50:34 +03:00
if ( ! context - > sockaddr ) {
void * p = kmalloc ( sizeof ( struct sockaddr_storage ) , GFP_KERNEL ) ;
if ( ! p )
return - ENOMEM ;
context - > sockaddr = p ;
}
2005-05-17 15:08:48 +04:00
2008-12-10 03:50:34 +03:00
context - > sockaddr_len = len ;
memcpy ( context - > sockaddr , a , len ) ;
2005-05-17 15:08:48 +04:00
return 0 ;
}
2007-03-20 20:58:35 +03:00
void __audit_ptrace ( struct task_struct * t )
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2007-03-20 20:58:35 +03:00
2016-08-31 00:19:13 +03:00
context - > target_pid = task_tgid_nr ( t ) ;
2008-01-07 21:40:17 +03:00
context - > target_auid = audit_get_loginuid ( t ) ;
2008-11-14 02:39:19 +03:00
context - > target_uid = task_uid ( t ) ;
2008-01-08 18:06:53 +03:00
context - > target_sessionid = audit_get_sessionid ( t ) ;
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 22:54:38 +03:00
security_task_getsecid ( t , & context - > target_sid ) ;
2008-01-07 21:40:17 +03:00
memcpy ( context - > target_comm , t - > comm , TASK_COMM_LEN ) ;
2007-03-20 20:58:35 +03:00
}
2005-09-13 23:47:11 +04:00
/**
* audit_signal_info - record signal info for shutting down audit subsystem
* @ sig : signal value
* @ t : task being signaled
*
* If the audit subsystem is being terminated , record the task ( pid )
* and uid that is doing that .
*/
2017-03-27 21:30:06 +03:00
int audit_signal_info ( int sig , struct task_struct * t )
2005-05-06 15:38:39 +04:00
{
2007-03-30 02:01:04 +04:00
struct audit_aux_data_pids * axp ;
2018-05-13 04:58:20 +03:00
struct audit_context * ctx = audit_context ( ) ;
2018-05-16 14:55:46 +03:00
kuid_t uid = current_uid ( ) , auid , t_uid = task_uid ( t ) ;
2006-05-25 18:19:47 +04:00
2017-03-27 21:30:06 +03:00
if ( auditd_test_task ( t ) & &
( sig = = SIGTERM | | sig = = SIGHUP | |
sig = = SIGUSR1 | | sig = = SIGUSR2 ) ) {
2018-05-13 04:58:20 +03:00
audit_sig_pid = task_tgid_nr ( current ) ;
2018-05-16 14:55:46 +03:00
auid = audit_get_loginuid ( current ) ;
if ( uid_valid ( auid ) )
audit_sig_uid = auid ;
2017-03-27 21:30:06 +03:00
else
audit_sig_uid = uid ;
2018-05-13 04:58:20 +03:00
security_task_getsecid ( current , & audit_sig_sid ) ;
2005-05-06 15:38:39 +04:00
}
2007-03-30 02:01:04 +04:00
2017-03-27 21:30:06 +03:00
if ( ! audit_signals | | audit_dummy_context ( ) )
return 0 ;
2007-03-30 02:01:04 +04:00
/* optimize the common case by putting first signal recipient directly
* in audit_context */
if ( ! ctx - > target_pid ) {
2013-12-11 22:52:26 +04:00
ctx - > target_pid = task_tgid_nr ( t ) ;
2008-01-07 21:40:17 +03:00
ctx - > target_auid = audit_get_loginuid ( t ) ;
2008-11-14 02:39:19 +03:00
ctx - > target_uid = t_uid ;
2008-01-08 18:06:53 +03:00
ctx - > target_sessionid = audit_get_sessionid ( t ) ;
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 22:54:38 +03:00
security_task_getsecid ( t , & ctx - > target_sid ) ;
2008-01-07 21:40:17 +03:00
memcpy ( ctx - > target_comm , t - > comm , TASK_COMM_LEN ) ;
2007-03-30 02:01:04 +04:00
return 0 ;
}
axp = ( void * ) ctx - > aux_pids ;
if ( ! axp | | axp - > pid_count = = AUDIT_AUX_PIDS ) {
axp = kzalloc ( sizeof ( * axp ) , GFP_ATOMIC ) ;
if ( ! axp )
return - ENOMEM ;
axp - > d . type = AUDIT_OBJ_PID ;
axp - > d . next = ctx - > aux_pids ;
ctx - > aux_pids = ( void * ) axp ;
}
2007-08-23 01:01:05 +04:00
BUG_ON ( axp - > pid_count > = AUDIT_AUX_PIDS ) ;
2007-03-30 02:01:04 +04:00
2013-12-11 22:52:26 +04:00
axp - > target_pid [ axp - > pid_count ] = task_tgid_nr ( t ) ;
2008-01-07 21:40:17 +03:00
axp - > target_auid [ axp - > pid_count ] = audit_get_loginuid ( t ) ;
2008-11-14 02:39:19 +03:00
axp - > target_uid [ axp - > pid_count ] = t_uid ;
2008-01-08 18:06:53 +03:00
axp - > target_sessionid [ axp - > pid_count ] = audit_get_sessionid ( t ) ;
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 22:54:38 +03:00
security_task_getsecid ( t , & axp - > target_sid [ axp - > pid_count ] ) ;
2008-01-07 21:40:17 +03:00
memcpy ( axp - > target_comm [ axp - > pid_count ] , t - > comm , TASK_COMM_LEN ) ;
2007-03-30 02:01:04 +04:00
axp - > pid_count + + ;
return 0 ;
2005-05-06 15:38:39 +04:00
}
2007-04-19 18:28:21 +04:00
2008-11-11 13:48:18 +03:00
/**
* __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
* @ bprm : pointer to the bprm being processed
* @ new : the proposed new credentials
* @ old : the old credentials
2008-11-11 13:48:18 +03:00
*
* Simply check if the proc already has the caps given by the file and if not
* store the priv escalation info for later auditing at the end of the syscall
*
* - Eric
*/
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
int __audit_log_bprm_fcaps ( struct linux_binprm * bprm ,
const struct cred * new , const struct cred * old )
2008-11-11 13:48:18 +03:00
{
struct audit_aux_data_bprm_fcaps * ax ;
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2008-11-11 13:48:18 +03:00
struct cpu_vfs_cap_data vcaps ;
ax = kmalloc ( sizeof ( * ax ) , GFP_KERNEL ) ;
if ( ! ax )
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
return - ENOMEM ;
2008-11-11 13:48:18 +03:00
ax - > d . type = AUDIT_BPRM_FCAPS ;
ax - > d . next = context - > aux ;
context - > aux = ( void * ) ax ;
2014-12-28 17:27:07 +03:00
get_vfs_caps_from_disk ( bprm - > file - > f_path . dentry , & vcaps ) ;
2008-11-11 13:48:18 +03:00
ax - > fcap . permitted = vcaps . permitted ;
ax - > fcap . inheritable = vcaps . inheritable ;
ax - > fcap . fE = ! ! ( vcaps . magic_etc & VFS_CAP_FLAGS_EFFECTIVE ) ;
2019-01-24 05:36:25 +03:00
ax - > fcap . rootid = vcaps . rootid ;
2008-11-11 13:48:18 +03:00
ax - > fcap_ver = ( vcaps . magic_etc & VFS_CAP_REVISION_MASK ) > > VFS_CAP_REVISION_SHIFT ;
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
ax - > old_pcap . permitted = old - > cap_permitted ;
ax - > old_pcap . inheritable = old - > cap_inheritable ;
ax - > old_pcap . effective = old - > cap_effective ;
audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-04-07 17:17:27 +03:00
ax - > old_pcap . ambient = old - > cap_ambient ;
2008-11-11 13:48:18 +03:00
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
ax - > new_pcap . permitted = new - > cap_permitted ;
ax - > new_pcap . inheritable = new - > cap_inheritable ;
ax - > new_pcap . effective = new - > cap_effective ;
audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-04-07 17:17:27 +03:00
ax - > new_pcap . ambient = new - > cap_ambient ;
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
return 0 ;
2008-11-11 13:48:18 +03:00
}
2008-11-11 13:48:22 +03:00
/**
* __audit_log_capset - store information about the arguments to the capset syscall
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 02:39:23 +03:00
* @ new : the new credentials
* @ old : the old ( current ) credentials
2008-11-11 13:48:22 +03:00
*
2014-09-08 20:27:23 +04:00
* Record the arguments userspace sent to sys_capset for later printing by the
2008-11-11 13:48:22 +03:00
* audit system if applicable
*/
2013-03-19 11:02:25 +04:00
void __audit_log_capset ( const struct cred * new , const struct cred * old )
2008-11-11 13:48:22 +03:00
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2016-08-31 00:19:13 +03:00
context - > capset . pid = task_tgid_nr ( current ) ;
2009-01-04 22:52:57 +03:00
context - > capset . cap . effective = new - > cap_effective ;
context - > capset . cap . inheritable = new - > cap_effective ;
context - > capset . cap . permitted = new - > cap_permitted ;
audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-04-07 17:17:27 +03:00
context - > capset . cap . ambient = new - > cap_ambient ;
2009-01-04 22:52:57 +03:00
context - > type = AUDIT_CAPSET ;
2008-11-11 13:48:22 +03:00
}
2010-10-30 10:54:44 +04:00
void __audit_mmap_fd ( int fd , int flags )
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2010-10-30 10:54:44 +04:00
context - > mmap . fd = fd ;
context - > mmap . flags = flags ;
context - > type = AUDIT_MMAP ;
}
2017-02-04 21:10:38 +03:00
void __audit_log_kern_module ( char * name )
{
2018-05-13 04:58:20 +03:00
struct audit_context * context = audit_context ( ) ;
2017-02-04 21:10:38 +03:00
2018-07-25 05:26:19 +03:00
context - > module . name = kstrdup ( name , GFP_KERNEL ) ;
if ( ! context - > module . name )
audit_log_lost ( " out of memory in __audit_log_kern_module " ) ;
2017-02-04 21:10:38 +03:00
context - > type = AUDIT_KERN_MODULE ;
}
2017-10-03 03:21:39 +03:00
void __audit_fanotify ( unsigned int response )
{
2018-05-13 04:58:20 +03:00
audit_log ( audit_context ( ) , GFP_KERNEL ,
2017-10-03 03:21:39 +03:00
AUDIT_FANOTIFY , " resp=%u " , response ) ;
}
2013-01-12 02:32:05 +04:00
static void audit_log_task ( struct audit_buffer * ab )
2012-01-03 23:23:05 +04:00
{
2012-02-08 04:53:48 +04:00
kuid_t auid , uid ;
kgid_t gid ;
2012-01-03 23:23:05 +04:00
unsigned int sessionid ;
2014-03-16 02:42:34 +04:00
char comm [ sizeof ( current - > comm ) ] ;
2012-01-03 23:23:05 +04:00
auid = audit_get_loginuid ( current ) ;
sessionid = audit_get_sessionid ( current ) ;
current_uid_gid ( & uid , & gid ) ;
audit_log_format ( ab , " auid=%u uid=%u gid=%u ses=%u " ,
2012-02-08 04:53:48 +04:00
from_kuid ( & init_user_ns , auid ) ,
from_kuid ( & init_user_ns , uid ) ,
from_kgid ( & init_user_ns , gid ) ,
sessionid ) ;
2012-01-03 23:23:05 +04:00
audit_log_task_context ( ab ) ;
2016-08-31 00:19:13 +03:00
audit_log_format ( ab , " pid=%d comm= " , task_tgid_nr ( current ) ) ;
2014-03-16 02:42:34 +04:00
audit_log_untrustedstring ( ab , get_task_comm ( comm , current ) ) ;
2015-02-23 05:20:00 +03:00
audit_log_d_path_exe ( ab , current - > mm ) ;
2013-01-12 02:32:05 +04:00
}
2007-04-19 18:28:21 +04:00
/**
* audit_core_dumps - record information about processes that end abnormally
2007-07-16 10:41:10 +04:00
* @ signr : signal value
2007-04-19 18:28:21 +04:00
*
* If a process ends with a core dump , something fishy is going on and we
* should record the event for investigation .
*/
void audit_core_dumps ( long signr )
{
struct audit_buffer * ab ;
if ( ! audit_enabled )
return ;
if ( signr = = SIGQUIT ) /* don't care for those */
return ;
2018-05-31 23:28:12 +03:00
ab = audit_log_start ( audit_context ( ) , GFP_KERNEL , AUDIT_ANOM_ABEND ) ;
2013-01-12 02:32:07 +04:00
if ( unlikely ( ! ab ) )
return ;
2013-11-08 08:27:39 +04:00
audit_log_task ( ab ) ;
2016-12-15 00:00:13 +03:00
audit_log_format ( ab , " sig=%ld res=1 " , signr ) ;
2012-01-03 23:23:05 +04:00
audit_log_end ( ab ) ;
}
2007-04-19 18:28:21 +04:00
2018-05-04 04:08:15 +03:00
/**
* audit_seccomp - record information about a seccomp action
* @ syscall : syscall number
* @ signr : signal value
* @ code : the seccomp action
*
* Record the information associated with a seccomp action . Event filtering for
* seccomp actions that are not to be logged is done in seccomp_log ( ) .
* Therefore , this function forces auditing independent of the audit_enabled
* and dummy context state because seccomp actions should be logged even when
* audit is not in use .
*/
void audit_seccomp ( unsigned long syscall , long signr , int code )
2012-01-03 23:23:05 +04:00
{
struct audit_buffer * ab ;
2018-05-31 23:27:24 +03:00
ab = audit_log_start ( audit_context ( ) , GFP_KERNEL , AUDIT_SECCOMP ) ;
2013-01-12 02:32:05 +04:00
if ( unlikely ( ! ab ) )
return ;
audit_log_task ( ab ) ;
2014-01-30 01:17:58 +04:00
audit_log_format ( ab , " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x " ,
2016-03-23 00:24:58 +03:00
signr , syscall_get_arch ( ) , syscall ,
in_compat_syscall ( ) , KSTK_EIP ( current ) , code ) ;
2007-04-19 18:28:21 +04:00
audit_log_end ( ab ) ;
}
2009-06-24 08:02:38 +04:00
seccomp: Audit attempts to modify the actions_logged sysctl
The decision to log a seccomp action will always be subject to the
value of the kernel.seccomp.actions_logged sysctl, even for processes
that are being inspected via the audit subsystem, in an upcoming patch.
Therefore, we need to emit an audit record on attempts at writing to the
actions_logged sysctl when auditing is enabled.
This patch updates the write handler for the actions_logged sysctl to
emit an audit record on attempts to write to the sysctl. Successful
writes to the sysctl will result in a record that includes a normalized
list of logged actions in the "actions" field and a "res" field equal to
1. Unsuccessful writes to the sysctl will result in a record that
doesn't include the "actions" field and has a "res" field equal to 0.
Not all unsuccessful writes to the sysctl are audited. For example, an
audit record will not be emitted if an unprivileged process attempts to
open the sysctl file for reading since that access control check is not
part of the sysctl's write handler.
Below are some example audit records when writing various strings to the
actions_logged sysctl.
Writing "not-a-real-action", when the kernel.seccomp.actions_logged
sysctl previously was "kill_process kill_thread trap errno trace log",
emits this audit record:
type=CONFIG_CHANGE msg=audit(1525392371.454:120): op=seccomp-logging
actions=? old-actions=kill_process,kill_thread,trap,errno,trace,log
res=0
If you then write "kill_process kill_thread errno trace log", this audit
record is emitted:
type=CONFIG_CHANGE msg=audit(1525392401.645:126): op=seccomp-logging
actions=kill_process,kill_thread,errno,trace,log
old-actions=kill_process,kill_thread,trap,errno,trace,log res=1
If you then write "log log errno trace kill_process kill_thread", which
is unordered and contains the log action twice, it results in the same
actions value as the previous record:
type=CONFIG_CHANGE msg=audit(1525392436.354:132): op=seccomp-logging
actions=kill_process,kill_thread,errno,trace,log
old-actions=kill_process,kill_thread,errno,trace,log res=1
If you then write an empty string to the sysctl, this audit record is
emitted:
type=CONFIG_CHANGE msg=audit(1525392494.413:138): op=seccomp-logging
actions=(none) old-actions=kill_process,kill_thread,errno,trace,log
res=1
No audit records are generated when reading the actions_logged sysctl.
Suggested-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-05-04 04:08:14 +03:00
void audit_seccomp_actions_logged ( const char * names , const char * old_names ,
int res )
{
struct audit_buffer * ab ;
if ( ! audit_enabled )
return ;
2018-05-16 14:55:45 +03:00
ab = audit_log_start ( audit_context ( ) , GFP_KERNEL ,
seccomp: Audit attempts to modify the actions_logged sysctl
The decision to log a seccomp action will always be subject to the
value of the kernel.seccomp.actions_logged sysctl, even for processes
that are being inspected via the audit subsystem, in an upcoming patch.
Therefore, we need to emit an audit record on attempts at writing to the
actions_logged sysctl when auditing is enabled.
This patch updates the write handler for the actions_logged sysctl to
emit an audit record on attempts to write to the sysctl. Successful
writes to the sysctl will result in a record that includes a normalized
list of logged actions in the "actions" field and a "res" field equal to
1. Unsuccessful writes to the sysctl will result in a record that
doesn't include the "actions" field and has a "res" field equal to 0.
Not all unsuccessful writes to the sysctl are audited. For example, an
audit record will not be emitted if an unprivileged process attempts to
open the sysctl file for reading since that access control check is not
part of the sysctl's write handler.
Below are some example audit records when writing various strings to the
actions_logged sysctl.
Writing "not-a-real-action", when the kernel.seccomp.actions_logged
sysctl previously was "kill_process kill_thread trap errno trace log",
emits this audit record:
type=CONFIG_CHANGE msg=audit(1525392371.454:120): op=seccomp-logging
actions=? old-actions=kill_process,kill_thread,trap,errno,trace,log
res=0
If you then write "kill_process kill_thread errno trace log", this audit
record is emitted:
type=CONFIG_CHANGE msg=audit(1525392401.645:126): op=seccomp-logging
actions=kill_process,kill_thread,errno,trace,log
old-actions=kill_process,kill_thread,trap,errno,trace,log res=1
If you then write "log log errno trace kill_process kill_thread", which
is unordered and contains the log action twice, it results in the same
actions value as the previous record:
type=CONFIG_CHANGE msg=audit(1525392436.354:132): op=seccomp-logging
actions=kill_process,kill_thread,errno,trace,log
old-actions=kill_process,kill_thread,errno,trace,log res=1
If you then write an empty string to the sysctl, this audit record is
emitted:
type=CONFIG_CHANGE msg=audit(1525392494.413:138): op=seccomp-logging
actions=(none) old-actions=kill_process,kill_thread,errno,trace,log
res=1
No audit records are generated when reading the actions_logged sysctl.
Suggested-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-05-04 04:08:14 +03:00
AUDIT_CONFIG_CHANGE ) ;
if ( unlikely ( ! ab ) )
return ;
2018-08-03 00:56:50 +03:00
audit_log_format ( ab ,
" op=seccomp-logging actions=%s old-actions=%s res=%d " ,
names , old_names , res ) ;
seccomp: Audit attempts to modify the actions_logged sysctl
The decision to log a seccomp action will always be subject to the
value of the kernel.seccomp.actions_logged sysctl, even for processes
that are being inspected via the audit subsystem, in an upcoming patch.
Therefore, we need to emit an audit record on attempts at writing to the
actions_logged sysctl when auditing is enabled.
This patch updates the write handler for the actions_logged sysctl to
emit an audit record on attempts to write to the sysctl. Successful
writes to the sysctl will result in a record that includes a normalized
list of logged actions in the "actions" field and a "res" field equal to
1. Unsuccessful writes to the sysctl will result in a record that
doesn't include the "actions" field and has a "res" field equal to 0.
Not all unsuccessful writes to the sysctl are audited. For example, an
audit record will not be emitted if an unprivileged process attempts to
open the sysctl file for reading since that access control check is not
part of the sysctl's write handler.
Below are some example audit records when writing various strings to the
actions_logged sysctl.
Writing "not-a-real-action", when the kernel.seccomp.actions_logged
sysctl previously was "kill_process kill_thread trap errno trace log",
emits this audit record:
type=CONFIG_CHANGE msg=audit(1525392371.454:120): op=seccomp-logging
actions=? old-actions=kill_process,kill_thread,trap,errno,trace,log
res=0
If you then write "kill_process kill_thread errno trace log", this audit
record is emitted:
type=CONFIG_CHANGE msg=audit(1525392401.645:126): op=seccomp-logging
actions=kill_process,kill_thread,errno,trace,log
old-actions=kill_process,kill_thread,trap,errno,trace,log res=1
If you then write "log log errno trace kill_process kill_thread", which
is unordered and contains the log action twice, it results in the same
actions value as the previous record:
type=CONFIG_CHANGE msg=audit(1525392436.354:132): op=seccomp-logging
actions=kill_process,kill_thread,errno,trace,log
old-actions=kill_process,kill_thread,errno,trace,log res=1
If you then write an empty string to the sysctl, this audit record is
emitted:
type=CONFIG_CHANGE msg=audit(1525392494.413:138): op=seccomp-logging
actions=(none) old-actions=kill_process,kill_thread,errno,trace,log
res=1
No audit records are generated when reading the actions_logged sysctl.
Suggested-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-05-04 04:08:14 +03:00
audit_log_end ( ab ) ;
}
2009-06-24 08:02:38 +04:00
struct list_head * audit_killed_trees ( void )
{
2018-05-13 04:58:20 +03:00
struct audit_context * ctx = audit_context ( ) ;
2009-06-24 08:02:38 +04:00
if ( likely ( ! ctx | | ! ctx - > in_syscall ) )
return NULL ;
return & ctx - > killed_trees ;
}