[patch 1/2] audit: let userspace fully control TTY input auditing

Remove the code that automatically disables TTY input auditing in processes that open TTYs when they have no other TTY open; this heuristic was intended to automatically handle daemons, but it has false positives (e.g. with sshd) that make it impossible to control TTY input auditing from a PAM module. With this patch, TTY input auditing is controlled from user-space only. On the other hand, not even for daemons does it make sense to audit "input" from PTY masters; this data was produced by a program writing to the PTY slave, and does not represent data entered by the user. Signed-off-by: Miloslav Trmac <mitr@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

[patch 1/2] audit: let userspace fully control TTY input auditing
Remove the code that automatically disables TTY input auditing in processes that open TTYs when they have no other TTY open; this heuristic was intended to automatically handle daemons, but it has false positives (e.g. with sshd) that make it impossible to control TTY input auditing from a PAM module. With this patch, TTY input auditing is controlled from user-space only. On the other hand, not even for daemons does it make sense to audit "input" from PTY masters; this data was produced by a program writing to the PTY slave, and does not represent data entered by the user. Signed-off-by: Miloslav Trmac <mitr@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Miloslav Trmac · Al Viro
1 parent 7719e437fa
Showing 3 changed files with 5 additions and 59 deletions Side-by-side Diff
drivers/char/tty_audit.c
drivers/char/tty_io.c
include/linux/tty.h
@@ -233,6 +233,10 @@
 	if (unlikely(size == 0))
 		return;
  
+	if (tty->driver->type == TTY_DRIVER_TYPE_PTY
+	    && tty->driver->subtype == PTY_TYPE_MASTER)
+		return;
+
 	buf = tty_audit_buf_get(tty);
 	if (!buf)
 		return;
@@ -294,55 +298,5 @@
 		mutex_unlock(&buf->mutex);
 		tty_audit_buf_put(buf);
 	}
-}
-
-/**
- *	tty_audit_opening	-	A TTY is being opened.
- *
- *	As a special hack, tasks that close all their TTYs and open new ones
- *	are assumed to be system daemons (e.g. getty) and auditing is
- *	automatically disabled for them.
- */
-void tty_audit_opening(void)
-{
-	int disable;
-
-	disable = 1;
-	spin_lock_irq(&current->sighand->siglock);
-	if (current->signal->audit_tty == 0)
-		disable = 0;
-	spin_unlock_irq(&current->sighand->siglock);
-	if (!disable)
-		return;
-
-	task_lock(current);
-	if (current->files) {
-		struct fdtable *fdt;
-		unsigned i;
-
-		/*
-		 * We don't take a ref to the file, so we must hold ->file_lock
-		 * instead.
-		 */
-		spin_lock(&current->files->file_lock);
-		fdt = files_fdtable(current->files);
-		for (i = 0; i < fdt->max_fds; i++) {
-			struct file *filp;
-
-			filp = fcheck_files(current->files, i);
-			if (filp && is_tty(filp)) {
-				disable = 0;
-				break;
-			}
-		}
-		spin_unlock(&current->files->file_lock);
-	}
-	task_unlock(current);
-	if (!disable)
-		return;
-
-	spin_lock_irq(&current->sighand->siglock);
-	current->signal->audit_tty = 0;
-	spin_unlock_irq(&current->sighand->siglock);
 }
@@ -2755,7 +2755,6 @@
 		__proc_set_tty(current, tty);
 	spin_unlock_irq(&current->sighand->siglock);
 	mutex_unlock(&tty_mutex);
-	tty_audit_opening();
 	return 0;
 }
  
  
@@ -2818,10 +2817,8 @@
  
 	check_tty_count(tty, "tty_open");
 	retval = ptm_driver->open(tty, filp);
-	if (!retval) {
-		tty_audit_opening();
+	if (!retval)
 		return 0;
-	}
 out1:
 	release_dev(filp);
 	return retval;
@@ -300,7 +300,6 @@
 extern void tty_vhangup(struct tty_struct * tty);
 extern void tty_unhangup(struct file *filp);
 extern int tty_hung_up_p(struct file * filp);
-extern int is_tty(struct file *filp);
 extern void do_SAK(struct tty_struct *tty);
 extern void __do_SAK(struct tty_struct *tty);
 extern void disassociate_ctty(int priv);
@@ -352,7 +351,6 @@
 extern void tty_audit_fork(struct signal_struct *sig);
 extern void tty_audit_push(struct tty_struct *tty);
 extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid);
-extern void tty_audit_opening(void);
 #else
 static inline void tty_audit_add_data(struct tty_struct *tty,
 				      unsigned char *data, size_t size)
@@ -368,9 +366,6 @@
 {
 }
 static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
-{
-}
-static inline void tty_audit_opening(void)
 {
 }
 #endif
...	...	@@ -233,6 +233,10 @@
233	233	if (unlikely(size == 0))
234	234	return;
235	235
	236	+ if (tty->driver->type == TTY_DRIVER_TYPE_PTY
	237	+ && tty->driver->subtype == PTY_TYPE_MASTER)
	238	+ return;
	239	+
236	240	buf = tty_audit_buf_get(tty);
237	241	if (!buf)
238	242	return;
...	...	@@ -294,55 +298,5 @@
294	298	mutex_unlock(&buf->mutex);
295	299	tty_audit_buf_put(buf);
296	300	}
297		-}
298		-
299		-/**
300		- * tty_audit_opening - A TTY is being opened.
301		- *
302		- * As a special hack, tasks that close all their TTYs and open new ones
303		- * are assumed to be system daemons (e.g. getty) and auditing is
304		- * automatically disabled for them.
305		- */
306		-void tty_audit_opening(void)
307		-{
308		- int disable;
309		-
310		- disable = 1;
311		- spin_lock_irq(&current->sighand->siglock);
312		- if (current->signal->audit_tty == 0)
313		- disable = 0;
314		- spin_unlock_irq(&current->sighand->siglock);
315		- if (!disable)
316		- return;
317		-
318		- task_lock(current);
319		- if (current->files) {
320		- struct fdtable *fdt;
321		- unsigned i;
322		-
323		- /*
324		- * We don't take a ref to the file, so we must hold ->file_lock
325		- * instead.
326		- */
327		- spin_lock(&current->files->file_lock);
328		- fdt = files_fdtable(current->files);
329		- for (i = 0; i < fdt->max_fds; i++) {
330		- struct file *filp;
331		-
332		- filp = fcheck_files(current->files, i);
333		- if (filp && is_tty(filp)) {
334		- disable = 0;
335		- break;
336		- }
337		- }
338		- spin_unlock(&current->files->file_lock);
339		- }
340		- task_unlock(current);
341		- if (!disable)
342		- return;
343		-
344		- spin_lock_irq(&current->sighand->siglock);
345		- current->signal->audit_tty = 0;
346		- spin_unlock_irq(&current->sighand->siglock);
347	301	}
...	...	@@ -2755,7 +2755,6 @@
2755	2755	__proc_set_tty(current, tty);
2756	2756	spin_unlock_irq(&current->sighand->siglock);
2757	2757	mutex_unlock(&tty_mutex);
2758		- tty_audit_opening();
2759	2758	return 0;
2760	2759	}
2761	2760
2762	2761
...	...	@@ -2818,10 +2817,8 @@
2818	2817
2819	2818	check_tty_count(tty, "tty_open");
2820	2819	retval = ptm_driver->open(tty, filp);
2821		- if (!retval) {
2822		- tty_audit_opening();
	2820	+ if (!retval)
2823	2821	return 0;
2824		- }
2825	2822	out1:
2826	2823	release_dev(filp);
2827	2824	return retval;
...	...	@@ -300,7 +300,6 @@
300	300	extern void tty_vhangup(struct tty_struct * tty);
301	301	extern void tty_unhangup(struct file *filp);
302	302	extern int tty_hung_up_p(struct file * filp);
303		-extern int is_tty(struct file *filp);
304	303	extern void do_SAK(struct tty_struct *tty);
305	304	extern void __do_SAK(struct tty_struct *tty);
306	305	extern void disassociate_ctty(int priv);
...	...	@@ -352,7 +351,6 @@
352	351	extern void tty_audit_fork(struct signal_struct *sig);
353	352	extern void tty_audit_push(struct tty_struct *tty);
354	353	extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid);
355		-extern void tty_audit_opening(void);
356	354	#else
357	355	static inline void tty_audit_add_data(struct tty_struct *tty,
358	356	unsigned char *data, size_t size)
...	...	@@ -368,9 +366,6 @@
368	366	{
369	367	}
370	368	static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
371		-{
372		-}
373		-static inline void tty_audit_opening(void)
374	369	{
375	370	}
376	371	#endif