02 Aug, 2010

2 commits

• 67012e820   AppArmor: basic auditing infrastructure. ... Browse Code »

  Update lsm_audit for AppArmor specific data, and add the core routines for
  AppArmor uses for auditing.

  Signed-off-by: John Johansen
  Signed-off-by: James Morris

  John Johansen

  2010-08-02 13:35:11 +0800  
• b782e0a68   SELinux: special dontaudit for access checks ... Browse Code »

  Currently there are a number of applications (nautilus being the main one) which
  calls access() on files in order to determine how they should be displayed. It
  is normal and expected that nautilus will want to see if files are executable
  or if they are really read/write-able. access() should return the real
  permission. SELinux policy checks are done in access() and can result in lots
  of AVC denials as policy denies RWX on files which DAC allows. Currently
  SELinux must dontaudit actual attempts to read/write/execute a file in
  order to silence these messages (and not flood the logs.) But dontaudit rules
  like that can hide real attacks. This patch addes a new common file
  permission audit_access. This permission is special in that it is meaningless
  and should never show up in an allow rule. Instead the only place this
  permission has meaning is in a dontaudit rule like so:

  dontaudit nautilus_t sbin_t:file audit_access

  With such a rule if nautilus just checks access() we will still get denied and
  thus userspace will still get the correct answer but we will not log the denial.
  If nautilus attempted to actually perform one of the forbidden actions
  (rather than just querying access(2) about it) we would still log a denial.
  This type of dontaudit rule should be used sparingly, as it could be a
  method for an attacker to probe the system permissions without detection.

  Signed-off-by: Eric Paris
  Acked-by: Stephen D. Smalley
  Signed-off-by: James Morris

  Eric Paris

  2010-08-02 13:35:07 +0800  

28 Apr, 2010

1 commit

• cb84aa9b4   LSM Audit: rename LSM_AUDIT_NO_AUDIT to LSM_AUDIT_DATA_NONE ... Browse Code »

  Most of the LSM common audit work uses LSM_AUDIT_DATA_* for the naming.
  This was not so for LSM_AUDIT_NO_AUDIT which means the generic initializer
  cannot be used. This patch just renames the flag so the generic
  initializer can be used.

  Signed-off-by: Eric Paris
  Signed-off-by: James Morris

  Eric Paris

  2010-04-28 06:51:12 +0800  

10 Nov, 2009

1 commit

• dd8dbf2e6   security: report the module name to security_module_request ... Browse Code »

  For SELinux to do better filtering in userspace we send the name of the
  module along with the AVC denial when a program is denied module_request.

  Example output:

  type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
  type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

  Signed-off-by: Eric Paris
  Signed-off-by: James Morris

  Eric Paris

  2009-11-10 06:33:46 +0800  

17 Aug, 2009

1 commit

• 2bf496903   SELinux: Convert avc_audit to use lsm_audit.h ... Browse Code »

  Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
  for better maintainability.

  - changed selinux to use common_audit_data instead of
  avc_audit_data
  - eliminated code in avc.c and used code from lsm_audit.h instead.

  Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
  can call common_lsm_audit and do the pre and post callbacks without
  doing the actual dump. This makes it so that the patched version
  behaves the same way as the unpatched version.

  Also added a denied field to the selinux_audit_data private space,
  once again to make it so that the patched version behaves like the
  unpatched.

  I've tested and confirmed that AVCs look the same before and after
  this patch.

  Signed-off-by: Thomas Liu
  Acked-by: Stephen Smalley
  Signed-off-by: James Morris

  Thomas Liu

  2009-08-17 06:37:18 +0800  

10 Jul, 2009

3 commits

• 65c3f0a2d   security: Wrap SMACK and SELINUX audit data structs in ifdefs ... Browse Code »

  Wrapped the smack_audit_data and selinux_audit_data
  structs in include/linux/lsm_audit.h in ifdefs so that the
  union will always be the correct size.

  Signed-off-by: Thomas Liu
  Acked-by: Eric Paris
  Signed-off-by: James Morris

  Thomas Liu

  2009-07-10 06:59:46 +0800  
• d4131ded4   security: Make lsm_priv union in lsm_audit.h anonymous ... Browse Code »

  Made the lsm_priv union in include/linux/lsm_audit.h
  anonymous.

  Signed-off-by: Thomas Liu
  Acked-by: Eric Paris
  Signed-off-by: James Morris

  Thomas Liu

  2009-07-10 06:58:39 +0800  
• ed5215a21   Move variable function in lsm_audit.h into SMACK private space ... Browse Code »

  Moved variable function in include/linux/lsm_audit.h into the
  smack_audit_data struct since it is never used outside of it.

  Also removed setting of function in the COMMON_AUDIT_DATA_INIT
  macro because that variable is now private to SMACK.

  Signed-off-by: Thomas Liu
  Acked-by: Eric Paris
  I-dont-see-any-problems-with-it: Casey Schaufler
  Signed-off-by: James Morris

  Thomas Liu

  2009-07-10 06:54:14 +0800  

14 Apr, 2009

1 commit

• 6e837fb15   smack: implement logging V3 ... Browse Code »

  This patch creates auditing functions usable by LSM to audit security
  events. It provides standard dumping of FS, NET, task etc ... events
  (code borrowed from SELinux)
  and provides 2 callbacks to define LSM specific auditing, which should be
  flexible enough to convert SELinux too.

  Signed-off-by: Etienne Basset
  Acked-by: Casey Schaufler
  cked-by: Eric Paris
  Signed-off-by: James Morris

  Etienne Basset

  2009-04-14 07:00:19 +0800