06 Nov, 2013
3 commits
-
Move the audit_bprm() call from search_binary_handler() to exec_binprm(). This
allows us to get rid of the mm member of struct audit_aux_data_execve since
bprm->mm will equal current->mm.This also mitigates the issue that ->argc could be modified by the
load_binary() call in search_binary_handler().audit_bprm() was being called to add an AUDIT_EXECVE record to the audit
context every time search_binary_handler() was recursively called. Only one
reference is necessary.Reported-by: Oleg Nesterov
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
---
This patch is against 3.11, but was developed on Oleg's post-3.11 patches that
introduce exec_binprm(). -
audit_bprm() was being called to add an AUDIT_EXECVE record to the audit
context every time search_binary_handler() was recursively called. Only one
reference is necessary, so just update it. Move the the contents of
audit_aux_data_execve into the union in audit_context, removing dependence on a
kmalloc along the way.Reported-by: Oleg Nesterov
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
The audit_status structure was not designed with extensibility in mind.
Define a new AUDIT_SET_FEATURE message type which takes a new structure
of bits where things can be enabled/disabled/locked one at a time. This
structure should be able to grow in the future while maintaining forward
and backward compatibility (based loosly on the ideas from capabilities
and prctl)This does not actually add any features, but is just infrastructure to
allow new on/off types of audit system features.Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
10 Jul, 2013
1 commit
-
The old audit PATH records for mq_open looked like this:
type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777
dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732
dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023...with the audit related changes that went into 3.7, they now look like this:
type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655
dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926
dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"Both of these look wrong to me. As Steve Grubb pointed out:
"What we need is 1 PATH record that identifies the MQ. The other PATH
records probably should not be there."Fix it to record the mq root as a parent, and flag it such that it
should be hidden from view when the names are logged, since the root of
the mq filesystem isn't terribly interesting. With this change, we get
a single PATH record that looks more like this:type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914
dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:user_tmpfs_t:s0In order to do this, a new audit_inode_parent_hidden() function is
added. If we do it this way, then we avoid having the existing callers
of audit_inode needing to do any sort of flag conversion if auditing is
inactive.Signed-off-by: Jeff Layton
Reported-by: Jiri Jaburek
Cc: Steve Grubb
Cc: Eric Paris
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
08 May, 2013
1 commit
-
audit rule additions containing "-F auid!=4294967295" were failing
with EINVAL because of a regression caused by e1760bd.Apparently some userland audit rule sets want to know if loginuid uid
has been set and are using a test for auid != 4294967295 to determine
that.In practice that is a horrible way to ask if a value has been set,
because it relies on subtle implementation details and will break
every time the uid implementation in the kernel changes.So add a clean way to test if the audit loginuid has been set, and
silently convert the old idiom to the cleaner and more comprehensible
new idiom.Cc: # 3.7
Reported-By: Richard Guy Briggs
Signed-off-by: "Eric W. Biederman"
Tested-by: Richard Guy Briggs
Signed-off-by: Eric Paris
01 May, 2013
4 commits
-
The userspace audit tools didn't like the existing formatting of the
AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
event as well, so this implements the change. The bulk of the patch is
moving code out of auditsc.c into audit.c and audit.h for general use.
It expands audit_log_name to include an optional "struct path" argument
for the simple case of just needing to report a pathname. This also
makes
audit_log_task_info available when syscall auditing is not enabled,
since
it is needed in either case for process details.Signed-off-by: Kees Cook
Reported-by: Steve Grubb -
We have a number of places we were reimplementing the same code to write
out lsm labels. Just do it one darn place.Signed-off-by: Eric Paris
-
We always use current. Stop pulling this when the skb comes in and
pushing it around as arguments. Just get it at the end when you need
it.Signed-off-by: Eric Paris
17 Apr, 2013
1 commit
-
When userspace sends messages to the audit system it includes a type.
We want to be able to filter messages based on that type without have to
do the all or nothing option currently available on the
AUDIT_FILTER_TYPE filter list. Instead we should be able to use the
AUDIT_FILTER_USER filter list and just use the message type as one part
of the matching decision.Signed-off-by: Eric Paris
11 Apr, 2013
2 commits
-
__audit_socketcall is an extern function.
better to check its parameters by itself.also can return error code, when fail (find invalid parameters).
also use macro instead of real hard code number
also give related comments for it.Signed-off-by: Chen Gang
[eparis: fix the return value when !CONFIG_AUDIT]
Signed-off-by: Eric Paris -
Commit b05d8447e782 (audit: inline audit_syscall_entry to reduce
burden on archs) changed audit_syscall_entry to check for a dummy
context before calling __audit_syscall_entry. Unfortunately the dummy
context state is maintained in __audit_syscall_entry so once set it
never gets cleared, even if the audit rules change.As a result, if there are no auditing rules when a process starts
then it will never be subject to any rules added later. x86 doesn't
see this because it has an assembly fast path that calls directly into
__audit_syscall_entry.I noticed this issue when working on audit performance optimisations.
I wrote a set of simple test cases available at:http://ozlabs.org/~anton/junkcode/audit_tests.tar.gz
02_new_rule.py fails without the patch and passes with it. The
test case clears all rules, starts a process, adds a rule then
verifies the process produces a syscall audit record.Signed-off-by: Anton Blanchard
Cc: # 3.3+
Signed-off-by: Eric Paris
12 Jan, 2013
2 commits
-
While the kernel internals want pt_regs (and so it includes
linux/ptrace.h), the user version of audit.h does not need it. So move
the include out of the uapi version.This avoids issues where people want the audit defines and userland
ptrace api. Including both the kernel ptrace and the userland ptrace
headers can easily lead to failure.Signed-off-by: Mike Frysinger
Cc: Eric Paris
Cc: Al Viro
Reviewed-by: Kees Cook
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1
could only kill a process. While we still want to make sure an audit
record is forced on a kill, this should use a separate record type since
seccomp mode 2 introduces other behaviors.In the case of "handled" behaviors (process wasn't killed), only emit a
record if the process is under inspection. This change also fixes
userspace examination of seccomp audit events, since it was considered
malformed due to missing fields of the AUDIT_ANOM_ABEND event type.Signed-off-by: Kees Cook
Cc: Al Viro
Cc: Eric Paris
Cc: Jeff Layton
Cc: "Eric W. Biederman"
Cc: Julien Tinnes
Acked-by: Will Drewry
Acked-by: Steve Grubb
Cc: Andrea Arcangeli
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
13 Oct, 2012
5 commits
-
Signed-off-by: David Howells
Acked-by: Arnd Bergmann
Acked-by: Thomas Gleixner
Acked-by: Michael Kerrisk
Acked-by: Paul E. McKenney
Acked-by: Dave Jones -
Pull OpenRISC updates from Jonas Bonn:
"Fixups for some corner cases, build issues, and some obvious bugs in
IRQ handling. No major changes."* tag 'for-3.7' of git://openrisc.net/jonas/linux:
openrisc: mask interrupts in irq_mask_ack function
openrisc: fix typos in comments and warnings
openrisc: PIC should act on domain-local irqs
openrisc: Make cpu_relax() invoke barrier()
audit: define AUDIT_ARCH_OPENRISC
openrisc: delay: fix handling of counter overflow
openrisc: delay: fix loops calculation for __const_udelay -
Keep a pointer to the audit_names "slot" in struct filename.
Have all of the audit_inode callers pass a struct filename ponter to
audit_inode instead of a string pointer. If the aname field is already
populated, then we can skip walking the list altogether and just use it
directly.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
Currently, if we call getname() on a userland string more than once,
we'll get multiple copies of the string and multiple audit_names
records.Add a function that will allow the audit_names code to satisfy getname
requests using info from the audit_names list, avoiding a new allocation
and audit_names records.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
getname() is intended to copy pathname strings from userspace into a
kernel buffer. The result is just a string in kernel space. It would
however be quite helpful to be able to attach some ancillary info to
the string.For instance, we could attach some audit-related info to reduce the
amount of audit-related processing needed. When auditing is enabled,
we could also call getname() on the string more than once and not
need to recopy it from userspace.This patchset converts the getname()/putname() interfaces to return
a struct instead of a string. For now, the struct just tracks the
string in kernel space and the original userland pointer for it.Later, we'll add other information to the struct as it becomes
convenient.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro
12 Oct, 2012
4 commits
-
In order to accomodate retrying path-based syscalls, we need to add a
new "type" argument to audit_inode_child. This will tell us whether
we're looking for a child entry that represents a create or a delete.If we find a parent, don't automatically assume that we need to create a
new entry. Instead, use the information we have to try to find an
existing entry first. Update it if one is found and create a new one if
not.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
Currently, this gets set mostly by happenstance when we call into
audit_inode_child. While that might be a little more efficient, it seems
wrong. If the syscall ends up failing before audit_inode_child ever gets
called, then you'll have an audit_names record that shows the full path
but has the parent inode info attached.Fix this by passing in a parent flag when we call audit_inode that gets
set to the value of LOOKUP_PARENT. We can then fix up the pathname for
the audit entry correctly from the get-go.While we're at it, clean up the no-op macro for audit_inode in the
!CONFIG_AUDITSYSCALL case.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
For now, we just have two possibilities:
UNKNOWN: for a new audit_names record that we don't know anything about yet
NORMAL: for everything elseIn later patches, we'll add other types so we can distinguish and update
records created under different circumstances.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
Most of the callers get called with an inode and dentry in the reverse
order. The compiler then has to reshuffle the arg registers and/or
stack in order to pass them on to audit_inode_child.Reverse those arguments for a micro-optimization.
Reported-by: Eric Paris
Signed-off-by: Jeff Layton
Signed-off-by: Al Viro
06 Oct, 2012
1 commit
-
Replace the #defines used when CONFIG_AUDIT or CONFIG_AUDIT_SYSCALLS are
disabled so we get type checking during those builds.Suggested-by: Andrew Morton
Signed-off-by: Kees Cook
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
03 Oct, 2012
1 commit
-
Pull security subsystem updates from James Morris:
"Highlights:- Integrity: add local fs integrity verification to detect offline
attacks
- Integrity: add digital signature verification
- Simple stacking of Yama with other LSMs (per LSS discussions)
- IBM vTPM support on ppc64
- Add new driver for Infineon I2C TIS TPM
- Smack: add rule revocation for subject labels"Fixed conflicts with the user namespace support in kernel/auditsc.c and
security/integrity/ima/ima_policy.c.* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
Documentation: Update git repository URL for Smack userland tools
ima: change flags container data type
Smack: setprocattr memory leak fix
Smack: implement revoking all rules for a subject label
Smack: remove task_wait() hook.
ima: audit log hashes
ima: generic IMA action flag handling
ima: rename ima_must_appraise_or_measure
audit: export audit_log_task_info
tpm: fix tpm_acpi sparse warning on different address spaces
samples/seccomp: fix 31 bit build on s390
ima: digital signature verification support
ima: add support for different security.ima data types
ima: add ima_inode_setxattr/removexattr function and calls
ima: add inode_post_setattr call
ima: replace iint spinblock with rwlock/read_lock
ima: allocating iint improvements
ima: add appraise action keywords and default rules
ima: integrity appraisal extension
vfs: move ima_file_free before releasing the file
...
21 Sep, 2012
1 commit
-
When using audit on OpenRISC, an audit arch is needed. This defines
it and fixes a compile-time bug uncovered in linux-next, likely from a
cut/paste from an arch with 64/32-bit modes that defined arch_arch():
arch/openrisc/kernel/ptrace.c:190:2: error: implicit declaration of function 'audit_arch'This replaces it with the newly defined AUDIT_ARCH_OPENRISC, since it
is only 32-bit, and currently only operates in big-endian mode.Reported-by: Geert Uytterhoeven
Signed-off-by: Kees Cook
Signed-off-by: Jonas Bonn
18 Sep, 2012
4 commits
-
Always store audit loginuids in type kuid_t.
Print loginuids by converting them into uids in the appropriate user
namespace, and then printing the resulting uid.Modify audit_get_loginuid to return a kuid_t.
Modify audit_set_loginuid to take a kuid_t.
Modify /proc//loginuid on read to convert the loginuid into the
user namespace of the opener of the file.Modify /proc//loginud on write to convert the loginuid
rom the user namespace of the opener of the file.Cc: Al Viro
Cc: Eric Paris
Cc: Paul Moore ?
Cc: David Miller
Signed-off-by: Eric W. Biederman -
The audit filter code guarantees that uid are always compared with
uids and gids are always compared with gids, as the comparason
operations are type specific. Take advantage of this proper to define
audit_uid_comparator and audit_gid_comparator which use the type safe
comparasons from uidgid.h.Build on audit_uid_comparator and audit_gid_comparator and replace
audit_compare_id with audit_compare_uid and audit_compare_gid. This
is one of those odd cases where being type safe and duplicating code
leads to simpler shorter and more concise code.Don't allow bitmask operations in uid and gid comparisons in
audit_data_to_entry. Bitmask operations are already denined in
audit_rule_to_entry.Convert constants in audit_rule_to_entry and audit_data_to_entry into
kuids and kgids when appropriate.Convert the uid and gid field in struct audit_names to be of type
kuid_t and kgid_t respectively, so that the new uid and gid comparators
can be applied in a type safe manner.Cc: Al Viro
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman" -
Cc: Al Viro
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman" -
Get caller process uid and gid and pid values from the current task
instead of the NETLINK_CB. This is simpler than passing NETLINK_CREDS
from from audit_receive_msg to audit_filter_user_rules and avoid the
chance of being hit by the occassional bugs in netlink uid/gid
credential passing. This is a safe changes because all netlink
requests are processed in the task of the sending process.Cc: Al Viro
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman"
12 Sep, 2012
1 commit
-
At the suggestion of eparis@redhat.com, move this chunk of task
logging from audit_log_exit to audit_log_task_info and export this
function so it's usuable elsewhere in the kernel.This patch is against
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity#next-ima-appraisalChangelog v2:
- add empty audit_log_task_info if CONFIG_AUDITSYSCALL isn't set.Changelog v1:
- Initial post.Signed-off-by: Peter Moody
Signed-off-by: Mimi Zohar
30 Jul, 2012
1 commit
-
Adds audit messages for unexpected link restriction violations so that
system owners will have some sort of potentially actionable information
about misbehaving processes.Signed-off-by: Kees Cook
Signed-off-by: Al Viro
14 Apr, 2012
1 commit
-
This consolidates the seccomp filter error logging path and adds more
details to the audit log.Signed-off-by: Will Drewry
Signed-off-by: Kees Cook
Acked-by: Eric Parisv18: make compat= permanent in the record
v15: added a return code to the audit_seccomp path by wad@chromium.org
(suggested by eparis@redhat.com)
v*: original by keescook@chromium.org
Signed-off-by: James Morris
21 Mar, 2012
1 commit
-
Signed-off-by: Al Viro
18 Jan, 2012
6 commits
-
This allows audit to specify rules in which we compare two fields of a
process. Such as is the running process uid != to the running process
euid?Signed-off-by: Peter Moody
Signed-off-by: Eric Paris -
This completes the matrix of interfield comparisons between uid/gid
information for the current task and the uid/gid information for inodes.
aka I can audit based on differences between the euid of the process and
the uid of fs objects.Signed-off-by: Peter Moody
Signed-off-by: Eric Paris -
Allow audit rules to compare the gid of the running task to the gid of the
inode in question.Signed-off-by: Eric Paris
-
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0. Or vice versa. This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared. At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.Signed-off-by: Eric Paris
-
The function always deals with current. Don't expose an option
pretending one can use it for something. You can't.Signed-off-by: Eric Paris
-
Much like the ability to filter audit on the uid of an inode collected, we
should be able to filter on the gid of the inode.Signed-off-by: Eric Paris