Commit ce29b682e228c70cdc91a1b2935c5adb2087bab8
Committed by
Al Viro
1 parent
e7c3497013
Exists in
master
and in
39 other branches
[PATCH] More user space subject labels
Hi, The patch below builds upon the patch sent earlier and adds subject label to all audit events generated via the netlink interface. It also cleans up a few other minor things. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Showing 4 changed files with 142 additions and 40 deletions Side-by-side Diff
include/linux/audit.h
... | ... | @@ -371,7 +371,7 @@ |
371 | 371 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
372 | 372 | extern int audit_filter_type(int type); |
373 | 373 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
374 | - void *data, size_t datasz, uid_t loginuid); | |
374 | + void *data, size_t datasz, uid_t loginuid, u32 sid); | |
375 | 375 | #else |
376 | 376 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
377 | 377 | #define audit_log_start(c,g,t) ({ NULL; }) |
kernel/audit.c
... | ... | @@ -230,49 +230,103 @@ |
230 | 230 | } |
231 | 231 | } |
232 | 232 | |
233 | -static int audit_set_rate_limit(int limit, uid_t loginuid) | |
233 | +static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) | |
234 | 234 | { |
235 | - int old = audit_rate_limit; | |
236 | - audit_rate_limit = limit; | |
237 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
235 | + int old = audit_rate_limit; | |
236 | + | |
237 | + if (sid) { | |
238 | + char *ctx = NULL; | |
239 | + u32 len; | |
240 | + int rc; | |
241 | + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | |
242 | + return rc; | |
243 | + else | |
244 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
245 | + "audit_rate_limit=%d old=%d by auid=%u subj=%s", | |
246 | + limit, old, loginuid, ctx); | |
247 | + kfree(ctx); | |
248 | + } else | |
249 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
238 | 250 | "audit_rate_limit=%d old=%d by auid=%u", |
239 | - audit_rate_limit, old, loginuid); | |
251 | + limit, old, loginuid); | |
252 | + audit_rate_limit = limit; | |
240 | 253 | return old; |
241 | 254 | } |
242 | 255 | |
243 | -static int audit_set_backlog_limit(int limit, uid_t loginuid) | |
256 | +static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) | |
244 | 257 | { |
245 | - int old = audit_backlog_limit; | |
246 | - audit_backlog_limit = limit; | |
247 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
258 | + int old = audit_backlog_limit; | |
259 | + | |
260 | + if (sid) { | |
261 | + char *ctx = NULL; | |
262 | + u32 len; | |
263 | + int rc; | |
264 | + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | |
265 | + return rc; | |
266 | + else | |
267 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
268 | + "audit_backlog_limit=%d old=%d by auid=%u subj=%s", | |
269 | + limit, old, loginuid, ctx); | |
270 | + kfree(ctx); | |
271 | + } else | |
272 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
248 | 273 | "audit_backlog_limit=%d old=%d by auid=%u", |
249 | - audit_backlog_limit, old, loginuid); | |
274 | + limit, old, loginuid); | |
275 | + audit_backlog_limit = limit; | |
250 | 276 | return old; |
251 | 277 | } |
252 | 278 | |
253 | -static int audit_set_enabled(int state, uid_t loginuid) | |
279 | +static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | |
254 | 280 | { |
255 | - int old = audit_enabled; | |
281 | + int old = audit_enabled; | |
282 | + | |
256 | 283 | if (state != 0 && state != 1) |
257 | 284 | return -EINVAL; |
258 | - audit_enabled = state; | |
259 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
285 | + | |
286 | + if (sid) { | |
287 | + char *ctx = NULL; | |
288 | + u32 len; | |
289 | + int rc; | |
290 | + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | |
291 | + return rc; | |
292 | + else | |
293 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
294 | + "audit_enabled=%d old=%d by auid=%u subj=%s", | |
295 | + state, old, loginuid, ctx); | |
296 | + kfree(ctx); | |
297 | + } else | |
298 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
260 | 299 | "audit_enabled=%d old=%d by auid=%u", |
261 | - audit_enabled, old, loginuid); | |
300 | + state, old, loginuid); | |
301 | + audit_enabled = state; | |
262 | 302 | return old; |
263 | 303 | } |
264 | 304 | |
265 | -static int audit_set_failure(int state, uid_t loginuid) | |
305 | +static int audit_set_failure(int state, uid_t loginuid, u32 sid) | |
266 | 306 | { |
267 | - int old = audit_failure; | |
307 | + int old = audit_failure; | |
308 | + | |
268 | 309 | if (state != AUDIT_FAIL_SILENT |
269 | 310 | && state != AUDIT_FAIL_PRINTK |
270 | 311 | && state != AUDIT_FAIL_PANIC) |
271 | 312 | return -EINVAL; |
272 | - audit_failure = state; | |
273 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
313 | + | |
314 | + if (sid) { | |
315 | + char *ctx = NULL; | |
316 | + u32 len; | |
317 | + int rc; | |
318 | + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | |
319 | + return rc; | |
320 | + else | |
321 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
322 | + "audit_failure=%d old=%d by auid=%u subj=%s", | |
323 | + state, old, loginuid, ctx); | |
324 | + kfree(ctx); | |
325 | + } else | |
326 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
274 | 327 | "audit_failure=%d old=%d by auid=%u", |
275 | - audit_failure, old, loginuid); | |
328 | + state, old, loginuid); | |
329 | + audit_failure = state; | |
276 | 330 | return old; |
277 | 331 | } |
278 | 332 | |
279 | 333 | |
280 | 334 | |
281 | 335 | |
282 | 336 | |
283 | 337 | |
... | ... | @@ -437,25 +491,43 @@ |
437 | 491 | return -EINVAL; |
438 | 492 | status_get = (struct audit_status *)data; |
439 | 493 | if (status_get->mask & AUDIT_STATUS_ENABLED) { |
440 | - err = audit_set_enabled(status_get->enabled, loginuid); | |
494 | + err = audit_set_enabled(status_get->enabled, | |
495 | + loginuid, sid); | |
441 | 496 | if (err < 0) return err; |
442 | 497 | } |
443 | 498 | if (status_get->mask & AUDIT_STATUS_FAILURE) { |
444 | - err = audit_set_failure(status_get->failure, loginuid); | |
499 | + err = audit_set_failure(status_get->failure, | |
500 | + loginuid, sid); | |
445 | 501 | if (err < 0) return err; |
446 | 502 | } |
447 | 503 | if (status_get->mask & AUDIT_STATUS_PID) { |
448 | 504 | int old = audit_pid; |
505 | + if (sid) { | |
506 | + char *ctx = NULL; | |
507 | + u32 len; | |
508 | + int rc; | |
509 | + if ((rc = selinux_ctxid_to_string( | |
510 | + sid, &ctx, &len))) | |
511 | + return rc; | |
512 | + else | |
513 | + audit_log(NULL, GFP_KERNEL, | |
514 | + AUDIT_CONFIG_CHANGE, | |
515 | + "audit_pid=%d old=%d by auid=%u subj=%s", | |
516 | + status_get->pid, old, | |
517 | + loginuid, ctx); | |
518 | + kfree(ctx); | |
519 | + } else | |
520 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
521 | + "audit_pid=%d old=%d by auid=%u", | |
522 | + status_get->pid, old, loginuid); | |
449 | 523 | audit_pid = status_get->pid; |
450 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
451 | - "audit_pid=%d old=%d by auid=%u", | |
452 | - audit_pid, old, loginuid); | |
453 | 524 | } |
454 | 525 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
455 | - audit_set_rate_limit(status_get->rate_limit, loginuid); | |
526 | + audit_set_rate_limit(status_get->rate_limit, | |
527 | + loginuid, sid); | |
456 | 528 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) |
457 | 529 | audit_set_backlog_limit(status_get->backlog_limit, |
458 | - loginuid); | |
530 | + loginuid, sid); | |
459 | 531 | break; |
460 | 532 | case AUDIT_USER: |
461 | 533 | case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: |
... | ... | @@ -477,7 +549,7 @@ |
477 | 549 | if (selinux_ctxid_to_string( |
478 | 550 | sid, &ctx, &len)) { |
479 | 551 | audit_log_format(ab, |
480 | - " subj=%u", sid); | |
552 | + " ssid=%u", sid); | |
481 | 553 | /* Maybe call audit_panic? */ |
482 | 554 | } else |
483 | 555 | audit_log_format(ab, |
... | ... | @@ -499,7 +571,7 @@ |
499 | 571 | case AUDIT_LIST: |
500 | 572 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
501 | 573 | uid, seq, data, nlmsg_len(nlh), |
502 | - loginuid); | |
574 | + loginuid, sid); | |
503 | 575 | break; |
504 | 576 | case AUDIT_ADD_RULE: |
505 | 577 | case AUDIT_DEL_RULE: |
... | ... | @@ -509,7 +581,7 @@ |
509 | 581 | case AUDIT_LIST_RULES: |
510 | 582 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
511 | 583 | uid, seq, data, nlmsg_len(nlh), |
512 | - loginuid); | |
584 | + loginuid, sid); | |
513 | 585 | break; |
514 | 586 | case AUDIT_SIGNAL_INFO: |
515 | 587 | sig_data.uid = audit_sig_uid; |
kernel/auditfilter.c
... | ... | @@ -586,9 +586,10 @@ |
586 | 586 | * @data: payload data |
587 | 587 | * @datasz: size of payload data |
588 | 588 | * @loginuid: loginuid of sender |
589 | + * @sid: SE Linux Security ID of sender | |
589 | 590 | */ |
590 | 591 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, |
591 | - size_t datasz, uid_t loginuid) | |
592 | + size_t datasz, uid_t loginuid, u32 sid) | |
592 | 593 | { |
593 | 594 | struct task_struct *tsk; |
594 | 595 | int *dest; |
... | ... | @@ -631,9 +632,23 @@ |
631 | 632 | |
632 | 633 | err = audit_add_rule(entry, |
633 | 634 | &audit_filter_list[entry->rule.listnr]); |
634 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
635 | - "auid=%u add rule to list=%d res=%d\n", | |
636 | - loginuid, entry->rule.listnr, !err); | |
635 | + if (sid) { | |
636 | + char *ctx = NULL; | |
637 | + u32 len; | |
638 | + if (selinux_ctxid_to_string(sid, &ctx, &len)) { | |
639 | + /* Maybe call audit_panic? */ | |
640 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
641 | + "auid=%u ssid=%u add rule to list=%d res=%d", | |
642 | + loginuid, sid, entry->rule.listnr, !err); | |
643 | + } else | |
644 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
645 | + "auid=%u subj=%s add rule to list=%d res=%d", | |
646 | + loginuid, ctx, entry->rule.listnr, !err); | |
647 | + kfree(ctx); | |
648 | + } else | |
649 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
650 | + "auid=%u add rule to list=%d res=%d", | |
651 | + loginuid, entry->rule.listnr, !err); | |
637 | 652 | |
638 | 653 | if (err) |
639 | 654 | audit_free_rule(entry); |
... | ... | @@ -649,9 +664,24 @@ |
649 | 664 | |
650 | 665 | err = audit_del_rule(entry, |
651 | 666 | &audit_filter_list[entry->rule.listnr]); |
652 | - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
653 | - "auid=%u remove rule from list=%d res=%d\n", | |
654 | - loginuid, entry->rule.listnr, !err); | |
667 | + | |
668 | + if (sid) { | |
669 | + char *ctx = NULL; | |
670 | + u32 len; | |
671 | + if (selinux_ctxid_to_string(sid, &ctx, &len)) { | |
672 | + /* Maybe call audit_panic? */ | |
673 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
674 | + "auid=%u ssid=%u remove rule from list=%d res=%d", | |
675 | + loginuid, sid, entry->rule.listnr, !err); | |
676 | + } else | |
677 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
678 | + "auid=%u subj=%s remove rule from list=%d res=%d", | |
679 | + loginuid, ctx, entry->rule.listnr, !err); | |
680 | + kfree(ctx); | |
681 | + } else | |
682 | + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
683 | + "auid=%u remove rule from list=%d res=%d", | |
684 | + loginuid, entry->rule.listnr, !err); | |
655 | 685 | |
656 | 686 | audit_free_rule(entry); |
657 | 687 | break; |
kernel/auditsc.c
... | ... | @@ -637,7 +637,7 @@ |
637 | 637 | u32 len; |
638 | 638 | if (selinux_ctxid_to_string( |
639 | 639 | axi->osid, &ctx, &len)) { |
640 | - audit_log_format(ab, " obj=%u", | |
640 | + audit_log_format(ab, " osid=%u", | |
641 | 641 | axi->osid); |
642 | 642 | call_panic = 1; |
643 | 643 | } else |
... | ... | @@ -712,7 +712,7 @@ |
712 | 712 | u32 len; |
713 | 713 | if (selinux_ctxid_to_string( |
714 | 714 | context->names[i].osid, &ctx, &len)) { |
715 | - audit_log_format(ab, " obj=%u", | |
715 | + audit_log_format(ab, " osid=%u", | |
716 | 716 | context->names[i].osid); |
717 | 717 | call_panic = 2; |
718 | 718 | } else |