06 Dec, 2016
1 commit
-
Signed-off-by: Al Viro
27 Jun, 2016
1 commit
-
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Re-factor and combine audit_filter_type() with audit_filter_user() to
use audit_filter_user_rules() to enable the exclude filter to
additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.

The process of combining the similar audit_filter_user() and
audit_filter_type() functions, required inverting the meaning and
including the ALWAYS action of the latter.

Include audit_filter_user_rules() into audit_filter(), removing
unneeded logic in the process.

Keep the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs
[PM: checkpatch.pl fixes - whitespace damage, wrapped description]
Signed-off-by: Paul Moore
28 Jan, 2016
1 commit
-
The audit_tty and audit_tty_log_passwd fields are actually bool
values, so merge into single memory location to access atomically.

NB: audit log operations may still occur after tty audit is disabled
which is consistent with the existing functionality

Signed-off-by: Peter Hurley
Signed-off-by: Greg Kroah-Hartman
18 Jan, 2016
1 commit
-
Pull security subsystem updates from James Morris:
- EVM gains support for loading an x509 cert from the kernel
(EVM_LOAD_X509), into the EVM trusted kernel keyring.
- Smack implements 'file receive' process-based permission checking for
sockets, rather than just depending on inode checks.
- Misc enhancements for TPM & TPM2.
- Cleanups and bugfixes for SELinux, Keys, and IMA.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits)
selinux: Inode label revalidation performance fix
KEYS: refcount bug fix
ima: ima_write_policy() limit locking
IMA: policy can be updated zero times
selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()
selinux: export validatetrans decisions
gfs2: Invalid security labels of inodes when they go invalid
selinux: Revalidate invalid inode security labels
security: Add hook to invalidate inode security labels
selinux: Add accessor functions for inode->i_security
security: Make inode argument of inode_getsecid non-const
security: Make inode argument of inode_getsecurity non-const
selinux: Remove unused variable in selinux_inode_init_security
keys, trusted: seal with a TPM2 authorization policy
keys, trusted: select hash algorithm for TPM2 chips
keys, trusted: fix: *do not* allow duplicate key options
tpm_ibmvtpm: properly handle interrupted packet receptions
tpm_tis: Tighten IRQ auto-probing
tpm_tis: Refactor the interrupt setup
tpm_tis: Get rid of the duplicate IRQ probing code
...
13 Jan, 2016
1 commit
-
Previously we were emitting seccomp audit records regardless of the
audit_enabled setting, a departure from the rest of audit. This
patch makes seccomp auditing consistent with the rest of the audit
record generation code in that when audit_enabled=0 nothing is logged
by the audit subsystem.

The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
code change was in the audit_seccomp() definition.

Signed-off-by: Tony Jones
Signed-off-by: Paul Moore
25 Dec, 2015
1 commit
-
Make the inode argument of the inode_getsecid hook non-const so that we
can use it to revalidate invalid security labels.

Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
Signed-off-by: Paul Moore
04 Nov, 2015
2 commits
-
This patch makes audit_string_contains_control return bool to improve
readability due to this particular function only using either one or
zero as its return value.

Signed-off-by: Yaowei Bai
[PM: tweaked subject line]
Signed-off-by: Paul Moore
-
This patch makes audit_dummy_context return bool due to this
particular function only using either one or zero as its return
value.

No functional change.
Signed-off-by: Yaowei Bai
[PM: subject line tweak]
Signed-off-by: Paul Moore
07 Aug, 2015
2 commits
-
This adds the ability to audit the actions of a not-yet-running process.
This patch implements the ability to filter on the executable path. Instead of
just hard coding the ino and dev of the executable we care about at the moment
the rule is inserted into the kernel, use the new audit_fsnotify
infrastructure to manage this dynamically. This means that if the filename
does not yet exist but the containing directory does, or if the inode in
question is unlinked and creat'd (aka updated) the rule will just continue to
work. If the containing directory is moved or deleted or the filesystem is
unmounted, the rule is deleted automatically. A future enhancement would be to
have the rule survive across directory disruptions.

This is a heavily modified version of a patch originally submitted by Eric
Paris with some ideas from Peter Moody.

Cc: Peter Moody
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
[PM: minor whitespace clean to satisfy ./scripts/checkpatch]
Signed-off-by: Paul Moore
-
Clean up a number of places where casted magic numbers are used to represent
unset inode and device numbers in preparation for the audit by executable path
patch set.

Signed-off-by: Richard Guy Briggs
[PM: enclosed the _UNSET macros in parentheses for ./scripts/checkpatch]
Signed-off-by: Paul Moore
18 Feb, 2015
1 commit
-
Pull getname/putname updates from Al Viro:
"Rework of getname/getname_kernel/etc., mostly from Paul Moore. Gets
rid of quite a pile of kludges between namei and audit..."

* 'getname2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
audit: replace getname()/putname() hacks with reference counters
audit: fix filename matching in __audit_inode() and __audit_inode_child()
audit: enable filename recording via getname_kernel()
simpler calling conventions for filename_mountpoint()
fs: create proper filename objects using getname_kernel()
fs: rework getname_kernel to handle up to PATH_MAX sized filenames
cut down the number of do_path_lookup() callers
12 Feb, 2015
1 commit
-
Pull audit fix from Paul Moore:
"Just one patch from the audit tree for v3.20, and a very minor one at
that.

The patch simply removes an old, unused field from the audit_krule
structure, a private audit-only struct. In audit related news, we did
a proper overhaul of the audit pathname code and removed the nasty
getname()/putname() hacks for audit, you should see those patches in
Al's vfs tree if you haven't already.

That's it for audit this time, let's hope for a quiet -rcX series"

* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
audit: remove vestiges of vers_ops
23 Jan, 2015
1 commit
-
In order to ensure that filenames are not released before the audit
subsystem is done with the strings there are a number of hacks built
into the fs and audit subsystems around getname() and putname(). To
say these hacks are "ugly" would be kind.

This patch removes the filename hackery in favor of a more
conventional reference count based approach. The diffstat below tells
most of the story; lots of audit/fs specific code is replaced with a
traditional reference count based approach that is easily understood,
even by those not familiar with the audit and/or fs subsystems.

CC: viro@zeniv.linux.org.uk
CC: linux-fsdevel@vger.kernel.org
Signed-off-by: Paul Moore
Signed-off-by: Al Viro
20 Jan, 2015
1 commit
-
Should have been removed with commit 18900909 ("audit: remove the old
depricated kernel interface").

Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
24 Dec, 2014
2 commits
-
Pull audit fixes from Paul Moore:
"Four patches to fix various problems with the audit subsystem, all are
fairly small and straightforward.

One patch fixes a problem where we weren't using the correct gfp
allocation flags (GFP_KERNEL regardless of context, oops), one patch
fixes a problem with old userspace tools (this was broken for a
while), one patch fixes a problem where we weren't recording pathnames
correctly, and one fixes a problem with PID based filters.

In general I don't think there is anything controversial with this
patchset, and it fixes some rather unfortunate bugs; the allocation
flag one can be particularly scary looking for users"

* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
audit: restore AUDIT_LOGINUID unset ABI
audit: correctly record file names with different path name types
audit: use supplied gfp_mask from audit_buffer in kauditd_send_multicast_skb
audit: don't attempt to lookup PIDs when changing PID filtering audit rules
-
A regression was caused by commit 780a7654cee8:
audit: Make testing for a valid loginuid explicit.
(which in turn attempted to fix a regression caused by e1760bd)

When audit_krule_to_data() fills in the rules to get a listing, there was a
missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.

This broke userspace by not returning the same information that was sent and
expected.

The rule:
    auditctl -a exit,never -F auid=-1
gives:
    auditctl -l
    LIST_RULES: exit,never f24=0 syscall=all
when it should give:
    LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all

Tag it so that it is reported the same way it was set. Create a new
private flags audit_krule field (pflags) to store it that won't interact with
the public one from the API.

Cc: stable@vger.kernel.org # v3.10-rc1+
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
20 Nov, 2014
1 commit
-
... for situations when we don't have any candidate in pathnames - basically,
in descriptor-based syscalls.

[Folded the build fix for !CONFIG_AUDITSYSCALL configs from Chen Gang]
Signed-off-by: Al Viro
23 Oct, 2014
1 commit
-
There's only one audit_classify_compat_syscall() definition, so it doesn't
need to be weak.

Remove the "weak" attribute from the audit_classify_compat_syscall()
declaration.

Signed-off-by: Bjorn Helgaas
Acked-by: Richard Guy Briggs
CC: AKASHI Takahiro
24 Sep, 2014
4 commits
-
Since only one of val, uid, gid and lsm* are used at any given time, combine
them to reduce the size of the struct audit_field.

Signed-off-by: Richard Guy Briggs
-
Since the arch is found locally in __audit_syscall_entry(), there is no need to
pass it in as a parameter. Delete it from the parameter list.

x86* was the only arch to call __audit_syscall_entry() directly and did so from
assembly code.

Signed-off-by: Richard Guy Briggs
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: x86@kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-audit@redhat.com
Signed-off-by: Eric Paris
---
As this patch relies on changes in the audit tree, I think it
appropriate to send it through my tree rather than the x86 tree.
-
avr32 does not have an asm/syscall.h file. We need the
syscall_get_arch() definition from that file for all arch's which
support CONFIG_AUDITSYSCALL. Obviously avr32 is not one of those
arch's. Move the include inside the CONFIG_AUDITSYSCALL such that we
only do the include if we need the results.

When the syscall_get_arch() call is moved inside __audit_syscall_entry()
this include can be dropped entirely. But that is going to require some
assembly changes on x86* in a patch that is not ready for the tree...

Reported-by: Paul Gortmaker
Signed-off-by: Eric Paris
-
We have a function where the arch can be queried, syscall_get_arch().
So rather than have every single piece of arch specific code use and/or
duplicate syscall_get_arch(), just have the audit code use the
syscall_get_arch() code.

Based-on-patch-by: Richard Briggs
Signed-off-by: Eric Paris
Cc: linux-alpha@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-ia64@vger.kernel.org
Cc: microblaze-uclinux@itee.uq.edu.au
Cc: linux-mips@linux-mips.org
Cc: linux@lists.openrisc.net
Cc: linux-parisc@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s390@vger.kernel.org
Cc: linux-sh@vger.kernel.org
Cc: sparclinux@vger.kernel.org
Cc: user-mode-linux-devel@lists.sourceforge.net
Cc: linux-xtensa@linux-xtensa.org
Cc: x86@kernel.org
11 Apr, 2014
1 commit
-
On systems with CONFIG_COMPAT we introduced the new requirement that
audit_classify_compat_syscall() exists. This wasn't true for everything
(apparently not for "tilegx", which I know less than nothing about.)

Instead of wrapping the preprocessor optimization with CONFIG_COMPAT we
should have used the new CONFIG_AUDIT_COMPAT_GENERIC. This patch uses
that config option to make sure only arches which intend to implement
this have the requirement.

This works fine for tilegx according to Chris Metcalf
Signed-off-by: Eric Paris
25 Mar, 2014
1 commit
-
We were exposing a function based on kernel config options to userspace.
This is wrong. Move it to the audit internal header.

Suggested-by: Chris Metcalf
Signed-off-by: Eric Paris
20 Mar, 2014
2 commits
-
lib/audit.c provides a generic function for auditing system calls.
This patch extends it for compat syscall support on bi-architectures
(32/64-bit) by adding lib/compat_audit.c.
What is required to support this feature are:
* add asm/unistd32.h for compat system call names
* select CONFIG_AUDIT_ARCH_COMPAT_GENERIC

Signed-off-by: AKASHI Takahiro
Acked-by: Richard Guy Briggs
Signed-off-by: Eric Paris
-
In perverse cases of file descriptor passing the current network
namespace of a process and the network namespace of a socket used by
that socket may differ. Therefore use the network namespace of the
appropriate socket to ensure replies always go to the appropriate
socket.

Signed-off-by: "Eric W. Biederman"
Acked-by: Richard Guy Briggs
Signed-off-by: Eric Paris
15 Jan, 2014
1 commit
-
The equivalent uapi struct uses __u32 so make the kernel
use u32 too.

This can prevent some oddities where the limit is
logged/emitted as a negative value.

Convert kstrtol to kstrtouint to disallow negative values.
Signed-off-by: Joe Perches
[eparis: do not remove static from audit_default declaration]
14 Jan, 2014
5 commits
-
audit_syscall_exit() saves a result of regs_return_value() in intermediate
"int" variable and passes it to __audit_syscall_exit(), which expects its
second argument as a "long" value. This will result in truncating the
value returned by a system call and making a wrong audit record.

I don't know why gcc compiler doesn't complain about this, but anyway it
causes a problem at runtime on arm64 (and probably most 64-bit archs).

Signed-off-by: AKASHI Takahiro
Cc: Al Viro
Cc: Eric Paris
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Eric Paris
-
audit_receive_msg() needlessly contained a fallthrough case that called
audit_receive_filter(), containing no common code between the cases. Separate
them to make the logic clearer. Refactor AUDIT_LIST_RULES, AUDIT_ADD_RULE,
AUDIT_DEL_RULE cases to create audit_rule_change(), audit_list_rules_send()
functions. This should not functionally change the logic.

Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
-
The type of task->sessionid is unsigned int, the return
type of audit_get_sessionid should be consistent with it.

Signed-off-by: Gao feng
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
-
Normally, netlink ports use the PID of the userspace process as the port ID.
If the PID is already in use by a port, the kernel will allocate another port
ID to avoid conflict. Re-name all references to netlink ports from pid to
portid to reflect this reality and avoid confusion with actual PIDs. Ports
use the __u32 type, so re-type all portids accordingly.

(This patch is very similar to ebiederman's 5deadd69)
Signed-off-by: Richard Guy Briggs
Signed-off-by: Gao feng
Signed-off-by: Eric Paris
-
- Always report the current process as capset now always only works on
the current process. This prevents reporting 0 or a random pid in
a random pid namespace.
- Don't bother to pass the pid as is available.

Signed-off-by: "Eric W. Biederman"
(cherry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67)
(cherry picked from commit f911cac4556a7a23e0b3ea850233d13b32328692)

Signed-off-by: Richard Guy Briggs
[eparis: fix build error when audit disabled]
Signed-off-by: Eric Paris
06 Nov, 2013
3 commits
-
Move the audit_bprm() call from search_binary_handler() to exec_binprm(). This
allows us to get rid of the mm member of struct audit_aux_data_execve since
bprm->mm will equal current->mm.

This also mitigates the issue that ->argc could be modified by the
load_binary() call in search_binary_handler().

audit_bprm() was being called to add an AUDIT_EXECVE record to the audit
context every time search_binary_handler() was recursively called. Only one
reference is necessary.

Reported-by: Oleg Nesterov
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
---
This patch is against 3.11, but was developed on Oleg's post-3.11 patches that
introduce exec_binprm().
-
audit_bprm() was being called to add an AUDIT_EXECVE record to the audit
context every time search_binary_handler() was recursively called. Only one
reference is necessary, so just update it. Move the contents of
audit_aux_data_execve into the union in audit_context, removing dependence on a
kmalloc along the way.

Reported-by: Oleg Nesterov
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
-
The audit_status structure was not designed with extensibility in mind.
Define a new AUDIT_SET_FEATURE message type which takes a new structure
of bits where things can be enabled/disabled/locked one at a time. This
structure should be able to grow in the future while maintaining forward
and backward compatibility (based loosely on the ideas from capabilities
and prctl)

This does not actually add any features, but is just infrastructure to
allow new on/off types of audit system features.

Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
10 Jul, 2013
1 commit
-
The old audit PATH records for mq_open looked like this:
type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777
dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732
dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023

...with the audit related changes that went into 3.7, they now look like this:
type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655
dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926
dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"

Both of these look wrong to me. As Steve Grubb pointed out:
"What we need is 1 PATH record that identifies the MQ. The other PATH
records probably should not be there."

Fix it to record the mq root as a parent, and flag it such that it
should be hidden from view when the names are logged, since the root of
the mq filesystem isn't terribly interesting. With this change, we get
a single PATH record that looks more like this:

type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914
dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:user_tmpfs_t:s0

In order to do this, a new audit_inode_parent_hidden() function is
added. If we do it this way, then we avoid having the existing callers
of audit_inode needing to do any sort of flag conversion if auditing is
inactive.

Signed-off-by: Jeff Layton
Reported-by: Jiri Jaburek
Cc: Steve Grubb
Cc: Eric Paris
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
08 May, 2013
1 commit
-
audit rule additions containing "-F auid!=4294967295" were failing
with EINVAL because of a regression caused by e1760bd.

Apparently some userland audit rule sets want to know if loginuid uid
has been set and are using a test for auid != 4294967295 to determine
that.

In practice that is a horrible way to ask if a value has been set,
because it relies on subtle implementation details and will break
every time the uid implementation in the kernel changes.

So add a clean way to test if the audit loginuid has been set, and
silently convert the old idiom to the cleaner and more comprehensible
new idiom.

Cc: # 3.7
Reported-By: Richard Guy Briggs
Signed-off-by: "Eric W. Biederman"
Tested-by: Richard Guy Briggs
Signed-off-by: Eric Paris
01 May, 2013
3 commits
-
The userspace audit tools didn't like the existing formatting of the
AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
event as well, so this implements the change. The bulk of the patch is
moving code out of auditsc.c into audit.c and audit.h for general use.
It expands audit_log_name to include an optional "struct path" argument
for the simple case of just needing to report a pathname. This also
makes audit_log_task_info available when syscall auditing is not enabled,
since it is needed in either case for process details.

Signed-off-by: Kees Cook
Reported-by: Steve Grubb
-
We have a number of places we were reimplementing the same code to write
out lsm labels. Just do it one darn place.

Signed-off-by: Eric Paris