22 Nov, 2013

1 commit

  • Pull audit updates from Eric Paris:
    "Nothing amazing. Formatting, small bug fixes, couple of fixes where
    we didn't get records due to some old VFS changes, and a change to how
    we collect execve info..."

    Fixed conflict in fs/exec.c as per Eric and linux-next.

    * git://git.infradead.org/users/eparis/audit: (28 commits)
    audit: fix type of sessionid in audit_set_loginuid()
    audit: call audit_bprm() only once to add AUDIT_EXECVE information
    audit: move audit_aux_data_execve contents into audit_context union
    audit: remove unused envc member of audit_aux_data_execve
    audit: Kill the unused struct audit_aux_data_capset
    audit: do not reject all AUDIT_INODE filter types
    audit: suppress stock memalloc failure warnings since already managed
    audit: log the audit_names record type
    audit: add child record before the create to handle case where create fails
    audit: use given values in tty_audit enable api
    audit: use nlmsg_len() to get message payload length
    audit: use memset instead of trying to initialize field by field
    audit: fix info leak in AUDIT_GET requests
    audit: update AUDIT_INODE filter rule to comparator function
    audit: audit feature to set loginuid immutable
    audit: audit feature to only allow unsetting the loginuid
    audit: allow unsetting the loginuid (with priv)
    audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
    audit: loginuid functions coding style
    selinux: apply selinux checks on new audit message types
    ...

    Linus Torvalds
     

06 Nov, 2013

13 commits

  • ...to make it clear what the intent behind each record's operation was.

    In many cases you can infer this, based on the context of the syscall
    and the result. In other cases it's not so obvious. For instance, in
    the case where you have a file being renamed over another, you'll have
    two different records with the same filename but different inode info.
    By logging this information we can clearly tell which one was created
    and which was deleted.

    This fixes what was broken in commit bfcec708.
    Commit 79f6530c should also be backported to stable v3.7+.

    Signed-off-by: Jeff Layton
    Signed-off-by: Eric Paris
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Jeff Layton
     
  • In send/GET, we don't want the kernel to lie about what value is set.

    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Richard Guy Briggs
     
  • Using the nlmsg_len member of the netlink header to test if the message
    is valid is wrong as it includes the size of the netlink header itself,
    thereby allowing short netlink messages that pass those checks to be sent.

    Use nlmsg_len() instead to test for the right message length. The result
    of nlmsg_len() is guaranteed to be non-negative as the netlink message
    already passed the checks of nlmsg_ok().

    Also switch to min_t() to please checkpatch.pl.

    Cc: Al Viro
    Cc: Eric Paris
    Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
    Signed-off-by: Mathias Krause
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Mathias Krause
     
  • We currently are setting fields to 0 to initialize the structure
    declared on the stack. This is a bad idea as if the structure has holes
    or unpacked space these will not be initialized. Just use memset. This
    is not a performance critical section of code.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
    we fail to initialize the mask member of status_set. Fix that.

    Cc: Al Viro
    Cc: Eric Paris
    Cc: stable@vger.kernel.org # v2.6.6+
    Signed-off-by: Mathias Krause
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Mathias Krause
     
  • This adds a new 'audit_feature' bit which allows userspace to set it
    such that the loginuid is absolutely immutable, even if you have
    CAP_AUDIT_CONTROL.

    Signed-off-by: Eric Paris
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Eric Paris
     
  • This is a new audit feature which only grants processes with
    CAP_AUDIT_CONTROL the ability to unset their loginuid. They cannot
    directly set it from a valid uid to another valid uid. The ability to
    unset the loginuid is nice because a privileged task, like that of
    container creation, can unset the loginuid and then priv is not needed
    inside the container when a login daemon needs to set the loginuid.

    Signed-off-by: Eric Paris
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Eric Paris
     
  • The audit_status structure was not designed with extensibility in mind.
    Define a new AUDIT_SET_FEATURE message type which takes a new structure
    of bits where things can be enabled/disabled/locked one at a time. This
    structure should be able to grow in the future while maintaining forward
    and backward compatibility (based loosely on the ideas from capabilities
    and prctl).

    This does not actually add any features, but is just infrastructure to
    allow new on/off types of audit system features.

    Signed-off-by: Eric Paris
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Eric Paris
     
  • When the audit=1 kernel parameter is absent and auditd is not running,
    AUDIT_USER_AVC messages are being silently discarded.

    AUDIT_USER_AVC messages should be sent to userspace using printk(), as
    mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
    audit-disabled case for discarding user messages").

    When audit_enabled is 0, audit_receive_msg() discards all user messages
    except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
    refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
    special case AUDIT_USER_AVC messages in both functions.

    It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
    introduced this bug.

    Cc: # v2.6.25+
    Signed-off-by: Tyler Hicks
    Cc: Al Viro
    Cc: Eric Paris
    Cc: linux-audit@redhat.com
    Acked-by: Kees Cook
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Tyler Hicks
     
  • Remove it.

    Signed-off-by: Gao feng
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Gao feng
     
  • A newline was accidentally added during session ID helper refactorization in
    commit 4d3fb709. This needlessly uses up buffer space, messes up syslog
    formatting and makes userspace processing less efficient. Remove it.

    Signed-off-by: Richard Guy Briggs
    Acked-by: Eric Paris
    Signed-off-by: Eric Paris

    Richard Guy Briggs
     
  • Signed-off-by: Ilya V. Matveychikov
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Ilya V. Matveychikov
     
  • Messages of type AUDIT_USER_TTY were being formatted to 1024 octets,
    truncating messages approaching MAX_AUDIT_MESSAGE_LENGTH (8970 octets).

    Set the formatting to 8560 characters, given maximum estimates for prefix and
    suffix budgets.

    See the problem discussion:
    https://www.redhat.com/archives/linux-audit/2009-January/msg00030.html

    And the new size rationale:
    https://www.redhat.com/archives/linux-audit/2013-September/msg00016.html

    Test ~8k messages with:
    auditctl -m "$(for i in $(seq -w 001 820);do echo -n "${i}0______";done)"

    Reported-by: LC Bruzenak
    Reported-by: Justin Stephenson
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Richard Guy Briggs
     

25 Sep, 2013

1 commit

  • After commit 829199197a43 ("kernel/audit.c: avoid negative sleep
    durations") audit emitters will block forever if the userspace daemon
    cannot handle the backlog.

    After the timeout the waiting loop turns into a busy loop and runs until
    the daemon dies or returns back to work. This is a minimal patch for that
    bug.

    Signed-off-by: Konstantin Khlebnikov
    Cc: Luiz Capitulino
    Cc: Richard Guy Briggs
    Cc: Eric Paris
    Cc: Chuck Anderson
    Cc: Dan Duval
    Cc: Dave Kleikamp
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Konstantin Khlebnikov
     

13 Jun, 2013

1 commit

  • audit_log_start() does wait_for_auditd() in a loop until
    audit_backlog_wait_time passes or audit_skb_queue has room.

    If signal_pending() is true this becomes a busy-wait loop, as schedule()
    in TASK_INTERRUPTIBLE won't block.

    Thanks to Guy for fully investigating and explaining the problem.

    (akpm: that'll cause the system to lock up on a non-preemptible
    uniprocessor kernel)

    (Guy: "Our customer was in fact running a uniprocessor machine, and they
    reported a system hang.")

    Signed-off-by: Oleg Nesterov
    Reported-by: Guy Streeter
    Cc: Eric Paris
    Cc: Al Viro
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     

12 May, 2013

1 commit

  • Pull audit changes from Eric Paris:
    "Al used to send pull requests every couple of years but he told me to
    just start pushing them to you directly.

    Our touching outside of core audit code is pretty straightforward. A
    couple of interface changes which hit net/. A simple argument bug
    calling audit functions in namei.c and the removal of some assembly
    branch prediction code on ppc"

    * git://git.infradead.org/users/eparis/audit: (31 commits)
    audit: fix message spacing printing auid
    Revert "audit: move kaudit thread start from auditd registration to kaudit init"
    audit: vfs: fix audit_inode call in O_CREAT case of do_last
    audit: Make testing for a valid loginuid explicit.
    audit: fix event coverage of AUDIT_ANOM_LINK
    audit: use spin_lock in audit_receive_msg to process tty logging
    audit: do not needlessly take a lock in tty_audit_exit
    audit: do not needlessly take a spinlock in copy_signal
    audit: add an option to control logging of passwords with pam_tty_audit
    audit: use spin_lock_irqsave/restore in audit tty code
    helper for some session id stuff
    audit: use a consistent audit helper to log lsm information
    audit: push loginuid and sessionid processing down
    audit: stop pushing loginid, uid, sessionid as arguments
    audit: remove the old depricated kernel interface
    audit: make validity checking generic
    audit: allow checking the type of audit message in the user filter
    audit: fix build break when AUDIT_DEBUG == 2
    audit: remove duplicate export of audit_enabled
    Audit: do not print error when LSMs disabled
    ...

    Linus Torvalds
     

08 May, 2013

2 commits


02 May, 2013

1 commit

  • Pull networking updates from David Miller:
    "Highlights (1721 non-merge commits, this has to be a record of some
    sort):

    1) Add 'random' mode to team driver, from Jiri Pirko and Eric
    Dumazet.

    2) Make it so that any driver that supports configuration of multiple
    MAC addresses can provide the forwarding database add and del
    calls by providing a default implementation and hooking that up if
    the driver doesn't have an explicit set of handlers. From Vlad
    Yasevich.

    3) Support GSO segmentation over tunnels and other encapsulating
    devices such as VXLAN, from Pravin B Shelar.

    4) Support L2 GRE tunnels in the flow dissector, from Michael Dalton.

    5) Implement Tail Loss Probe (TLP) detection in TCP, from Nandita
    Dukkipati.

    6) In the PHY layer, allow supporting wake-on-lan in situations where
    the PHY registers have to be written for it to be configured.

    Use it to support wake-on-lan in mv643xx_eth.

    From Michael Stapelberg.

    7) Significantly improve firewire IPV6 support, from YOSHIFUJI
    Hideaki.

    8) Allow multiple packets to be sent in a single transmission using
    network coding in batman-adv, from Martin Hundebøll.

    9) Add support for T5 cxgb4 chips, from Santosh Rastapur.

    10) Generalize the VXLAN forwarding tables so that there is more
    flexibility in configuring various aspects of the endpoints.
    From David Stevens.

    11) Support RSS and TSO in hardware over GRE tunnels in bnx2x driver,
    from Dmitry Kravkov.

    12) Zero copy support in nfnetlink_queue, from Eric Dumazet and Pablo
    Neira Ayuso.

    13) Start adding networking selftests.

    14) In situations of overload on the same AF_PACKET fanout socket, or
    per-cpu packet receive queue, minimize drop by distributing the
    load to other cpus/fanouts. From Willem de Bruijn and Eric
    Dumazet.

    15) Add support for new payload offset BPF instruction, from Daniel
    Borkmann.

    16) Convert several drivers over to module_platform_driver(), from
    Sachin Kamat.

    17) Provide a minimal BPF JIT image disassembler userspace tool, from
    Daniel Borkmann.

    18) Rewrite F-RTO implementation in TCP to match the final
    specification of it in RFC4138 and RFC5682. From Yuchung Cheng.

    19) Provide netlink socket diag of netlink sockets ("Yo dawg, I hear
    you like netlink, so I implemented netlink dumping of netlink
    sockets.") From Andrey Vagin.

    20) Remove ugly passing of rtnetlink attributes into rtnl_doit
    functions, from Thomas Graf.

    21) Allow userspace to be able to see if a configuration change occurs
    in the middle of an address or device list dump, from Nicolas
    Dichtel.

    22) Support RFC3168 ECN protection for ipv6 fragments, from Hannes
    Frederic Sowa.

    23) Increase accuracy of packet length used by packet scheduler, from
    Jason Wang.

    24) Beginning set of changes to make ipv4/ipv6 fragment handling more
    scalable and less susceptible to overload and locking contention,
    from Jesper Dangaard Brouer.

    25) Get rid of using non-type-safe NLMSG_* macros and use nlmsg_*()
    instead. From Hong Zhiguo.

    26) Optimize route usage in IPVS by avoiding reference counting where
    possible, from Julian Anastasov.

    27) Convert IPVS schedulers to RCU, also from Julian Anastasov.

    28) Support cpu fanouts in xt_NFQUEUE netfilter target, from Holger
    Eitzenberger.

    29) Network namespace support for nf_log, ebt_log, xt_LOG, ipt_ULOG,
    nfnetlink_log, and nfnetlink_queue. From Gao feng.

    30) Implement RFC3168 ECN protection, from Hannes Frederic Sowa.

    31) Support several new r8169 chips, from Hayes Wang.

    32) Support tokenized interface identifiers in ipv6, from Daniel
    Borkmann.

    33) Use usbnet_link_change() helper in USB net driver, from Ming Lei.

    34) Add 802.1ad vlan offload support, from Patrick McHardy.

    35) Support mmap() based netlink communication, also from Patrick
    McHardy.

    36) Support HW timestamping in mlx4 driver, from Amir Vadai.

    37) Rationalize AF_PACKET packet timestamping when transmitting, from
    Willem de Bruijn and Daniel Borkmann.

    38) Bring parity to what's provided by /proc/net/packet socket dumping
    and the info provided by netlink socket dumping of AF_PACKET
    sockets. From Nicolas Dichtel.

    39) Fix peeking beyond zero sized SKBs in AF_UNIX, from Benjamin
    Poirier"

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1722 commits)
    filter: fix va_list build error
    af_unix: fix a fatal race with bit fields
    bnx2x: Prevent memory leak when cnic is absent
    bnx2x: correct reading of speed capabilities
    net: sctp: attribute printl with __printf for gcc fmt checks
    netlink: kconfig: move mmap i/o into netlink kconfig
    netpoll: convert mutex into a semaphore
    netlink: Fix skb ref counting.
    net_sched: act_ipt forward compat with xtables
    mlx4_en: fix a build error on 32bit arches
    Revert "bnx2x: allow nvram test to run when device is down"
    bridge: avoid OOPS if root port not found
    drivers: net: cpsw: fix kernel warn on cpsw irq enable
    sh_eth: use random MAC address if no valid one supplied
    3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA)
    tg3: fix to append hardware time stamping flags
    unix/stream: fix peeking with an offset larger than data in queue
    unix/dgram: fix peeking with an offset larger than data in queue
    unix/dgram: peek beyond 0-sized skbs
    openvswitch: Remove unneeded ovs_netdev_get_ifindex()
    ...

    Linus Torvalds
     

01 May, 2013

9 commits


30 Apr, 2013

1 commit

  • We only need to check if kauditd is valid after we start it, if kauditd
    is invalid, we will set kauditd_task to NULL. So next time, we will
    start kauditd again.

    It means if kauditd_task is not NULL, it must be valid.

    Signed-off-by: Gao feng
    Cc: Eric Paris
    Cc: Al Viro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Gao feng
     

17 Apr, 2013

1 commit

  • When userspace sends messages to the audit system it includes a type.
    We want to be able to filter messages based on that type without having to
    do the all or nothing option currently available on the
    AUDIT_FILTER_TYPE filter list. Instead we should be able to use the
    AUDIT_FILTER_USER filter list and just use the message type as one part
    of the matching decision.

    Signed-off-by: Eric Paris

    Eric Paris
     

11 Apr, 2013

1 commit


09 Apr, 2013

3 commits


29 Mar, 2013

2 commits

  • Commit 941912133025926307c7a65b203fa38403b1063a replaced the macros
    NLMSG_NEXT with calls to nlmsg_next which produces this warning:

    kernel/audit.c: In function ‘audit_receive_skb’:
    kernel/audit.c:928:3: warning: passing argument 2 of ‘nlmsg_next’ makes pointer from integer without a cast
    In file included from include/net/rtnetlink.h:5:0,
    from include/net/neighbour.h:28,
    from include/net/dst.h:17,
    from include/net/sock.h:68,
    from kernel/audit.c:55:
    include/net/netlink.h:359:1: note: expected ‘int *’ but argument is of type ‘int’

    Fix this by sending the intended pointer.

    Signed-off-by: Alexandru Copot
    Signed-off-by: David S. Miller

    Alexandru Copot
     
  • Signed-off-by: Hong Zhiguo
    Acked-by: Thomas Graf
    Signed-off-by: David S. Miller

    Hong zhi guo
     

12 Jan, 2013

2 commits

  • audit_log_start() performs the same jiffies comparison in two places.
    If sufficient time has elapsed between the two comparisons, the second
    one produces a negative sleep duration:

    schedule_timeout: wrong timeout value fffffffffffffff0
    Pid: 6606, comm: trinity-child1 Not tainted 3.8.0-rc1+ #43
    Call Trace:
    schedule_timeout+0x305/0x340
    audit_log_start+0x311/0x470
    audit_log_exit+0x4b/0xfb0
    __audit_syscall_exit+0x25f/0x2c0
    sysret_audit+0x17/0x21

    Fix it by performing the comparison a single time.

    Reported-by: Dave Jones
    Cc: Al Viro
    Cc: Eric Paris
    Reviewed-by: Kees Cook
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morton
     
  • It's possible for audit_log_start() to return NULL. Handle it in the
    various callers.

    Signed-off-by: Kees Cook
    Cc: Al Viro
    Cc: Eric Paris
    Cc: Jeff Layton
    Cc: "Eric W. Biederman"
    Cc: Julien Tinnes
    Cc: Will Drewry
    Cc: Steve Grubb
    Cc: Andrea Arcangeli
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Kees Cook
     

10 Oct, 2012

1 commit

  • audit_log_start() may return NULL, this is unchecked by the caller in
    audit_log_link_denied() and could cause a NULL ptr deref.

    Introduced by commit a51d9eaa ("fs: add link restriction audit reporting").

    Signed-off-by: Sasha Levin
    Signed-off-by: Al Viro

    Sasha Levin