24 Sep, 2009
1 commit
-
Audit will not respond to signal requests if selinux is disabled since it is
unable to translate the 0 sid from the sending process to a context. This
patch just doesn't send the context info if there isn't any.Signed-off-by: Eric Paris
Signed-off-by: Al Viro
24 Jun, 2009
6 commits
-
If syscall removes the root of subtree being watched, we
definitely do not want the rules refering that subtree
to be destroyed without the syscall in question having
a chance to match them.Signed-off-by: Al Viro
-
A number of places in the audit system we send an op= followed by a string
that includes spaces. Somehow this works but it's just wrong. This patch
moves all of those that I could find to be quoted.Example:
Change From: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op=remove rule
key="number2" list=4 res=0Change To: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule"
key="number2" list=4 res=0Signed-off-by: Eric Paris
-
In preparation for converting audit to use fsnotify instead of inotify we
seperate the inode watching code into it's own file. This is similar to
how the audit tree watching code is already seperated into audit_tree.cSigned-off-by: Eric Paris
-
audit_receive_skb is hard to clearly parse what it is doing to the netlink
message. Clean the function up so it is easy and clear to see what is going
on.Signed-off-by: Eric Paris
-
The audit handling of netlink messages is all over the place. Clean things
up, use predetermined macros, generally make it more readable.Signed-off-by: Eric Paris
-
Remove code duplication of skb printk when auditd is not around in userspace
to deal with this message.Signed-off-by: Eric Paris
06 Apr, 2009
3 commits
-
audit_log_d_path had spaces in the strings which would be emitted on the
error paths. This patch simply replaces those spaces with an _ or removes
the needless spaces entirely.Signed-off-by: Eric Paris
Signed-off-by: Al Viro -
AUDIT_USER_TTY, like all other messages sent from user-space, is sent
NUL-terminated. Unlike other user-space audit messages, which come only
from trusted sources, AUDIT_USER_TTY messages are processed using
audit_log_n_untrustedstring().This patch modifies AUDIT_USER_TTY handling to ignore the trailing NUL
and use the "quoted_string" representation of the message if possible.Signed-off-by: Miloslav Trmac
Cc: Eric Paris
Cc: Al Viro
Cc: Steve Grubb
Signed-off-by: Andrew Morton
Signed-off-by: Al Viro -
currently audit_log_n_untrustedstring() uses audit_string_contains_control()
to check if the 'string' has any control characters. If the 'string' has an
embedded NULL audit_string_contains_control() will return that the data has
no control characters and will then pass the string to audit_log_n_string
with the total length, not the length up to the first NULL.
audit_log_n_string() does a memcpy of the entire length and so the actual
audit record emitted may then contain a NULL and then whatever random memory
is after the NULL.Since we want to log the entire octet stream (if we can't trust the data
to be a string we can't trust that a NULL isn't actually a part of it)
we should just consider NULL as a control character. If the caller is
certain they want to stop at the first NULL they should be using
audit_log_untrustedstring.Signed-off-by: Eric Paris
Signed-off-by: Al Viro
09 Dec, 2008
2 commits
-
Timestamp in audit_context is valid only if ->in_syscall is set.
Signed-off-by: Al Viro
-
Currently audit=0 on the kernel command line does absolutely nothing.
Audit always loads and always uses its resources such as creating the
kernel netlink socket. This patch causes audit=0 to actually disable
audit. Audit will use no resources and starting the userspace auditd
daemon will not cause the kernel audit system to activate.Signed-off-by: Eric Paris
Signed-off-by: Al Viro
02 Aug, 2008
2 commits
-
When the "status_get->mask" is "AUDIT_STATUS_RATE_LIMIT || AUDIT_STATUS_BACKLOG_LIMIT".
If "audit_set_rate_limit" fails and "audit_set_backlog_limit" succeeds, the "err" value
will be greater than or equal to 0. It will miss the failure of rate set.Signed-off-by: Zhang Xiliang
Acked-by: Eric Paris
Signed-off-by: Al Viro -
Hello,
According to my understanding there is an off-by-one bug in the
function:audit_string_contains_control()
in:
kernel/audit.c
Patch is included.
I do not know from how many places the function is called from, but for
example, SELinux Access Vector Cache tries to log untrusted filenames via
call path:avc_audit()
audit_log_untrustedstring()
audit_log_n_untrustedstring()
audit_string_contains_control()If audit_string_contains_control() detects control characters, then the
string is hex-encoded. But the hex=0x7f dec=127, DEL-character, is not
detected.I guess this could have at least some minor security implications, since a
user can create a filename with 0x7f in it, causing logged filename to
possibly look different when someone reads it on the terminal.Signed-off-by: Vesa-Matti Kari
Signed-off-by: Al Viro
25 Jun, 2008
2 commits
-
The second argument "type" is not used in audit_filter_user(), so I think that type can be removed. If I'm wrong, please tell me.
Signed-off-by: Peng Haitao
Signed-off-by: Al Viro -
The first argument "nlh->nlmsg_type" of audit_receive_filter() should be modified to "msg_type" in audit_receive_msg().
Signed-off-by: Peng Haitao
Signed-off-by: Al Viro
17 May, 2008
1 commit
-
Addresses http://bugzilla.kernel.org/show_bug.cgi?id=10663
Reporter: Daniel Marjamki
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Al Viro
28 Apr, 2008
6 commits
-
The pid to lookup a task by is passed inside audit code via netlink message.
Thanks to Denis Lunev, netlink packets are now (since 2.6.24) _always_
processed in the context of the sending task. So this is correct to lookup
the task with find_task_by_vpid() here.Signed-off-by: Pavel Emelyanov
Cc: "Eric W. Biederman"
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Al Viro -
Use msglen as the identifier.
kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
kernel/audit.c:575:8: originally declared hereDon't use ino_f to check the inode field at the end of the functions.
kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
kernel/auditfilter.c:420:21: originally declared here
kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
kernel/auditfilter.c:529:21: originally declared herei always used as a counter for a for loop and initialized to zero before
use. Eliminate the inner i variables.
kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
kernel/auditsc.c:1152:6: originally declared here
kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
kernel/auditsc.c:1152:6: originally declared hereSigned-off-by: Harvey Harrison
Signed-off-by: Al Viro -
This patch standardized the string auditing interfaces. No userspace
changes will be visible and this is all just cleanup and consistancy
work. We have the following string audit interfaces to use:void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
void audit_log_string(struct audit_buffer *ab, const char *buf);void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);This may be the first step to possibly fixing some of the issues that
people have with the string output from the kernel audit system. But we
still don't have an agreed upon solution to that problem.Signed-off-by: Eric Paris
Signed-off-by: Al Viro -
A deadlock is possible between kauditd and auditd under load if auditd
receives a signal. When auditd receives a signal it sends a netlink
message to the kernel asking for information about the sender of the
signal. In that same context the audit system will attempt to send a
netlink message back to the userspace auditd. If kauditd has already
filled the socket buffer (see netlink_attachskb()) auditd will now put
itself to sleep waiting for room to send the message. Since auditd is
responsible for draining that socket we have a deadlock. The fix, since
the response from the kernel does not need to be synchronous is to send
the signal information back to auditd in a separate thread. And thus
auditd can continue to drain the audit queue normally.Signed-off-by: Eric Paris
Signed-off-by: Al Viro -
This patch causes the kernel audit subsystem to store up to
audit_backlog_limit messages for use by auditd if it ever appears
sometime in the future in userspace. This is useful to collect audit
messages during bootup and even when auditd is stopped. This is NOT a
reliable mechanism, it does not ever call audit_panic, nor should it.
audit_log_lost()/audit_panic() are called during the normal delivery
mechanism. The messages are still sent to printk/syslog as usual and if
too many messages appear to be queued they will be silently discarded.I liked doing it by default, but this patch only uses the queue in
question if it was booted with audit=1 or if the kernel was built
enabling audit by default.Signed-off-by: Eric Paris
Signed-off-by: Al Viro -
Previously I added sessionid output to all audit messages where it was
available but we still didn't know the sessionid of the sender of
netlink messages. This patch adds that information to netlink messages
so we can audit who sent netlink messages.Signed-off-by: Eric Paris
Signed-off-by: Al Viro
19 Apr, 2008
2 commits
-
Convert Audit to use the new LSM Audit hooks instead of
the exported SELinux interface.Basically, use:
security_audit_rule_init
secuirty_audit_rule_free
security_audit_rule_known
security_audit_rule_matchinstad of (respectively) :
selinux_audit_rule_init
selinux_audit_rule_free
audit_rule_has_selinux
selinux_audit_rule_matchSigned-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris -
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)Call security_release_secctx only if security_secid_to_secctx
succeeded.Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
Reviewed-by: Paul Moore
29 Mar, 2008
1 commit
-
Silence two kerneldoc warnings.
Warning(kernel/audit.c:1276): No description found for parameter 'string'
Warning(kernel/audit.c:1276): No description found for parameter 'len'[also fix a typo for bonus points]
Signed-off-by: Dave Jones
Acked-by: Randy Dunlap
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
21 Mar, 2008
1 commit
-
From: Pavel Emelyanov
This patch is based on the one from Thomas.
The kauditd_thread() calls the netlink_unicast() and passes
the audit_pid to it. The audit_pid, in turn, is received from
the user space and the tool (I've checked the audit v1.6.9)
uses getpid() to pass one in the kernel. Besides, this tool
doesn't bind the netlink socket to this id, but simply creates
it allowing the kernel to auto-bind one.That's the preamble.
The problem is that netlink_autobind() _does_not_ guarantees
that the socket will be auto-bound to the current pid. Instead
it uses the current pid as a hint to start looking for a free
id. So, in case of conflict, the audit messages can be sent
to a wrong socket. This can happen (it's unlikely, but can be)
in case some task opens more than one netlink sockets and then
the audit one starts - in this case the audit's pid can be busy
and its socket will be bound to another id.The proposal is to introduce an audit_nlk_pid in audit subsys,
that will point to the netlink socket to send packets to. It
will most often be equal to audit_pid. The socket id can be
got from the skb's netlink CB right in the audit_receive_msg.
The audit_nlk_pid reset to 0 is not required, since all the
decisions are taken based on audit_pid value only.Later, if the audit tools will bind the socket themselves, the
kernel will have to provide a way to setup the audit_nlk_pid
as well.A good side effect of this patch is that audit_pid can later
be converted to struct pid, as it is not longer safe to use
pid_t-s in the presence of pid namespaces. But audit code still
uses the tgid from task_struct in the audit_signal_info and in
the audit_filter_syscall.Signed-off-by: Thomas Graf
Signed-off-by: Pavel Emelyanov
Acked-by: Eric Paris
Signed-off-by: David S. Miller
01 Mar, 2008
2 commits
-
Hi,
While we are looking at the printk issue, I see that its printk'ing the EOE
(end of event) records which is really not something that we need in syslog.
Its really intended for the realtime audit event stream handled by the audit
daemon. So, lets avoid printk'ing that record type.Signed-off-by: Steve Grubb
Signed-off-by: Al Viro -
On the latest kernels if one was to load about 15 rules, set the failure
state to panic, and then run service auditd stop the kernel will panic.
This is because auditd stops, then the script deletes all of the rules.
These deletions are sent as audit messages out of the printk kernel
interface which is already known to be lossy. These will overun the
default kernel rate limiting (10 really fast messages) and will call
audit_panic(). The same effect can happen if a slew of avc's come
through while auditd is stopped.This can be fixed a number of ways but this patch fixes the problem by
just not panicing if auditd is not running. We know printk is lossy and
if the user chooses to set the failure mode to panic and tries to use
printk we can't make any promises no matter how hard we try, so why try?
At least in this way we continue to get lost message accounting and will
eventually know that things went bad.The other change is to add a new call to audit_log_lost() if auditd
disappears. We already pulled the skb off the queue and couldn't send
it so that message is lost. At least this way we will account for the
last message and panic if the machine is configured to panic. This code
path should only be run if auditd dies for unforeseen reasons. If
auditd closes correctly audit_pid will get set to 0 and we won't walk
this code path.Signed-off-by: Al Viro
15 Feb, 2008
2 commits
-
d_path() is used on a pair. Lets use a struct path to
reflect this.[akpm@linux-foundation.org: fix build in mm/memory.c]
Signed-off-by: Jan Blunck
Acked-by: Bryan Wu
Acked-by: Christoph Hellwig
Cc: Al Viro
Cc: "J. Bruce Fields"
Cc: Neil Brown
Cc: Michael Halcrow
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
audit_log_d_path() is a d_path() wrapper that is used by the audit code. To
use a struct path in audit_log_d_path() I need to embed it into struct
avc_audit_data.[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jan Blunck
Acked-by: Christoph Hellwig
Cc: Al Viro
Cc: "J. Bruce Fields"
Cc: Neil Brown
Cc: Stephen Smalley
Cc: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
02 Feb, 2008
8 commits
-
some printk messages from the audit system can become excessive. This
patch ratelimits those messages. It was found that messages, such as
the audit backlog lost printk message could flood the logs to the point
that a machine could take an nmi watchdog hit or otherwise become
unresponsive.Signed-off-by: Eric Paris
-
Complement va_copy() with va_end().
Signed-off-by: Richard Knutsson
Cc: Al Viro
Signed-off-by: Andrew Morton -
kernel/audit.c: In function 'audit_log_start':
kernel/audit.c:1133: warning: 'serial' may be used uninitialized in this functionCc: Al Viro
Signed-off-by: Andrew Morton -
Disabling audit at runtime by auditctl doesn't mean that we can
stop allocating contexts for new processes; we don't want to miss them
when that sucker is reenabled.(based on work from Al Viro in the RHEL kernel series)
Signed-off-by: Eric Paris
-
generally clean up audit_receive_msg() don't free random memory if
selinux_sid_to_string fails for some reason. Move generic auditing
to a helper functionSigned-off-by: Eric Paris
-
Some audit messages (namely configuration changes) are still emitted even if
the audit subsystem has been explicitly disabled. This patch turns those
messages off as well.Signed-off-by: Eric Paris
-
execve arguments can be quite large. There is no limit on the number of
arguments and a 4G limit on the size of an argument.this patch prints those aruguments in bite sized pieces. a userspace size
limitation of 8k was discovered so this keeps messages around 7.5ksingle arguments larger than 7.5k in length are split into multiple records
and can be identified as aX[Y]=Signed-off-by: Eric Paris
-
Currently audit drops the audit type when an audit message goes through
printk instead of the audit deamon. This is a minor annoyance in
that the audit type is no longer part of the message and the information
the audit type conveys needs to be carried in, or derived from the
message data.The attached patch includes the type number as part of the printk.
Admittedly it isn't the type name that the audit deamon provides but I
think this is better than dropping the type completely.Signed-pff-by: John Johansen
Signed-off-by: Eric Paris
01 Feb, 2008
1 commit
-
The recent UDP patch exposed this bug in the audit code. It
was calling pskb_expand_head without increasing skb->truesize.
The caller of pskb_expand_head needs to do so because that function
is designed to be called in places where truesize is already fixed
and therefore it doesn't update its value.Because the audit system is using it in a place where the truesize
has not yet been fixed, it needs to update its value manually.Signed-off-by: Herbert Xu
Acked-by: James Morris
Signed-off-by: David S. Miller
