05 Mar, 2020
1 commit
-
commit 756125289285f6e55a03861bf4b6257aa3d19a93 upstream.
This patch ensures that we always check the netlink payload length
in audit_receive_msg() before we take any action on the payload
itself.Cc: stable@vger.kernel.org
Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com
Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman
09 Jul, 2019
1 commit
-
Pull audit updates from Paul Moore:
"This pull request is a bit early, but with some vacation time coming
up I wanted to send this out now just in case the remote Internet Gods
decide not to smile on me once the merge window opens. The patchset
for v5.3 is pretty minor this time, the highlights include:- When the audit daemon is sent a signal, ensure we deliver
information about the sender even when syscall auditing is not
enabled/supported.- Add the ability to filter audit records based on network address
family.- Tighten the audit field filtering restrictions on string based
fields.- Cleanup the audit field filtering verification code.
- Remove a few BUG() calls from the audit code"
* tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: remove the BUG() calls in the audit rule comparison functions
audit: enforce op for string fields
audit: add saddr_fam filter field
audit: re-structure audit field valid checks
audit: deliver signal_info regarless of syscall
31 May, 2019
1 commit
-
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version this program is distributed in the
hope that it will be useful but without any warranty without even
the implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details you
should have received a copy of the gnu general public license along
with this program if not write to the free software foundation inc
59 temple place suite 330 boston ma 02111 1307 usaextracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 1334 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Allison Randal
Reviewed-by: Richard Fontana
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
Signed-off-by: Greg Kroah-Hartman
22 May, 2019
1 commit
-
When a process signals the audit daemon (shutdown, rotate, resume,
reconfig) but syscall auditing is not enabled, we still want to know the
identity of the process sending the signal to the audit daemon.Move audit_signal_info() out of syscall auditing to general auditing but
create a new function audit_signal_info_syscall() to take care of the
syscall dependent parts for when syscall auditing is enabled.Please see the github kernel audit issue
https://github.com/linux-audit/audit-kernel/issues/111Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
21 Mar, 2019
1 commit
-
Currently the AUDIT_LOGIN event is a standalone record that isn't
connected to any other records that may be part of its syscall event. To
avoid the confusion of generating two events, connect the records by
using its syscall context.Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/110Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
04 Feb, 2019
1 commit
-
Remove audit_context from struct task_struct and struct audit_buffer
when CONFIG_AUDIT is enabled but CONFIG_AUDITSYSCALL is not.Also, audit_log_name() (and supporting inode and fcaps functions) should
have been put back in auditsc.c when soft and hard link logging was
normalized since it is only used by syscall auditing.See github issue https://github.com/linux-audit/audit-kernel/issues/105
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
31 Jan, 2019
1 commit
-
Don't fetch fcaps when umount2 is called to avoid a process hang while
it waits for the missing resource to (possibly never) re-appear.Note the comment above user_path_mountpoint_at():
* A umount is a special case for path walking. We're not actually interested
* in the inode in this situation, and ESTALE errors can be a problem. We
* simply want track down the dentry and vfsmount attached at the mountpoint
* and avoid revalidating the last component.This can happen on ceph, cifs, 9p, lustre, fuse (gluster) or NFS.
Please see the github issue tracker
https://github.com/linux-audit/audit-kernel/issues/100Signed-off-by: Richard Guy Briggs
[PM: merge fuzz in audit_log_fcaps()]
Signed-off-by: Paul Moore
26 Jan, 2019
2 commits
-
V3 namespaced file capabilities were introduced in
commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")Add support for these by adding the "frootid" field to the existing
fcaps fields in the NAME and BPRM_FCAPS records.Please see github issue
https://github.com/linux-audit/audit-kernel/issues/103Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
[PM: comment tweak to fit an 80 char line width]
Signed-off-by: Paul Moore -
loginuid and sessionid (and audit_log_session_info) should be part of
CONFIG_AUDIT scope and not CONFIG_AUDITSYSCALL since it is used in
CONFIG_CHANGE, ANOM_LINK, FEATURE_CHANGE (and INTEGRITY_RULE), none of
which are otherwise dependent on AUDITSYSCALL.Please see github issue
https://github.com/linux-audit/audit-kernel/issues/104Signed-off-by: Richard Guy Briggs
[PM: tweaked subject line for better grep'ing]
Signed-off-by: Paul Moore
19 Jan, 2019
1 commit
-
Tie syscall information to all CONFIG_CHANGE calls since they are all a
result of user actions.Exclude user records from syscall context:
Since the function audit_log_common_recv_msg() is shared by a number of
AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types,
and since the AUDIT_CONFIG_CHANGE message type has been converted to a
syscall accompanied record type, special-case the AUDIT_USER_* range of
messages so they remain standalone records.See: https://github.com/linux-audit/audit-kernel/issues/59
See: https://github.com/linux-audit/audit-kernel/issues/50Signed-off-by: Richard Guy Briggs
[PM: fix line lengths in kernel/audit.c]
Signed-off-by: Paul Moore
15 Jan, 2019
1 commit
-
The failure to add an audit rule due to audit locked gives no clue
what CONFIG_CHANGE operation failed.
Similarly the set operation is the only other operation that doesn't
give the "op=" field to indicate the action.
All other CONFIG_CHANGE records include an op= field to give a clue as
to what sort of configuration change is being executed.Since these are the only CONFIG_CHANGE records that that do not have an
op= field, add them to bring them in line with the rest.Old records:
type=CONFIG_CHANGE msg=audit(1519812997.781:374): pid=610 uid=0 auid=0 ses=1 subj=... audit_enabled=2 res=0
type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yesNew records:
type=CONFIG_CHANGE msg=audit(1520958477.855:100): pid=610 uid=0 auid=0 ses=1 subj=... op=add_rule audit_enabled=2 res=0type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : op=set audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
[PM: fixed checkpatch.pl line length problems]
Signed-off-by: Paul Moore
15 Dec, 2018
1 commit
-
Remove duplicated include.
Signed-off-by: YueHaibing
Signed-off-by: Paul Moore
04 Dec, 2018
1 commit
-
Since the vast majority of files (99.993% on a typical system) have no
fcaps, display "0" instead of the full zero-padded 16 hex digits in the
two PATH record cap_f* fields to save netlink bandwidth and disk space.Simply changing the format to %x won't work since the value is two (or
possibly more in the future) 32-bit hexadecimal values concatenated and
bits in higher order values will be misrepresented.Passes audit-testsuite and userspace tools already work fine.
Please see the github issue tracker for more details
https://github.com/linux-audit/audit-kernel/issues/101Signed-off-by: Richard Guy Briggs
Acked-by: Steve Grubb
Signed-off-by: Paul Moore
27 Nov, 2018
2 commits
-
There are many places, notably audit_log_task_info() and
audit_log_exit(), that take task_struct pointers but in reality they
are always working on the current task. This patch eliminates the
task_struct arguments and uses current directly which allows a number
of cleanups as well.Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
There are some cases where we are making multiple audit_log_format()
calls in a row, for no apparent reason. Squash these down to a
single audit_log_format() call whenever possible.Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
20 Nov, 2018
1 commit
-
There are still a couple of places (mark and watch config changes) that
open code auid and ses fields in sequence in records instead of using
the audit_log_session_info() helper. Use the helper. Adjust the helper
to accommodate being the first fields. Passes audit-testsuite.Signed-off-by: Richard Guy Briggs
[PM: fixed misspellings in the description]
Signed-off-by: Paul Moore
18 Jul, 2018
1 commit
-
Commit c72051d5778a ("audit: use ktime_get_coarse_ts64() for time
access") converted audit's use of current_kernel_time64() to the
new ktime_get_coarse_ts64() function. Unfortunately this resulted
in incorrect timestamps, e.g. events stamped with the year 1969
despite it being 2018. This patch corrects this by using
ktime_get_coarse_real_ts64() just like the current_kernel_time64()
wrapper.Fixes: c72051d5778a ("audit: use ktime_get_coarse_ts64() for time access")
Reviewed-by: Arnd Bergmann
Signed-off-by: Paul Moore
03 Jul, 2018
1 commit
-
The API got renamed for consistency with the other time accessors,
this changes the audit caller as well.Signed-off-by: Arnd Bergmann
Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore
19 Jun, 2018
2 commits
-
Remove comparison of audit_enabled to magic numbers outside of audit.
Related: https://github.com/linux-audit/audit-kernel/issues/86
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
where or when the filter is applied and obsolete due to its available
filter fields having been expanded.Userspace has already renamed it from AUDIT_FILTER_TYPE to
AUDIT_FILTER_EXCLUDE without checking if it already exists. The
userspace maintainer assures that as long as it is set to the same value
it will not be a problem since the userspace code does not treat
compiler warnings as errors. If this policy changes then checks if it
already exists can be added at the same time.See: https://github.com/linux-audit/audit-kernel/issues/89
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
15 May, 2018
1 commit
-
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.Signed-off-by: Richard Guy Briggs
[PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes]
Signed-off-by: Paul Moore
21 Apr, 2018
1 commit
-
Tie syscall information to FEATURE_CHANGE calls since it is a result of
user action.See: https://github.com/linux-audit/audit-kernel/issues/80
Signed-off-by: Richard Guy Briggs
[PM: 80-char fixes]
Signed-off-by: Paul Moore
07 Apr, 2018
1 commit
-
Pull audit updates from Paul Moore:
"We didn't have anything to send for v4.16, but we're back with a
little more than usual for v4.17.Eleven patches in total, most fall into the small fix category, but
there are three non-trivial changes worth calling out:- the audit entry filter is being removed after deprecating it for
quite a while (years of no one really using it because it turns out
to be not very practical)- created our own version of "__mutex_owner()" because the locking
folks were upset we were using theirs- improved our handling of kernel command line parameters to make
them more forgiving- we fixed auditing of symlink operations
Everything passes the audit-testsuite and as of a few minutes ago it
merges well with your tree"* tag 'audit-pr-20180403' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: add refused symlink to audit_names
audit: remove path param from link denied function
audit: link denied should not directly generate PATH record
audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
audit: do not panic on invalid boot parameter
audit: track the owner of the command mutex ourselves
audit: return on memory error to avoid null pointer dereference
audit: bail before bug check if audit disabled
audit: deprecate the AUDIT_FILTER_ENTRY filter
audit: session ID should not set arch quick field pointer
audit: update bugtracker and source URIs
26 Mar, 2018
1 commit
-
Some functions definitions have either the initial open brace and/or
the closing brace outside of column 1.Move those braces to column 1.
This allows various function analyzers like gnu complexity to work
properly for these modified functions.Signed-off-by: Joe Perches
Acked-by: Andy Shevchenko
Acked-by: Paul Moore
Acked-by: Alex Deucher
Acked-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Acked-by: Alexandre Belloni
Acked-by: Martin K. Petersen
Acked-by: Takashi Iwai
Acked-by: Mauro Carvalho Chehab
Acked-by: Rafael J. Wysocki
Acked-by: Nicolin Chen
Acked-by: Martin K. Petersen
Acked-by: Steven Rostedt (VMware)
Signed-off-by: Jiri Kosina
21 Mar, 2018
1 commit
-
In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
09 Mar, 2018
2 commits
-
Audit link denied events generate duplicate PATH records which disagree
in different ways from symlink and hardlink denials.
audit_log_link_denied() should not directly generate PATH records.See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
Audit link denied events emit disjointed records when audit is disabled.
No records should be emitted when audit is disabled.See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
07 Mar, 2018
1 commit
-
If you pass in an invalid audit boot parameter value, e.g. "audit=off",
the kernel panics very early in boot before the regular console is
initialized. Unless you have earlyprintk enabled, there is no
indication of what the problem is on the console.Convert the panic() calls to pr_err(), and leave auditing enabled if an
invalid parameter value was passed in.Modify the parameter to also accept "on" or "off" as valid values, and
update the documentation accordingly.Signed-off-by: Greg Edwards
Signed-off-by: Paul Moore
24 Feb, 2018
1 commit
-
Evidently the __mutex_owner() function was never intended for use
outside the core mutex code, so build a thing locking wrapper around
the mutex code which allows us to track the mutex owner.One, arguably positive, side effect is that this allows us to hide
the audit_cmd_mutex inside of kernel/audit.c behind the lock/unlock
functions.Reported-by: Peter Zijlstra
Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore
22 Feb, 2018
1 commit
-
If there is a memory allocation error when trying to change an audit
kernel feature value, the ignored allocation error will trigger a NULL
pointer dereference oops on subsequent use of that pointer. Return
instead.Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/76Signed-off-by: Richard Guy Briggs
[PM: not necessary (other funcs check for NULL), but a good practice]
Signed-off-by: Paul Moore
15 Feb, 2018
1 commit
-
Since the Linux Audit project has transitioned completely over to
github, update the MAINTAINERS file and the primary audit source file to
reflect that reality.Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
11 Nov, 2017
7 commits
-
The function audit_log_secctx() is unused in the upstream kernel.
All it does is wrap another function that doesn't need wrapping.
It claims to give you the SELinux context, but that is not true if
you are using a different security module.Signed-off-by: Casey Schaufler
Reviewed-by: James Morris
Signed-off-by: Paul Moore -
The API to end auditing has historically been for auditd to set the
pid to 0. This patch restores that functionality.See: https://github.com/linux-audit/audit-kernel/issues/69
Reviewed-by: Richard Guy Briggs
Signed-off-by: Steve Grubb
Signed-off-by: Paul Moore -
Use audit_set_enabled() to enable auditing during early boot. This
obviously won't emit an audit change record, but it will work anyway
and should help prevent in future problems by consolidating the
enable/disable code in one function.Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
We were treating it as a boolean, let's make it a boolean to help
avoid future mistakes.Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
The simple_strtol() function is deprecated, use kstrtol() instead.
Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
We can't initialize the audit subsystem until after the network layer
is initialized (core_initcall), but do it soon after.Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore -
Prior to this patch we enabled audit in audit_init(), which is too
late for PID 1 as the standard initcalls are run after the PID 1 task
is forked. This means that we never allocate an audit_context (see
audit_alloc()) for PID 1 and therefore miss a lot of audit events
generated by PID 1.This patch enables audit as early as possible to help ensure that when
PID 1 is forked it can allocate an audit_context if required.Reviewed-by: Richard Guy Briggs
Signed-off-by: Paul Moore
05 Sep, 2017
2 commits
-
Update the function comments to match the code.
Signed-off-by: Geliang Tang
Signed-off-by: Paul Moore -
Commit 2115bb250f26 ("audit: Use timespec64 to represent audit timestamps")
noted that audit timestamps were not y2038 safe and used a 64-bit
timestamp. In itself, this makes sense but the conversion was from
CURRENT_TIME to ktime_get_real_ts64() which is a heavier call to record
an accurate timestamp which is required in some, but not all, cases. The
impact is that when auditd is running without any rules that all syscalls
have higher overhead. This is visible in the sysbench-thread benchmark as
a 11.5% performance hit. That benchmark is dumb as rocks but it's also
visible in redis as an 8-10% hit on all operations which is of greater
concern. It is somewhat stupid of audit to track syscalls without any
rules related to syscalls but that is how it behaves.The overhead can be directly measured with perf comparing 4.9 with 4.12
4.9
7.76% sysbench [kernel.vmlinux] [k] __schedule
7.62% sysbench [kernel.vmlinux] [k] _raw_spin_lock
7.37% sysbench libpthread-2.22.so [.] __lll_lock_elision
7.29% sysbench [kernel.vmlinux] [.] syscall_return_via_sysret
6.59% sysbench [kernel.vmlinux] [k] native_sched_clock
5.21% sysbench libc-2.22.so [.] __sched_yield
4.38% sysbench [kernel.vmlinux] [k] entry_SYSCALL_64
4.28% sysbench [kernel.vmlinux] [k] do_syscall_64
3.49% sysbench libpthread-2.22.so [.] __lll_unlock_elision
3.13% sysbench [kernel.vmlinux] [k] __audit_syscall_exit
2.87% sysbench [kernel.vmlinux] [k] update_curr
2.73% sysbench [kernel.vmlinux] [k] pick_next_task_fair
2.31% sysbench [kernel.vmlinux] [k] syscall_trace_enter
2.20% sysbench [kernel.vmlinux] [k] __audit_syscall_entry
.....
0.00% swapper [kernel.vmlinux] [k] read_tsc4.12
7.84% sysbench [kernel.vmlinux] [k] __schedule
7.05% sysbench [kernel.vmlinux] [k] _raw_spin_lock
6.57% sysbench libpthread-2.22.so [.] __lll_lock_elision
6.50% sysbench [kernel.vmlinux] [.] syscall_return_via_sysret
5.95% sysbench [kernel.vmlinux] [k] read_tsc
5.71% sysbench [kernel.vmlinux] [k] native_sched_clock
4.78% sysbench libc-2.22.so [.] __sched_yield
4.30% sysbench [kernel.vmlinux] [k] entry_SYSCALL_64
3.94% sysbench [kernel.vmlinux] [k] do_syscall_64
3.37% sysbench libpthread-2.22.so [.] __lll_unlock_elision
3.32% sysbench [kernel.vmlinux] [k] __audit_syscall_exit
2.91% sysbench [kernel.vmlinux] [k] __getnstimeofday64Note the additional overhead from read_tsc which goes from 0% to 5.95%.
This is on a single-socket E3-1230 but similar overheads have been measured
on an older machine which the patch also eliminates.The patch in question has no explanation as to why a fully-accurate timestamp
is required and is likely an oversight. Using a coarser, but monotically
increasing, timestamp the overhead can be eliminated. While it can be
worked around by configuring or disabling audit, it's tricky enough to
detect that a kernel fix is justified. With this patch, we see the following;sysbenchthread
4.9.0 4.12.0 4.12.0
vanilla vanilla coarse-v1r1
Amean 1 1.49 ( 0.00%) 1.66 ( -11.42%) 1.51 ( -1.34%)
Amean 3 1.48 ( 0.00%) 1.65 ( -11.45%) 1.50 ( -0.96%)
Amean 5 1.49 ( 0.00%) 1.67 ( -12.31%) 1.51 ( -1.83%)
Amean 7 1.49 ( 0.00%) 1.66 ( -11.72%) 1.50 ( -0.67%)
Amean 12 1.48 ( 0.00%) 1.65 ( -11.57%) 1.52 ( -2.89%)
Amean 16 1.49 ( 0.00%) 1.65 ( -11.13%) 1.51 ( -1.73%)The benchmark is reporting the time required for different thread counts to
lock/unlock a private mutex which, while dense, demonstrates the syscall
overhead. This is showing that 4.12 took a 11-12% hit but the overhead is
almost eliminated by the patch. While the variance is not reported here,
it's well within the noise with the patch applied.Signed-off-by: Mel Gorman
Acked-by: Arnd Bergmann
Acked-by: Deepa Dinamani
Signed-off-by: Paul Moore