13 Apr, 2014
1 commit
-
Pull audit updates from Eric Paris.
* git://git.infradead.org/users/eparis/audit: (28 commits)
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
audit: do not cast audit_rule_data pointers pointlesly
AUDIT: Allow login in non-init namespaces
audit: define audit_is_compat in kernel internal header
kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
sched: declare pid_alive as inline
audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
syscall_get_arch: remove useless function arguments
audit: remove stray newline from audit_log_execve_info() audit_panic() call
audit: remove stray newlines from audit_log_lost messages
audit: include subject in login records
audit: remove superfluous new- prefix in AUDIT_LOGIN messages
audit: allow user processes to log from another PID namespace
audit: anchor all pid references in the initial pid namespace
audit: convert PPIDs to the inital PID namespace.
pid: get pid_t ppid of task in init_pid_ns
audit: rename the misleading audit_get_context() to audit_take_context()
audit: Add generic compat syscall support
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
...
03 Apr, 2014
1 commit
-
For some sort of legacy support audit_rule is a subset of (and first
entry in) audit_rule_data. We don't actually need or use audit_rule.
We just do a cast from one to the other for no gain what so ever. Stop
the crazy casting.Signed-off-by: Eric Paris
20 Mar, 2014
3 commits
-
Store and log all PIDs with reference to the initial PID namespace and
use the access functions task_pid_nr() and task_tgid_nr() for task->pid
and task->tgid.Cc: "Eric W. Biederman"
(informed by ebiederman's c776b5d2)
Signed-off-by: Richard Guy Briggs -
In perverse cases of file descriptor passing the current network
namespace of a process and the network namespace of a socket used by
that socket may differ. Therefore use the network namespace of the
appropiate socket to ensure replies always go to the appropiate
socket.Signed-off-by: "Eric W. Biederman"
Acked-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
While reading through 3.14-rc1 I found a pretty siginficant mishandling
of network namespaces in the recent audit changes.In struct audit_netlink_list and audit_reply add a reference to the
network namespace of the caller and remove the userspace pid of the
caller. This cleanly remembers the callers network namespace, and
removes a huge class of races and nasty failure modes that can occur
when attempting to relook up the callers network namespace from a pid_t
(including the caller's network namespace changing, pid wraparound, and
the pid simply not being present).Signed-off-by: "Eric W. Biederman"
Acked-by: Richard Guy Briggs
Signed-off-by: Eric Paris
09 Mar, 2014
1 commit
-
The kbuild test robot reported:
> tree: git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-next
> head: 6f285b19d09f72e801525f5eea1bdad22e559bf0
> commit: 6f285b19d09f72e801525f5eea1bdad22e559bf0 [2/2] audit: Send replies in the proper network namespace.
> reproduce: make htmldocs
>
> >> Warning(kernel/audit.c:575): No description found for parameter 'request_skb'
> >> Warning(kernel/audit.c:575): Excess function parameter 'portid' description in 'audit_send_reply'
> >> Warning(kernel/auditfilter.c:1074): No description found for parameter 'request_skb'
> >> Warning(kernel/auditfilter.c:1074): Excess function parameter 'portid' description in 'audit_list_rules_sWhich was caused by my failure to update the kdoc annotations when I
updated the functions. Fix that small oversight now.Signed-off-by: "Eric W. Biederman"
08 Mar, 2014
1 commit
-
Add pr_fmt to prefix "audit: " to output
Convert printk(KERN_ to pr_
Coalesce formatsSigned-off-by: Richard Guy Briggs
01 Mar, 2014
1 commit
-
In perverse cases of file descriptor passing the current network
namespace of a process and the network namespace of a socket used by
that socket may differ. Therefore use the network namespace of the
appropiate socket to ensure replies always go to the appropiate
socket.Signed-off-by: "Eric W. Biederman"
28 Feb, 2014
1 commit
-
In struct audit_netlink_list and audit_reply add a reference to the
network namespace of the caller and remove the userspace pid of the
caller. This cleanly remembers the callers network namespace, and
removes a huge class of races and nasty failure modes that can occur
when attempting to relook up the callers network namespace from a
pid_t (including the caller's network namespace changing, pid
wraparound, and the pid simply not being present).Signed-off-by: "Eric W. Biederman"
14 Jan, 2014
5 commits
-
An error on an AUDIT_NEVER rule disabled logging on that rule.
On error on AUDIT_NEVER rules, log.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Right now the sessionid value in the kernel is a combination of u32,
int, and unsigned int. Just use unsigned int throughout.Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
audit_receive_msg() needlessly contained a fallthrough case that called
audit_receive_filter(), containing no common code between the cases. Separate
them to make the logic clearer. Refactor AUDIT_LIST_RULES, AUDIT_ADD_RULE,
AUDIT_DEL_RULE cases to create audit_rule_change(), audit_list_rules_send()
functions. This should not functionally change the logic.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Convert audit from only listening in init_net to use register_pernet_subsys()
to dynamically manage the netlink socket list.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Normally, netlink ports use the PID of the userspace process as the port ID.
If the PID is already in use by a port, the kernel will allocate another port
ID to avoid conflict. Re-name all references to netlink ports from pid to
portid to reflect this reality and avoid confusion with actual PIDs. Ports
use the __u32 type, so re-type all portids accordingly.(This patch is very similar to ebiederman's 5deadd69)
Signed-off-by: Richard Guy Briggs
Signed-off-by: Gao feng
Signed-off-by: Eric Paris
06 Nov, 2013
2 commits
-
commit ab61d38ed8cf670946d12dc46b9198b521c790ea tried to merge the
invalid filter checking into a single function. However AUDIT_INODE
filters were not verified in the new generic checker. Thus such rules
were being denied even though they were perfectly valid.Ex:
$ auditctl -a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1
Error sending add rule data request (Invalid argument)Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
SFR reported this 2013-05-15:
> After merging the final tree, today's linux-next build (i386 defconfig)
> produced this warning:
>
> kernel/auditfilter.c: In function 'audit_data_to_entry':
> kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only
> in ISO C90 [enabled by default]
>
> Introduced by commit 780a7654cee8 ("audit: Make testing for a valid
> loginuid explicit") from Linus' tree.Replace this decimal constant in the code with a macro to make it more readable
(add to the unsigned cast to quiet the warning).Cc: Stephen Rothwell
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
10 Jul, 2013
3 commits
-
Use proper decimal type for comparison with u32.
Compilation warning was introduced by 780a7654 ("audit: Make testing for
a valid loginuid explicit.")kernel/auditfilter.c: In function 'audit_data_to_entry':
kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only in ISO C90 [enabled by default]
if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295)) {Signed-off-by: Michal Simek
Cc: Al Viro
Cc: Eric Paris
Acked-by: Geert Uytterhoeven
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
If both 'tree' and 'watch' are valid we must call audit_put_tree(), just
like the preceding code within audit_add_rule().Signed-off-by: Chen Gang
Cc: Al Viro
Cc: Eric Paris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
kernel/auditfilter.c:426: warning: this decimal constant is unsigned only in ISO C90
Signed-off-by: Raphael S. Carvalho
Cc: Eric Paris
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
25 May, 2013
1 commit
-
Fix kernel-doc warnings in kernel/auditfilter.c:
Warning(kernel/auditfilter.c:1029): Excess function parameter 'loginuid' description in 'audit_receive_filter'
Warning(kernel/auditfilter.c:1029): Excess function parameter 'sessionid' description in 'audit_receive_filter'
Warning(kernel/auditfilter.c:1029): Excess function parameter 'sid' description in 'audit_receive_filter'Signed-off-by: Randy Dunlap
Cc: Eric Paris
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
12 May, 2013
1 commit
-
Pull audit changes from Eric Paris:
"Al used to send pull requests every couple of years but he told me to
just start pushing them to you directly.Our touching outside of core audit code is pretty straight forward. A
couple of interface changes which hit net/. A simple argument bug
calling audit functions in namei.c and the removal of some assembly
branch prediction code on ppc"* git://git.infradead.org/users/eparis/audit: (31 commits)
audit: fix message spacing printing auid
Revert "audit: move kaudit thread start from auditd registration to kaudit init"
audit: vfs: fix audit_inode call in O_CREAT case of do_last
audit: Make testing for a valid loginuid explicit.
audit: fix event coverage of AUDIT_ANOM_LINK
audit: use spin_lock in audit_receive_msg to process tty logging
audit: do not needlessly take a lock in tty_audit_exit
audit: do not needlessly take a spinlock in copy_signal
audit: add an option to control logging of passwords with pam_tty_audit
audit: use spin_lock_irqsave/restore in audit tty code
helper for some session id stuff
audit: use a consistent audit helper to log lsm information
audit: push loginuid and sessionid processing down
audit: stop pushing loginid, uid, sessionid as arguments
audit: remove the old depricated kernel interface
audit: make validity checking generic
audit: allow checking the type of audit message in the user filter
audit: fix build break when AUDIT_DEBUG == 2
audit: remove duplicate export of audit_enabled
Audit: do not print error when LSMs disabled
...
08 May, 2013
1 commit
-
audit rule additions containing "-F auid!=4294967295" were failing
with EINVAL because of a regression caused by e1760bd.Apparently some userland audit rule sets want to know if loginuid uid
has been set and are using a test for auid != 4294967295 to determine
that.In practice that is a horrible way to ask if a value has been set,
because it relies on subtle implementation details and will break
every time the uid implementation in the kernel changes.So add a clean way to test if the audit loginuid has been set, and
silently convert the old idiom to the cleaner and more comprehensible
new idiom.Cc: # 3.7
Reported-By: Richard Guy Briggs
Signed-off-by: "Eric W. Biederman"
Tested-by: Richard Guy Briggs
Signed-off-by: Eric Paris
01 May, 2013
4 commits
-
We have a number of places we were reimplementing the same code to write
out lsm labels. Just do it one darn place.Signed-off-by: Eric Paris
-
We always use current. Stop pulling this when the skb comes in and
pushing it around as arguments. Just get it at the end when you need
it.Signed-off-by: Eric Paris
-
We used to have an inflexible mechanism to add audit rules to the
kernel. It hasn't been used in a long time. Get rid of that stuff.Signed-off-by: Eric Paris
-
We have 2 interfaces to send audit rules. Rather than check validity of
things in 2 places make a helper function.Signed-off-by: Eric Paris
30 Apr, 2013
1 commit
-
In audit_data_to_entry() when a failure occurs we must check and free
the tree and watch to avoid a memory leak.test:
plan:
test command:
"auditctl -a exit,always -w /etc -F auid=-1"
(on fedora17, need modify auditctl to let "-w /etc" has effect)
running:
under fedora17 x86_64, 2 CPUs 3.20GHz, 2.5GB RAM.
let 15 auditctl processes continue running at the same time.
monitor command:
watch -d -n 1 "cat /proc/meminfo | awk '{print \$2}' \
| head -n 4 | xargs \
| awk '{print \"used \",\$1 - \$2 - \$3 - \$4}'"result:
for original version:
will use up all memory, within 3 hours.
kill all auditctl, the memory still does not free.
for new version (apply this patch):
after 14 hours later, not find issues.Signed-off-by: Chen Gang
Cc: Eric Paris
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
17 Apr, 2013
1 commit
-
When userspace sends messages to the audit system it includes a type.
We want to be able to filter messages based on that type without have to
do the all or nothing option currently available on the
AUDIT_FILTER_TYPE filter list. Instead we should be able to use the
AUDIT_FILTER_USER filter list and just use the message type as one part
of the matching decision.Signed-off-by: Eric Paris
11 Jan, 2013
1 commit
-
Fix new kernel-doc warning in auditfilter.c:
Warning(kernel/auditfilter.c:1157): Excess function parameter 'uid' description in 'audit_receive_filter'
Signed-off-by: Randy Dunlap
Cc: Al Viro
Cc: Eric Paris
Cc: linux-audit@redhat.com (subscribers-only)
Signed-off-by: Linus Torvalds
12 Oct, 2012
4 commits
-
In the cases where we already know the length of the parent, pass it as
a parm so we don't need to recompute it. In the cases where we don't
know the length, pass in AUDIT_NAME_FULL (-1) to indicate that it should
be determined.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
Signed-off-by: Eric Paris
Signed-off-by: Al Viro -
All the callers set this to NULL now.
Signed-off-by: Jeff Layton
Signed-off-by: Al Viro -
Currently, this gets set mostly by happenstance when we call into
audit_inode_child. While that might be a little more efficient, it seems
wrong. If the syscall ends up failing before audit_inode_child ever gets
called, then you'll have an audit_names record that shows the full path
but has the parent inode info attached.Fix this by passing in a parent flag when we call audit_inode that gets
set to the value of LOOKUP_PARENT. We can then fix up the pathname for
the audit entry correctly from the get-go.While we're at it, clean up the no-op macro for audit_inode in the
!CONFIG_AUDITSYSCALL case.Signed-off-by: Jeff Layton
Signed-off-by: Al Viro
18 Sep, 2012
4 commits
-
Always store audit loginuids in type kuid_t.
Print loginuids by converting them into uids in the appropriate user
namespace, and then printing the resulting uid.Modify audit_get_loginuid to return a kuid_t.
Modify audit_set_loginuid to take a kuid_t.
Modify /proc//loginuid on read to convert the loginuid into the
user namespace of the opener of the file.Modify /proc//loginud on write to convert the loginuid
rom the user namespace of the opener of the file.Cc: Al Viro
Cc: Eric Paris
Cc: Paul Moore ?
Cc: David Miller
Signed-off-by: Eric W. Biederman -
The audit filter code guarantees that uid are always compared with
uids and gids are always compared with gids, as the comparason
operations are type specific. Take advantage of this proper to define
audit_uid_comparator and audit_gid_comparator which use the type safe
comparasons from uidgid.h.Build on audit_uid_comparator and audit_gid_comparator and replace
audit_compare_id with audit_compare_uid and audit_compare_gid. This
is one of those odd cases where being type safe and duplicating code
leads to simpler shorter and more concise code.Don't allow bitmask operations in uid and gid comparisons in
audit_data_to_entry. Bitmask operations are already denined in
audit_rule_to_entry.Convert constants in audit_rule_to_entry and audit_data_to_entry into
kuids and kgids when appropriate.Convert the uid and gid field in struct audit_names to be of type
kuid_t and kgid_t respectively, so that the new uid and gid comparators
can be applied in a type safe manner.Cc: Al Viro
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman" -
Cc: Al Viro
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman" -
Get caller process uid and gid and pid values from the current task
instead of the NETLINK_CB. This is simpler than passing NETLINK_CREDS
from from audit_receive_msg to audit_filter_user_rules and avoid the
chance of being hit by the occassional bugs in netlink uid/gid
credential passing. This is a safe changes because all netlink
requests are processed in the task of the sending process.Cc: Al Viro
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman"
18 Jan, 2012
3 commits
-
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0. Or vice versa. This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared. At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.Signed-off-by: Eric Paris
-
Much like the ability to filter audit on the uid of an inode collected, we
should be able to filter on the gid of the inode.Signed-off-by: Eric Paris
-
Allow syscall exit filter matching based on the uid of the owner of an
inode used in a syscall. aka:auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa
Signed-off-by: Eric Paris