13 Apr, 2014
1 commit
-
Pull audit updates from Eric Paris.
* git://git.infradead.org/users/eparis/audit: (28 commits)
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
audit: do not cast audit_rule_data pointers pointlesly
AUDIT: Allow login in non-init namespaces
audit: define audit_is_compat in kernel internal header
kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
sched: declare pid_alive as inline
audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
syscall_get_arch: remove useless function arguments
audit: remove stray newline from audit_log_execve_info() audit_panic() call
audit: remove stray newlines from audit_log_lost messages
audit: include subject in login records
audit: remove superfluous new- prefix in AUDIT_LOGIN messages
audit: allow user processes to log from another PID namespace
audit: anchor all pid references in the initial pid namespace
audit: convert PPIDs to the inital PID namespace.
pid: get pid_t ppid of task in init_pid_ns
audit: rename the misleading audit_get_context() to audit_take_context()
audit: Add generic compat syscall support
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
...
01 Apr, 2014
1 commit
-
It its possible to configure your PAM stack to refuse login if audit
messages (about the login) were unable to be sent. This is common in
many distros and thus normal configuration of many containers. The PAM
modules determine if audit is enabled/disabled in the kernel based on
the return value from sending an audit message on the netlink socket.
If userspace gets back ECONNREFUSED it believes audit is disabled in the
kernel. If it gets any other error else it refuses to let the login
proceed.Just about ever since the introduction of namespaces the kernel audit
subsystem has returned EPERM if the task sending a message was not in
the init user or pid namespace. So many forms of containers have never
worked if audit was enabled in the kernel.BUT if the container was not in net_init then the kernel network code
would send ECONNREFUSED (instead of the audit code sending EPERM). Thus
by pure accident/dumb luck/bug if an admin configured the PAM stack to
reject all logins that didn't talk to audit, but then ran the login
untility in the non-init_net namespace, it would work!! Clearly this was
a bug, but it is a bug some people expected.With the introduction of network namespace support in 3.14-rc1 the two
bugs stopped cancelling each other out. Now, containers in the
non-init_net namespace refused to let users log in (just like PAM was
configfured!) Obviously some people were not happy that what used to let
users log in, now didn't!This fix is kinda hacky. We return ECONNREFUSED for all non-init
relevant namespaces. That means that not only will the old broken
non-init_net setups continue to work, now the broken non-init_pid or
non-init_user setups will 'work'. They don't really work, since audit
isn't logging things. But it's what most users want.In 3.15 we should have patches to support not only the non-init_net
(3.14) namespace but also the non-init_pid and non-init_user namespace.
So all will be right in the world. This just opens the doors wide open
on 3.14 and hopefully makes users happy, if not the audit system...Reported-by: Andre Tomt
Reported-by: Adam Richter
Signed-off-by: Eric Paris
Signed-off-by: Linus TorvaldsConflicts:
kernel/audit.c
31 Mar, 2014
1 commit
-
It its possible to configure your PAM stack to refuse login if audit
messages (about the login) were unable to be sent. This is common in
many distros and thus normal configuration of many containers. The PAM
modules determine if audit is enabled/disabled in the kernel based on
the return value from sending an audit message on the netlink socket.
If userspace gets back ECONNREFUSED it believes audit is disabled in the
kernel. If it gets any other error else it refuses to let the login
proceed.Just about ever since the introduction of namespaces the kernel audit
subsystem has returned EPERM if the task sending a message was not in
the init user or pid namespace. So many forms of containers have never
worked if audit was enabled in the kernel.BUT if the container was not in net_init then the kernel network code
would send ECONNREFUSED (instead of the audit code sending EPERM). Thus
by pure accident/dumb luck/bug if an admin configured the PAM stack to
reject all logins that didn't talk to audit, but then ran the login
untility in the non-init_net namespace, it would work!! Clearly this was
a bug, but it is a bug some people expected.With the introduction of network namespace support in 3.14-rc1 the two
bugs stopped cancelling each other out. Now, containers in the
non-init_net namespace refused to let users log in (just like PAM was
configfured!) Obviously some people were not happy that what used to let
users log in, now didn't!This fix is kinda hacky. We return ECONNREFUSED for all non-init
relevant namespaces. That means that not only will the old broken
non-init_net setups continue to work, now the broken non-init_pid or
non-init_user setups will 'work'. They don't really work, since audit
isn't logging things. But it's what most users want.In 3.15 we should have patches to support not only the non-init_net
(3.14) namespace but also the non-init_pid and non-init_user namespace.
So all will be right in the world. This just opens the doors wide open
on 3.14 and hopefully makes users happy, if not the audit system...Reported-by: Andre Tomt
Reported-by: Adam Richter
Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
25 Mar, 2014
1 commit
-
This patch replaces rcu_assign_pointer(x, NULL) with RCU_INIT_POINTER(x, NULL)
The rcu_assign_pointer() ensures that the initialization of a structure
is carried out before storing a pointer to that structure.
And in the case of the NULL pointer, there is no structure to initialize.
So, rcu_assign_pointer(p, NULL) can be safely converted to RCU_INIT_POINTER(p, NULL)Signed-off-by: Monam Agarwal
Signed-off-by: Eric Paris
20 Mar, 2014
6 commits
-
Calling audit_log_lost with a \n in the format string leads to extra
newlines in dmesg. That function will eventually call audit_panic which
uses pr_err with an explicit \n included. Just make these calls match the
others that lack \n.Reported-by: Jonathan Kamens
Signed-off-by: Josh Boyer
Signed-off-by: Richard Guy Briggs -
Still only permit the audit logging daemon and control to operate from the
initial PID namespace, but allow processes to log from another PID namespace.Cc: "Eric W. Biederman"
(informed by ebiederman's c776b5d2)Signed-off-by: Richard Guy Briggs
-
Store and log all PIDs with reference to the initial PID namespace and
use the access functions task_pid_nr() and task_tgid_nr() for task->pid
and task->tgid.Cc: "Eric W. Biederman"
(informed by ebiederman's c776b5d2)
Signed-off-by: Richard Guy Briggs -
sys_getppid() returns the parent pid of the current process in its own pid
namespace. Since audit filters are based in the init pid namespace, a process
could avoid a filter or trigger an unintended one by being in an alternate pid
namespace or log meaningless information.Switch to task_ppid_nr() for PPIDs to anchor all audit filters in the
init_pid_ns.(informed by ebiederman's 6c621b7e)
Cc: stable@vger.kernel.org
Cc: Eric W. Biederman
Signed-off-by: Richard Guy Briggs -
In perverse cases of file descriptor passing the current network
namespace of a process and the network namespace of a socket used by
that socket may differ. Therefore use the network namespace of the
appropiate socket to ensure replies always go to the appropiate
socket.Signed-off-by: "Eric W. Biederman"
Acked-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
While reading through 3.14-rc1 I found a pretty siginficant mishandling
of network namespaces in the recent audit changes.In struct audit_netlink_list and audit_reply add a reference to the
network namespace of the caller and remove the userspace pid of the
caller. This cleanly remembers the callers network namespace, and
removes a huge class of races and nasty failure modes that can occur
when attempting to relook up the callers network namespace from a pid_t
(including the caller's network namespace changing, pid wraparound, and
the pid simply not being present).Signed-off-by: "Eric W. Biederman"
Acked-by: Richard Guy Briggs
Signed-off-by: Eric Paris
09 Mar, 2014
1 commit
-
The kbuild test robot reported:
> tree: git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-next
> head: 6f285b19d09f72e801525f5eea1bdad22e559bf0
> commit: 6f285b19d09f72e801525f5eea1bdad22e559bf0 [2/2] audit: Send replies in the proper network namespace.
> reproduce: make htmldocs
>
> >> Warning(kernel/audit.c:575): No description found for parameter 'request_skb'
> >> Warning(kernel/audit.c:575): Excess function parameter 'portid' description in 'audit_send_reply'
> >> Warning(kernel/auditfilter.c:1074): No description found for parameter 'request_skb'
> >> Warning(kernel/auditfilter.c:1074): Excess function parameter 'portid' description in 'audit_list_rules_sWhich was caused by my failure to update the kdoc annotations when I
updated the functions. Fix that small oversight now.Signed-off-by: "Eric W. Biederman"
01 Mar, 2014
1 commit
-
In perverse cases of file descriptor passing the current network
namespace of a process and the network namespace of a socket used by
that socket may differ. Therefore use the network namespace of the
appropiate socket to ensure replies always go to the appropiate
socket.Signed-off-by: "Eric W. Biederman"
28 Feb, 2014
1 commit
-
In struct audit_netlink_list and audit_reply add a reference to the
network namespace of the caller and remove the userspace pid of the
caller. This cleanly remembers the callers network namespace, and
removes a huge class of races and nasty failure modes that can occur
when attempting to relook up the callers network namespace from a
pid_t (including the caller's network namespace changing, pid
wraparound, and the pid simply not being present).Signed-off-by: "Eric W. Biederman"
18 Jan, 2014
2 commits
-
Fixup caught by checkpatch.
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
A message about creating the audit socket might be fine at startup, but
a pr_info for every single network namespace created on a system isn't
useful.Signed-off-by: Eric Paris
15 Jan, 2014
3 commits
-
The equivalent uapi struct uses __u32 so make the kernel
uses u32 too.This can prevent some oddities where the limit is
logged/emitted as a negative value.Convert kstrtol to kstrtouint to disallow negative values.
Signed-off-by: Joe Perches
[eparis: do not remove static from audit_default declaration] -
Add pr_fmt to prefix "audit: " to output
Convert printk(KERN_ to pr_
Coalesce formats
Use pr_cont
Move a brace after switchSigned-off-by: Joe Perches
-
Using the generic kernel function causes the
object size to increase with gcc 4.8.1.$ size kernel/audit.o*
text data bss dec hex filename
18577 6079 8436 33092 8144 kernel/audit.o.new
18579 6015 8420 33014 80f6 kernel/audit.o.oldUnsigned...
14 Jan, 2014
22 commits
-
An admin is likely to want to see old and new values next to each other.
Putting all of the old values followed by all of the new values is just
hard to read as a human.Signed-off-by: Eric Paris
-
We can simplify the AUDIT_TTY_SET code to only grab the spin_lock one
time. We need to determine if the new values are valid and if so, set
the new values at the same time we grab the old onces. While we are
here get rid of 'res' and just use err.Signed-off-by: Eric Paris
-
If userspace specified that it was setting values via the mask we do not
need a second check to see if they also set the version field high
enough to understand those values. (clearly if they set the mask they
knew those values).Signed-off-by: Eric Paris
-
Give names to the audit versions. Just something for a userspace
programmer to know what the version provides.Signed-off-by: Eric Paris
-
We had some craziness with signed to unsigned long casting which appears
wholely unnecessary. Just use signed long. Even though 2 values of the
math equation are unsigned longs the result is expected to be a signed
long. So why keep casting the result to signed long? Just make it
signed long and use it.We also remove the needless "timeout" variable. We already have the
stack "sleep_time" variable. Just use that...Signed-off-by: Eric Paris
-
Add task information to the log when changing a feature state.
Signed-off-by: Eric Paris
-
NETLINK_CB(skb).sk is the socket of user space process,
netlink_unicast in kauditd_send_skb wants the kernel
side socket. Since the sk_state of audit netlink socket
is not NETLINK_CONNECTED, so the netlink_getsockbyportid
doesn't return -ECONNREFUSED.And the socket of userspace process can be released anytime,
so the audit_sock may point to invalid socket.this patch sets the audit_sock to the kernel side audit
netlink socket.Signed-off-by: Gao feng
Acked-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
print the error message and then return -ENOMEM.
Signed-off-by: Gao feng
Acked-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
An error on an AUDIT_NEVER rule disabled logging on that rule.
On error on AUDIT_NEVER rules, log.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
The backlog cannot be consumed when audit_log_start is running on auditd
even if audit_log_start calls wait_for_auditd to consume it.
The situation is the deadlock because only auditd can consume the backlog.
If the other process needs to send the backlog, it can be also stopped
by the deadlock.So, audit_log_start running on auditd should not stop.
You can see the deadlock with the following reproducer:
# auditctl -a exit,always -S all
# rebootSigned-off-by: Toshiyuki Okajima
Reviewed-by: gaofeng@cn.fujitsu.com
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
We do not need to hold the audit_cmd_mutex for this family of cases. The
possible exception to this is the call to audit_filter_user(), so drop the lock
immediately after. To help in fixing the race we are trying to avoid, make
sure that nothing called by audit_filter_user() calls audit_log_start(). In
particular, watch out for *_audit_rule_match().This fix will take care of systemd and anything USING audit. It still means
that we could race with something configuring audit and auditd shutting down.Signed-off-by: Richard Guy Briggs
Reported-by: toshi.okajima@jp.fujitsu.com
Tested-by: toshi.okajima@jp.fujitsu.com
Signed-off-by: Eric Paris -
Right now the sessionid value in the kernel is a combination of u32,
int, and unsigned int. Just use unsigned int throughout.Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of exe, the
system admin may not have an exact idea on what program failed.This patch changes the audit_log_task() so that the path to the exe is also
logged.This was copied from audit_log_task_info() and the latter enhanced to avoid
disappearing text fields.Signed-off-by: Paul Davies C
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
There have been reports of auditd restarts resulting in kaudit not being able
to find a newly registered auditd. It results in reports such as:
kernel: [ 2077.233573] audit: *NO* daemon at audit_pid=1614
kernel: [ 2077.234712] audit: audit_lost=97 audit_rate_limit=0 audit_backlog_limit=320
kernel: [ 2077.234718] audit: auditd disappeared
(previously mis-spelled "dissapeared")One possible cause is a race between the shutdown of an older auditd and a
newer one. If the newer one sets the daemon pid to itself in kauditd before
the older one has cleared the daemon pid, the newer daemon pid will be erased.
This could be caused by an automated system, or by manual intervention, but in
either case, there is no use in having the older daemon clear the daemon pid
reference since its old pid is no longer being referenced. This patch will
prevent that specific case, returning an error of EACCES.The case for preventing a newer auditd from registering itself if there is an
existing auditd is a more difficult case that is beyond the scope of this
patch.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
audit_receive_msg() needlessly contained a fallthrough case that called
audit_receive_filter(), containing no common code between the cases. Separate
them to make the logic clearer. Refactor AUDIT_LIST_RULES, AUDIT_ADD_RULE,
AUDIT_DEL_RULE cases to create audit_rule_change(), audit_list_rules_send()
functions. This should not functionally change the logic.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Log transition of config changes when AUDIT_TTY_SET is called, including both
enabled and log_passwd values now in the struct.Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
kauditd_send_skb is called after audit_pid was checked to be non-zero.
However, it can be set to 0 due to auditd exiting while kauditd_send_skb
is still executed and this can result in a spurious warning about missing
auditd.Re-check audit_pid before printing the message.
Signed-off-by: Mateusz Guzik
Cc: Eric Paris
Cc: linux-kernel@vger.kernel.org
Acked-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Since audit can already be disabled by "audit=0" on the kernel boot line, or by
the command "auditctl -e 0", it would be more useful to have the
audit_backlog_limit set to zero mean effectively unlimited (limited only by
system RAM).Acked-by: Gao feng
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
we already have old_lock, no need to calculate it again.
Acked-by: Eric Paris
Signed-off-by: Gao feng
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
If audit is disabled,we shouldn't generate the audit log.
Acked-by: Eric Paris
Signed-off-by: Gao feng
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
The order of new feature and old feature is incorrect,
this patch fix it.Acked-by: Eric Paris
Signed-off-by: Gao feng
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
Since kernel parameter is operated before
initcall, so the audit_initialized must be
AUDIT_UNINITIALIZED or DISABLED in audit_enable.Signed-off-by: Gao feng
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris