1. 04 Sep, 2017 1 commit
  2. 12 Jun, 2017 1 commit
  3. 30 May, 2017 1 commit
    • Richard Guy Briggs's avatar
      audit: add ambient capabilities to CAPSET and BPRM_FCAPS records · 7786f6b6
      Richard Guy Briggs authored
      Capabilities were augmented to include ambient capabilities in v4.3
      commit 58319057 ("capabilities: ambient capabilities").
      Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
      The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
      "new_pi", "new_pe" so in keeping with the previous record
      normalizations, change the "new_*" variants to simply drop the "new_"
      A sample of the replaced BPRM_FCAPS record:
      RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
      fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
      old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
      pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
      INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
      fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
      old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
      A sample of the replaced CAPSET record:
      RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
      cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
      INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
      See: https://github.com/linux-audit/audit-kernel/issues/40Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
  4. 02 May, 2017 3 commits
  5. 27 Mar, 2017 1 commit
  6. 21 Mar, 2017 1 commit
    • Paul Moore's avatar
      audit: fix auditd/kernel connection state tracking · 5b52330b
      Paul Moore authored
      What started as a rather straightforward race condition reported by
      Dmitry using the syzkaller fuzzer ended up revealing some major
      problems with how the audit subsystem managed its netlink sockets and
      its connection with the userspace audit daemon.  Fixing this properly
      had quite the cascading effect and what we are left with is this rather
      large and complicated patch.  My initial goal was to try and decompose
      this patch into multiple smaller patches, but the way these changes
      are intertwined makes it difficult to split these changes into
      meaningful pieces that don't break or somehow make things worse for
      the intermediate states.
      The patch makes a number of changes, but the most significant are
      highlighted below:
      * The auditd tracking variables, e.g. audit_sock, are now gone and
      replaced by a RCU/spin_lock protected variable auditd_conn which is
      a structure containing all of the auditd tracking information.
      * We no longer track the auditd sock directly, instead we track it
      via the network namespace in which it resides and we use the audit
      socket associated with that namespace.  In spirit, this is what the
      code was trying to do prior to this patch (at least I think that is
      what the original authors intended), but it was done rather poorly
      and added a layer of obfuscation that only masked the underlying
      * Big backlog queue cleanup, again.  In v4.10 we made some pretty big
      changes to how the audit backlog queues work, here we haven't changed
      the queue design so much as cleaned up the implementation.  Brought
      about by the locking changes, we've simplified kauditd_thread() quite
      a bit by consolidating the queue handling into a new helper function,
      kauditd_send_queue(), which allows us to eliminate a lot of very
      similar code and makes the looping logic in kauditd_thread() clearer.
      * All netlink messages sent to auditd are now sent via
      auditd_send_unicast_skb().  Other than just making sense, this makes
      the lock handling easier.
      * Change the audit_log_start() sleep behavior so that we never sleep
      on auditd events (unchanged) or if the caller is holding the
      audit_cmd_mutex (changed).  Previously we didn't sleep if the caller
      was auditd or if the message type fell between a certain range; the
      type check was a poor effort of doing what the cmd_mutex check now
      does.  Richard Guy Briggs originally proposed not sleeping the
      cmd_mutex owner several years ago but his patch wasn't acceptable
      at the time.  At least the idea lives on here.
      * A problem with the lost record counter has been resolved.  Steve
      Grubb and I both happened to notice this problem and according to
      some quick testing by Steve, this problem goes back quite some time.
      It's largely a harmless problem, although it may have left some
      careful sysadmins quite puzzled.
      Cc: <stable@vger.kernel.org> # 4.10.x-
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
  7. 13 Feb, 2017 1 commit
  8. 06 Dec, 2016 1 commit
  9. 28 Jun, 2016 1 commit
  10. 27 Jun, 2016 1 commit
  11. 24 Dec, 2015 1 commit
  12. 04 Nov, 2015 1 commit
  13. 06 Aug, 2015 2 commits
    • Richard Guy Briggs's avatar
      audit: implement audit by executable · 34d99af5
      Richard Guy Briggs authored
      This adds the ability audit the actions of a not-yet-running process.
      This patch implements the ability to filter on the executable path.  Instead of
      just hard coding the ino and dev of the executable we care about at the moment
      the rule is inserted into the kernel, use the new audit_fsnotify
      infrastructure to manage this dynamically.  This means that if the filename
      does not yet exist but the containing directory does, or if the inode in
      question is unlinked and creat'd (aka updated) the rule will just continue to
      work.  If the containing directory is moved or deleted or the filesystem is
      unmounted, the rule is deleted automatically.  A future enhancement would be to
      have the rule survive across directory disruptions.
      This is a heavily modified version of a patch originally submitted by Eric
      Paris with some ideas from Peter Moody.
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Richard Guy Briggs's avatar
      audit: clean simple fsnotify implementation · 7f492942
      Richard Guy Briggs authored
      This is to be used to audit by executable path rules, but audit watches should
      be able to share this code eventually.
      At the moment the audit watch code is a lot more complex.  That code only
      creates one fsnotify watch per parent directory.  That 'audit_parent' in
      turn has a list of 'audit_watches' which contain the name, ino, dev of
      the specific object we care about.  This just creates one fsnotify watch
      per object we care about.  So if you watch 100 inodes in /etc this code
      will create 100 fsnotify watches on /etc.  The audit_watch code will
      instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
      individual watches chained from that fsnotify mark.
      We should be able to convert the audit_watch code to do one fsnotify
      mark per watch and simplify things/remove a whole lot of code.  After
      that conversion we should be able to convert the audit_fsnotify code to
      support that hierarchy if the optimization is necessary.
      Move the access to the entry for audit_match_signal() to the beginning of
      the audit_del_rule() function in case the entry found is the same one passed
      in.  This will enable it to be used by audit_autoremove_mark_rule(),
      kill_rules() and audit_remove_parent_watches().
      This is a heavily modified and merged version of two patches originally
      submitted by Eric Paris.
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      [PM: added a space after a declaration to keep ./scripts/checkpatch happy]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
  14. 23 Feb, 2015 1 commit
  15. 23 Jan, 2015 1 commit
    • Paul Moore's avatar
      audit: replace getname()/putname() hacks with reference counters · 55422d0b
      Paul Moore authored
      In order to ensure that filenames are not released before the audit
      subsystem is done with the strings there are a number of hacks built
      into the fs and audit subsystems around getname() and putname().  To
      say these hacks are "ugly" would be kind.
      This patch removes the filename hackery in favor of a more
      conventional reference count based approach.  The diffstat below tells
      most of the story; lots of audit/fs specific code is replaced with a
      traditional reference count based approach that is easily understood,
      even by those not familiar with the audit and/or fs subsystems.
      CC: viro@zeniv.linux.org.uk
      CC: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  16. 23 Sep, 2014 1 commit
  17. 20 Mar, 2014 2 commits
    • Eric W. Biederman's avatar
      audit: Use struct net not pid_t to remember the network namespce to reply in · 638a0fd2
      Eric W. Biederman authored
      While reading through 3.14-rc1 I found a pretty siginficant mishandling
      of network namespaces in the recent audit changes.
      In struct audit_netlink_list and audit_reply add a reference to the
      network namespace of the caller and remove the userspace pid of the
      caller.  This cleanly remembers the callers network namespace, and
      removes a huge class of races and nasty failure modes that can occur
      when attempting to relook up the callers network namespace from a pid_t
      (including the caller's network namespace changing, pid wraparound, and
      the pid simply not being present).
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    • William Roberts's avatar
      audit: Audit proc/<pid>/cmdline aka proctitle · 3f1c8250
      William Roberts authored
      During an audit event, cache and print the value of the process's
      proctitle value (proc/<pid>/cmdline). This is useful in situations
      where processes are started via fork'd virtual machines where the
      comm field is incorrect. Often times, setting the comm field still
      is insufficient as the comm width is not very wide and most
      virtual machine "package names" do not fit. Also, during execution,
      many threads have their comm field set as well. By tying it back to
      the global cmdline value for the process, audit records will be more
      complete in systems with these properties. An example of where this
      is useful and applicable is in the realm of Android. With Android,
      their is no fork/exec for VM instances. The bare, preloaded Dalvik
      VM listens for a fork and specialize request. When this request comes
      in, the VM forks, and the loads the specific application (specializing).
      This was done to take advantage of COW and to not require a load of
      basic packages by the VM on very app spawn. When this spawn occurs,
      the package name is set via setproctitle() and shows up in procfs.
      Many of these package names are longer then 16 bytes, the historical
      width of task->comm. Having the cmdline in the audit records will
      couple the application back to the record directly. Also, on my
      Debian development box, some audit records were more useful then
      what was printed under comm.
      The cached proctitle is tied to the life-cycle of the audit_context
      structure and is built on demand.
      Proctitle is controllable by userspace, and thus should not be trusted.
      It is meant as an aid to assist in debugging. The proctitle event is
      emitted during syscall audits, and can be filtered with auditctl.
      type=AVC msg=audit(1391217013.924:386): avc:  denied  { getattr } for  pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
      type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
      type=UNKNOWN[1327] msg=audit(1391217013.924:386):  proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
      Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
      Signed-off-by: default avatarWilliam Roberts <wroberts@tresys.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
  18. 28 Feb, 2014 1 commit
  19. 14 Jan, 2014 3 commits
  20. 05 Nov, 2013 2 commits
  21. 09 Jul, 2013 1 commit
    • Jeff Layton's avatar
      audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record · 79f6530c
      Jeff Layton authored
      The old audit PATH records for mq_open looked like this:
        type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777
        dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
        type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732
        dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
      ...with the audit related changes that went into 3.7, they now look like this:
        type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655
        dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
        type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926
        dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
        type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"
      Both of these look wrong to me.  As Steve Grubb pointed out:
       "What we need is 1 PATH record that identifies the MQ.  The other PATH
        records probably should not be there."
      Fix it to record the mq root as a parent, and flag it such that it
      should be hidden from view when the names are logged, since the root of
      the mq filesystem isn't terribly interesting.  With this change, we get
      a single PATH record that looks more like this:
        type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914
        dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
      In order to do this, a new audit_inode_parent_hidden() function is
      added.  If we do it this way, then we avoid having the existing callers
      of audit_inode needing to do any sort of flag conversion if auditing is
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Reported-by: default avatarJiri Jaburek <jjaburek@redhat.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  22. 30 Apr, 2013 1 commit
    • Eric Paris's avatar
      audit: fix event coverage of AUDIT_ANOM_LINK · b24a30a7
      Eric Paris authored
      The userspace audit tools didn't like the existing formatting of the
      AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
      event as well, so this implements the change. The bulk of the patch is
      moving code out of auditsc.c into audit.c and audit.h for general use.
      It expands audit_log_name to include an optional "struct path" argument
      for the simple case of just needing to report a pathname. This also
      audit_log_task_info available when syscall auditing is not enabled,
      it is needed in either case for process details.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarSteve Grubb <sgrubb@redhat.com>
  23. 29 Apr, 2013 2 commits
  24. 12 Apr, 2013 1 commit
  25. 12 Oct, 2012 3 commits
  26. 18 Sep, 2012 2 commits
    • Eric W. Biederman's avatar
      userns: Convert audit to work with user namespaces enabled · cca080d9
      Eric W. Biederman authored
      - Explicitly format uids gids in audit messges in the initial user
        namespace. This is safe because auditd is restrected to be in
        the initial user namespace.
      - Convert audit_sig_uid into a kuid_t.
      - Enable building the audit code and user namespaces at the same time.
      The net result is that the audit subsystem now uses kuid_t and kgid_t whenever
      possible making it almost impossible to confuse a raw uid_t with a kuid_t
      preventing bugs.
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
    • Eric W. Biederman's avatar
      audit: Add typespecific uid and gid comparators · ca57ec0f
      Eric W. Biederman authored
      The audit filter code guarantees that uid are always compared with
      uids and gids are always compared with gids, as the comparason
      operations are type specific.  Take advantage of this proper to define
      audit_uid_comparator and audit_gid_comparator which use the type safe
      comparasons from uidgid.h.
      Build on audit_uid_comparator and audit_gid_comparator and replace
      audit_compare_id with audit_compare_uid and audit_compare_gid.  This
      is one of those odd cases where being type safe and duplicating code
      leads to simpler shorter and more concise code.
      Don't allow bitmask operations in uid and gid comparisons in
      audit_data_to_entry.  Bitmask operations are already denined in
      Convert constants in audit_rule_to_entry and audit_data_to_entry into
      kuids and kgids when appropriate.
      Convert the uid and gid field in struct audit_names to be of type
      kuid_t and kgid_t respectively, so that the new uid and gid comparators
      can be applied in a type safe manner.
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
  27. 17 Jan, 2012 1 commit
  28. 30 Oct, 2010 1 commit
  29. 28 Jul, 2010 1 commit