1. 12 Oct, 2012 2 commits
  2. 09 Oct, 2012 1 commit
  3. 18 Sep, 2012 3 commits
    • Eric W. Biederman's avatar
      userns: Convert audit to work with user namespaces enabled · cca080d9
      Eric W. Biederman authored
      - Explicitly format uids gids in audit messges in the initial user
        namespace. This is safe because auditd is restrected to be in
        the initial user namespace.
      
      - Convert audit_sig_uid into a kuid_t.
      
      - Enable building the audit code and user namespaces at the same time.
      
      The net result is that the audit subsystem now uses kuid_t and kgid_t whenever
      possible making it almost impossible to confuse a raw uid_t with a kuid_t
      preventing bugs.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      cca080d9
    • Eric W. Biederman's avatar
      userns: Convert the audit loginuid to be a kuid · e1760bd5
      Eric W. Biederman authored
      Always store audit loginuids in type kuid_t.
      
      Print loginuids by converting them into uids in the appropriate user
      namespace, and then printing the resulting uid.
      
      Modify audit_get_loginuid to return a kuid_t.
      
      Modify audit_set_loginuid to take a kuid_t.
      
      Modify /proc/<pid>/loginuid on read to convert the loginuid into the
      user namespace of the opener of the file.
      
      Modify /proc/<pid>/loginud on write to convert the loginuid
      rom the user namespace of the opener of the file.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Paul Moore <paul@paul-moore.com> ?
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      e1760bd5
    • Eric W. Biederman's avatar
      audit: Add typespecific uid and gid comparators · ca57ec0f
      Eric W. Biederman authored
      The audit filter code guarantees that uid are always compared with
      uids and gids are always compared with gids, as the comparason
      operations are type specific.  Take advantage of this proper to define
      audit_uid_comparator and audit_gid_comparator which use the type safe
      comparasons from uidgid.h.
      
      Build on audit_uid_comparator and audit_gid_comparator and replace
      audit_compare_id with audit_compare_uid and audit_compare_gid.  This
      is one of those odd cases where being type safe and duplicating code
      leads to simpler shorter and more concise code.
      
      Don't allow bitmask operations in uid and gid comparisons in
      audit_data_to_entry.  Bitmask operations are already denined in
      audit_rule_to_entry.
      
      Convert constants in audit_rule_to_entry and audit_data_to_entry into
      kuids and kgids when appropriate.
      
      Convert the uid and gid field in struct audit_names to be of type
      kuid_t and kgid_t respectively, so that the new uid and gid comparators
      can be applied in a type safe manner.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      ca57ec0f
  4. 12 Sep, 2012 1 commit
  5. 14 Apr, 2012 1 commit
  6. 23 Jan, 2012 1 commit
  7. 17 Jan, 2012 22 commits
    • Kees Cook's avatar
      audit: no leading space in audit_log_d_path prefix · c158a35c
      Kees Cook authored
      audit_log_d_path() injects an additional space before the prefix,
      which serves no purpose and doesn't mix well with other audit_log*()
      functions that do not sneak extra characters into the log.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      c158a35c
    • Xi Wang's avatar
      audit: fix signedness bug in audit_log_execve_info() · 5afb8a3f
      Xi Wang authored
      In the loop, a size_t "len" is used to hold the return value of
      audit_log_single_execve_arg(), which returns -1 on error.  In that
      case the error handling (len <= 0) will be bypassed since "len" is
      unsigned, and the loop continues with (p += len) being wrapped.
      Change the type of "len" to signed int to fix the error handling.
      
      	size_t len;
      	...
      	for (...) {
      		len = audit_log_single_execve_arg(...);
      		if (len <= 0)
      			break;
      		p += len;
      	}
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      5afb8a3f
    • Peter Moody's avatar
      audit: comparison on interprocess fields · 10d68360
      Peter Moody authored
      This allows audit to specify rules in which we compare two fields of a
      process.  Such as is the running process uid != to the running process
      euid?
      Signed-off-by: default avatarPeter Moody <pmoody@google.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      10d68360
    • Peter Moody's avatar
      audit: implement all object interfield comparisons · 4a6633ed
      Peter Moody authored
      This completes the matrix of interfield comparisons between uid/gid
      information for the current task and the uid/gid information for inodes.
      aka I can audit based on differences between the euid of the process and
      the uid of fs objects.
      Signed-off-by: default avatarPeter Moody <pmoody@google.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      4a6633ed
    • Eric Paris's avatar
      audit: allow interfield comparison between gid and ogid · c9fe685f
      Eric Paris authored
      Allow audit rules to compare the gid of the running task to the gid of the
      inode in question.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      c9fe685f
    • Eric Paris's avatar
      audit: complex interfield comparison helper · b34b0393
      Eric Paris authored
      Rather than code the same loop over and over implement a helper function which
      uses some pointer magic to make it generic enough to be used numerous places
      as we implement more audit interfield comparisons
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      b34b0393
    • Eric Paris's avatar
      audit: allow interfield comparison in audit rules · 02d86a56
      Eric Paris authored
      We wish to be able to audit when a uid=500 task accesses a file which is
      uid=0.  Or vice versa.  This patch introduces a new audit filter type
      AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
      should be compared.  At this point we only define the task->uid vs
      inode->uid, but other comparisons can be added.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      02d86a56
    • Eric Paris's avatar
      audit: do not call audit_getname on error · 4043cde8
      Eric Paris authored
      Just a code cleanup really.  We don't need to make a function call just for
      it to return on error.  This also makes the VFS function even easier to follow
      and removes a conditional on a hot path.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      4043cde8
    • Eric Paris's avatar
      audit: only allow tasks to set their loginuid if it is -1 · 633b4545
      Eric Paris authored
      At the moment we allow tasks to set their loginuid if they have
      CAP_AUDIT_CONTROL.  In reality we want tasks to set the loginuid when they
      log in and it be impossible to ever reset.  We had to make it mutable even
      after it was once set (with the CAP) because on update and admin might have
      to restart sshd.  Now sshd would get his loginuid and the next user which
      logged in using ssh would not be able to set his loginuid.
      
      Systemd has changed how userspace works and allowed us to make the kernel
      work the way it should.  With systemd users (even admins) are not supposed
      to restart services directly.  The system will restart the service for
      them.  Thus since systemd is going to loginuid==-1, sshd would get -1, and
      sshd would be allowed to set a new loginuid without special permissions.
      
      If an admin in this system were to manually start an sshd he is inserting
      himself into the system chain of trust and thus, logically, it's his
      loginuid that should be used!  Since we have old systems I make this a
      Kconfig option.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      633b4545
    • Eric Paris's avatar
      audit: remove task argument to audit_set_loginuid · 0a300be6
      Eric Paris authored
      The function always deals with current.  Don't expose an option
      pretending one can use it for something.  You can't.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      0a300be6
    • Eric Paris's avatar
      audit: allow audit matching on inode gid · 54d3218b
      Eric Paris authored
      Much like the ability to filter audit on the uid of an inode collected, we
      should be able to filter on the gid of the inode.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      54d3218b
    • Eric Paris's avatar
      audit: allow matching on obj_uid · efaffd6e
      Eric Paris authored
      Allow syscall exit filter matching based on the uid of the owner of an
      inode used in a syscall.  aka:
      
      auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      efaffd6e
    • Eric Paris's avatar
      audit: remove audit_finish_fork as it can't be called · 6422e78d
      Eric Paris authored
      Audit entry,always rules are not allowed and are automatically changed in
      exit,always rules in userspace.  The kernel refuses to load such rules.
      
      Thus a task in the middle of a syscall (and thus in audit_finish_fork())
      can only be in one of two states: AUDIT_BUILD_CONTEXT or AUDIT_DISABLED.
      Since the current task cannot be in AUDIT_RECORD_CONTEXT we aren't every
      going to actually use the code in audit_finish_fork() since it will
      return without doing anything.  Thus drop the code.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      6422e78d
    • Eric Paris's avatar
      audit: inline audit_free to simplify the look of generic code · a4ff8dba
      Eric Paris authored
      make the conditional a static inline instead of doing it in generic code.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      a4ff8dba
    • Eric Paris's avatar
      audit: inline checks for not needing to collect aux records · 07c49417
      Eric Paris authored
      A number of audit hooks make function calls before they determine that
      auxilary records do not need to be collected.  Do those checks as static
      inlines since the most common case is going to be that records are not
      needed and we can skip the function call overhead.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      07c49417
    • Eric Paris's avatar
      audit: drop some potentially inadvisable likely notations · 56179a6e
      Eric Paris authored
      The audit code makes heavy use of likely() and unlikely() macros, but they
      don't always make sense.  Drop any that seem questionable and let the
      computer do it's thing.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      56179a6e
    • Eric Paris's avatar
      audit: inline audit_syscall_entry to reduce burden on archs · b05d8447
      Eric Paris authored
      Every arch calls:
      
      if (unlikely(current->audit_context))
      	audit_syscall_entry()
      
      which requires knowledge about audit (the existance of audit_context) in
      the arch code.  Just do it all in static inline in audit.h so that arch's
      can remain blissfully ignorant.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      b05d8447
    • Eric Paris's avatar
      Audit: push audit success and retcode into arch ptrace.h · d7e7528b
      Eric Paris authored
      The audit system previously expected arches calling to audit_syscall_exit to
      supply as arguments if the syscall was a success and what the return code was.
      Audit also provides a helper AUDITSC_RESULT which was supposed to simplify things
      by converting from negative retcodes to an audit internal magic value stating
      success or failure.  This helper was wrong and could indicate that a valid
      pointer returned to userspace was a failed syscall.  The fix is to fix the
      layering foolishness.  We now pass audit_syscall_exit a struct pt_reg and it
      in turns calls back into arch code to collect the return value and to
      determine if the syscall was a success or failure.  We also define a generic
      is_syscall_success() macro which determines success/failure based on if the
      value is < -MAX_ERRNO.  This works for arches like x86 which do not use a
      separate mechanism to indicate syscall failure.
      
      We make both the is_syscall_success() and regs_return_value() static inlines
      instead of macros.  The reason is because the audit function must take a void*
      for the regs.  (uml calls theirs struct uml_pt_regs instead of just struct
      pt_regs so audit_syscall_exit can't take a struct pt_regs).  Since the audit
      function takes a void* we need to use static inlines to cast it back to the
      arch correct structure to dereference it.
      
      The other major change is that on some arches, like ia64, MIPS and ppc, we
      change regs_return_value() to give us the negative value on syscall failure.
      THE only other user of this macro, kretprobe_example.c, won't notice and it
      makes the value signed consistently for the audit functions across all archs.
      
      In arch/sh/kernel/ptrace_64.c I see that we were using regs[9] in the old
      audit code as the return value.  But the ptrace_64.h code defined the macro
      regs_return_value() as regs[3].  I have no idea which one is correct, but this
      patch now uses the regs_return_value() function, so it now uses regs[3].
      
      For powerpc we previously used regs->result but now use the
      regs_return_value() function which uses regs->gprs[3].  regs->gprs[3] is
      always positive so the regs_return_value(), much like ia64 makes it negative
      before calling the audit code when appropriate.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Acked-by: H. Peter Anvin <hpa@zytor.com> [for x86 portion]
      Acked-by: Tony Luck <tony.luck@intel.com> [for ia64]
      Acked-by: Richard Weinberger <richard@nod.at> [for uml]
      Acked-by: David S. Miller <davem@davemloft.net> [for sparc]
      Acked-by: Ralf Baechle <ralf@linux-mips.org> [for mips]
      Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> [for ppc]
      d7e7528b
    • Eric Paris's avatar
      seccomp: audit abnormal end to a process due to seccomp · 85e7bac3
      Eric Paris authored
      The audit system likes to collect information about processes that end
      abnormally (SIGSEGV) as this may me useful intrusion detection information.
      This patch adds audit support to collect information when seccomp forces a
      task to exit because of misbehavior in a similar way.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      85e7bac3
    • Eric Paris's avatar
      audit: check current inode and containing object when filtering on major and minor · 16c174bd
      Eric Paris authored
      The audit system has the ability to filter on the major and minor number of
      the device containing the inode being operated upon.  Lets say that
      /dev/sda1 has major,minor 8,1 and that we mount /dev/sda1 on /boot.  Now lets
      say we add a watch with a filter on 8,1.  If we proceed to open an inode
      inside /boot, such as /vboot/vmlinuz, we will match the major,minor filter.
      
      Lets instead assume that one were to use a tool like debugfs and were to
      open /dev/sda1 directly and to modify it's contents.  We might hope that
      this would also be logged, but it isn't.  The rules will check the
      major,minor of the device containing /dev/sda1.  In other words the rule
      would match on the major/minor of the tmpfs mounted at /dev.
      
      I believe these rules should trigger on either device.  The man page is
      devoid of useful information about the intended semantics.  It only seems
      logical that if you want to know everything that happened on a major,minor
      that would include things that happened to the device itself...
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      16c174bd
    • Eric Paris's avatar
      audit: dynamically allocate audit_names when not enough space is in the names array · 5195d8e2
      Eric Paris authored
      This patch does 2 things.  First it reduces the number of audit_names
      allocated in every audit context from 20 to 5.  5 should be enough for all
      'normal' syscalls (rename being the worst).  Some syscalls can still touch
      more the 5 inodes such as mount.  When rpc filesystem is mounted it will
      create inodes and those can exceed 5.  To handle that problem this patch will
      dynamically allocate audit_names if it needs more than 5.  This should
      decrease the typicall memory usage while still supporting all the possible
      kernel operations.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      5195d8e2
    • Eric Paris's avatar
      audit: make filetype matching consistent with other filters · 5ef30ee5
      Eric Paris authored
      Every other filter that matches part of the inodes list collected by audit
      will match against any of the inodes on that list.  The filetype matching
      however had a strange way of doing things.  It allowed userspace to
      indicated if it should match on the first of the second name collected by
      the kernel.  Name collection ordering seems like a kernel internal and
      making userspace rules get that right just seems like a bad idea.  As it
      turns out the userspace audit writers had no idea it was doing this and
      thus never overloaded the value field.  The kernel always checked the first
      name collected which for the tested rules was always correct.
      
      This patch just makes the filetype matching like the major, minor, inode,
      and LSM rules in that it will match against any of the names collected.  It
      also changes the rule validation to reject the old unused rule types.
      
      Noone knew it was there.  Noone used it.  Why keep around the extra code?
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      5ef30ee5
  8. 04 Jan, 2012 3 commits
  9. 31 Oct, 2011 1 commit
    • Paul Gortmaker's avatar
      kernel: Map most files to use export.h instead of module.h · 9984de1a
      Paul Gortmaker authored
      The changed files were only including linux/module.h for the
      EXPORT_SYMBOL infrastructure, and nothing else.  Revector them
      onto the isolated export header for faster compile times.
      
      Nothing to see here but a whole lot of instances of:
      
        -#include <linux/module.h>
        +#include <linux/export.h>
      
      This commit is only changing the kernel dir; next targets
      will probably be mm, fs, the arch dirs, etc.
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      9984de1a
  10. 26 Jul, 2011 1 commit
  11. 27 Apr, 2011 1 commit
    • Tony Jones's avatar
      audit: acquire creds selectively to reduce atomic op overhead · f5629883
      Tony Jones authored
      Commit c69e8d9c ("CRED: Use RCU to access another task's creds and to
      release a task's own creds") added calls to get_task_cred and put_cred in
      audit_filter_rules.  Profiling with a large number of audit rules active
      on the exit chain shows that we are spending upto 48% in this routine for
      syscall intensive tests, most of which is in the atomic ops.
      
      1. The code should be accessing tsk->cred rather than tsk->real_cred.
      2. Since tsk is current (or tsk is being created by copy_process) access to
      tsk->cred without rcu read lock is possible.  At the request of the audit
      maintainer, a new flag has been added to audit_filter_rules in order to make
      this explicit and guide future code.
      Signed-off-by: default avatarTony Jones <tonyj@suse.de>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      f5629883
  12. 31 Mar, 2011 1 commit
  13. 30 Oct, 2010 1 commit
    • Al Viro's avatar
      audit mmap · 120a795d
      Al Viro authored
      Normal syscall audit doesn't catch 5th argument of syscall.  It also
      doesn't catch the contents of userland structures pointed to be
      syscall argument, so for both old and new mmap(2) ABI it doesn't
      record the descriptor we are mapping.  For old one it also misses
      flags.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      120a795d
  14. 11 Aug, 2010 1 commit