1. 23 Jan, 2015 1 commit
    • Paul Moore's avatar
      audit: replace getname()/putname() hacks with reference counters · 55422d0b
      Paul Moore authored
      In order to ensure that filenames are not released before the audit
      subsystem is done with the strings there are a number of hacks built
      into the fs and audit subsystems around getname() and putname().  To
      say these hacks are "ugly" would be kind.
      
      This patch removes the filename hackery in favor of a more
      conventional reference count based approach.  The diffstat below tells
      most of the story; lots of audit/fs specific code is replaced with a
      traditional reference count based approach that is easily understood,
      even by those not familiar with the audit and/or fs subsystems.
      
      CC: viro@zeniv.linux.org.uk
      CC: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      55422d0b
  2. 23 Sep, 2014 1 commit
  3. 20 Mar, 2014 2 commits
    • Eric W. Biederman's avatar
      audit: Use struct net not pid_t to remember the network namespce to reply in · 638a0fd2
      Eric W. Biederman authored
      While reading through 3.14-rc1 I found a pretty siginficant mishandling
      of network namespaces in the recent audit changes.
      
      In struct audit_netlink_list and audit_reply add a reference to the
      network namespace of the caller and remove the userspace pid of the
      caller.  This cleanly remembers the callers network namespace, and
      removes a huge class of races and nasty failure modes that can occur
      when attempting to relook up the callers network namespace from a pid_t
      (including the caller's network namespace changing, pid wraparound, and
      the pid simply not being present).
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      638a0fd2
    • William Roberts's avatar
      audit: Audit proc/<pid>/cmdline aka proctitle · 3f1c8250
      William Roberts authored
      During an audit event, cache and print the value of the process's
      proctitle value (proc/<pid>/cmdline). This is useful in situations
      where processes are started via fork'd virtual machines where the
      comm field is incorrect. Often times, setting the comm field still
      is insufficient as the comm width is not very wide and most
      virtual machine "package names" do not fit. Also, during execution,
      many threads have their comm field set as well. By tying it back to
      the global cmdline value for the process, audit records will be more
      complete in systems with these properties. An example of where this
      is useful and applicable is in the realm of Android. With Android,
      their is no fork/exec for VM instances. The bare, preloaded Dalvik
      VM listens for a fork and specialize request. When this request comes
      in, the VM forks, and the loads the specific application (specializing).
      This was done to take advantage of COW and to not require a load of
      basic packages by the VM on very app spawn. When this spawn occurs,
      the package name is set via setproctitle() and shows up in procfs.
      Many of these package names are longer then 16 bytes, the historical
      width of task->comm. Having the cmdline in the audit records will
      couple the application back to the record directly. Also, on my
      Debian development box, some audit records were more useful then
      what was printed under comm.
      
      The cached proctitle is tied to the life-cycle of the audit_context
      structure and is built on demand.
      
      Proctitle is controllable by userspace, and thus should not be trusted.
      It is meant as an aid to assist in debugging. The proctitle event is
      emitted during syscall audits, and can be filtered with auditctl.
      
      Example:
      type=AVC msg=audit(1391217013.924:386): avc:  denied  { getattr } for  pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
      type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
      type=UNKNOWN[1327] msg=audit(1391217013.924:386):  proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
      
      Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
      Signed-off-by: default avatarWilliam Roberts <wroberts@tresys.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      3f1c8250
  4. 28 Feb, 2014 1 commit
  5. 14 Jan, 2014 3 commits
  6. 05 Nov, 2013 2 commits
  7. 09 Jul, 2013 1 commit
    • Jeff Layton's avatar
      audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record · 79f6530c
      Jeff Layton authored
      The old audit PATH records for mq_open looked like this:
      
        type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777
        dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
        obj=system_u:object_r:tmpfs_t:s15:c0.c1023
        type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732
        dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
        obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
      
      ...with the audit related changes that went into 3.7, they now look like this:
      
        type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655
        dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
        obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
        type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926
        dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
        obj=system_u:object_r:tmpfs_t:s15:c0.c1023
        type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"
      
      Both of these look wrong to me.  As Steve Grubb pointed out:
      
       "What we need is 1 PATH record that identifies the MQ.  The other PATH
        records probably should not be there."
      
      Fix it to record the mq root as a parent, and flag it such that it
      should be hidden from view when the names are logged, since the root of
      the mq filesystem isn't terribly interesting.  With this change, we get
      a single PATH record that looks more like this:
      
        type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914
        dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
        obj=unconfined_u:object_r:user_tmpfs_t:s0
      
      In order to do this, a new audit_inode_parent_hidden() function is
      added.  If we do it this way, then we avoid having the existing callers
      of audit_inode needing to do any sort of flag conversion if auditing is
      inactive.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Reported-by: default avatarJiri Jaburek <jjaburek@redhat.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      79f6530c
  8. 30 Apr, 2013 1 commit
    • Eric Paris's avatar
      audit: fix event coverage of AUDIT_ANOM_LINK · b24a30a7
      Eric Paris authored
      The userspace audit tools didn't like the existing formatting of the
      AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
      event as well, so this implements the change. The bulk of the patch is
      moving code out of auditsc.c into audit.c and audit.h for general use.
      It expands audit_log_name to include an optional "struct path" argument
      for the simple case of just needing to report a pathname. This also
      makes
      audit_log_task_info available when syscall auditing is not enabled,
      since
      it is needed in either case for process details.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarSteve Grubb <sgrubb@redhat.com>
      b24a30a7
  9. 29 Apr, 2013 2 commits
  10. 12 Apr, 2013 1 commit
  11. 12 Oct, 2012 3 commits
  12. 18 Sep, 2012 2 commits
    • Eric W. Biederman's avatar
      userns: Convert audit to work with user namespaces enabled · cca080d9
      Eric W. Biederman authored
      - Explicitly format uids gids in audit messges in the initial user
        namespace. This is safe because auditd is restrected to be in
        the initial user namespace.
      
      - Convert audit_sig_uid into a kuid_t.
      
      - Enable building the audit code and user namespaces at the same time.
      
      The net result is that the audit subsystem now uses kuid_t and kgid_t whenever
      possible making it almost impossible to confuse a raw uid_t with a kuid_t
      preventing bugs.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      cca080d9
    • Eric W. Biederman's avatar
      audit: Add typespecific uid and gid comparators · ca57ec0f
      Eric W. Biederman authored
      The audit filter code guarantees that uid are always compared with
      uids and gids are always compared with gids, as the comparason
      operations are type specific.  Take advantage of this proper to define
      audit_uid_comparator and audit_gid_comparator which use the type safe
      comparasons from uidgid.h.
      
      Build on audit_uid_comparator and audit_gid_comparator and replace
      audit_compare_id with audit_compare_uid and audit_compare_gid.  This
      is one of those odd cases where being type safe and duplicating code
      leads to simpler shorter and more concise code.
      
      Don't allow bitmask operations in uid and gid comparisons in
      audit_data_to_entry.  Bitmask operations are already denined in
      audit_rule_to_entry.
      
      Convert constants in audit_rule_to_entry and audit_data_to_entry into
      kuids and kgids when appropriate.
      
      Convert the uid and gid field in struct audit_names to be of type
      kuid_t and kgid_t respectively, so that the new uid and gid comparators
      can be applied in a type safe manner.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      ca57ec0f
  13. 17 Jan, 2012 1 commit
  14. 30 Oct, 2010 1 commit
  15. 28 Jul, 2010 3 commits
  16. 24 Jun, 2009 3 commits
  17. 04 Jan, 2009 1 commit
    • Al Viro's avatar
      fixing audit rule ordering mess, part 1 · 0590b933
      Al Viro authored
      Problem: ordering between the rules on exit chain is currently lost;
      all watch and inode rules are listed after everything else _and_
      exit,never on one kind doesn't stop exit,always on another from
      being matched.
      
      Solution: assign priorities to rules, keep track of the current
      highest-priority matching rule and its result (always/never).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0590b933
  18. 28 Apr, 2008 1 commit
    • Harvey Harrison's avatar
      [PATCH 1/2] audit: move extern declarations to audit.h · c782f242
      Harvey Harrison authored
      Leave audit_sig_{uid|pid|sid} protected by #ifdef CONFIG_AUDITSYSCALL.
      
      Noticed by sparse:
      kernel/audit.c:73:6: warning: symbol 'audit_ever_enabled' was not declared. Should it be static?
      kernel/audit.c:100:8: warning: symbol 'audit_sig_uid' was not declared. Should it be static?
      kernel/audit.c:101:8: warning: symbol 'audit_sig_pid' was not declared. Should it be static?
      kernel/audit.c:102:6: warning: symbol 'audit_sig_sid' was not declared. Should it be static?
      kernel/audit.c:117:23: warning: symbol 'audit_ih' was not declared. Should it be static?
      kernel/auditfilter.c:78:18: warning: symbol 'audit_filter_list' was not declared. Should it be static?
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c782f242
  19. 18 Apr, 2008 1 commit
  20. 21 Oct, 2007 1 commit
    • Al Viro's avatar
      [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro authored
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
      	* if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
      	* if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
      	* if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there.  New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      74c3cbe3
  21. 16 Jul, 2007 1 commit
    • Miloslav Trmac's avatar
      Audit: add TTY input auditing · 522ed776
      Miloslav Trmac authored
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to an user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork (), it would be set
      e.g.  for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g.  after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      522ed776
  22. 11 May, 2007 1 commit
    • Amy Griffis's avatar
      [PATCH] audit signal recipients · e54dc243
      Amy Griffis authored
      When auditing syscalls that send signals, log the pid and security
      context for each target process. Optimize the data collection by
      adding a counter for signal-related rules, and avoiding allocating an
      aux struct unless we have more than one target process. For process
      groups, collect pid/context data in blocks of 16. Move the
      audit_signal_info() hook up in check_kill_permission() so we audit
      attempts where permission is denied.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      e54dc243
  23. 11 Sep, 2006 1 commit
  24. 01 Jul, 2006 1 commit
    • Amy Griffis's avatar
      [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis authored
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hpd.com>
      5adc8a6a
  25. 20 Jun, 2006 4 commits
    • Amy Griffis's avatar
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis authored
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • Amy Griffis's avatar
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis authored
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • Al Viro's avatar
      e1396065
    • Al Viro's avatar
      [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES · 9044e6bc
      Al Viro authored
      We should not send a pile of replies while holding audit_netlink_mutex
      since we hold the same mutex when we receive commands.  As the result,
      we can get blocked while sending and sit there holding the mutex while
      auditctl is unable to send the next command and get around to receiving
      what we'd sent.
      
      Solution: create skb and put them into a queue instead of sending;
      once we are done, send what we've got on the list.  The former can
      be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
      we are holding audit_netlink_mutex at that point.  The latter is done
      asynchronously and without messing with audit_netlink_mutex.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9044e6bc