Re: aulast only displaying reboot pseudo-users
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
My guess is that userspace just throws away records where it doesn't find the auid= and ses=, and your kernel happens to live in those couple of months where it had new-ses and new-auid.

Was this patch sent to stable?

The audit code tries to handle the old way and the new way:
https://fedorahosted.org/audit/browser/trunk/tools/aulast/aulast.c#L175

But I thought the patch went to stable to prevent breaking user space.

This is only one issue. I am seeing duplicate and missing events between systemd, gdm, and lightdm.

I'd call this a pretty clear userspace bug where it just completely drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null

Anything that gets tossed out will be reported to stderr.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: aulast only displaying reboot pseudo-users
On Tue, 17 Jun 2014 09:29:21 -0400, Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just completely drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null

Anything that gets tossed out will be reported to stderr.

I'm indeed getting quite a lot of skipped events:

Malformed event skipped, rc=7.
type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1

-Steve
Re: aulast only displaying reboot pseudo-users
On Tue, 17 Jun 2014 16:09:32 +0200 Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400, Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just completely drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null

Anything that gets tossed out will be reported to stderr.

I'm indeed getting quite a lot of skipped events:

Malformed event skipped, rc=7.
type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1

This feels like 2 clear bugs.

1) The kernel records for LOGIN are 'malformed' in 3.14.

2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

ausearch -m LOGIN should be able to display these things...
Re: aulast only displaying reboot pseudo-users
On Tuesday, June 17, 2014 10:55:42 AM Richard Guy Briggs wrote:
This feels like 2 clear bugs.

1) The kernel records for LOGIN are 'malformed' in 3.14.

Yes. That's why it got fixed for 3.15.

5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it between 3.13 and 3.14-rc1

aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
fixed it between 3.14 and 3.15-rc1

So it is fine in 3.15.

We need this fixed in current kernels. It's a low-risk patch that fixes this problem for a lot of people.

2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

So according to Linus, we (I) violated the thou shalt not break userspace golden rule with the second patch. But it was already broken according to Steve, which is why the first patch was submitted.

ausearch -m LOGIN should be able to display these things...

Agreed. One lesson here? Let's get a minimum useful subset of http://people.redhat.com/sgrubb/audit/audit-parse.txt into the linux-2.6/Documentation/ tree to try to avoid this issue in the future.

I'd like to reformat that before putting it in the linux kernel. It needs to be written from a generic howto perspective and not a library design perspective. Although that document is what has guided audit event design for about 8 or 9 years.

-Steve
Re: aulast only displaying reboot pseudo-users
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200 Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400, Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just completely drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null

Anything that gets tossed out will be reported to stderr.

I'm indeed getting quite a lot of skipped events:

Malformed event skipped, rc=7.
type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1

This feels like 2 clear bugs.

1) The kernel records for LOGIN are 'malformed' in 3.14.

Was the patch sent to stable? If not, could it be?

2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

ausearch -m LOGIN should be able to display these things...

The problem is that all of the utilities are expecting fields with certain names in a certain order. Moving them around or changing them breaks things. When we add work-arounds, it causes the utilities to run slower because it tries one method and then another. When you run test cases that parse 100 Gb of logs, you'll see the effects of the work-arounds because the search takes minutes rather than seconds. The utilities are tuned for the massive logs use case.

The particular code in question, ausearch-parse.c, is used by both aureport and ausearch. It does not have a concept of completing search criteria and just dumping the record out. There might be something that can be done here, but lots of changes risk breaking things in subtle ways.

-Steve
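As an added example (my code, not the audit userspace or kernel source), here is a small Python parser for LOGIN records that does what the thread argues for: it accepts the new-auid=/new-ses= names a 3.14 kernel wrote next to the canonical auid=/ses= (the field-name change the 5ee9a75 and aa589a1 commits revolve around), flags orphaned keywords of the kind the later IMA patch on this page hyphenates away, and reports instead of silently skipping what it cannot parse. All function and field names are my own; only the first sample line is the record quoted in the thread, the other two are constructed.

```python
"""Tolerant parser for Linux audit LOGIN records (added example, not audit-userspace code):
accept the new-auid=/new-ses= names a 3.14 kernel wrote next to the canonical auid=/ses=,
and report what cannot be parsed instead of silently dropping it."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

AUDIT_UID_UNSET = 4294967295  # (unsigned)-1: no loginuid / session id assigned yet
_unset = lambda v: None if v == AUDIT_UID_UNSET else v  # unset marker -> None
# type=<TYPE> msg=audit(<secs>.<millis>:<serial>): <key=value body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value, key="quoted value", or a bare word (an orphaned keyword)
TOKEN_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)|(\S+)')
# Accepted spellings per logical field: canonical name first, then the 3.14 variant.
FIELDS = {"pid": ("pid",), "uid": ("uid",), "res": ("res",),
          "old_auid": ("old-auid",), "auid": ("auid", "new-auid"),
          "old_ses": ("old-ses",), "ses": ("ses", "new-ses")}


class LoginRecord(NamedTuple):
    serial: int
    pid: int
    uid: int
    old_auid: Optional[int]  # None when the kernel reported AUDIT_UID_UNSET
    auid: Optional[int]
    old_ses: Optional[int]
    ses: Optional[int]
    res: int


class ParseResult(NamedTuple):
    record: Optional[LoginRecord]  # None when the line could not be parsed
    problems: Tuple[str, ...]      # empty when the record parsed cleanly


def tokenize(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a record body into key/value pairs and bare words without '='."""
    fields: Dict[str, str] = {}
    orphans: List[str] = []
    for match in TOKEN_RE.finditer(body):
        key, value, bare = match.groups()
        if bare is not None:
            orphans.append(bare)
        else:
            fields[key] = value.strip('"')
    return fields, orphans


def _number(fields, spellings, problems) -> Optional[int]:
    """Integer value of the first accepted spelling present, noting any deviation."""
    for name in spellings:
        if name not in fields:
            continue
        if name != spellings[0]:
            problems.append(f"non-canonical field {name}= (expected {spellings[0]}=)")
        try:
            return int(fields[name])
        except ValueError:
            problems.append(f"non-numeric value for {name}: {fields[name]!r}")
            return None
    problems.append("missing field " + "/".join(spellings))
    return None


def parse_login(line: str) -> ParseResult:
    """Parse one LOGIN record; diagnostics always travel with the result."""
    match = HEADER_RE.match(line.strip())
    if match is None:
        return ParseResult(None, ("unrecognised record header",))
    if match.group("type") != "LOGIN":
        return ParseResult(None, (f"not a LOGIN record: type={match.group('type')}",))
    fields, orphans = tokenize(match.group("body"))
    # A bare word is a dangling keyword, e.g. "old auid=" tokenised as "old" + "auid=".
    problems = [f"orphaned keyword without '=': {word!r}" for word in orphans]
    values = {name: _number(fields, spellings, problems) for name, spellings in FIELDS.items()}
    if any(v is None for v in values.values()):
        return ParseResult(None, tuple(problems))
    record = LoginRecord(
        serial=int(match.group("serial")), pid=values["pid"], uid=values["uid"],
        old_auid=_unset(values["old_auid"]), auid=_unset(values["auid"]),
        old_ses=_unset(values["old_ses"]), ses=_unset(values["ses"]), res=values["res"])
    return ParseResult(record, tuple(problems))


def sessions_from_log(lines):
    """serial -> (auid, ses) for every parseable record, plus one diagnostic entry per
    imperfect or unparseable line, so nothing disappears without a trace."""
    logins, diagnostics = {}, []
    for line in lines:
        record, problems = parse_login(line)
        if record is not None:
            logins[record.serial] = (record.auid, record.ses)
        if problems:
            diagnostics.append((line, problems))
    return logins, diagnostics


# Constructed sample log: line 1 is the 3.14 record quoted in the thread, line 2 the same
# event with the auid=/ses= names restored, line 3 a made-up line in the dangling-keyword shape.
SAMPLE_LOG = [
    "type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 "
    "new-auid=0 old-ses=4294967295 new-ses=121 res=1",
    "type=LOGIN msg=audit(1402934401.462:1627): pid=1719 uid=0 old-auid=4294967295 "
    "auid=0 old-ses=4294967295 ses=121 res=1",
    "type=LOGIN msg=audit(1402934401.462:1628): pid=1720 uid=0 old auid=4294967295 "
    "new auid=1000 old ses=4294967295 new ses=122 res=1",
]
```

Running sessions_from_log(SAMPLE_LOG) yields the two usable (auid, ses) pairs and two diagnostic entries: the 3.14 record parses but is flagged for its non-canonical names, and the dangling-keyword line is rejected with each orphaned word named, which is the information ausearch --debug puts on stderr.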
Re: aulast only displaying reboot pseudo-users
On 14/06/17, Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200 Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400, Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just completely drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null

Anything that gets tossed out will be reported to stderr.

I'm indeed getting quite a lot of skipped events:

Malformed event skipped, rc=7.
type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1

This feels like 2 clear bugs.

1) The kernel records for LOGIN are 'malformed' in 3.14.

Yes. That's why it got fixed for 3.15.

5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it between 3.13 and 3.14-rc1

aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
fixed it between 3.14 and 3.15-rc1

So it is fine in 3.15.

2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

So according to Linus, we (I) violated the thou shalt not break userspace golden rule with the second patch. But it was already broken according to Steve, which is why the first patch was submitted.

ausearch -m LOGIN should be able to display these things...

Agreed. One lesson here? Let's get a minimum useful subset of http://people.redhat.com/sgrubb/audit/audit-parse.txt into the linux-2.6/Documentation/ tree to try to avoid this issue in the future.

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
Re: aulast only displaying reboot pseudo-users
On 14/06/17, Steve Grubb wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200 Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400, Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just completely drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null

Anything that gets tossed out will be reported to stderr.

I'm indeed getting quite a lot of skipped events:

Malformed event skipped, rc=7.
type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1

This feels like 2 clear bugs.

1) The kernel records for LOGIN are 'malformed' in 3.14.

Was the patch sent to stable? If not, could it be?

To the best of my knowledge, no. This sounds reasonable.

2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

ausearch -m LOGIN should be able to display these things...

The problem is that all of the utilities are expecting fields with certain names in a certain order. Moving them around or changing them breaks things. When we add work-arounds, it causes the utilities to run slower because it tries one method and then another. When you run test cases that parse 100 Gb of logs, you'll see the effects of the work-arounds because the search takes minutes rather than seconds. The utilities are tuned for the massive logs use case.

The particular code in question, ausearch-parse.c, is used by both aureport and ausearch. It does not have a concept of completing search criteria and just dumping the record out. There might be something that can be done here, but lots of changes risk breaking things in subtle ways.

-Steve

- RGB
Re: aulast only displaying reboot pseudo-users
On Tue, 17 Jun 2014 10:56:24 -0400 Steve Grubb sgr...@redhat.com wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

ausearch -m LOGIN should be able to display these things...

It does not have a concept of completing search criteria and just dumping the record out. There might be something that can be done here, but lots of changes risk breaking things in subtle ways.

I understand, but I can't imagine any customer that would want these records silently thrown away. When grep is a more reliable tool, we're in trouble :)
Re: aulast only displaying reboot pseudo-users
On Tuesday, June 17, 2014 11:26:01 AM Eric Paris wrote:
On Tue, 17 Jun 2014 10:56:24 -0400 Steve Grubb sgr...@redhat.com wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

ausearch -m LOGIN should be able to display these things...

It does not have a concept of completing search criteria and just dumping the record out. There might be something that can be done here, but lots of changes risk breaking things in subtle ways.

I understand, but I can't imagine any customer that would want these records silently thrown away. When grep is a more reliable tool, we're in trouble :)

Grep is not trying to make sense out of the audit trail. :-)

I checked in a change that helps some, but it only fixes ausearch when loginuid is not specified.
https://fedorahosted.org/audit/changeset/957

-Steve
[PATCH] fixup! audit: use union for audit_field values since they are mutually exclusive
Eric Paris suggested lsm_str and lsm_rule could be added to this optimisation. audit_free_rule needed a bit of re-factoring to accompish this, but nothing too controversial. Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |6 -- kernel/auditfilter.c | 27 --- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 06141b3..36dffec 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -70,10 +70,12 @@ struct audit_field { u32 val; kuid_t uid; kgid_t gid; + struct { + char*lsm_str; + void*lsm_rule; + }; }; u32 op; - char*lsm_str; - void*lsm_rule; }; extern int is_audit_feature_set(int which); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index ea8d389..ff0cb7e 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -71,6 +71,24 @@ static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { DEFINE_MUTEX(audit_filter_mutex); +static void audit_free_lsm_field(struct audit_field *f) +{ + switch (f.type) { + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: + kfree(f-lsm_str); + security_audit_rule_free(f-lsm_rule); + } +} + static inline void audit_free_rule(struct audit_entry *e) { int i; @@ -80,11 +98,8 @@ static inline void audit_free_rule(struct audit_entry *e) if (erule-watch) audit_put_watch(erule-watch); if (erule-fields) - for (i = 0; i erule-field_count; i++) { - struct audit_field *f = erule-fields[i]; - kfree(f-lsm_str); - security_audit_rule_free(f-lsm_rule); - } + for (i = 0; i erule-field_count; i++) + audit_free_lsm_field(erule-fields[i]); kfree(erule-fields); kfree(erule-filterkey); kfree(e); 
@@ -422,8 +437,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, f-type = data-fields[i]; f-val = data-values[i]; - f-lsm_str = NULL; - f-lsm_rule = NULL; /* Support legacy tests for a valid loginuid */ if ((f-type == AUDIT_LOGINUID) (f-val == AUDIT_UID_UNSET)) { -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
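Review bot: `switch (f.type)` in the new audit_free_lsm_field() will not compile: `f` is a pointer, as the `f->lsm_str` / `f->lsm_rule` dereferences two lines further down show, so it has to be `switch (f->type)`. A second, behavioural concern in the audit_data_to_entry() hunk: dropping `f->lsm_str = NULL; f->lsm_rule = NULL;` is required now that those pointers share storage with `val`, but `f->val = data->values[i]` is still written first, so if the entry is freed on an error path before the LSM case has replaced that length with the allocated string, audit_free_lsm_field() will kfree() whatever the u32 bits look like as a pointer. Either clear the union member explicitly for the LSM field types until the string is in place, or keep the length in a local; and the commit message should say plainly that `type` now selects which union member is live.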
[PATCH] [STABLE] audit: remove superfluous new- prefix in AUDIT_LOGIN messages
The new- prefix on ses and auid are un-necessary and break ausearch. Upstream-commit: aa589a1 Cc: sta...@vger.kernel.org # v3.14-rc1 to v3.14 Reported-by: Steve Grubb sgr...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 37e6216..619b58d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1991,7 +1991,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, if (!ab) return; audit_log_format(ab, pid=%d uid=%u - old-auid=%u new-auid=%u old-ses=%u new-ses=%u + old-auid=%u auid=%u old-ses=%u ses=%u res=%d, current-pid, uid, oldloginuid, loginuid, oldsessionid, sessionid, -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
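Review bot: for a stable backport the upstream reference should be the full 40-character commit id in the `commit <sha> upstream.` line that stable maintainers script against, rather than the abbreviated `Upstream-commit: aa589a1`, and the tag is conventionally `Cc: <stable@vger.kernel.org> # 3.14`. The hunk itself is the minimal change: it drops the `new-` prefix so the fields are again emitted as `auid=` and `ses=`, which is exactly the spelling the userspace parsers in this thread key on, while `old-auid=`/`old-ses=` are left alone.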
Re: [Linux-ima-user] [PATCH] audit: fix dangling keywords in integrity ima message output
On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote: Replace spaces in op keyword labels in log output since userspace audit tools can't parse orphaned keywords. The patch didn't apply cleanly to linux-integrity/#next. Please take a look at it (linux-integrity/#next-fixes). thanks, Mimi Reported-by: Steve Grubb sgr...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- security/integrity/ima/ima_appraise.c |2 +- security/integrity/ima/ima_policy.c |6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 734e946..61c95af 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -214,7 +214,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, hash_start = 1; case IMA_XATTR_DIGEST: if (iint-flags IMA_DIGSIG_REQUIRED) { - cause = IMA signature required; + cause = IMA-signature-required; status = INTEGRITY_FAIL; break; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a9c3d3c..dbdc528 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -330,7 +330,7 @@ void __init ima_init_policy(void) void ima_update_policy(void) { const char *op = policy_update; - const char *cause = already exists; + const char *cause = already-exists; int result = 1; int audit_info = 0; @@ -654,7 +654,7 @@ ssize_t ima_parse_add_rule(char *rule) /* Prevent installed policy from changing */ if (ima_rules != ima_default_rules) { integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, - NULL, op, already exists, + NULL, op, already-exists, -EACCES, audit_info); return -EACCES; } 
@@ -680,7 +680,7 @@ ssize_t ima_parse_add_rule(char *rule) if (result) { kfree(entry); integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, - NULL, op, invalid policy, result, + NULL, op, invalid-policy, result, audit_info); return result; } -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
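Review bot: `already-exists` now appears twice (ima_update_policy() and ima_parse_add_rule()) and `invalid-policy` once as bare literals; hoisting them into named constants next to `op` keeps the audit `cause=` vocabulary in one place and turns the next spelling change into a one-line diff. The commit message should also state that the hyphenated forms are a userspace-visible change to `cause=` values, so ausearch/aureport filters or log parsers that match the old spaced strings need updating alongside this patch.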
[PATCH 00/14] audit by executable name
This is a continuation of Peter Moody's, my and Eric Paris' work to implement audit by executable name.

Some of these are obvious. Some demonstrate my lack of understanding of the problem and of the services of fs/notify because they put needless restrictions due to the orthogonal nature of the features involved or attempt to solve problems that don't exist. Posting this now to clarify some of that and move on...

Eric Paris (3):
  audit: implement audit by executable
  audit: clean simple fsnotify implementation
  audit: convert audit_exe to audit_fsnotify

Richard Guy Briggs (11):
  fixup! audit: convert audit_exe to audit_fsnotify
  fixup! audit: clean simple fsnotify implementation
  audit: avoid double copying the audit_exe path string
  fixup! audit: convert audit_exe to audit_fsnotify
  fixup! audit: clean simple fsnotify implementation
  audit: put rule existence check in canonical order
  fixup! audit: implement audit by executable
  fixup! audit: implement audit by executable
  fixup! audit: clean simple fsnotify implementation
  audit: continue fleshing out audit by exe
  audit: enable audit_get/put_mark()

 include/linux/audit.h      |   2 +
 include/uapi/linux/audit.h |   2 +
 kernel/Makefile            |   2 +-
 kernel/audit.h             |  42 +++
 kernel/audit_exe.c         |  50 +
 kernel/audit_fsnotify.c    | 257
 kernel/audit_tree.c        |   2 +-
 kernel/audit_watch.c       |   2 +-
 kernel/auditfilter.c       |  74 -
 kernel/auditsc.c           |  16 +++
 10 files changed, 442 insertions(+), 7 deletions(-)
 create mode 100644 kernel/audit_exe.c
 create mode 100644 kernel/audit_fsnotify.c
[PATCH 11/14] fixup! audit: implement audit by executable
Add space for consistency. --- kernel/auditfilter.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index eede673..f40c13b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1012,6 +1012,7 @@ int audit_del_rule(struct audit_entry *entry) if (e-rule.exe) audit_remove_mark(e-rule.exe); + list_del_rcu(e-list); list_del(e-rule.list); call_rcu(e-rcu, audit_free_rule_rcu); -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
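Review bot: the title 'Add space for consistency' describes a whitespace-only change (a blank line between the audit_remove_mark() block and `list_del_rcu(&e->list)`); as a `fixup!` it should be squashed into 'audit: implement audit by executable' before the series is merged so the whitespace churn never lands as its own commit.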
[PATCH 08/14] fixup! audit: clean simple fsnotify implementation
Remove redundant goto. --- kernel/audit_fsnotify.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index 0fda71f..d169326 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -134,7 +134,6 @@ struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pa if (ret 0) { audit_free_mark(audit_mark); audit_mark = ERR_PTR(ret); - goto out; } out: dput(dentry); -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
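Review bot: the dropped `goto out` was a no-op because `out:` is the very next statement, so the error path in audit_alloc_mark() still frees the mark and returns `ERR_PTR(ret)` as before; this too is a `fixup!` that belongs squashed into 'audit: clean simple fsnotify implementation'.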
[PATCH 09/14] audit: put rule existence check in canonical order
--- kernel/auditfilter.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c52cbc0..cae8eae 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -148,7 +148,7 @@ static inline int audit_to_inode(struct audit_krule *krule, struct audit_field *f) { if (krule-listnr != AUDIT_FILTER_EXIT || - krule-watch || krule-inode_f || krule-tree || + krule-inode_f || krule-watch || krule-tree || (f-op != Audit_equal f-op != Audit_not_equal)) return -EINVAL; -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
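Review bot: the commit has no body explaining what 'canonical order' means; one sentence noting that `inode_f`, `watch`, `tree` is the order in which these rule members are tested elsewhere would make a pure reordering of `||` operands reviewable at a glance. Since the three tests are side-effect-free pointer checks, the reorder has no behavioural effect.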
[PATCH 03/14] audit: convert audit_exe to audit_fsnotify
From: Eric Paris epa...@redhat.com Instead of just hard coding the ino and dev of the executable we care about at the moment the rule is inserted into the kernel, use the new audit_fsnotify infrastructure. This means that if the inode in question is unlinked and creat'd (aka updated) the rule will just continue to work. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |2 +- kernel/audit.h| 31 - kernel/audit_exe.c| 87 +++-- kernel/auditfilter.c | 18 ++ 4 files changed, 31 insertions(+), 107 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 227171c..f2a8044 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -59,7 +59,7 @@ struct audit_krule { struct audit_field *inode_f; /* quick access to an inode field */ struct audit_watch *watch; /* associated watch */ struct audit_tree *tree; /* associated watched tree */ - struct audit_exe*exe; + struct audit_fsnotify_mark *exe; struct list_headrlist; /* entry in audit_{watch,tree}.rules list */ struct list_headlist; /* for AUDIT_LIST* purposes only */ u64 prio; diff --git a/kernel/audit.h b/kernel/audit.h index 8d863d4..61688ba 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -57,7 +57,6 @@ enum audit_state { /* Rule lists */ struct audit_watch; struct audit_fsnotify_mark; -struct audit_exe; struct audit_tree; struct audit_chunk; 
@@ -289,11 +288,8 @@ char *audit_mark_path(struct audit_fsnotify_mark *mark); void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); -int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op); -void audit_remove_exe_rule(struct audit_krule *krule); -char *audit_exe_path(struct audit_exe *exe); int audit_dup_exe(struct audit_krule *new, struct audit_krule *old); -int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe); +int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark); #else #define audit_put_watch(w) {} @@ -320,31 +316,18 @@ static inline void audit_remove_mark(struct audit_fsnotify_mark *audit_mark) BUG(); } -static inline int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev) +static inline int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark) { BUG(); - return 0; -} - -static inline int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op) { return -EINVAL; } -static inline void audit_remove_exe_rule(struct audit_krule *krule) { - BUG(); - return 0; -} -static inline char *audit_exe_path(struct audit_exe *exe) { - BUG(); - return ; -} -static inline int audit_dup_exe(struct audit_krule *new, struct audit_krule *old) { - BUG(); - return -EINVAL -} -static inline int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe) { + +static inline int audit_dup_exe(struct audit_krule *new, struct audit_krule *old) +{ BUG(); - return 0; + return -EINVAL; } + #endif /* CONFIG_AUDIT_WATCH */ #ifdef CONFIG_AUDIT_TREE diff --git a/kernel/audit_exe.c b/kernel/audit_exe.c index 09c436c..d704a54 100644 --- a/kernel/audit_exe.c +++ b/kernel/audit_exe.c 
@@ -21,93 +21,30 @@ #include linux/kernel.h #include linux/audit.h -#include linux/mutex.h #include linux/fs.h #include linux/namei.h #include linux/slab.h #include audit.h -struct audit_exe { - char *pathname; - unsigned long ino; - dev_t dev; -}; - -/* Translate a watch string to kernel respresentation. */ -int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op) -{ - struct audit_exe *exe; - struct path path; - struct dentry *dentry; - unsigned long ino; - dev_t dev; - - if (pathname[0] != '/' || pathname[len-1] == '/') - return -EINVAL; - - dentry = kern_path_locked(pathname, path); - if (IS_ERR(dentry)) - return PTR_ERR(dentry); - mutex_unlock(path.dentry-d_inode-i_mutex); - - if (!dentry-d_inode) - return -ENOENT; - dev = dentry-d_inode-i_sb-s_dev; - ino = dentry-d_inode-i_ino; - dput(dentry); - - exe = kmalloc(sizeof(*exe), GFP_KERNEL); - if (!exe) - return -ENOMEM; - exe-ino = ino; - exe-dev = dev; - exe-pathname = pathname; - krule-exe = exe; - - return 0; -} - -void audit_remove_exe_rule(struct audit_krule *krule) -{ - struct audit_exe *exe; - - exe = krule-exe; - krule-exe = NULL; - kfree(exe-pathname); - kfree(exe); -} -
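Review bot: in the `#else` (CONFIG_AUDIT_WATCH=n) branch of kernel/audit.h the stub for audit_mark_compare() is removed and replaced by an audit_exe_compare() stub, while the real audit_mark_compare() declaration in the `#ifdef` branch stays; unless every caller of audit_mark_compare() is compiled only with CONFIG_AUDIT_WATCH, a !WATCH build now has an undeclared call, so please build-test with that option off. The commit message should also mention that `struct audit_exe`, audit_make_exe_rule() and audit_remove_exe_rule() are deleted outright from kernel/audit_exe.c, since the diffstat alone does not make the scope of the removal obvious.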
[PATCH 07/14] fixup! audit: convert audit_exe to audit_fsnotify
Put audit_alloc_mark() arguments in same order as watch, tree and inode. --- kernel/audit.h |2 +- kernel/audit_exe.c |2 +- kernel/audit_fsnotify.c |2 +- kernel/auditfilter.c|2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 61688ba..7bf3138 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -283,7 +283,7 @@ extern void audit_remove_watch_rule(struct audit_krule *krule); extern char *audit_watch_path(struct audit_watch *watch); extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev); -struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct audit_krule *krule); +struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len); char *audit_mark_path(struct audit_fsnotify_mark *mark); void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); diff --git a/kernel/audit_exe.c b/kernel/audit_exe.c index d704a54..42c6f55 100644 --- a/kernel/audit_exe.c +++ b/kernel/audit_exe.c @@ -33,7 +33,7 @@ int audit_dup_exe(struct audit_krule *new, struct audit_krule *old) pathname = audit_mark_path(old-exe); - audit_mark = audit_alloc_mark(pathname, strlen(pathname), new); + audit_mark = audit_alloc_mark(new, pathname, strlen(pathname)); if (IS_ERR(audit_mark)) return PTR_ERR(audit_mark); new-exe = audit_mark; diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index 07e..0fda71f 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -92,7 +92,7 @@ int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_ (mark-dev == dev)); } -struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct audit_krule *krule) +struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len) { struct audit_fsnotify_mark *audit_mark; struct path path; 
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 5679b61..c52cbc0 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -560,7 +560,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, } entry-rule.buflen += f-val; - audit_mark = audit_alloc_mark(str, f-val, entry-rule); + audit_mark = audit_alloc_mark(entry-rule, str, f-val); if (IS_ERR(audit_mark)) { kfree(str); err = PTR_ERR(audit_mark); -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
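Review bot: the argument order of audit_alloc_mark() is changed in the CONFIG_AUDIT_WATCH declaration and in both callers, but the `#else` stub introduced by PATCH 02/14 of this series (`static inline struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct audit_krule *krule)`) keeps the old order and is not touched here (the diffstat shows a single changed line in kernel/audit.h); with CONFIG_AUDIT_WATCH=n the updated callers would pass a `struct audit_krule *` where the stub expects `char *`. Update the stub in the same fixup.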
[PATCH 06/14] audit: avoid double copying the audit_exe path string
--- kernel/audit_fsnotify.c | 12 ++-- kernel/auditfilter.c|2 +- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index 707df2b..07e 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -99,7 +99,6 @@ struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct aud struct dentry *dentry; struct inode *inode; unsigned long ino; - char *local_pathname; dev_t dev; int ret; @@ -120,20 +119,13 @@ struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct aud ino = dentry-d_inode-i_ino; } - audit_mark = ERR_PTR(-ENOMEM); - local_pathname = kstrdup(pathname, GFP_KERNEL); - if (!local_pathname) - goto out; - audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL); - if (unlikely(!audit_mark)) { - kfree(local_pathname); + if (unlikely(!audit_mark)) goto out; - } fsnotify_init_mark(audit_mark-mark, audit_free_fsnotify_mark); audit_mark-mark.mask = AUDIT_FS_EVENTS; - audit_mark-path = local_pathname; + audit_mark-path = pathname; audit_mark-ino = ino; audit_mark-dev = dev; audit_mark-rule = krule; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 94b6af1..5679b61 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -561,8 +561,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry-rule.buflen += f-val; audit_mark = audit_alloc_mark(str, f-val, entry-rule); - kfree(str); if (IS_ERR(audit_mark)) { + kfree(str); err = PTR_ERR(audit_mark); goto exit_free; } -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
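Review bot: the commit has no message body, and the ownership change deserves one: after this patch audit_alloc_mark() stores the caller's buffer directly (`audit_mark->path = pathname`), so the caller must free `str` only on failure, which is what the auditfilter.c hunk does by moving `kfree(str)` inside the `IS_ERR(audit_mark)` branch. Add a comment on audit_alloc_mark() saying it takes ownership of `pathname` on success, and confirm that the mark's free routine still frees `path` now that it is no longer a kstrdup() copy, otherwise the success path leaks the string.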
[PATCH 04/14] fixup! audit: convert audit_exe to audit_fsnotify
Remove unnecessary space. --- kernel/auditfilter.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 30091ce..94b6af1 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -551,7 +551,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, break; case AUDIT_EXE: case AUDIT_EXE_CHILDREN: - if (entry-rule.exe || f-val PATH_MAX) goto exit_free; str = audit_unpack_string(bufp, remain, f-val); -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
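Review bot: the hunk shows a single `-` line in the AUDIT_EXE / AUDIT_EXE_CHILDREN case; if that is the blank line ahead of the `if (entry->rule.exe || f->val > PATH_MAX) goto exit_free;` guard, as the title suggests, say 'blank line' rather than 'space' in the title. Verify the guard itself survives the change, since an unconditional `goto exit_free` at that point would reject every exe rule.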
[PATCH 02/14] audit: clean simple fsnotify implementation
From: Eric Paris epa...@redhat.com This is to be used to audit by executable rules, but audit watches should be able to share this code eventually. At the moment the audit watch code is a lot more complex, that code only creates one fsnotify watch per parent directory. That 'audit_parent' in turn has a list of 'audit_watches' which contain the name, ino, dev of the specific object we care about. This just creates one fsnotify watch per object we care about. So if you watch 100 inodes in /etc this code will create 100 fsnotify watches on /etc. The audit_watch code will instead create 1 fsnotify watch on /etc (the audit_parent) and then 100 individual watches chained from that fsnotify mark. We should be able to convert the audit_watch code to do one fsnotify mark per watch and simplify things/remove a whole lot of code. After that conversion we should be able to convert the audit_fsnotify code to support that hierarchy if the optomization is necessary. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/Makefile |2 +- kernel/audit.h | 29 ++ kernel/audit_fsnotify.c | 251 +++ kernel/auditfilter.c|2 +- 4 files changed, 282 insertions(+), 2 deletions(-) create mode 100644 kernel/audit_fsnotify.c diff --git a/kernel/Makefile b/kernel/Makefile index a1d5715..32617ef 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -61,7 +61,7 @@ obj-$(CONFIG_SMP) += stop_machine.o obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o obj-$(CONFIG_AUDIT) += audit.o auditfilter.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o audit_fsnotify.o obj-$(CONFIG_AUDIT_TREE) += audit_tree.o obj-$(CONFIG_GCOV_KERNEL) += gcov/ obj-$(CONFIG_KPROBES) += kprobes.o diff --git a/kernel/audit.h b/kernel/audit.h index 58ed955..8d863d4 100644 --- a/kernel/audit.h +++ b/kernel/audit.h 
@@ -56,6 +56,7 @@ enum audit_state { /* Rule lists */ struct audit_watch; +struct audit_fsnotify_mark; struct audit_exe; struct audit_tree; struct audit_chunk; @@ -267,6 +268,7 @@ struct audit_net { extern int selinux_audit_rule_update(void); extern struct mutex audit_filter_mutex; +extern int audit_del_rule(struct audit_entry *); extern void audit_free_rule_rcu(struct rcu_head *); extern struct list_head audit_filter_list[]; @@ -282,6 +284,11 @@ extern void audit_remove_watch_rule(struct audit_krule *krule); extern char *audit_watch_path(struct audit_watch *watch); extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev); +struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct audit_krule *krule); +char *audit_mark_path(struct audit_fsnotify_mark *mark); +void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); +int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); + int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op); void audit_remove_exe_rule(struct audit_krule *krule); char *audit_exe_path(struct audit_exe *exe); @@ -297,6 +304,28 @@ int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe); #define audit_watch_path(w) #define audit_watch_compare(w, i, d) 0 +static inline struct audit_fsnotify_mark *audit_alloc_mark(char *pathname, int len, struct audit_krule *krule) +{ + return ERR_PTR(-EINVAL); +} + +static inline char *audit_mark_path(struct audit_fsnotify_mark *mark) +{ + BUG(); + return ; +} + +static inline void audit_remove_mark(struct audit_fsnotify_mark *audit_mark) +{ + BUG(); +} + +static inline int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev) +{ + BUG(); + return 0; +} + static inline int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op) { return -EINVAL; } 
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c new file mode 100644 index 000..d0aa8f5 --- /dev/null +++ b/kernel/audit_fsnotify.c @@ -0,0 +1,251 @@ +/* audit_watch.c -- watching inodes + * + * Copyright 2003-2009 Red Hat, Inc. + * Copyright 2005 Hewlett-Packard Development Company, L.P. + * Copyright 2005 IBM Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not,
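Review bot: The header comment of the new kernel/audit_fsnotify.c still reads `/* audit_watch.c -- watching inodes` with the 2003-2009 Red Hat / HP / IBM copyright block, i.e. it was copied verbatim from audit_watch.c; it should name audit_fsnotify.c and describe what the file does (one fsnotify mark per watched object, as the commit message explains).

Review bot: In the kernel/audit.h hunk the !CONFIG_AUDIT_WATCH stubs for audit_mark_path(), audit_remove_mark() and audit_mark_compare() call BUG(), while the neighbouring watch stubs are harmless macros (`#define audit_watch_compare(w, i, d) 0`); since audit_alloc_mark() returns ERR_PTR(-EINVAL) in that configuration no exe mark can ever exist, so returning the same defaults without panicking is the safer choice. The newly exported `extern int audit_del_rule(struct audit_entry *);` also deserves a comment stating which lock the fsnotify-side caller must hold, given that `audit_filter_mutex` is declared right above it and protects the rule lists.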
[PATCH 13/14] audit: continue fleshing out audit by exe
--- include/linux/audit.h |1 + kernel/audit.h |1 + kernel/audit_fsnotify.c | 15 +++ kernel/auditfilter.c| 21 - 4 files changed, 37 insertions(+), 1 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index f2a8044..0bb9ea6 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -43,6 +43,7 @@ struct mq_attr; struct mqstat; struct audit_watch; struct audit_tree; +struct audit_fsnotify_mark; struct sk_buff; struct audit_krule { diff --git a/kernel/audit.h b/kernel/audit.h index 7bf3138..2093c5e 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -285,6 +285,7 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len); char *audit_mark_path(struct audit_fsnotify_mark *mark); +int audit_add_mark_rule(struct audit_krule *krule, struct list_head **list); void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index efefa16..cc4175a 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -161,6 +161,21 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c audit_log_end(ab); } +int audit_add_mark_rule(struct audit_krule *krule, struct list_head **list) +{ + struct audit_fsnotify_mark *audit_mark; + int h, ret = 0; + + if (krule-exe) + audit_mark = krule-exe; + else + return -EINVAL; //XXX + + h = audit_hash_ino((u32)audit_mark-ino); + *list = audit_inode_hash[h]; + return ret; +} + static int audit_update_mark(struct audit_fsnotify_mark *audit_mark, struct inode *inode) { diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f40c13b..7b6e892 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c 
@@ -34,6 +34,7 @@ #include net/net_namespace.h #include net/sock.h #include audit.h +#include linux/fsnotify_backend.h /* * Locking model: @@ -79,6 +80,8 @@ static inline void audit_free_rule(struct audit_entry *e) /* some rules don't have associated watches */ if (erule-watch) audit_put_watch(erule-watch); + if (erule-exe) + fsnotify_put_mark(erule-exe-mark); if (erule-fields) for (i = 0; i erule-field_count; i++) { struct audit_field *f = erule-fields[i]; @@ -566,6 +569,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, err = PTR_ERR(audit_mark); goto exit_free; } + fsnotify_get_mark(audit_mark-mark); entry-rule.exe = audit_mark; break; } @@ -582,6 +586,8 @@ exit_free: audit_put_watch(entry-rule.watch); /* matches initial get */ if (entry-rule.tree) audit_put_tree(entry-rule.tree); /* that's the temporary one */ + if (entry-rule.exe) + fsnotify_put_mark(entry-rule.exe-mark); /* matches initial get */ audit_free_rule(entry); return ERR_PTR(err); } @@ -866,7 +872,7 @@ static struct audit_entry *audit_find_rule(struct audit_entry *entry, if (entry-rule.inode_f) { h = audit_hash_ino(entry-rule.inode_f-val); *p = list = audit_inode_hash[h]; - } else if (entry-rule.watch) { + } else if (entry-rule.watch || entry-rule.exe) { /* we don't know the inode number, so must walk entire hash */ for (h = 0; h AUDIT_INODE_BUCKETS; h++) { list = audit_inode_hash[h]; @@ -900,6 +906,7 @@ static inline int audit_add_rule(struct audit_entry *entry) struct audit_entry *e; struct audit_watch *watch = entry-rule.watch; struct audit_tree *tree = entry-rule.tree; + struct audit_fsnotify_mark *exe = entry-rule.exe; struct list_head *list; int err; #ifdef CONFIG_AUDITSYSCALL 
@@ -943,6 +950,13 @@ static inline int audit_add_rule(struct audit_entry *entry) goto error; } } + if (exe) { + err = audit_add_mark_rule(entry-rule, list); + if (err) { + mutex_unlock(audit_filter_mutex); + goto error; + } + } entry-rule.prio = ~0ULL; if (entry-rule.listnr == AUDIT_FILTER_EXIT) { @@ -976,6 +990,8 @@ static inline int audit_add_rule(struct audit_entry *entry) error: if (watch) audit_put_watch(watch); /* tmp watch, matches initial get */ + if (exe) +
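Review bot: audit_add_mark_rule() in the kernel/audit_fsnotify.c hunk declares `int h, ret = 0;` but never assigns ret, and the `else return -EINVAL; //XXX` branch is unreachable from the only caller shown (audit_add_rule() invokes it under `if (exe)`); drop ret and return 0 directly, and either remove the XXX branch or make it a WARN_ON-style guard with a `/* */` comment, as `//` comments are not kernel style.

Review bot: In the kernel/auditfilter.c hunk audit_find_rule() now walks every bucket for an exe rule (`else if (entry->rule.watch || entry->rule.exe)`) under the comment "we don't know the inode number", yet audit_add_mark_rule() in the same patch hashes `audit_mark->ino` directly; the exe case can hash `entry->rule.exe->ino` and go straight to one bucket like the inode_f case does. Two smaller points: the reference balance relies on audit_alloc_mark() returning the mark with exactly one reference, because audit_data_to_entry() takes an extra fsnotify_get_mark() right after it and both exit_free and audit_free_rule() drop one, so a comment at the get site stating that ownership would help; and the new `#include <linux/fsnotify_backend.h>` lands after `#include "audit.h"`, whereas the file keeps linux/ and net/ headers ahead of the local header.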
[PATCH 01/14] audit: implement audit by executable
From: Eric Paris epa...@redhat.com This patch implements the ability to filter on the executable. It is clearly incomplete! This patch adds the inode/dev of the executable at the moment the rule is loaded. It does not update if the executable is updated/moved/whatever. That should be added. But at this moment, this patch works. Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com Cc: r...@redhat.com Based-on-idea-by: Peter Moody pmo...@google.com Cc: pmo...@google.com Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |1 + include/uapi/linux/audit.h |2 + kernel/Makefile|2 +- kernel/audit.h | 27 ++ kernel/audit_exe.c | 113 kernel/auditfilter.c | 43 + kernel/auditsc.c | 16 ++ 7 files changed, 203 insertions(+), 1 deletions(-) create mode 100644 kernel/audit_exe.c diff --git a/include/linux/audit.h b/include/linux/audit.h index 22cfddb..227171c 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -59,6 +59,7 @@ struct audit_krule { struct audit_field *inode_f; /* quick access to an inode field */ struct audit_watch *watch; /* associated watch */ struct audit_tree *tree; /* associated watched tree */ + struct audit_exe*exe; struct list_headrlist; /* entry in audit_{watch,tree}.rules list */ struct list_headlist; /* for AUDIT_LIST* purposes only */ u64 prio; diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 573dc36..f4a72b9 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -266,6 +266,8 @@ #define AUDIT_OBJ_UID 109 #define AUDIT_OBJ_GID 110 #define AUDIT_FIELD_COMPARE111 +#define AUDIT_EXE 112 +#define AUDIT_EXE_CHILDREN 113 #define AUDIT_ARG0 200 #define AUDIT_ARG1 (AUDIT_ARG0+1) diff --git a/kernel/Makefile b/kernel/Makefile index bc010ee..a1d5715 100644 --- a/kernel/Makefile +++ b/kernel/Makefile 
@@ -61,7 +61,7 @@ obj-$(CONFIG_SMP) += stop_machine.o obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o obj-$(CONFIG_AUDIT) += audit.o auditfilter.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o obj-$(CONFIG_AUDIT_TREE) += audit_tree.o obj-$(CONFIG_GCOV_KERNEL) += gcov/ obj-$(CONFIG_KPROBES) += kprobes.o diff --git a/kernel/audit.h b/kernel/audit.h index 7bb6573..58ed955 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -56,6 +56,7 @@ enum audit_state { /* Rule lists */ struct audit_watch; +struct audit_exe; struct audit_tree; struct audit_chunk; @@ -280,6 +281,13 @@ extern int audit_add_watch(struct audit_krule *krule, struct list_head **list); extern void audit_remove_watch_rule(struct audit_krule *krule); extern char *audit_watch_path(struct audit_watch *watch); extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev); + +int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op); +void audit_remove_exe_rule(struct audit_krule *krule); +char *audit_exe_path(struct audit_exe *exe); +int audit_dup_exe(struct audit_krule *new, struct audit_krule *old); +int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe); + #else #define audit_put_watch(w) {} #define audit_get_watch(w) {} 
@@ -289,6 +297,25 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev #define audit_watch_path(w) #define audit_watch_compare(w, i, d) 0 +static inline int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op) { + return -EINVAL; +} +static inline void audit_remove_exe_rule(struct audit_krule *krule) { + BUG(); + return 0; +} +static inline char *audit_exe_path(struct audit_exe *exe) { + BUG(); + return ; +} +static inline int audit_dup_exe(struct audit_krule *new, struct audit_krule *old) { + BUG(); + return -EINVAL +} +static inline int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe) { + BUG(); + return 0; +} #endif /* CONFIG_AUDIT_WATCH */ #ifdef CONFIG_AUDIT_TREE diff --git a/kernel/audit_exe.c b/kernel/audit_exe.c new file mode 100644 index 000..09c436c --- /dev/null +++ b/kernel/audit_exe.c @@ -0,0 +1,113 @@ +/* audit_exe.c -- filtering of audit events + * + * Copyright 2014 Red Hat, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even
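Review bot: The !CONFIG_AUDIT_WATCH stubs added to kernel/audit.h do not compile: audit_remove_exe_rule() is declared `static inline void` but contains `return 0;`, and audit_dup_exe() has `return -EINVAL` with no semicolon. They sit in the `#else` branch, so a build with CONFIG_AUDIT_WATCH=n is needed to catch them. While there, the stubs for audit_remove_exe_rule(), audit_exe_path(), audit_dup_exe() and audit_exe_compare() call BUG(), whereas the existing watch stubs beside them are no-op macros (`#define audit_put_watch(w) {}`, `#define audit_watch_compare(w, i, d) 0`); since audit_make_exe_rule() already fails with -EINVAL in that configuration, matching the no-op pattern is the safer default.

Review bot: The include/uapi/linux/audit.h hunk adds AUDIT_EXE (112) and AUDIT_EXE_CHILDREN (113) as userspace-visible field types, but the commit message only describes filtering on the executable of the task itself; document the intended semantics of AUDIT_EXE_CHILDREN (which ancestors are compared, and what happens once the parent exits) before the values are frozen as ABI, especially as the message itself notes that the inode/dev snapshot is taken at rule-load time and never refreshed.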
[PATCH 12/14] fixup! audit: clean simple fsnotify implementation
Rename audit_remove_rule() to audit_remove_mark_rule(). --- kernel/audit_fsnotify.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index d169326..efefa16 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -180,7 +180,7 @@ void audit_remove_mark(struct audit_fsnotify_mark *audit_mark) fsnotify_put_mark(audit_mark-mark); } -static void audit_remove_rule(struct audit_fsnotify_mark *audit_mark) +static void audit_remove_mark_rule(struct audit_fsnotify_mark *audit_mark) { struct audit_krule *rule = audit_mark-rule; struct audit_entry *entry = container_of(rule, struct audit_entry, rule); @@ -221,7 +221,7 @@ static int audit_mark_handle_event(struct fsnotify_group *group, return 0; audit_update_mark(audit_mark, inode); } else if (mask (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF)) - audit_remove_rule(audit_mark); + audit_remove_mark_rule(audit_mark); return 0; } -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
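Review bot: The rename is right: audit_remove_mark_rule() now pairs with audit_remove_mark() two hunks up and no longer collides in name with audit_del_rule() exported from auditfilter.c. As a `fixup!` commit this should be squashed into 02/14 before merging, and the squashed message is the place to note that, unlike a path watch, an exe rule is removed outright when the executable sees FS_DELETE_SELF, FS_UNMOUNT or FS_MOVE_SELF, which is the behaviour audit_mark_handle_event() shows here.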
[PATCH 14/14] audit: enable audit_get/put_mark()
--- kernel/audit.h |2 ++ kernel/audit_fsnotify.c |6 +++--- kernel/auditfilter.c| 10 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 2093c5e..3151ae5 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -288,6 +288,8 @@ char *audit_mark_path(struct audit_fsnotify_mark *mark); int audit_add_mark_rule(struct audit_krule *krule, struct list_head **list); void audit_remove_mark(struct audit_fsnotify_mark *audit_mark); int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev); +void audit_get_mark(struct audit_fsnotify_mark *audit_mark); +void audit_put_mark(struct audit_fsnotify_mark *audit_mark); int audit_dup_exe(struct audit_krule *new, struct audit_krule *old); int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark); diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index cc4175a..f5789e1 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -65,14 +65,14 @@ static void audit_free_fsnotify_mark(struct fsnotify_mark *mark) audit_free_mark(audit_mark); } -#if 0 /* not sure if we need these... */ -static void audit_get_mark(struct audit_fsnotify_mark *audit_mark) +#if 1 /* not sure if we need these... */ +void audit_get_mark(struct audit_fsnotify_mark *audit_mark) { if (likely(audit_mark)) fsnotify_get_mark(audit_mark-mark); } -static void audit_put_mark(struct audit_fsnotify_mark *audit_mark) +void audit_put_mark(struct audit_fsnotify_mark *audit_mark) { if (likely(audit_mark)) fsnotify_put_mark(audit_mark-mark); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 7b6e892..3d168ca 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c 
@@ -81,7 +81,7 @@ static inline void audit_free_rule(struct audit_entry *e) if (erule-watch) audit_put_watch(erule-watch); if (erule-exe) - fsnotify_put_mark(erule-exe-mark); + audit_put_mark(erule-exe); if (erule-fields) for (i = 0; i erule-field_count; i++) { struct audit_field *f = erule-fields[i]; @@ -569,7 +569,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, err = PTR_ERR(audit_mark); goto exit_free; } - fsnotify_get_mark(audit_mark-mark); + audit_get_mark(audit_mark); entry-rule.exe = audit_mark; break; } @@ -587,7 +587,7 @@ exit_free: if (entry-rule.tree) audit_put_tree(entry-rule.tree); /* that's the temporary one */ if (entry-rule.exe) - fsnotify_put_mark(entry-rule.exe-mark); /* matches initial get */ + audit_put_mark(entry-rule.exe); /* matches initial get */ audit_free_rule(entry); return ERR_PTR(err); } @@ -991,7 +991,7 @@ error: if (watch) audit_put_watch(watch); /* tmp watch, matches initial get */ if (exe) - fsnotify_put_mark(exe-mark); /* tmp mark, matches initial get */ + audit_put_mark(exe); /* tmp mark, matches initial get */ return err; } @@ -1049,7 +1049,7 @@ out: if (tree) audit_put_tree(tree); /* that's the temporary one */ if (exe) - fsnotify_put_mark(exe-mark); /* match initial get */ + audit_put_mark(exe);/* match initial get */ return ret; } -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
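Review bot: The kernel/audit_fsnotify.c hunk changes `#if 0 /* not sure if we need these... */` to `#if 1` with the same stale comment; now that audit_get_mark()/audit_put_mark() are exported in kernel/audit.h and used from kernel/auditfilter.c, drop the `#if`/`#endif` pair and the comment entirely. The `if (likely(audit_mark))` NULL checks inside the wrappers duplicate every caller shown (`if (erule->exe)`, `if (entry->rule.exe)`, `if (exe)`); keeping the check in the wrappers and dropping it from callers would be the cleaner end state, otherwise the auditfilter.c hunks are a mechanical and correct swap of fsnotify_{get,put}_mark(&x->mark) for the wrappers.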
[PATCH 10/14] fixup! audit: implement audit by executable
Check for existence of exe rule. --- kernel/audit_tree.c |2 +- kernel/audit_watch.c |2 +- kernel/auditfilter.c |4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 135944a..b4bf5d2 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c @@ -632,7 +632,7 @@ int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op) if (pathname[0] != '/' || rule-listnr != AUDIT_FILTER_EXIT || op != Audit_equal || - rule-inode_f || rule-watch || rule-tree) + rule-inode_f || rule-watch || rule-exe || rule-tree) return -EINVAL; rule-tree = alloc_tree(pathname); if (!rule-tree) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 70b4554..1169de3 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -196,7 +196,7 @@ int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op) if (path[0] != '/' || path[len-1] == '/' || krule-listnr != AUDIT_FILTER_EXIT || op != Audit_equal || - krule-inode_f || krule-watch || krule-tree) + krule-inode_f || krule-watch || krule-exe || krule-tree) return -EINVAL; watch = audit_init_watch(path); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index cae8eae..eede673 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -148,7 +148,7 @@ static inline int audit_to_inode(struct audit_krule *krule, struct audit_field *f) { if (krule-listnr != AUDIT_FILTER_EXIT || - krule-inode_f || krule-watch || krule-tree || + krule-inode_f || krule-watch || krule-exe || krule-tree || (f-op != Audit_equal f-op != Audit_not_equal)) return -EINVAL; 
@@ -1423,7 +1423,7 @@ static int update_lsm_rule(struct audit_krule *r) list_del_rcu(entry-list); list_del(r-list); } else { - if (r-watch || r-tree) + if (r-watch || r-exe || r-tree) list_replace_init(r-rlist, nentry-rule.rlist); list_replace_rcu(entry-list, nentry-list); list_replace(r-list, nentry-rule.list); -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
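Review bot: The hunks add `rule->exe` to the mutual-exclusion checks in audit_make_tree(), audit_to_watch() and audit_to_inode(), and to the rlist test in update_lsm_rule(); what is not shown is the reverse direction, so please confirm that audit_make_exe_rule() from 01/14 rejects a krule that already carries inode_f, watch or tree, otherwise exclusivity depends on the order in which fields appear in the rule. For the update_lsm_rule() hunk, also check that an exe rule's rlist is actually linked into a list somewhere (01/14 documents rlist as the entry in audit_{watch,tree}.rules, and nothing in this series shows it being linked for exe marks), since list_replace_init() on an unlinked head leaves nentry pointing at a dangling node. As a `fixup!` this belongs squashed into 01/14, where the exe member was introduced.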