Re: [PATCH] auditd: fix missing space with enriched log format
On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
> When audit.log is opened with cat or less, for example, with log format
> = ENRICHED, there's no space between data and the enriched part, only
> AUDIT_INTERP_SEPARATOR (0x1d):

This is by design.

> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo"
> AUID="unset" ^ (0x1d)
>
> sep_done should be checked if it's 1 as well, so a space is added before
> the first enriched field.

Why?

Thanks,
-Steve

> Signed-off-by: Enzo Matsumiya
> ---
> src/auditd-event.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/auditd-event.c b/src/auditd-event.c > index 788c44a08197..636553187279 100644 > --- a/src/auditd-event.c > +++ b/src/auditd-event.c > @@ -365,7 +365,7 @@ static int add_simple_field(auparse_state_t *au, size_t > len_left, int encode) > > // Setup pointer > ptr = &format_buf[FORMAT_BUF_LEN - len_left]; > - if (sep_done > 1) { > + if (sep_done >= 1) { > *ptr = ' '; > ptr++; > num = 1;

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
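The record layout discussed in this message, a raw part followed by AUDIT_INTERP_SEPARATOR (0x1d) and then the enriched fields, can be split by a consumer without relying on any space at the boundary. The following is an added example, not code from the audit project; `split_enriched` and `enriched_get` are hypothetical names, and it assumes enriched fields have the `NAME="value"` form shown in the quoted record.

```c
#include <stdio.h>
#include <string.h>
#define AUDIT_INTERP_SEPARATOR 0x1D /* separator byte named in the thread */

/* Hypothetical helper: cut rec at the separator; returns the enriched part or NULL. */
static char *split_enriched(char *rec)
{
    char *sep = strchr(rec, AUDIT_INTERP_SEPARATOR);
    if (sep)
        *sep++ = '\0';
    return sep;
}

/* Copy the value of NAME="value" into out; -1 if absent, malformed or too long. */
static int enriched_get(const char *p, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    while (*p) {
        p += strspn(p, " ");
        size_t n = strcspn(p, "= ");      /* length of this field's name */
        if (p[n] == '=' && p[n + 1] == '"') {
            const char *v = p + n + 2, *end = strchr(v, '"');
            if (!end)
                return -1;                 /* unterminated quote */
            if (n == nlen && memcmp(p, name, n) == 0) {
                if ((size_t)(end - v) >= outlen)
                    return -1;
                memcpy(out, v, (size_t)(end - v));
                out[end - v] = '\0';
                return 0;
            }
            p = end + 1;
        } else {
            p += n + strcspn(p + n, " "); /* skip a token that is not NAME="..." */
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample, abridged from the record quoted in the thread. */
    char rec[] = "type=USER_CMD msg=audit(1631669179.082:2403): res=success'"
                 "\x1d" "UID=\"enzo\" AUID=\"unset\"";
    char uid[32], *enr = split_enriched(rec);
    if (enr && enriched_get(enr, "UID", uid, sizeof(uid)) == 0)
        printf("raw=[%s]\nUID=%s\n", rec, uid);
    return 0;
}
```

Field names are compared at the start of each field only, so a lookup for `UID` does not match inside `AUID`.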
[PATCH] auditd: fix missing space with enriched log format
When audit.log is opened with cat or less, for example, with log format = ENRICHED, there's no space between data and the enriched part, only AUDIT_INTERP_SEPARATOR (0x1d):

type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo" AUID="unset" ^ (0x1d)

sep_done should be checked if it's 1 as well, so a space is added before the first enriched field.

Signed-off-by: Enzo Matsumiya
---
src/auditd-event.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auditd-event.c b/src/auditd-event.c index 788c44a08197..636553187279 100644 --- a/src/auditd-event.c +++ b/src/auditd-event.c @@ -365,7 +365,7 @@ static int add_simple_field(auparse_state_t *au, size_t len_left, int encode) // Setup pointer ptr = &format_buf[FORMAT_BUF_LEN - len_left]; - if (sep_done > 1) { + if (sep_done >= 1) { *ptr = ' '; ptr++; num = 1;
--
2.33.0
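Review bot: in add_simple_field(), the test `if (sep_done >= 1)` now also writes a space for the case sep_done == 1, but neither the hunk nor the commit message says what each value of sep_done stands for, so it cannot be told from the patch whether the old `> 1` test was deliberate. Please describe the sep_done states in the commit message or in a comment above the test, say whether the added space lands before or after the 0x1d byte, and confirm that len_left still leaves room for the extra byte written through `*ptr = ' '` in the newly covered case.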
[PATCH v2] audit: Convert to SPDX identifier
Use SPDX-License-Identifier instead of a verbose license text.

Signed-off-by: Cai Huoqing
---
v1->v2: Change recommended token from "GPL-2.0+" to "GPL-2.0-or-later"

kernel/auditsc.c | 15 +--
1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8dd73a64f921..969c1613fed9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: GPL-2.0-or-later /* auditsc.c -- System-call auditing support * Handles all system-call specific auditing features. * @@ -6,20 +7,6 @@ * Copyright (C) 2005, 2006 IBM Corporation * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * * Written by Rickard E. (Rik) Faith * * Many of the ideas implemented here are from Stephen C. Tweedie,
--
2.25.1
Re: [PATCH] lsm_audit: avoid overloading the "key" audit field
On Tue, Sep 14, 2021 at 9:15 AM Ondrej Mosnacek wrote:
>
> The "key" field is used to associate records with the rule that
> triggered them, so it's not a good idea to overload it with an
> additional IPC key semantic. Moreover, as the classic "key" field is a
> text field, while the IPC key is numeric, AVC records containing the IPC
> key info actually confuse audit userspace, which tries to interpret the
> number as a hex-encoded string, thus showing garbage for example in the
> ausearch "interpret" output mode.
>
> Hence, change it to "ipc_key" to fix both issues and also make the
> meaning of this field more clear.
>
> Signed-off-by: Ondrej Mosnacek
> ---
> security/lsm_audit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Seems reasonable to me, I can merge it via the audit/next tree unless
James would prefer to take it via the LSM tree.

> diff --git a/security/lsm_audit.c b/security/lsm_audit.c > index 5a5016ef43b0..1897cbf6fc69 100644 > --- a/security/lsm_audit.c > +++ b/security/lsm_audit.c > @@ -224,7 +224,7 @@ static void dump_common_audit_data(struct audit_buffer > *ab, > case LSM_AUDIT_DATA_NONE: > return; > case LSM_AUDIT_DATA_IPC: > - audit_log_format(ab, " key=%d ", a->u.ipc_id); > + audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id); > break; > case LSM_AUDIT_DATA_CAP: > audit_log_format(ab, " capability=%d ", a->u.cap);
> --
> 2.31.1

--
paul moore
www.paul-moore.com
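Review bot: the rename at `audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id);` changes a field name that userspace sees in these records, and the commit message does not say what happens to consumers that currently read the numeric value from `key=`. A sentence on compatibility in the commit message (which tools are expected to need an update, and that records written before the change keep the old name) would make the impact reviewable from the log alone.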
Re: [PATCH v2] audit: Convert to SPDX identifier
On Mon, Sep 13, 2021 at 11:33 PM Cai Huoqing wrote:
>
> Use SPDX-License-Identifier instead of a verbose license text.
>
> Signed-off-by: Cai Huoqing
> ---
> v1->v2: Change recommended token from "GPL-2.0+" to "GPL-2.0-or-later"
>
> kernel/auditsc.c | 15 +--
> 1 file changed, 1 insertion(+), 14 deletions(-)

Merged into audit/next, thanks!

--
paul moore
www.paul-moore.com
Re: [PATCH v3 8/8] Smack: Brutalist io_uring support with debug
On Tue, Sep 14, 2021 at 10:26 AM Casey Schaufler wrote:
>
> On 9/13/2021 8:33 PM, Paul Moore wrote:
> > From: Casey Schaufler
> >
> > Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> > for the override_creds case and CAP_MAC_ADMIN for creating a
> > polling thread. These choices are based on conjecture regarding
> > the intent of the surrounding code.
> >
> > Signed-off-by: Casey Schaufler
> > [PM: make the smack_uring_* funcs static, remove debug code]
> > Signed-off-by: Paul Moore
>
> You want to change the subject:
>
> [PATCH v3 8/8] Smack: Brutalist io_uring support with debug
>
> s/ with debug//

Thanks Casey, good catch. I updated my local copy and the
selinux/working-io_uring branch but I'll refrain from pushing a new
patchset just for this.

--
paul moore
www.paul-moore.com
Re: [PATCH v3 8/8] Smack: Brutalist io_uring support with debug
On 9/13/2021 8:33 PM, Paul Moore wrote:
> From: Casey Schaufler
>
> Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> for the override_creds case and CAP_MAC_ADMIN for creating a
> polling thread. These choices are based on conjecture regarding
> the intent of the surrounding code.
>
> Signed-off-by: Casey Schaufler
> [PM: make the smack_uring_* funcs static, remove debug code]
> Signed-off-by: Paul Moore

You want to change the subject:

[PATCH v3 8/8] Smack: Brutalist io_uring support with debug

s/ with debug//

>
> ---
> v3:
> - removed debug code
> v2:
> - made the smack_uring_* funcs static
> v1:
> - initial draft
> ---
> security/smack/smack_lsm.c | 46
>
> 1 file changed, 46 insertions(+)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index cacbe7518519..f90ab1efeb6d 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c
> @@ -4691,6 +4691,48 @@ static int smack_dentry_create_files_as(struct dentry > *dentry, int mode, > return 0; > } > > +#ifdef CONFIG_IO_URING > +/** > + * smack_uring_override_creds - Is io_uring cred override allowed? > + * @new: the target creds > + * > + * Check to see if the current task is allowed to override it's credentials > + * to service an io_uring operation. > + */ > +static int smack_uring_override_creds(const struct cred *new) > +{ > + struct task_smack *tsp = smack_cred(current_cred()); > + struct task_smack *nsp = smack_cred(new); > + > + /* > + * Allow the degenerate case where the new Smack value is > + * the same as the current Smack value. > + */ > + if (tsp->smk_task == nsp->smk_task) > + return 0; > + > + if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) > + return 0; > + > + return -EPERM; > +} > + > +/** > + * smack_uring_sqpoll - check if a io_uring polling thread can be created > + * > + * Check to see if the current task is allowed to create a new io_uring > + * kernel polling thread. > + */ > +static int smack_uring_sqpoll(void) > +{ > + if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) > + return 0; > + > + return -EPERM; > +} > + > +#endif /* CONFIG_IO_URING */ > + > struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { > .lbs_cred = sizeof(struct task_smack), > .lbs_file = sizeof(struct smack_known *), 
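Review bot: smack_uring_override_creds() gates on CAP_MAC_OVERRIDE and smack_uring_sqpoll() on CAP_MAC_ADMIN, yet the commit message calls both choices conjecture and the code carries no comment recording why each capability was picked. A line of rationale above each smack_privileged_cred() call would let a later reader tell an intended policy from a placeholder. Kernel-doc nits in the same hunk: "override it's credentials" should read "its credentials", "a io_uring" should be "an io_uring", and neither comment documents the return value (0 or -EPERM).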
> @@ -4843,6 +4885,10 @@ static struct security_hook_list smack_hooks[] > __lsm_ro_after_init = { > LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), > LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), > LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), > +#ifdef CONFIG_IO_URING > + LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), > + LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), > +#endif > }; > > >
[PATCH] lsm_audit: avoid overloading the "key" audit field
The "key" field is used to associate records with the rule that triggered them, so it's not a good idea to overload it with an additional IPC key semantic. Moreover, as the classic "key" field is a text field, while the IPC key is numeric, AVC records containing the IPC key info actually confuse audit userspace, which tries to interpret the number as a hex-encoded string, thus showing garbage for example in the ausearch "interpret" output mode.

Hence, change it to "ipc_key" to fix both issues and also make the meaning of this field more clear.

Signed-off-by: Ondrej Mosnacek
---
security/lsm_audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 5a5016ef43b0..1897cbf6fc69 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -224,7 +224,7 @@ static void dump_common_audit_data(struct audit_buffer *ab, case LSM_AUDIT_DATA_NONE: return; case LSM_AUDIT_DATA_IPC: - audit_log_format(ab, " key=%d ", a->u.ipc_id); + audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id); break; case LSM_AUDIT_DATA_CAP: audit_log_format(ab, " capability=%d ", a->u.cap);
--
2.31.1
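Review bot: in the LSM_AUDIT_DATA_IPC case the field is now named ipc_key while the value printed is still `a->u.ipc_id`, so the record says "key" and the code says "id". A short comment at that case stating that ipc_id carries the IPC key, or a matching rename of the member in a follow-up, would keep the two from drifting; the new field name also needs an entry wherever the audit field names are documented.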