Re: [PATCH] integrity: audit update
On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote: - Force audit result to be either 0 or 1. - make template names const - Add new stand-alone message type: AUDIT_INTEGRITY_RULE OK, I think this patch fixes the problems from 2/8. Were you going to combine them for a new 2/8 or just apply this one as 9/9? IOW, should we ack this patch or the final one? Thanks, -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] integrity: audit update
On Tue, 2009-02-10 at 17:00 -0500, Steve Grubb wrote: On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote: - Force audit result to be either 0 or 1. - make template names const - Add new stand-alone message type: AUDIT_INTEGRITY_RULE OK, I think this patch fixes the problems from 2/8. Were you going to combine them for a new 2/8 or just apply this one as 9/9? IOW, should we ack this patch or the final one? Thanks, -Steve As the current patches have already been upstreamed, I'll re-post this patch on lkml. You can either ack this one, or the one posted on lkml. Thanks! Mimi -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] integrity: audit update
On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote: - Force audit result to be either 0 or 1. - make template names const - Add new stand-alone message type: AUDIT_INTEGRITY_RULE Signed-off-by: Mimi Zohar zo...@us.ibm.com Acked-by: Steve Grubb sgr...@redhat.com
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939a..4fa2810 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
* 1500 - 1599 kernel LSPP events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
* 2000 is for otherwise unclassified kernel audit messages (legacy)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_KERNEL 2000/* Asynchronous audit record. NOT A REQUEST. */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a2..165eb53 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
struct ima_template_entry {
u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
- char *template_name;
+ const char *template_name;
int template_len;
struct ima_template_data template;
};
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a148a25..3cd58b6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
#include linux/module.h
#include ima.h
-static char *IMA_TEMPLATE_NAME = ima;
+static const char *IMA_TEMPLATE_NAME = ima;
/*
* ima_store_template - store ima template measurements
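Review bot: The `const char *template_name` added in the ima.h hunk is immediately cast back to `(void *)` in ima_measurements_show (the ima_fs.c hunk of this same patch) to satisfy ima_putc, which discards the qualifier this hunk introduces and would hide a future write through the pointer. The better fix is at the callee: declare ima_putc's data parameter `const void *` — it presumably only hands the bytes to the seq_file — and drop the cast. ima_putc's definition is not part of the patch, so confirm it does not modify the buffer before changing its prototype.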
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 8a0f1e2..1e082bb 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
static int __init ima_audit_setup(char *str)
{
unsigned long audit;
- int rc;
- char *op;
+ int rc, result = 0;
+ char *op = ima_audit;
+ char *cause;
rc = strict_strtoul(str, 0, audit);
if (rc || audit 1)
- printk(KERN_INFO ima: invalid ima_audit value\n);
+ result = 1;
else
ima_audit = audit;
- op = ima_audit ? ima_audit_enabled : ima_audit_not_enabled;
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+ cause = ima_audit ? enabled : not_enabled;
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ op, cause, result, 0);
return 1;
}
__setup(ima_audit=, ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
return;
ab = audit_log_start(current-audit_context, GFP_KERNEL, audit_msgno);
- audit_log_format(ab, integrity: pid=%d uid=%u auid=%u,
+ audit_log_format(ab, integrity: pid=%d uid=%u auid=%u ses=%u,
current-pid, current-cred-uid,
- audit_get_loginuid(current));
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
audit_log_task_context(ab);
switch (audit_msgno) {
case AUDIT_INTEGRITY_DATA:
case AUDIT_INTEGRITY_METADATA:
case AUDIT_INTEGRITY_PCR:
+ case AUDIT_INTEGRITY_STATUS:
audit_log_format(ab, op=%s cause=%s, op, cause);
break;
case AUDIT_INTEGRITY_HASH:
audit_log_format(ab, op=%s hash=%s, op, cause);
break;
- case AUDIT_INTEGRITY_STATUS:
default:
audit_log_format(ab, op=%s, op);
}
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
if (inode)
audit_log_format(ab, dev=%s ino=%lu,
inode-i_sb-s_id, inode-i_ino);
- audit_log_format(ab, res=%d, result);
+ audit_log_format(ab, res=%d, !result ? 0 : 1);
audit_log_end(ab);
}
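Review bot: On the rejected-value path of ima_audit_setup (first hunk) only `result` changes; `cause` is still derived from the untouched `ima_audit` global, so an out-of-range `ima_audit=` and a valid `ima_audit=0` both log `cause=not_enabled` and differ only in `res=`, while the printk that used to name the bad value is removed. A distinct cause keeps the failure diagnosable from the record alone, e.g. `cause = result ? "invalid_value" : (ima_audit ? "enabled" : "not_enabled");`. While here, `op` and `cause` only ever point at string literals and are never written through, so `const char *op = "ima_audit";` and `const char *cause;` would match the const-correctness theme of the rest of this patch.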
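Review bot: The normalisation in the last hunk, `!result ? 0 : 1`, maps `result == 0` to `res=0` and nonzero to `res=1`, yet ima_audit_setup in the first hunk passes `result = 0` on success and `1` for a rejected value, so a successful setup is reported as `res=0`. Audit records elsewhere conventionally use `res=1` for success and `res=0` for failure, so consumers keying on that field will read these backwards; `audit_log_format(ab, " res=%d", !result);` gives the conventional polarity while still forcing a 0/1 value. If IMA's other callers instead pass nonzero for success, that contract should be stated in a comment above integrity_audit_msg, whose opening lines are outside these hunks.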
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 573780c..ffbe259 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
ima_putc(m, namelen, sizeof namelen);
/* 4th: template name */
- ima_putc(m, e-template_name, namelen);
+ ima_putc(m, (void *)e-template_name, namelen);
/* 5th: template specific data */
[PATCH] integrity: audit update
- Force audit result to be either 0 or 1. - make template names const - Add new stand-alone message type: AUDIT_INTEGRITY_RULE Signed-off-by: Mimi Zohar zo...@us.ibm.com
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939a..4fa2810 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
* 1500 - 1599 kernel LSPP events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
* 2000 is for otherwise unclassified kernel audit messages (legacy)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_KERNEL 2000/* Asynchronous audit record. NOT A REQUEST. */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a2..165eb53 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
struct ima_template_entry {
u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
- char *template_name;
+ const char *template_name;
int template_len;
struct ima_template_data template;
};
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a148a25..3cd58b6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
#include linux/module.h
#include ima.h
-static char *IMA_TEMPLATE_NAME = ima;
+static const char *IMA_TEMPLATE_NAME = ima;
/*
* ima_store_template - store ima template measurements
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 8a0f1e2..1e082bb 100644
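Review bot: `AUDIT_INTEGRITY_RULE` is introduced in the audit.h hunk, but the switch in integrity_audit_msg (the ima_audit.c hunks later in this patch) gains no case for it, so a RULE record takes the `default` branch and carries only `op=`, silently discarding whatever `cause` the caller supplies. If that is the intent, document it on the define, `#define AUDIT_INTEGRITY_RULE 1805 /* policy rule; logged as op= only */`; if rule records should say which rule or why, add `case AUDIT_INTEGRITY_RULE:` beside `AUDIT_INTEGRITY_STATUS` in that switch. The caller that emits this type is not part of the patch, so I cannot tell which is meant.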
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
static int __init ima_audit_setup(char *str)
{
unsigned long audit;
- int rc;
- char *op;
+ int rc, result = 0;
+ char *op = ima_audit;
+ char *cause;
rc = strict_strtoul(str, 0, audit);
if (rc || audit 1)
- printk(KERN_INFO ima: invalid ima_audit value\n);
+ result = 1;
else
ima_audit = audit;
- op = ima_audit ? ima_audit_enabled : ima_audit_not_enabled;
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+ cause = ima_audit ? enabled : not_enabled;
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ op, cause, result, 0);
return 1;
}
__setup(ima_audit=, ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
return;
ab = audit_log_start(current-audit_context, GFP_KERNEL, audit_msgno);
- audit_log_format(ab, integrity: pid=%d uid=%u auid=%u,
+ audit_log_format(ab, integrity: pid=%d uid=%u auid=%u ses=%u,
current-pid, current-cred-uid,
-audit_get_loginuid(current));
+audit_get_loginuid(current),
+audit_get_sessionid(current));
audit_log_task_context(ab);
switch (audit_msgno) {
case AUDIT_INTEGRITY_DATA:
case AUDIT_INTEGRITY_METADATA:
case AUDIT_INTEGRITY_PCR:
+ case AUDIT_INTEGRITY_STATUS:
audit_log_format(ab, op=%s cause=%s, op, cause);
break;
case AUDIT_INTEGRITY_HASH:
audit_log_format(ab, op=%s hash=%s, op, cause);
break;
- case AUDIT_INTEGRITY_STATUS:
default:
audit_log_format(ab, op=%s, op);
}
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
if (inode)
audit_log_format(ab, dev=%s ino=%lu,
inode-i_sb-s_id, inode-i_ino);
- audit_log_format(ab, res=%d, result);
+ audit_log_format(ab, res=%d, !result ? 0 : 1);
audit_log_end(ab);
}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 573780c..ffbe259 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
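Review bot: The `res=` polarity in the last ima_audit.c hunk looks inverted: `!result ? 0 : 1` emits `res=0` when `result == 0`, which is exactly what the new ima_audit_setup code passes on its success path, and `res=1` for the rejected-value path. Audit consumers conventionally read `res=1` as success and `res=0` as failure, so these records will be interpreted backwards; `audit_log_format(ab, " res=%d", !result);` still clamps to 0/1 but with the conventional meaning. If a nonzero `result` is meant to denote success for other IMA callers, that contract belongs in a comment above integrity_audit_msg, whose opening lines fall outside these hunks.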
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
ima_putc(m, namelen, sizeof namelen);
/* 4th: template name */
- ima_putc(m, e-template_name, namelen);
+ ima_putc(m, (void *)e-template_name, namelen);
/* 5th: template specific data */
ima_template_show(m, (struct ima_template_data