Re: [PATCH] integrity: audit update
On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote: - Force audit result to be either 0 or 1. - make template names const - Add new stand-alone message type: AUDIT_INTEGRITY_RULE OK, I think this patch fixes the problems from 2/8. Were you going to combine them for a new 2/8 or just apply this one as 9/9? IOW, should we ack this patch or the final one? Thanks, -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] integrity: audit update
On Tue, 2009-02-10 at 17:00 -0500, Steve Grubb wrote: On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote: - Force audit result to be either 0 or 1. - make template names const - Add new stand-alone message type: AUDIT_INTEGRITY_RULE OK, I think this patch fixes the problems from 2/8. Were you going to combine them for a new 2/8 or just apply this one as 9/9? IOW, should we ack this patch or the final one? Thanks, -Steve As the current patches have already been upstreamed, I'll re-post this patch on lkml. You can either ack this one, or the one posted on lkml. Thanks! Mimi -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] integrity: audit update
On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote:
- Force audit result to be either 0 or 1.
- make template names const
- Add new stand-alone message type: AUDIT_INTEGRITY_RULE
Signed-off-by: Mimi Zohar zo...@us.ibm.com
Acked-by: Steve Grubb sgr...@redhat.com
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939a..4fa2810 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
* 1500 - 1599 kernel LSPP events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related
events) + * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
* 2000 is for otherwise unclassified kernel audit messages (legacy)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_KERNEL 2000/* Asynchronous audit record. NOT A
REQUEST. */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a2..165eb53 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
struct ima_template_entry {
u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
- char *template_name;
+ const char *template_name;
int template_len;
struct ima_template_data template;
};
diff --git a/security/integrity/ima/ima_api.c
b/security/integrity/ima/ima_api.c index a148a25..3cd58b6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
#include linux/module.h
#include ima.h
-static char *IMA_TEMPLATE_NAME = ima;
+static const char *IMA_TEMPLATE_NAME = ima;
/*
* ima_store_template - store ima template measurements
diff --git a/security/integrity/ima/ima_audit.c
b/security/integrity/ima/ima_audit.c index 8a0f1e2..1e082bb 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
static int __init ima_audit_setup(char *str)
{
unsigned long audit;
- int rc;
- char *op;
+ int rc, result = 0;
+ char *op = ima_audit;
+ char *cause;
rc = strict_strtoul(str, 0, audit);
if (rc || audit 1)
- printk(KERN_INFO ima: invalid ima_audit value\n);
+ result = 1;
else
ima_audit = audit;
- op = ima_audit ? ima_audit_enabled : ima_audit_not_enabled;
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+ cause = ima_audit ? enabled : not_enabled;
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ op, cause, result, 0);
return 1;
}
__setup(ima_audit=, ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode
*inode, return;
ab = audit_log_start(current-audit_context, GFP_KERNEL, audit_msgno);
- audit_log_format(ab, integrity: pid=%d uid=%u auid=%u,
+ audit_log_format(ab, integrity: pid=%d uid=%u auid=%u ses=%u,
current-pid, current-cred-uid,
- audit_get_loginuid(current));
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
audit_log_task_context(ab);
switch (audit_msgno) {
case AUDIT_INTEGRITY_DATA:
case AUDIT_INTEGRITY_METADATA:
case AUDIT_INTEGRITY_PCR:
+ case AUDIT_INTEGRITY_STATUS:
audit_log_format(ab, op=%s cause=%s, op, cause);
break;
case AUDIT_INTEGRITY_HASH:
audit_log_format(ab, op=%s hash=%s, op, cause);
break;
- case AUDIT_INTEGRITY_STATUS:
default:
audit_log_format(ab, op=%s, op);
}
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode
*inode, if (inode)
audit_log_format(ab, dev=%s ino=%lu,
inode-i_sb-s_id, inode-i_ino);
- audit_log_format(ab, res=%d, result);
+ audit_log_format(ab, res=%d, !result ? 0 : 1);
audit_log_end(ab);
}
diff --git a/security/integrity/ima/ima_fs.c
b/security/integrity/ima/ima_fs.c index 573780c..ffbe259 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m,
void *v) ima_putc(m, namelen, sizeof namelen);
/* 4th: template name */
- ima_putc(m, e-template_name, namelen);
+ ima_putc(m, (void *)e-template_name, namelen);
/* 5th: template specific data */
[PATCH] integrity: audit update
- Force audit result to be either 0 or 1.
- make template names const
- Add new stand-alone message type: AUDIT_INTEGRITY_RULE
Signed-off-by: Mimi Zohar zo...@us.ibm.com
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939a..4fa2810 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
* 1500 - 1599 kernel LSPP events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
* 2000 is for otherwise unclassified kernel audit messages (legacy)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_KERNEL 2000/* Asynchronous audit record. NOT A
REQUEST. */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a2..165eb53 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
struct ima_template_entry {
u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
- char *template_name;
+ const char *template_name;
int template_len;
struct ima_template_data template;
};
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a148a25..3cd58b6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
#include linux/module.h
#include ima.h
-static char *IMA_TEMPLATE_NAME = ima;
+static const char *IMA_TEMPLATE_NAME = ima;
/*
* ima_store_template - store ima template measurements
diff --git a/security/integrity/ima/ima_audit.c
b/security/integrity/ima/ima_audit.c
index 8a0f1e2..1e082bb 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
static int __init ima_audit_setup(char *str)
{
unsigned long audit;
- int rc;
- char *op;
+ int rc, result = 0;
+ char *op = ima_audit;
+ char *cause;
rc = strict_strtoul(str, 0, audit);
if (rc || audit 1)
- printk(KERN_INFO ima: invalid ima_audit value\n);
+ result = 1;
else
ima_audit = audit;
- op = ima_audit ? ima_audit_enabled : ima_audit_not_enabled;
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+ cause = ima_audit ? enabled : not_enabled;
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ op, cause, result, 0);
return 1;
}
__setup(ima_audit=, ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode
*inode,
return;
ab = audit_log_start(current-audit_context, GFP_KERNEL, audit_msgno);
- audit_log_format(ab, integrity: pid=%d uid=%u auid=%u,
+ audit_log_format(ab, integrity: pid=%d uid=%u auid=%u ses=%u,
current-pid, current-cred-uid,
-audit_get_loginuid(current));
+audit_get_loginuid(current),
+audit_get_sessionid(current));
audit_log_task_context(ab);
switch (audit_msgno) {
case AUDIT_INTEGRITY_DATA:
case AUDIT_INTEGRITY_METADATA:
case AUDIT_INTEGRITY_PCR:
+ case AUDIT_INTEGRITY_STATUS:
audit_log_format(ab, op=%s cause=%s, op, cause);
break;
case AUDIT_INTEGRITY_HASH:
audit_log_format(ab, op=%s hash=%s, op, cause);
break;
- case AUDIT_INTEGRITY_STATUS:
default:
audit_log_format(ab, op=%s, op);
}
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
if (inode)
audit_log_format(ab, dev=%s ino=%lu,
inode-i_sb-s_id, inode-i_ino);
- audit_log_format(ab, res=%d, result);
+ audit_log_format(ab, res=%d, !result ? 0 : 1);
audit_log_end(ab);
}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 573780c..ffbe259 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void
*v)
ima_putc(m, namelen, sizeof namelen);
/* 4th: template name */
- ima_putc(m, e-template_name, namelen);
+ ima_putc(m, (void *)e-template_name, namelen);
/* 5th: template specific data */
ima_template_show(m, (struct ima_template_data
