2005-04-29 09:23:29 -06:00
|
|
|
/* auditsc.c -- System-call auditing support
|
2005-04-16 16:20:36 -06:00
|
|
|
* Handles all system-call specific auditing features.
|
|
|
|
*
|
|
|
|
* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
|
2005-11-03 09:00:25 -07:00
|
|
|
* Copyright 2005 Hewlett-Packard Development Company, L.P.
|
2006-05-24 15:09:55 -06:00
|
|
|
* Copyright (C) 2005, 2006 IBM Corporation
|
2005-04-16 16:20:36 -06:00
|
|
|
* All Rights Reserved.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
*
|
|
|
|
* Written by Rickard E. (Rik) Faith <faith@redhat.com>
|
|
|
|
*
|
|
|
|
* Many of the ideas implemented here are from Stephen C. Tweedie,
|
|
|
|
* especially the idea of avoiding a copy by using getname.
|
|
|
|
*
|
|
|
|
* The method for actual interception of syscall entry and exit (not in
|
|
|
|
* this file -- see entry.S) is based on a GPL'd patch written by
|
|
|
|
* okir@suse.de and Copyright 2003 SuSE Linux AG.
|
|
|
|
*
|
2006-05-24 15:09:55 -06:00
|
|
|
* POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
|
|
|
|
* 2006.
|
|
|
|
*
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-11-03 08:41:46 -07:00
|
|
|
* The support of additional filter rules compares (>, <, >=, <=) was
|
|
|
|
* added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
|
|
|
|
*
|
2005-11-03 09:00:25 -07:00
|
|
|
* Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
|
|
|
|
* filesystem information.
|
2005-11-03 10:15:16 -07:00
|
|
|
*
|
|
|
|
* Subject and object context labeling support added by <danjones@us.ibm.com>
|
|
|
|
* and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <asm/types.h>
|
2006-01-18 18:44:07 -07:00
|
|
|
#include <asm/atomic.h>
|
2005-11-03 09:00:25 -07:00
|
|
|
#include <asm/types.h>
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/namei.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/module.h>
|
2005-05-20 17:15:52 -06:00
|
|
|
#include <linux/mount.h>
|
2005-05-17 05:08:48 -06:00
|
|
|
#include <linux/socket.h>
|
2006-05-24 15:09:55 -06:00
|
|
|
#include <linux/mqueue.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/audit.h>
|
|
|
|
#include <linux/personality.h>
|
|
|
|
#include <linux/time.h>
|
2005-06-24 07:14:05 -06:00
|
|
|
#include <linux/netlink.h>
|
2005-07-13 15:47:07 -06:00
|
|
|
#include <linux/compiler.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <asm/unistd.h>
|
2005-11-03 10:15:16 -07:00
|
|
|
#include <linux/security.h>
|
2005-12-15 11:33:52 -07:00
|
|
|
#include <linux/list.h>
|
2006-01-01 12:07:00 -07:00
|
|
|
#include <linux/tty.h>
|
2006-03-10 17:14:06 -07:00
|
|
|
#include <linux/selinux.h>
|
2006-04-26 12:04:08 -06:00
|
|
|
#include <linux/binfmts.h>
|
2006-05-06 06:22:52 -06:00
|
|
|
#include <linux/syscalls.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2005-12-15 11:33:52 -07:00
|
|
|
#include "audit.h"
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2005-12-15 11:33:52 -07:00
|
|
|
extern struct list_head audit_filter_list[];
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
/* No syscall auditing will take place unless audit_enabled != 0. */
|
|
|
|
extern int audit_enabled;
|
|
|
|
|
|
|
|
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
|
|
|
|
* for saving names from getname(). */
|
|
|
|
#define AUDIT_NAMES 20
|
|
|
|
|
|
|
|
/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
|
|
|
|
* audit_context from being used for nameless inodes from
|
|
|
|
* path_lookup. */
|
|
|
|
#define AUDIT_NAMES_RESERVED 7
|
|
|
|
|
2006-06-08 21:19:31 -06:00
|
|
|
/* Indicates that audit should log the full pathname. */
|
|
|
|
#define AUDIT_NAME_FULL -1
|
|
|
|
|
2006-07-10 06:29:24 -06:00
|
|
|
/* number of audit rules */
|
|
|
|
int audit_n_rules;
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* When fs/namei.c:getname() is called, we store the pointer in name and
|
|
|
|
* we don't let putname() free it (instead we free all of the saved
|
|
|
|
* pointers at syscall exit time).
|
|
|
|
*
|
|
|
|
* Further, in fs/namei.c:path_lookup() we store the inode and device. */
|
|
|
|
struct audit_names {
|
|
|
|
const char *name;
|
2006-06-08 21:19:31 -06:00
|
|
|
int name_len; /* number of name's characters to log */
|
|
|
|
unsigned name_put; /* call __putname() for this name */
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long ino;
|
|
|
|
dev_t dev;
|
|
|
|
umode_t mode;
|
|
|
|
uid_t uid;
|
|
|
|
gid_t gid;
|
|
|
|
dev_t rdev;
|
2006-04-03 12:06:13 -06:00
|
|
|
u32 osid;
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data {
|
|
|
|
struct audit_aux_data *next;
|
|
|
|
int type;
|
|
|
|
};
|
|
|
|
|
|
|
|
#define AUDIT_AUX_IPCPERM 0
|
|
|
|
|
2006-05-24 15:09:55 -06:00
|
|
|
struct audit_aux_data_mq_open {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
int oflag;
|
|
|
|
mode_t mode;
|
|
|
|
struct mq_attr attr;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_mq_sendrecv {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
mqd_t mqdes;
|
|
|
|
size_t msg_len;
|
|
|
|
unsigned int msg_prio;
|
|
|
|
struct timespec abs_timeout;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_mq_notify {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
mqd_t mqdes;
|
|
|
|
struct sigevent notification;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_mq_getsetattr {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
mqd_t mqdes;
|
|
|
|
struct mq_attr mqstat;
|
|
|
|
};
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_aux_data_ipcctl {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
struct ipc_perm p;
|
|
|
|
unsigned long qbytes;
|
|
|
|
uid_t uid;
|
|
|
|
gid_t gid;
|
|
|
|
mode_t mode;
|
2006-03-31 13:22:49 -07:00
|
|
|
u32 osid;
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
2006-04-26 12:04:08 -06:00
|
|
|
struct audit_aux_data_execve {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
int argc;
|
|
|
|
int envc;
|
|
|
|
char mem[0];
|
|
|
|
};
|
|
|
|
|
2005-05-17 05:08:48 -06:00
|
|
|
struct audit_aux_data_socketcall {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
int nargs;
|
|
|
|
unsigned long args[0];
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_sockaddr {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
int len;
|
|
|
|
char a[0];
|
|
|
|
};
|
|
|
|
|
2005-05-20 17:15:52 -06:00
|
|
|
struct audit_aux_data_path {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
struct dentry *dentry;
|
|
|
|
struct vfsmount *mnt;
|
|
|
|
};
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
/* The per-task audit context. */
|
|
|
|
struct audit_context {
|
2006-08-03 08:59:26 -06:00
|
|
|
int dummy; /* must be the first element */
|
2005-04-16 16:20:36 -06:00
|
|
|
int in_syscall; /* 1 if task is in a syscall */
|
|
|
|
enum audit_state state;
|
|
|
|
unsigned int serial; /* serial number for record */
|
|
|
|
struct timespec ctime; /* time of syscall entry */
|
|
|
|
uid_t loginuid; /* login uid (identity) */
|
|
|
|
int major; /* syscall number */
|
|
|
|
unsigned long argv[4]; /* syscall arguments */
|
|
|
|
int return_valid; /* return code is valid */
|
2005-04-29 09:08:28 -06:00
|
|
|
long return_code;/* syscall return code */
|
2005-04-16 16:20:36 -06:00
|
|
|
int auditable; /* 1 if record should be written */
|
|
|
|
int name_count;
|
|
|
|
struct audit_names names[AUDIT_NAMES];
|
2006-06-14 16:45:21 -06:00
|
|
|
char * filterkey; /* key for rule that triggered record */
|
2005-05-27 05:17:28 -06:00
|
|
|
struct dentry * pwd;
|
|
|
|
struct vfsmount * pwdmnt;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_context *previous; /* For nested syscalls */
|
|
|
|
struct audit_aux_data *aux;
|
|
|
|
|
|
|
|
/* Save things to print about task_struct */
|
2006-05-06 06:22:52 -06:00
|
|
|
pid_t pid, ppid;
|
2005-04-16 16:20:36 -06:00
|
|
|
uid_t uid, euid, suid, fsuid;
|
|
|
|
gid_t gid, egid, sgid, fsgid;
|
|
|
|
unsigned long personality;
|
2005-04-29 09:08:28 -06:00
|
|
|
int arch;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
int put_count;
|
|
|
|
int ino_count;
|
|
|
|
#endif
|
|
|
|
};
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
/* Determine if any context name data matches a rule's watch data */
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
|
|
|
|
* otherwise. */
|
|
|
|
static int audit_filter_rules(struct task_struct *tsk,
|
2006-02-07 10:05:27 -07:00
|
|
|
struct audit_krule *rule,
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_context *ctx,
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
struct audit_names *name,
|
2005-04-16 16:20:36 -06:00
|
|
|
enum audit_state *state)
|
|
|
|
{
|
2006-04-11 06:50:56 -06:00
|
|
|
int i, j, need_sid = 1;
|
2006-03-10 17:14:06 -07:00
|
|
|
u32 sid;
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
for (i = 0; i < rule->field_count; i++) {
|
2006-02-07 10:05:27 -07:00
|
|
|
struct audit_field *f = &rule->fields[i];
|
2005-04-16 16:20:36 -06:00
|
|
|
int result = 0;
|
|
|
|
|
2006-02-07 10:05:27 -07:00
|
|
|
switch (f->type) {
|
2005-04-16 16:20:36 -06:00
|
|
|
case AUDIT_PID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->pid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
2006-05-06 06:26:27 -06:00
|
|
|
case AUDIT_PPID:
|
|
|
|
if (ctx)
|
|
|
|
result = audit_comparator(ctx->ppid, f->op, f->val);
|
|
|
|
break;
|
2005-04-16 16:20:36 -06:00
|
|
|
case AUDIT_UID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->uid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_EUID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->euid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_SUID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->suid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_FSUID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->fsuid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_GID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->gid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_EGID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->egid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_SGID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->sgid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_FSGID:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->fsgid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_PERS:
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(tsk->personality, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
2005-04-29 09:08:28 -06:00
|
|
|
case AUDIT_ARCH:
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-11-03 08:41:46 -07:00
|
|
|
if (ctx)
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(ctx->arch, f->op, f->val);
|
2005-04-29 09:08:28 -06:00
|
|
|
break;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
case AUDIT_EXIT:
|
|
|
|
if (ctx && ctx->return_valid)
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(ctx->return_code, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_SUCCESS:
|
2005-08-27 03:25:43 -06:00
|
|
|
if (ctx && ctx->return_valid) {
|
2006-02-07 10:05:27 -07:00
|
|
|
if (f->val)
|
|
|
|
result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
|
2005-08-27 03:25:43 -06:00
|
|
|
else
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
|
2005-08-27 03:25:43 -06:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
|
|
|
case AUDIT_DEVMAJOR:
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (name)
|
|
|
|
result = audit_comparator(MAJOR(name->dev),
|
|
|
|
f->op, f->val);
|
|
|
|
else if (ctx) {
|
2005-04-16 16:20:36 -06:00
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
2006-02-07 10:05:27 -07:00
|
|
|
if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
|
2005-04-16 16:20:36 -06:00
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_DEVMINOR:
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (name)
|
|
|
|
result = audit_comparator(MINOR(name->dev),
|
|
|
|
f->op, f->val);
|
|
|
|
else if (ctx) {
|
2005-04-16 16:20:36 -06:00
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
2006-02-07 10:05:27 -07:00
|
|
|
if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
|
2005-04-16 16:20:36 -06:00
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_INODE:
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (name)
|
2006-06-08 21:19:31 -06:00
|
|
|
result = (name->ino == f->val);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
else if (ctx) {
|
2005-04-16 16:20:36 -06:00
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
2006-06-08 21:19:31 -06:00
|
|
|
if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
|
2005-04-16 16:20:36 -06:00
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
case AUDIT_WATCH:
|
|
|
|
if (name && rule->watch->ino != (unsigned long)-1)
|
|
|
|
result = (name->dev == rule->watch->dev &&
|
2006-06-08 21:19:31 -06:00
|
|
|
name->ino == rule->watch->ino);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
break;
|
2005-04-16 16:20:36 -06:00
|
|
|
case AUDIT_LOGINUID:
|
|
|
|
result = 0;
|
|
|
|
if (ctx)
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(ctx->loginuid, f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
2006-06-29 15:56:39 -06:00
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
2006-03-10 17:14:06 -07:00
|
|
|
/* NOTE: this may return negative values indicating
|
|
|
|
a temporary error. We simply treat this as a
|
|
|
|
match for now to avoid losing information that
|
|
|
|
may be wanted. An error message will also be
|
|
|
|
logged upon error */
|
2006-04-11 06:50:56 -06:00
|
|
|
if (f->se_rule) {
|
|
|
|
if (need_sid) {
|
|
|
|
selinux_task_ctxid(tsk, &sid);
|
|
|
|
need_sid = 0;
|
|
|
|
}
|
2006-03-10 17:14:06 -07:00
|
|
|
result = selinux_audit_rule_match(sid, f->type,
|
|
|
|
f->op,
|
|
|
|
f->se_rule,
|
|
|
|
ctx);
|
2006-04-11 06:50:56 -06:00
|
|
|
}
|
2006-03-10 17:14:06 -07:00
|
|
|
break;
|
2006-06-29 15:57:08 -06:00
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
|
|
|
/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
|
|
|
|
also applies here */
|
|
|
|
if (f->se_rule) {
|
|
|
|
/* Find files that match */
|
|
|
|
if (name) {
|
|
|
|
result = selinux_audit_rule_match(
|
|
|
|
name->osid, f->type, f->op,
|
|
|
|
f->se_rule, ctx);
|
|
|
|
} else if (ctx) {
|
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
|
|
|
if (selinux_audit_rule_match(
|
|
|
|
ctx->names[j].osid,
|
|
|
|
f->type, f->op,
|
|
|
|
f->se_rule, ctx)) {
|
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* Find ipc objects that match */
|
|
|
|
if (ctx) {
|
|
|
|
struct audit_aux_data *aux;
|
|
|
|
for (aux = ctx->aux; aux;
|
|
|
|
aux = aux->next) {
|
|
|
|
if (aux->type == AUDIT_IPC) {
|
|
|
|
struct audit_aux_data_ipcctl *axi = (void *)aux;
|
|
|
|
if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {
|
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
2005-04-16 16:20:36 -06:00
|
|
|
case AUDIT_ARG0:
|
|
|
|
case AUDIT_ARG1:
|
|
|
|
case AUDIT_ARG2:
|
|
|
|
case AUDIT_ARG3:
|
|
|
|
if (ctx)
|
2006-02-07 10:05:27 -07:00
|
|
|
result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
|
2005-04-16 16:20:36 -06:00
|
|
|
break;
|
2006-06-14 16:45:21 -06:00
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
/* ignore this field for filtering */
|
|
|
|
result = 1;
|
|
|
|
break;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!result)
|
|
|
|
return 0;
|
|
|
|
}
|
2006-06-14 16:45:21 -06:00
|
|
|
if (rule->filterkey)
|
|
|
|
ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
|
2005-04-16 16:20:36 -06:00
|
|
|
switch (rule->action) {
|
|
|
|
case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
|
|
|
|
case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* At process creation time, we can determine if system-call auditing is
|
|
|
|
* completely disabled for this task. Since we only have the task
|
|
|
|
* structure at this point, we can only check uid and gid.
|
|
|
|
*/
|
|
|
|
static enum audit_state audit_filter_task(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
struct audit_entry *e;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2005-06-19 12:35:50 -06:00
|
|
|
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
|
2005-04-16 16:20:36 -06:00
|
|
|
rcu_read_unlock();
|
|
|
|
return state;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
return AUDIT_BUILD_CONTEXT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* At syscall entry and exit time, this filter is called if the
|
|
|
|
* audit_state is not low enough that auditing cannot take place, but is
|
2005-05-13 11:35:15 -06:00
|
|
|
* also not high enough that we already know we have to write an audit
|
2005-09-13 13:47:11 -06:00
|
|
|
* record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
|
|
|
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
|
|
|
|
struct audit_context *ctx,
|
|
|
|
struct list_head *list)
|
|
|
|
{
|
|
|
|
struct audit_entry *e;
|
2005-08-17 07:49:57 -06:00
|
|
|
enum audit_state state;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2005-07-14 07:40:06 -06:00
|
|
|
if (audit_pid && tsk->tgid == audit_pid)
|
2005-06-20 09:07:33 -06:00
|
|
|
return AUDIT_DISABLED;
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
rcu_read_lock();
|
2005-08-17 07:49:57 -06:00
|
|
|
if (!list_empty(list)) {
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-11-03 08:41:46 -07:00
|
|
|
int word = AUDIT_WORD(ctx->major);
|
|
|
|
int bit = AUDIT_BIT(ctx->major);
|
|
|
|
|
|
|
|
list_for_each_entry_rcu(e, list, list) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if ((e->rule.mask[word] & bit) == bit &&
|
|
|
|
audit_filter_rules(tsk, &e->rule, ctx, NULL,
|
|
|
|
&state)) {
|
|
|
|
rcu_read_unlock();
|
|
|
|
return state;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
return AUDIT_BUILD_CONTEXT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* At syscall exit time, this filter is called if any audit_names[] have been
|
|
|
|
* collected during syscall processing. We only check rules in sublists at hash
|
|
|
|
* buckets applicable to the inode numbers in audit_names[].
|
|
|
|
* Regarding audit_state, same rules apply as for audit_filter_syscall().
|
|
|
|
*/
|
|
|
|
enum audit_state audit_filter_inodes(struct task_struct *tsk,
|
|
|
|
struct audit_context *ctx)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
struct audit_entry *e;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
if (audit_pid && tsk->tgid == audit_pid)
|
|
|
|
return AUDIT_DISABLED;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
for (i = 0; i < ctx->name_count; i++) {
|
|
|
|
int word = AUDIT_WORD(ctx->major);
|
|
|
|
int bit = AUDIT_BIT(ctx->major);
|
|
|
|
struct audit_names *n = &ctx->names[i];
|
|
|
|
int h = audit_hash_ino((u32)n->ino);
|
|
|
|
struct list_head *list = &audit_inode_hash[h];
|
|
|
|
|
|
|
|
if (list_empty(list))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
list_for_each_entry_rcu(e, list, list) {
|
|
|
|
if ((e->rule.mask[word] & bit) == bit &&
|
|
|
|
audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-11-03 08:41:46 -07:00
|
|
|
rcu_read_unlock();
|
|
|
|
return state;
|
|
|
|
}
|
2005-06-19 12:35:50 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
2005-04-16 16:20:36 -06:00
|
|
|
return AUDIT_BUILD_CONTEXT;
|
2005-06-19 12:35:50 -06:00
|
|
|
}
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
void audit_set_auditable(struct audit_context *ctx)
|
|
|
|
{
|
|
|
|
ctx->auditable = 1;
|
|
|
|
}
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
|
|
|
|
int return_valid,
|
|
|
|
int return_code)
|
|
|
|
{
|
|
|
|
struct audit_context *context = tsk->audit_context;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return NULL;
|
|
|
|
context->return_valid = return_valid;
|
|
|
|
context->return_code = return_code;
|
|
|
|
|
2006-08-03 08:59:26 -06:00
|
|
|
if (context->in_syscall && !context->dummy && !context->auditable) {
|
2005-04-16 16:20:36 -06:00
|
|
|
enum audit_state state;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
|
2005-06-19 12:35:50 -06:00
|
|
|
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (state == AUDIT_RECORD_CONTEXT) {
|
|
|
|
context->auditable = 1;
|
|
|
|
goto get_context;
|
|
|
|
}
|
|
|
|
|
|
|
|
state = audit_filter_inodes(tsk, context);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (state == AUDIT_RECORD_CONTEXT)
|
|
|
|
context->auditable = 1;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
get_context:
|
2006-07-16 04:43:48 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
tsk->audit_context = NULL;
|
|
|
|
return context;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_free_names(struct audit_context *context)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
#if AUDIT_DEBUG == 2
|
|
|
|
if (context->auditable
|
|
|
|
||context->put_count + context->ino_count != context->name_count) {
|
2005-11-03 09:00:25 -07:00
|
|
|
printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
|
2005-04-16 16:20:36 -06:00
|
|
|
" name_count=%d put_count=%d"
|
|
|
|
" ino_count=%d [NOT freeing]\n",
|
2005-11-03 09:00:25 -07:00
|
|
|
__FILE__, __LINE__,
|
2005-04-16 16:20:36 -06:00
|
|
|
context->serial, context->major, context->in_syscall,
|
|
|
|
context->name_count, context->put_count,
|
|
|
|
context->ino_count);
|
2005-11-03 10:15:16 -07:00
|
|
|
for (i = 0; i < context->name_count; i++) {
|
2005-04-16 16:20:36 -06:00
|
|
|
printk(KERN_ERR "names[%d] = %p = %s\n", i,
|
|
|
|
context->names[i].name,
|
2005-11-03 09:00:25 -07:00
|
|
|
context->names[i].name ?: "(null)");
|
2005-11-03 10:15:16 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
dump_stack();
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
context->put_count = 0;
|
|
|
|
context->ino_count = 0;
|
|
|
|
#endif
|
|
|
|
|
2005-11-03 10:15:16 -07:00
|
|
|
for (i = 0; i < context->name_count; i++) {
|
2006-06-08 21:19:31 -06:00
|
|
|
if (context->names[i].name && context->names[i].name_put)
|
2005-04-16 16:20:36 -06:00
|
|
|
__putname(context->names[i].name);
|
2005-11-03 10:15:16 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
context->name_count = 0;
|
2005-05-27 05:17:28 -06:00
|
|
|
if (context->pwd)
|
|
|
|
dput(context->pwd);
|
|
|
|
if (context->pwdmnt)
|
|
|
|
mntput(context->pwdmnt);
|
|
|
|
context->pwd = NULL;
|
|
|
|
context->pwdmnt = NULL;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_free_aux(struct audit_context *context)
|
|
|
|
{
|
|
|
|
struct audit_aux_data *aux;
|
|
|
|
|
|
|
|
while ((aux = context->aux)) {
|
2005-05-20 17:15:52 -06:00
|
|
|
if (aux->type == AUDIT_AVC_PATH) {
|
|
|
|
struct audit_aux_data_path *axi = (void *)aux;
|
|
|
|
dput(axi->dentry);
|
|
|
|
mntput(axi->mnt);
|
|
|
|
}
|
2005-11-03 10:15:16 -07:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
context->aux = aux->next;
|
|
|
|
kfree(aux);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_zero_context(struct audit_context *context,
|
|
|
|
enum audit_state state)
|
|
|
|
{
|
|
|
|
uid_t loginuid = context->loginuid;
|
|
|
|
|
|
|
|
memset(context, 0, sizeof(*context));
|
|
|
|
context->state = state;
|
|
|
|
context->loginuid = loginuid;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline struct audit_context *audit_alloc_context(enum audit_state state)
|
|
|
|
{
|
|
|
|
struct audit_context *context;
|
|
|
|
|
|
|
|
if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
|
|
|
|
return NULL;
|
|
|
|
audit_zero_context(context, state);
|
|
|
|
return context;
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_alloc - allocate an audit context block for a task
|
|
|
|
* @tsk: task
|
|
|
|
*
|
|
|
|
* Filter on the task information and allocate a per-task audit context
|
2005-04-16 16:20:36 -06:00
|
|
|
* if necessary. Doing so turns on system call auditing for the
|
|
|
|
* specified task. This is called from copy_process, so no lock is
|
2005-09-13 13:47:11 -06:00
|
|
|
* needed.
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
int audit_alloc(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
struct audit_context *context;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
if (likely(!audit_enabled))
|
|
|
|
return 0; /* Return if not auditing. */
|
|
|
|
|
|
|
|
state = audit_filter_task(tsk);
|
|
|
|
if (likely(state == AUDIT_DISABLED))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!(context = audit_alloc_context(state))) {
|
|
|
|
audit_log_lost("out of memory in audit_alloc");
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Preserve login uid */
|
|
|
|
context->loginuid = -1;
|
|
|
|
if (current->audit_context)
|
|
|
|
context->loginuid = current->audit_context->loginuid;
|
|
|
|
|
|
|
|
tsk->audit_context = context;
|
|
|
|
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_free_context(struct audit_context *context)
|
|
|
|
{
|
|
|
|
struct audit_context *previous;
|
|
|
|
int count = 0;
|
|
|
|
|
|
|
|
do {
|
|
|
|
previous = context->previous;
|
|
|
|
if (previous || (count && count < 10)) {
|
|
|
|
++count;
|
|
|
|
printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
|
|
|
|
" freeing multiple contexts (%d)\n",
|
|
|
|
context->serial, context->major,
|
|
|
|
context->name_count, count);
|
|
|
|
}
|
|
|
|
audit_free_names(context);
|
|
|
|
audit_free_aux(context);
|
2006-06-14 16:45:21 -06:00
|
|
|
kfree(context->filterkey);
|
2005-04-16 16:20:36 -06:00
|
|
|
kfree(context);
|
|
|
|
context = previous;
|
|
|
|
} while (context);
|
|
|
|
if (count >= 10)
|
|
|
|
printk(KERN_ERR "audit: freed %d contexts\n", count);
|
|
|
|
}
|
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
static void audit_log_task_context(struct audit_buffer *ab)
|
2005-11-03 10:15:16 -07:00
|
|
|
{
|
|
|
|
char *ctx = NULL;
|
|
|
|
ssize_t len = 0;
|
|
|
|
|
|
|
|
len = security_getprocattr(current, "current", NULL, 0);
|
|
|
|
if (len < 0) {
|
|
|
|
if (len != -EINVAL)
|
|
|
|
goto error_path;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
ctx = kmalloc(len, GFP_KERNEL);
|
2005-11-16 08:53:13 -07:00
|
|
|
if (!ctx)
|
2005-11-03 10:15:16 -07:00
|
|
|
goto error_path;
|
|
|
|
|
|
|
|
len = security_getprocattr(current, "current", ctx, len);
|
|
|
|
if (len < 0 )
|
|
|
|
goto error_path;
|
|
|
|
|
|
|
|
audit_log_format(ab, " subj=%s", ctx);
|
2005-11-16 08:53:13 -07:00
|
|
|
return;
|
2005-11-03 10:15:16 -07:00
|
|
|
|
|
|
|
error_path:
|
2006-06-27 03:55:05 -06:00
|
|
|
kfree(ctx);
|
2005-11-16 08:53:13 -07:00
|
|
|
audit_panic("error in audit_log_task_context");
|
2005-11-03 10:15:16 -07:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
|
2005-04-18 11:47:35 -06:00
|
|
|
{
|
2006-03-29 18:02:55 -07:00
|
|
|
char name[sizeof(tsk->comm)];
|
|
|
|
struct mm_struct *mm = tsk->mm;
|
2005-04-18 11:47:35 -06:00
|
|
|
struct vm_area_struct *vma;
|
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
/* tsk == current */
|
|
|
|
|
2006-03-29 18:02:55 -07:00
|
|
|
get_task_comm(name, tsk);
|
2005-05-23 14:57:41 -06:00
|
|
|
audit_log_format(ab, " comm=");
|
|
|
|
audit_log_untrustedstring(ab, name);
|
2005-04-18 11:47:35 -06:00
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
if (mm) {
|
|
|
|
down_read(&mm->mmap_sem);
|
|
|
|
vma = mm->mmap;
|
|
|
|
while (vma) {
|
|
|
|
if ((vma->vm_flags & VM_EXECUTABLE) &&
|
|
|
|
vma->vm_file) {
|
|
|
|
audit_log_d_path(ab, "exe=",
|
|
|
|
vma->vm_file->f_dentry,
|
|
|
|
vma->vm_file->f_vfsmnt);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
vma = vma->vm_next;
|
2005-04-18 11:47:35 -06:00
|
|
|
}
|
2006-03-29 18:17:10 -07:00
|
|
|
up_read(&mm->mmap_sem);
|
2005-04-18 11:47:35 -06:00
|
|
|
}
|
2006-03-29 18:17:10 -07:00
|
|
|
audit_log_task_context(ab);
|
2005-04-18 11:47:35 -06:00
|
|
|
}
|
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-03-31 13:22:49 -07:00
|
|
|
int i, call_panic = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_buffer *ab;
|
2005-05-26 05:04:57 -06:00
|
|
|
struct audit_aux_data *aux;
|
2006-01-01 12:07:00 -07:00
|
|
|
const char *tty;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
/* tsk == current */
|
2006-07-16 04:43:48 -06:00
|
|
|
context->pid = tsk->pid;
|
|
|
|
context->ppid = sys_getppid(); /* sic. tsk == current in all cases */
|
|
|
|
context->uid = tsk->uid;
|
|
|
|
context->gid = tsk->gid;
|
|
|
|
context->euid = tsk->euid;
|
|
|
|
context->suid = tsk->suid;
|
|
|
|
context->fsuid = tsk->fsuid;
|
|
|
|
context->egid = tsk->egid;
|
|
|
|
context->sgid = tsk->sgid;
|
|
|
|
context->fsgid = tsk->fsgid;
|
|
|
|
context->personality = tsk->personality;
|
2006-03-29 18:17:10 -07:00
|
|
|
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (!ab)
|
|
|
|
return; /* audit_panic has been called */
|
2005-05-23 14:35:28 -06:00
|
|
|
audit_log_format(ab, "arch=%x syscall=%d",
|
|
|
|
context->arch, context->major);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (context->personality != PER_LINUX)
|
|
|
|
audit_log_format(ab, " per=%lx", context->personality);
|
|
|
|
if (context->return_valid)
|
2005-04-29 09:08:28 -06:00
|
|
|
audit_log_format(ab, " success=%s exit=%ld",
|
|
|
|
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
|
|
|
|
context->return_code);
|
2006-03-29 18:02:55 -07:00
|
|
|
if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
|
|
|
|
tty = tsk->signal->tty->name;
|
2006-01-01 12:07:00 -07:00
|
|
|
else
|
|
|
|
tty = "(none)";
|
2005-04-16 16:20:36 -06:00
|
|
|
audit_log_format(ab,
|
|
|
|
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
|
2006-05-06 06:22:52 -06:00
|
|
|
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
|
2005-05-20 17:22:31 -06:00
|
|
|
" euid=%u suid=%u fsuid=%u"
|
2006-01-01 12:07:00 -07:00
|
|
|
" egid=%u sgid=%u fsgid=%u tty=%s",
|
2005-04-16 16:20:36 -06:00
|
|
|
context->argv[0],
|
|
|
|
context->argv[1],
|
|
|
|
context->argv[2],
|
|
|
|
context->argv[3],
|
|
|
|
context->name_count,
|
2006-05-06 06:22:52 -06:00
|
|
|
context->ppid,
|
2005-04-16 16:20:36 -06:00
|
|
|
context->pid,
|
|
|
|
context->loginuid,
|
|
|
|
context->uid,
|
|
|
|
context->gid,
|
|
|
|
context->euid, context->suid, context->fsuid,
|
2006-01-01 12:07:00 -07:00
|
|
|
context->egid, context->sgid, context->fsgid, tty);
|
2006-03-29 18:17:10 -07:00
|
|
|
audit_log_task_info(ab, tsk);
|
2006-06-14 16:45:21 -06:00
|
|
|
if (context->filterkey) {
|
|
|
|
audit_log_format(ab, " key=");
|
|
|
|
audit_log_untrustedstring(ab, context->filterkey);
|
|
|
|
} else
|
|
|
|
audit_log_format(ab, " key=(null)");
|
2005-04-16 16:20:36 -06:00
|
|
|
audit_log_end(ab);
|
|
|
|
|
2005-05-26 05:04:57 -06:00
|
|
|
for (aux = context->aux; aux; aux = aux->next) {
|
2005-05-13 11:17:42 -06:00
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
ab = audit_log_start(context, GFP_KERNEL, aux->type);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (!ab)
|
|
|
|
continue; /* audit_panic has been called */
|
|
|
|
|
|
|
|
switch (aux->type) {
|
2006-05-24 15:09:55 -06:00
|
|
|
case AUDIT_MQ_OPEN: {
|
|
|
|
struct audit_aux_data_mq_open *axi = (void *)aux;
|
|
|
|
audit_log_format(ab,
|
|
|
|
"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
|
|
|
|
"mq_msgsize=%ld mq_curmsgs=%ld",
|
|
|
|
axi->oflag, axi->mode, axi->attr.mq_flags,
|
|
|
|
axi->attr.mq_maxmsg, axi->attr.mq_msgsize,
|
|
|
|
axi->attr.mq_curmsgs);
|
|
|
|
break; }
|
|
|
|
|
|
|
|
case AUDIT_MQ_SENDRECV: {
|
|
|
|
struct audit_aux_data_mq_sendrecv *axi = (void *)aux;
|
|
|
|
audit_log_format(ab,
|
|
|
|
"mqdes=%d msg_len=%zd msg_prio=%u "
|
|
|
|
"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
|
|
|
|
axi->mqdes, axi->msg_len, axi->msg_prio,
|
|
|
|
axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);
|
|
|
|
break; }
|
|
|
|
|
|
|
|
case AUDIT_MQ_NOTIFY: {
|
|
|
|
struct audit_aux_data_mq_notify *axi = (void *)aux;
|
|
|
|
audit_log_format(ab,
|
|
|
|
"mqdes=%d sigev_signo=%d",
|
|
|
|
axi->mqdes,
|
|
|
|
axi->notification.sigev_signo);
|
|
|
|
break; }
|
|
|
|
|
|
|
|
case AUDIT_MQ_GETSETATTR: {
|
|
|
|
struct audit_aux_data_mq_getsetattr *axi = (void *)aux;
|
|
|
|
audit_log_format(ab,
|
|
|
|
"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
|
|
|
|
"mq_curmsgs=%ld ",
|
|
|
|
axi->mqdes,
|
|
|
|
axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg,
|
|
|
|
axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs);
|
|
|
|
break; }
|
|
|
|
|
2005-05-13 11:17:42 -06:00
|
|
|
case AUDIT_IPC: {
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_aux_data_ipcctl *axi = (void *)aux;
|
|
|
|
audit_log_format(ab,
|
2006-05-16 20:03:48 -06:00
|
|
|
"ouid=%u ogid=%u mode=%x",
|
|
|
|
axi->uid, axi->gid, axi->mode);
|
2006-03-31 13:22:49 -07:00
|
|
|
if (axi->osid != 0) {
|
|
|
|
char *ctx = NULL;
|
|
|
|
u32 len;
|
|
|
|
if (selinux_ctxid_to_string(
|
|
|
|
axi->osid, &ctx, &len)) {
|
2006-04-01 16:29:34 -07:00
|
|
|
audit_log_format(ab, " osid=%u",
|
2006-03-31 13:22:49 -07:00
|
|
|
axi->osid);
|
|
|
|
call_panic = 1;
|
|
|
|
} else
|
|
|
|
audit_log_format(ab, " obj=%s", ctx);
|
|
|
|
kfree(ctx);
|
|
|
|
}
|
2005-05-17 05:08:48 -06:00
|
|
|
break; }
|
|
|
|
|
2006-04-02 15:07:33 -06:00
|
|
|
case AUDIT_IPC_SET_PERM: {
|
|
|
|
struct audit_aux_data_ipcctl *axi = (void *)aux;
|
|
|
|
audit_log_format(ab,
|
2006-05-16 20:03:48 -06:00
|
|
|
"qbytes=%lx ouid=%u ogid=%u mode=%x",
|
2006-04-02 15:07:33 -06:00
|
|
|
axi->qbytes, axi->uid, axi->gid, axi->mode);
|
|
|
|
break; }
|
2006-05-16 20:03:48 -06:00
|
|
|
|
2006-04-26 12:04:08 -06:00
|
|
|
case AUDIT_EXECVE: {
|
|
|
|
struct audit_aux_data_execve *axi = (void *)aux;
|
|
|
|
int i;
|
|
|
|
const char *p;
|
|
|
|
for (i = 0, p = axi->mem; i < axi->argc; i++) {
|
|
|
|
audit_log_format(ab, "a%d=", i);
|
|
|
|
p = audit_log_untrustedstring(ab, p);
|
|
|
|
audit_log_format(ab, "\n");
|
|
|
|
}
|
|
|
|
break; }
|
2006-04-02 15:07:33 -06:00
|
|
|
|
2005-05-17 05:08:48 -06:00
|
|
|
case AUDIT_SOCKETCALL: {
|
|
|
|
int i;
|
|
|
|
struct audit_aux_data_socketcall *axs = (void *)aux;
|
|
|
|
audit_log_format(ab, "nargs=%d", axs->nargs);
|
|
|
|
for (i=0; i<axs->nargs; i++)
|
|
|
|
audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
|
|
|
|
break; }
|
|
|
|
|
|
|
|
case AUDIT_SOCKADDR: {
|
|
|
|
struct audit_aux_data_sockaddr *axs = (void *)aux;
|
|
|
|
|
|
|
|
audit_log_format(ab, "saddr=");
|
|
|
|
audit_log_hex(ab, axs->a, axs->len);
|
|
|
|
break; }
|
2005-05-20 17:15:52 -06:00
|
|
|
|
|
|
|
case AUDIT_AVC_PATH: {
|
|
|
|
struct audit_aux_data_path *axi = (void *)aux;
|
|
|
|
audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
|
|
|
|
break; }
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
|
2005-05-27 05:17:28 -06:00
|
|
|
if (context->pwd && context->pwdmnt) {
|
2006-03-29 18:17:10 -07:00
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
|
2005-05-27 05:17:28 -06:00
|
|
|
if (ab) {
|
|
|
|
audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
for (i = 0; i < context->name_count; i++) {
|
2006-06-08 21:19:31 -06:00
|
|
|
struct audit_names *n = &context->names[i];
|
2005-11-03 09:00:25 -07:00
|
|
|
|
2006-03-29 18:17:10 -07:00
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (!ab)
|
|
|
|
continue; /* audit_panic has been called */
|
2005-05-27 05:17:28 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
audit_log_format(ab, "item=%d", i);
|
2005-11-03 09:00:25 -07:00
|
|
|
|
2006-06-08 21:19:31 -06:00
|
|
|
if (n->name) {
|
|
|
|
switch(n->name_len) {
|
|
|
|
case AUDIT_NAME_FULL:
|
|
|
|
/* log the full path */
|
|
|
|
audit_log_format(ab, " name=");
|
|
|
|
audit_log_untrustedstring(ab, n->name);
|
|
|
|
break;
|
|
|
|
case 0:
|
|
|
|
/* name was specified as a relative path and the
|
|
|
|
* directory component is the cwd */
|
|
|
|
audit_log_d_path(ab, " name=", context->pwd,
|
|
|
|
context->pwdmnt);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
/* log the name's directory component */
|
|
|
|
audit_log_format(ab, " name=");
|
|
|
|
audit_log_n_untrustedstring(ab, n->name_len,
|
|
|
|
n->name);
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
audit_log_format(ab, " name=(null)");
|
|
|
|
|
|
|
|
if (n->ino != (unsigned long)-1) {
|
|
|
|
audit_log_format(ab, " inode=%lu"
|
|
|
|
" dev=%02x:%02x mode=%#o"
|
|
|
|
" ouid=%u ogid=%u rdev=%02x:%02x",
|
|
|
|
n->ino,
|
|
|
|
MAJOR(n->dev),
|
|
|
|
MINOR(n->dev),
|
|
|
|
n->mode,
|
|
|
|
n->uid,
|
|
|
|
n->gid,
|
|
|
|
MAJOR(n->rdev),
|
|
|
|
MINOR(n->rdev));
|
|
|
|
}
|
|
|
|
if (n->osid != 0) {
|
2006-04-03 12:06:13 -06:00
|
|
|
char *ctx = NULL;
|
|
|
|
u32 len;
|
|
|
|
if (selinux_ctxid_to_string(
|
2006-06-08 21:19:31 -06:00
|
|
|
n->osid, &ctx, &len)) {
|
|
|
|
audit_log_format(ab, " osid=%u", n->osid);
|
2006-03-31 13:22:49 -07:00
|
|
|
call_panic = 2;
|
2006-04-03 12:06:13 -06:00
|
|
|
} else
|
|
|
|
audit_log_format(ab, " obj=%s", ctx);
|
|
|
|
kfree(ctx);
|
2005-11-03 10:15:16 -07:00
|
|
|
}
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
2006-03-31 13:22:49 -07:00
|
|
|
if (call_panic)
|
|
|
|
audit_panic("error converting sid to string");
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_free - free a per-task audit context
|
|
|
|
* @tsk: task whose audit context block to free
|
|
|
|
*
|
2006-03-29 18:30:19 -07:00
|
|
|
* Called from copy_process and do_exit
|
2005-09-13 13:47:11 -06:00
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
void audit_free(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
struct audit_context *context;
|
|
|
|
|
|
|
|
context = audit_get_context(tsk, 0, 0);
|
|
|
|
if (likely(!context))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* Check for system calls that do not go through the exit
|
2005-07-13 15:47:07 -06:00
|
|
|
* function (e.g., exit_group), then free context block.
|
|
|
|
* We use GFP_ATOMIC here because we might be doing this
|
|
|
|
* in the context of the idle thread */
|
2006-03-29 18:17:10 -07:00
|
|
|
/* that can happen only if we are called from do_exit() */
|
2005-06-20 09:07:33 -06:00
|
|
|
if (context->in_syscall && context->auditable)
|
2006-03-29 18:17:10 -07:00
|
|
|
audit_log_exit(context, tsk);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
audit_free_context(context);
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_syscall_entry - fill in an audit record at syscall entry
|
|
|
|
* @tsk: task being audited
|
|
|
|
* @arch: architecture type
|
|
|
|
* @major: major syscall type (function)
|
|
|
|
* @a1: additional syscall register 1
|
|
|
|
* @a2: additional syscall register 2
|
|
|
|
* @a3: additional syscall register 3
|
|
|
|
* @a4: additional syscall register 4
|
|
|
|
*
|
|
|
|
* Fill in audit context at syscall entry. This only happens if the
|
2005-04-16 16:20:36 -06:00
|
|
|
* audit context was created when the task was created and the state or
|
|
|
|
* filters demand the audit context be built. If the state from the
|
|
|
|
* per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
|
|
|
|
* then the record will be written at syscall exit time (otherwise, it
|
|
|
|
* will only be written if another part of the kernel requests that it
|
2005-09-13 13:47:11 -06:00
|
|
|
* be written).
|
|
|
|
*/
|
2006-03-29 18:23:36 -07:00
|
|
|
void audit_syscall_entry(int arch, int major,
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long a1, unsigned long a2,
|
|
|
|
unsigned long a3, unsigned long a4)
|
|
|
|
{
|
2006-03-29 18:23:36 -07:00
|
|
|
struct task_struct *tsk = current;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_context *context = tsk->audit_context;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
BUG_ON(!context);
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/*
|
|
|
|
* This happens only on certain architectures that make system
|
2005-04-16 16:20:36 -06:00
|
|
|
* calls in kernel_thread via the entry.S interface, instead of
|
|
|
|
* with direct calls. (If you are porting to a new
|
|
|
|
* architecture, hitting this condition can indicate that you
|
|
|
|
* got the _exit/_leave calls backward in entry.S.)
|
|
|
|
*
|
|
|
|
* i386 no
|
|
|
|
* x86_64 no
|
2006-01-23 09:58:20 -07:00
|
|
|
* ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
|
2005-04-16 16:20:36 -06:00
|
|
|
*
|
|
|
|
* This also happens with vm86 emulation in a non-nested manner
|
|
|
|
* (entries without exits), so this case must be caught.
|
|
|
|
*/
|
|
|
|
if (context->in_syscall) {
|
|
|
|
struct audit_context *newctx;
|
|
|
|
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
printk(KERN_ERR
|
|
|
|
"audit(:%d) pid=%d in syscall=%d;"
|
|
|
|
" entering syscall=%d\n",
|
|
|
|
context->serial, tsk->pid, context->major, major);
|
|
|
|
#endif
|
|
|
|
newctx = audit_alloc_context(context->state);
|
|
|
|
if (newctx) {
|
|
|
|
newctx->previous = context;
|
|
|
|
context = newctx;
|
|
|
|
tsk->audit_context = newctx;
|
|
|
|
} else {
|
|
|
|
/* If we can't alloc a new context, the best we
|
|
|
|
* can do is to leak memory (any pending putname
|
|
|
|
* will be lost). The only other alternative is
|
|
|
|
* to abandon auditing. */
|
|
|
|
audit_zero_context(context, context->state);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
BUG_ON(context->in_syscall || context->name_count);
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return;
|
|
|
|
|
2005-04-29 09:08:28 -06:00
|
|
|
context->arch = arch;
|
2005-04-16 16:20:36 -06:00
|
|
|
context->major = major;
|
|
|
|
context->argv[0] = a1;
|
|
|
|
context->argv[1] = a2;
|
|
|
|
context->argv[2] = a3;
|
|
|
|
context->argv[3] = a4;
|
|
|
|
|
|
|
|
state = context->state;
|
2006-08-03 08:59:26 -06:00
|
|
|
context->dummy = !audit_n_rules;
|
|
|
|
if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
|
2005-06-19 12:35:50 -06:00
|
|
|
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (likely(state == AUDIT_DISABLED))
|
|
|
|
return;
|
|
|
|
|
2005-07-18 12:24:46 -06:00
|
|
|
context->serial = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
context->ctime = CURRENT_TIME;
|
|
|
|
context->in_syscall = 1;
|
|
|
|
context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_syscall_exit - deallocate audit context after a system call
|
|
|
|
* @tsk: task being audited
|
|
|
|
* @valid: success/failure flag
|
|
|
|
* @return_code: syscall return value
|
|
|
|
*
|
|
|
|
* Tear down after system call. If the audit context has been marked as
|
2005-04-16 16:20:36 -06:00
|
|
|
* auditable (either because of the AUDIT_RECORD_CONTEXT state from
|
|
|
|
* filtering, or because some other part of the kernel write an audit
|
|
|
|
* message), then write out the syscall information. In call cases,
|
2005-09-13 13:47:11 -06:00
|
|
|
* free the names stored from getname().
|
|
|
|
*/
|
2006-03-29 18:23:36 -07:00
|
|
|
void audit_syscall_exit(int valid, long return_code)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-03-29 18:23:36 -07:00
|
|
|
struct task_struct *tsk = current;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct audit_context *context;
|
|
|
|
|
2005-04-29 09:08:28 -06:00
|
|
|
context = audit_get_context(tsk, valid, return_code);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
if (likely(!context))
|
2006-03-29 18:26:24 -07:00
|
|
|
return;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2005-06-20 09:07:33 -06:00
|
|
|
if (context->in_syscall && context->auditable)
|
2006-03-29 18:17:10 -07:00
|
|
|
audit_log_exit(context, tsk);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
context->in_syscall = 0;
|
|
|
|
context->auditable = 0;
|
2005-04-29 09:08:28 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
if (context->previous) {
|
|
|
|
struct audit_context *new_context = context->previous;
|
|
|
|
context->previous = NULL;
|
|
|
|
audit_free_context(context);
|
|
|
|
tsk->audit_context = new_context;
|
|
|
|
} else {
|
|
|
|
audit_free_names(context);
|
|
|
|
audit_free_aux(context);
|
2006-06-14 16:45:21 -06:00
|
|
|
kfree(context->filterkey);
|
|
|
|
context->filterkey = NULL;
|
2005-04-16 16:20:36 -06:00
|
|
|
tsk->audit_context = context;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_getname - add a name to the list
|
|
|
|
* @name: name to add
|
|
|
|
*
|
|
|
|
* Add a name to the list of audit names for this context.
|
|
|
|
* Called from fs/namei.c:getname().
|
|
|
|
*/
|
2006-05-18 14:01:30 -06:00
|
|
|
void __audit_getname(const char *name)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
2006-05-18 14:01:30 -06:00
|
|
|
if (IS_ERR(name) || !name)
|
2005-04-16 16:20:36 -06:00
|
|
|
return;
|
|
|
|
|
|
|
|
if (!context->in_syscall) {
|
|
|
|
#if AUDIT_DEBUG == 2
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
|
|
|
|
__FILE__, __LINE__, context->serial, name);
|
|
|
|
dump_stack();
|
|
|
|
#endif
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
BUG_ON(context->name_count >= AUDIT_NAMES);
|
|
|
|
context->names[context->name_count].name = name;
|
2006-06-08 21:19:31 -06:00
|
|
|
context->names[context->name_count].name_len = AUDIT_NAME_FULL;
|
|
|
|
context->names[context->name_count].name_put = 1;
|
2005-04-16 16:20:36 -06:00
|
|
|
context->names[context->name_count].ino = (unsigned long)-1;
|
|
|
|
++context->name_count;
|
2005-05-27 05:17:28 -06:00
|
|
|
if (!context->pwd) {
|
|
|
|
read_lock(¤t->fs->lock);
|
|
|
|
context->pwd = dget(current->fs->pwd);
|
|
|
|
context->pwdmnt = mntget(current->fs->pwdmnt);
|
|
|
|
read_unlock(¤t->fs->lock);
|
|
|
|
}
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/* audit_putname - intercept a putname request
|
|
|
|
* @name: name to intercept and delay for putname
|
|
|
|
*
|
|
|
|
* If we have stored the name from getname in the audit context,
|
|
|
|
* then we delay the putname until syscall exit.
|
|
|
|
* Called from include/linux/fs.h:putname().
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
void audit_putname(const char *name)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
BUG_ON(!context);
|
|
|
|
if (!context->in_syscall) {
|
|
|
|
#if AUDIT_DEBUG == 2
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
|
|
|
|
__FILE__, __LINE__, context->serial, name);
|
|
|
|
if (context->name_count) {
|
|
|
|
int i;
|
|
|
|
for (i = 0; i < context->name_count; i++)
|
|
|
|
printk(KERN_ERR "name[%d] = %p = %s\n", i,
|
|
|
|
context->names[i].name,
|
2005-11-03 09:00:25 -07:00
|
|
|
context->names[i].name ?: "(null)");
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
__putname(name);
|
|
|
|
}
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
else {
|
|
|
|
++context->put_count;
|
|
|
|
if (context->put_count > context->name_count) {
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): major=%d"
|
|
|
|
" in_syscall=%d putname(%p) name_count=%d"
|
|
|
|
" put_count=%d\n",
|
|
|
|
__FILE__, __LINE__,
|
|
|
|
context->serial, context->major,
|
|
|
|
context->in_syscall, name, context->name_count,
|
|
|
|
context->put_count);
|
|
|
|
dump_stack();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2006-07-13 11:16:02 -06:00
|
|
|
/* Copy inode data into an audit_names. */
|
|
|
|
static void audit_copy_inode(struct audit_names *name, const struct inode *inode)
|
2005-11-03 10:15:16 -07:00
|
|
|
{
|
2006-07-13 11:16:02 -06:00
|
|
|
name->ino = inode->i_ino;
|
|
|
|
name->dev = inode->i_sb->s_dev;
|
|
|
|
name->mode = inode->i_mode;
|
|
|
|
name->uid = inode->i_uid;
|
|
|
|
name->gid = inode->i_gid;
|
|
|
|
name->rdev = inode->i_rdev;
|
|
|
|
selinux_get_inode_sid(inode, &name->osid);
|
2005-11-03 10:15:16 -07:00
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_inode - store the inode and device from a lookup
|
|
|
|
* @name: name being audited
|
|
|
|
* @inode: inode being audited
|
|
|
|
*
|
|
|
|
* Called from fs/namei.c:path_lookup().
|
|
|
|
*/
|
2006-06-08 21:19:31 -06:00
|
|
|
void __audit_inode(const char *name, const struct inode *inode)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
int idx;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (!context->in_syscall)
|
|
|
|
return;
|
|
|
|
if (context->name_count
|
|
|
|
&& context->names[context->name_count-1].name
|
|
|
|
&& context->names[context->name_count-1].name == name)
|
|
|
|
idx = context->name_count - 1;
|
|
|
|
else if (context->name_count > 1
|
|
|
|
&& context->names[context->name_count-2].name
|
|
|
|
&& context->names[context->name_count-2].name == name)
|
|
|
|
idx = context->name_count - 2;
|
|
|
|
else {
|
|
|
|
/* FIXME: how much do we care about inodes that have no
|
|
|
|
* associated name? */
|
|
|
|
if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
|
|
|
|
return;
|
|
|
|
idx = context->name_count++;
|
|
|
|
context->names[idx].name = NULL;
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
++context->ino_count;
|
|
|
|
#endif
|
|
|
|
}
|
2006-07-13 11:16:02 -06:00
|
|
|
audit_copy_inode(&context->names[idx], inode);
|
2005-11-03 09:00:25 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_inode_child - collect inode info for created/removed objects
|
|
|
|
* @dname: inode's dentry name
|
|
|
|
* @inode: inode being audited
|
2006-07-13 11:16:39 -06:00
|
|
|
* @parent: inode of dentry parent
|
2005-11-03 09:00:25 -07:00
|
|
|
*
|
|
|
|
* For syscalls that create or remove filesystem objects, audit_inode
|
|
|
|
* can only collect information for the filesystem object's parent.
|
|
|
|
* This call updates the audit context with the child's information.
|
|
|
|
* Syscalls that create a new filesystem object must be hooked after
|
|
|
|
* the object is created. Syscalls that remove a filesystem object
|
|
|
|
* must be hooked prior, in order to capture the target inode during
|
|
|
|
* unsuccessful attempts.
|
|
|
|
*/
|
|
|
|
void __audit_inode_child(const char *dname, const struct inode *inode,
|
2006-07-13 11:16:39 -06:00
|
|
|
const struct inode *parent)
|
2005-11-03 09:00:25 -07:00
|
|
|
{
|
|
|
|
int idx;
|
|
|
|
struct audit_context *context = current->audit_context;
|
2006-06-08 21:19:31 -06:00
|
|
|
const char *found_name = NULL;
|
|
|
|
int dirlen = 0;
|
2005-11-03 09:00:25 -07:00
|
|
|
|
|
|
|
if (!context->in_syscall)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* determine matching parent */
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (!dname)
|
2006-06-08 21:19:31 -06:00
|
|
|
goto update_context;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
for (idx = 0; idx < context->name_count; idx++)
|
2006-07-13 11:16:39 -06:00
|
|
|
if (context->names[idx].ino == parent->i_ino) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
const char *name = context->names[idx].name;
|
2005-11-03 09:00:25 -07:00
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
if (!name)
|
|
|
|
continue;
|
|
|
|
|
2006-06-08 21:19:31 -06:00
|
|
|
if (audit_compare_dname_path(dname, name, &dirlen) == 0) {
|
|
|
|
context->names[idx].name_len = dirlen;
|
|
|
|
found_name = name;
|
|
|
|
break;
|
|
|
|
}
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 14:55:56 -06:00
|
|
|
}
|
2005-11-03 09:00:25 -07:00
|
|
|
|
2006-06-08 21:19:31 -06:00
|
|
|
update_context:
|
2005-11-03 09:00:25 -07:00
|
|
|
idx = context->name_count++;
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
context->ino_count++;
|
|
|
|
#endif
|
2006-06-08 21:19:31 -06:00
|
|
|
/* Re-use the name belonging to the slot for a matching parent directory.
|
|
|
|
* All names for this context are relinquished in audit_free_names() */
|
|
|
|
context->names[idx].name = found_name;
|
|
|
|
context->names[idx].name_len = AUDIT_NAME_FULL;
|
|
|
|
context->names[idx].name_put = 0; /* don't call __putname() */
|
2005-11-03 09:00:25 -07:00
|
|
|
|
2006-07-13 11:16:02 -06:00
|
|
|
if (!inode)
|
|
|
|
context->names[idx].ino = (unsigned long)-1;
|
|
|
|
else
|
|
|
|
audit_copy_inode(&context->names[idx], inode);
|
2006-07-13 11:16:39 -06:00
|
|
|
|
|
|
|
/* A parent was not found in audit_names, so copy the inode data for the
|
|
|
|
* provided parent. */
|
|
|
|
if (!found_name) {
|
|
|
|
idx = context->name_count++;
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
context->ino_count++;
|
|
|
|
#endif
|
|
|
|
audit_copy_inode(&context->names[idx], parent);
|
|
|
|
}
|
2006-07-13 11:16:02 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_inode_update - update inode info for last collected name
|
|
|
|
* @inode: inode being audited
|
|
|
|
*
|
|
|
|
* When open() is called on an existing object with the O_CREAT flag, the inode
|
|
|
|
* data audit initially collects is incorrect. This additional hook ensures
|
|
|
|
* audit has the inode data for the actual object to be opened.
|
|
|
|
*/
|
|
|
|
void __audit_inode_update(const struct inode *inode)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
int idx;
|
|
|
|
|
|
|
|
if (!context->in_syscall || !inode)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (context->name_count == 0) {
|
|
|
|
context->name_count++;
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
context->ino_count++;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
idx = context->name_count - 1;
|
|
|
|
|
|
|
|
audit_copy_inode(&context->names[idx], inode);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* auditsc_get_stamp - get local copies of audit_context values
|
|
|
|
* @ctx: audit_context for the task
|
|
|
|
* @t: timespec to store time recorded in the audit_context
|
|
|
|
* @serial: serial value that is recorded in the audit_context
|
|
|
|
*
|
|
|
|
* Also sets the context as auditable.
|
|
|
|
*/
|
2005-05-21 14:08:09 -06:00
|
|
|
void auditsc_get_stamp(struct audit_context *ctx,
|
|
|
|
struct timespec *t, unsigned int *serial)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2005-07-18 12:24:46 -06:00
|
|
|
if (!ctx->serial)
|
|
|
|
ctx->serial = audit_serial();
|
2005-05-21 14:08:09 -06:00
|
|
|
t->tv_sec = ctx->ctime.tv_sec;
|
|
|
|
t->tv_nsec = ctx->ctime.tv_nsec;
|
|
|
|
*serial = ctx->serial;
|
|
|
|
ctx->auditable = 1;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_set_loginuid - set a task's audit_context loginuid
|
|
|
|
* @task: task whose audit context is being modified
|
|
|
|
* @loginuid: loginuid value
|
|
|
|
*
|
|
|
|
* Returns 0.
|
|
|
|
*
|
|
|
|
* Called (set) from fs/proc/base.c::proc_loginuid_write().
|
|
|
|
*/
|
2005-04-29 10:30:07 -06:00
|
|
|
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-06-12 05:48:28 -06:00
|
|
|
struct audit_context *context = task->audit_context;
|
|
|
|
|
|
|
|
if (context) {
|
|
|
|
/* Only log if audit is enabled */
|
|
|
|
if (context->in_syscall) {
|
|
|
|
struct audit_buffer *ab;
|
|
|
|
|
|
|
|
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
|
|
|
|
if (ab) {
|
|
|
|
audit_log_format(ab, "login pid=%d uid=%u "
|
|
|
|
"old auid=%u new auid=%u",
|
|
|
|
task->pid, task->uid,
|
|
|
|
context->loginuid, loginuid);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
2005-05-13 11:17:42 -06:00
|
|
|
}
|
2006-06-12 05:48:28 -06:00
|
|
|
context->loginuid = loginuid;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_get_loginuid - get the loginuid for an audit_context
|
|
|
|
* @ctx: the audit_context
|
|
|
|
*
|
|
|
|
* Returns the context's loginuid or -1 if @ctx is NULL.
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
uid_t audit_get_loginuid(struct audit_context *ctx)
|
|
|
|
{
|
|
|
|
return ctx ? ctx->loginuid : -1;
|
|
|
|
}
|
|
|
|
|
2006-05-24 15:09:55 -06:00
|
|
|
/**
|
|
|
|
* __audit_mq_open - record audit data for a POSIX MQ open
|
|
|
|
* @oflag: open flag
|
|
|
|
* @mode: mode bits
|
|
|
|
* @u_attr: queue attributes
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
|
|
|
int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_mq_open *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
if (u_attr != NULL) {
|
|
|
|
if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) {
|
|
|
|
kfree(ax);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
memset(&ax->attr, 0, sizeof(ax->attr));
|
|
|
|
|
|
|
|
ax->oflag = oflag;
|
|
|
|
ax->mode = mode;
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_MQ_OPEN;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_timedsend - record audit data for a POSIX MQ timed send
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @msg_len: Message length
|
|
|
|
* @msg_prio: Message priority
|
2006-06-27 03:54:01 -06:00
|
|
|
* @u_abs_timeout: Message timeout in absolute time
|
2006-05-24 15:09:55 -06:00
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
|
|
|
int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
|
|
|
|
const struct timespec __user *u_abs_timeout)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_mq_sendrecv *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
if (u_abs_timeout != NULL) {
|
|
|
|
if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {
|
|
|
|
kfree(ax);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));
|
|
|
|
|
|
|
|
ax->mqdes = mqdes;
|
|
|
|
ax->msg_len = msg_len;
|
|
|
|
ax->msg_prio = msg_prio;
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_MQ_SENDRECV;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @msg_len: Message length
|
2006-06-27 03:54:01 -06:00
|
|
|
* @u_msg_prio: Message priority
|
|
|
|
* @u_abs_timeout: Message timeout in absolute time
|
2006-05-24 15:09:55 -06:00
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
|
|
|
int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len,
|
|
|
|
unsigned int __user *u_msg_prio,
|
|
|
|
const struct timespec __user *u_abs_timeout)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_mq_sendrecv *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
if (u_msg_prio != NULL) {
|
|
|
|
if (get_user(ax->msg_prio, u_msg_prio)) {
|
|
|
|
kfree(ax);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
ax->msg_prio = 0;
|
|
|
|
|
|
|
|
if (u_abs_timeout != NULL) {
|
|
|
|
if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {
|
|
|
|
kfree(ax);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));
|
|
|
|
|
|
|
|
ax->mqdes = mqdes;
|
|
|
|
ax->msg_len = msg_len;
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_MQ_SENDRECV;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_notify - record audit data for a POSIX MQ notify
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @u_notification: Notification event
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
|
|
|
|
|
|
|
int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_mq_notify *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
if (u_notification != NULL) {
|
|
|
|
if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) {
|
|
|
|
kfree(ax);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
memset(&ax->notification, 0, sizeof(ax->notification));
|
|
|
|
|
|
|
|
ax->mqdes = mqdes;
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_MQ_NOTIFY;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @mqstat: MQ flags
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
|
|
|
int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_mq_getsetattr *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->mqdes = mqdes;
|
|
|
|
ax->mqstat = *mqstat;
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_MQ_GETSETATTR;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
2006-04-02 15:07:33 -06:00
|
|
|
* audit_ipc_obj - record audit data for ipc object
|
|
|
|
* @ipcp: ipc permissions
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
2006-05-18 14:01:30 -06:00
|
|
|
int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
|
2006-04-02 15:07:33 -06:00
|
|
|
{
|
|
|
|
struct audit_aux_data_ipcctl *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->uid = ipcp->uid;
|
|
|
|
ax->gid = ipcp->gid;
|
|
|
|
ax->mode = ipcp->mode;
|
|
|
|
selinux_get_ipc_sid(ipcp, &ax->osid);
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_IPC;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_ipc_set_perm - record audit data for new ipc permissions
|
2005-09-13 13:47:11 -06:00
|
|
|
* @qbytes: msgq bytes
|
|
|
|
* @uid: msgq user id
|
|
|
|
* @gid: msgq group id
|
|
|
|
* @mode: msgq mode (permissions)
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
2006-05-18 14:01:30 -06:00
|
|
|
int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
struct audit_aux_data_ipcctl *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
2005-11-03 10:15:16 -07:00
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->qbytes = qbytes;
|
|
|
|
ax->uid = uid;
|
|
|
|
ax->gid = gid;
|
|
|
|
ax->mode = mode;
|
|
|
|
|
2006-04-02 15:07:33 -06:00
|
|
|
ax->d.type = AUDIT_IPC_SET_PERM;
|
2005-04-16 16:20:36 -06:00
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
2005-05-06 05:38:39 -06:00
|
|
|
|
2006-04-26 12:04:08 -06:00
|
|
|
int audit_bprm(struct linux_binprm *bprm)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_execve *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
unsigned long p, next;
|
|
|
|
void *to;
|
|
|
|
|
2006-07-16 04:38:45 -06:00
|
|
|
if (likely(!audit_enabled || !context || context->dummy))
|
2006-04-26 12:04:08 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
|
|
|
|
GFP_KERNEL);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->argc = bprm->argc;
|
|
|
|
ax->envc = bprm->envc;
|
|
|
|
for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
|
|
|
|
struct page *page = bprm->page[p / PAGE_SIZE];
|
|
|
|
void *kaddr = kmap(page);
|
|
|
|
next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
|
|
|
|
memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
|
|
|
|
to += next - p;
|
|
|
|
kunmap(page);
|
|
|
|
}
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_EXECVE;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_socketcall - record audit data for sys_socketcall
|
|
|
|
* @nargs: number of args
|
|
|
|
* @args: args array
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
2005-05-17 05:08:48 -06:00
|
|
|
int audit_socketcall(int nargs, unsigned long *args)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_socketcall *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
2006-07-16 04:38:45 -06:00
|
|
|
if (likely(!context || context->dummy))
|
2005-05-17 05:08:48 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->nargs = nargs;
|
|
|
|
memcpy(ax->args, args, nargs * sizeof(unsigned long));
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_SOCKETCALL;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
|
|
|
|
* @len: data length in user space
|
|
|
|
* @a: data address in kernel space
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
2005-05-17 05:08:48 -06:00
|
|
|
int audit_sockaddr(int len, void *a)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_sockaddr *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
2006-07-16 04:38:45 -06:00
|
|
|
if (likely(!context || context->dummy))
|
2005-05-17 05:08:48 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->len = len;
|
|
|
|
memcpy(ax->a, a, len);
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_SOCKADDR;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_avc_path - record the granting or denial of permissions
|
|
|
|
* @dentry: dentry to record
|
|
|
|
* @mnt: mnt to record
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*
|
|
|
|
* Called from security/selinux/avc.c::avc_audit()
|
|
|
|
*/
|
2005-05-20 17:15:52 -06:00
|
|
|
int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_path *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->dentry = dget(dentry);
|
|
|
|
ax->mnt = mntget(mnt);
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_AVC_PATH;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-09-13 13:47:11 -06:00
|
|
|
/**
|
|
|
|
* audit_signal_info - record signal info for shutting down audit subsystem
|
|
|
|
* @sig: signal value
|
|
|
|
* @t: task being signaled
|
|
|
|
*
|
|
|
|
* If the audit subsystem is being terminated, record the task (pid)
|
|
|
|
* and uid that is doing that.
|
|
|
|
*/
|
2006-05-25 08:19:47 -06:00
|
|
|
void __audit_signal_info(int sig, struct task_struct *t)
|
2005-05-06 05:38:39 -06:00
|
|
|
{
|
|
|
|
extern pid_t audit_sig_pid;
|
|
|
|
extern uid_t audit_sig_uid;
|
2006-05-25 08:19:47 -06:00
|
|
|
extern u32 audit_sig_sid;
|
|
|
|
|
|
|
|
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
struct audit_context *ctx = tsk->audit_context;
|
|
|
|
audit_sig_pid = tsk->pid;
|
|
|
|
if (ctx)
|
|
|
|
audit_sig_uid = ctx->loginuid;
|
|
|
|
else
|
|
|
|
audit_sig_uid = tsk->uid;
|
|
|
|
selinux_get_task_sid(tsk, &audit_sig_sid);
|
2005-05-06 05:38:39 -06:00
|
|
|
}
|
|
|
|
}
|