From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
pmoore@redhat.com, eparis@redhat.com
Subject: Re: [PATCH V6 0/4] audit by executable name
Date: Wed, 15 Jul 2015 08:28:19 -0400
Message-ID: <2290951.jxBbQJQ7l8@x2>
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>
On Tuesday, July 14, 2015 11:50:22 AM Richard Guy Briggs wrote:
> Please see the accompanying userspace patchset:
> https://www.redhat.com/archives/linux-audit/2015-July/thread.html
> [[PATCH V2] 0/2] Log on the future execution of a path
> The userspace interface is not expected to change appreciably unless
> something important has been overlooked. Setting and deleting rules works
> as expected.
>
> If the path does not exist at rule creation time, it will be re-evaluated
> every time there is a change to the parent directory at which point the
> change in device and inode will be noted.
Thanks for doing this. It's a much-needed feature.
In looking over it...does this add an AUDIT_VERSION_ define and use it in the
feature mask so that I can tell what kernels support this? I might have missed
it, but I can't find one.
Thanks,
-Steve
> Here's a sample run:
> Test for addition, trigger and deletion of tree executable rule:
> # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
> ----
> time->Sat Jul 11 10:41:50 2015
> type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
> ----
>
> # /usr/bin/touch /tmp/test
> ----
> time->Sat Jul 11 10:41:50 2015
> type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
> type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
> type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
> type=CWD msg=audit(1436629310.757:44712): cwd="/root"
> type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
> ----
>
> # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
> ----
> time->Sat Jul 11 10:41:50 2015
> type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
> ----
>
>
> Revision history:
> v6: Explicitly declare prototypes as external.
> Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch,
> lsm_field. Rebased on v4.1.
> Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
> audit_autoremove_mark_rule() to avoid confusion with
> audit_remove_{watch,tree}_rule() usage.
> Add audit_remove_mark_rule() to provide similar interface as
> audit_remove_{watch,tree}_rule().
> Simplify stubs to defines.
> Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
> keeping with the naming convention of inotify_free_mark(),
> dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
> Return -ENOMEM rather than null in case of memory allocation failure for
> audit_mark in audit_alloc_mark().
> Rename audit_free_mark() to audit_mark_free() to avoid association with
> {i,d,fa}notify_free_mark() and audit_watch_free_mark().
> Clean up exe with similar interface as watch and tree.
> Clean up audit exe mark just before audit_free_rule() rather than in it
> to avoid mutex in software interrupt context.
> Fixed bug in audit_dupe_exe() that returned error rather than valid
> pointer.
>
> v5: Revert patch "Let audit_free_rule() take care of calling
> audit_remove_mark()." since it caused a group mark deadlock.
> https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
>
> v4: Re-order and squash down fixups
> Fix audit_dup_exe() to copy pathname string before calling
> audit_alloc_mark().
> https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
>
> v3: Rationalize and rename some function names and clean up get/put and free
> code. Rename several "watch" references to "mark".
> Rename audit_remove_rule() to audit_remove_mark_rule().
> Let audit_free_rule() take care of calling audit_remove_mark().
> Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> Move the access to the entry for audit_match_signal() to the beginning of
> the function in case the entry found is the same one passed in. This will
> enable it to be used by audit_remove_mark_rule().
> https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
>
> v2: Misguided attempt to add in audit_exe similar to watches
> https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
>
> v1.5: eparis' switch to fsnotify
> https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
>
> v1: Change to path interface instead of inode
> https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
>
> v0: Peter Moodie's original patches
> https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
>
>
> Future step:
> Get full-path notify working.
>
>
> Eric Paris (1):
> audit: implement audit by executable
>
> Richard Guy Briggs (3):
> audit: clean simple fsnotify implementation
> audit: convert audit_exe to audit_fsnotify
> audit: avoid double copying the audit_exe path string
>
> include/linux/audit.h      |   1 +
> include/uapi/linux/audit.h |   2 +
> kernel/Makefile            |   2 +-
> kernel/audit.h             |  33 ++++++
> kernel/audit_exe.c         |  50 +++++++++
> kernel/audit_fsnotify.c    | 246 ++++++++++++++++++++++++++++++++++++++++++++
> kernel/audit_tree.c        |   2 +
> kernel/audit_watch.c       |   4 +
> kernel/auditfilter.c       |  63 +++++++++++-
> kernel/auditsc.c           |  16 +++
> 10 files changed, 415 insertions(+), 4 deletions(-)
> create mode 100644 kernel/audit_exe.c
> create mode 100644 kernel/audit_fsnotify.c
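As an added example, not part of the patchset or of anyone's message in this thread, the script below checks that an exe= rule fired the way the quoted sample run shows. It parses the records of that sample as they would appear in audit.log (the same records, re-joined one per line, with ausearch's "----" and "time->" separators dropped), groups them by event serial, hex-decodes the PROCTITLE record back into argv, and for each event whose SYSCALL record carries the target exe= reports the key, the syscall outcome, and the device and inode of every PATH item. All function names are my own.

```python
import re
from collections import defaultdict

# Constructed input: the records from the quoted sample run, one per line in
# audit.log form (the ausearch "----" and "time->" lines are not part of the log).
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
"""

# Every audit record starts with its type and the (timestamp:serial) event id;
# all records of one syscall event share the serial.
_HDR = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# One key=value token: the value is either a double-quoted string or a bare word.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Fields the kernel emits hex-encoded (unquoted) when the value contains a
# space, quote or non-printable byte; proctitle is always hex-encoded.
_HEX_FIELDS = {"proctitle", "name", "comm", "exe", "cwd", "key"}
_HEXSTR = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def _decode(key, raw):
    """Strip quotes, or hex-decode an unquoted value of a hex-encoded field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in _HEX_FIELDS and _HEXSTR.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit.log line into (type, serial, fields), or None if malformed."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {k: _decode(k, v) for k, v in _TOKEN.findall(rest)}
    return rtype, int(serial), fields


def group_events(log_text):
    """Map serial -> {record type -> [fields, ...]}; one event spans several records."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial][rtype].append(fields)
    return events


def exe_hits(log_text, exe):
    """Events whose SYSCALL record names `exe`, with argv recovered from
    PROCTITLE and (nametype, name, dev, inode) for every PATH item in item order."""
    hits = []
    for serial, recs in sorted(group_events(log_text).items()):
        if not recs["SYSCALL"] or recs["SYSCALL"][0].get("exe") != exe:
            continue
        sc = recs["SYSCALL"][0]
        title = recs["PROCTITLE"][0]["proctitle"] if recs["PROCTITLE"] else ""
        paths = sorted(recs["PATH"], key=lambda p: int(p["item"]))
        hits.append({
            "serial": serial,
            "key": sc.get("key"),
            "syscall": sc.get("syscall"),
            "success": sc.get("success") == "yes",
            "argv": title.split("\x00") if title else [],   # argv is NUL-separated
            "paths": [(p["nametype"], p["name"], p["dev"], int(p["inode"]))
                      for p in paths],
        })
    return hits


def config_changes(log_text):
    """(op, key, res) for every CONFIG_CHANGE record, in serial order."""
    out = []
    for _serial, recs in sorted(group_events(log_text).items()):
        for f in recs["CONFIG_CHANGE"]:
            out.append((f.get("op"), f.get("key"), f.get("res")))
    return out


if __name__ == "__main__":
    for hit in exe_hits(SAMPLE_LOG, "/usr/bin/touch"):
        print(hit)
    print(config_changes(SAMPLE_LOG))
```

Run against the sample, the script reports one hit (serial 44712, key exetest_tree, argv /usr/bin/touch /tmp/test) bracketed by the add_rule and remove_rule CONFIG_CHANGE records, which is the evidence that the exe= rule matched the execution of that path. The PATH items carry the dev and inode pairs, the same identity the cover letter says the rule re-evaluates when the parent directory changes, so they are worth keeping in any alert built on these records.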