From: Paul Moore <pmoore@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V9 3/3] audit: add audit by children of executable path
Date: Thu, 06 Aug 2015 16:24:58 -0400
Message-ID: <5456503.IfTzUNfidJ@sifl>
In-Reply-To: <d9b6e7ce17a8ffa71fe756a06922898f54ad78e5.1438801342.git.rgb@redhat.com>
On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> This adds the ability to audit the actions of children of a not-yet-running
> process.
>
> This is a split-out of a heavily modified version of a patch originally
> submitted by Eric Paris with some ideas from Peter Moody.
>
> Cc: Peter Moody <peter@hda3.com>
> Cc: Eric Paris <eparis@redhat.com>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/auditfilter.c | 5 +++++
> kernel/auditsc.c | 11 +++++++++++
> 3 files changed, 17 insertions(+), 0 deletions(-)
I'm still not really comfortable with that loop and since there hasn't been a
really convincing use case I'm going to pass on this patch for right now. If
someone comes up with a *really* compelling case in the future I'll reconsider
it.
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index e2ca600..55a8dec 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -267,6 +267,7 @@
> #define AUDIT_OBJ_GID 110
> #define AUDIT_FIELD_COMPARE 111
> #define AUDIT_EXE 112
> +#define AUDIT_EXE_CHILDREN 113
>
> #define AUDIT_ARG0 200
> #define AUDIT_ARG1 (AUDIT_ARG0+1)
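Review bot: AUDIT_EXE_CHILDREN is a new uapi field type (113) introduced with no comment beside the definition, and since the number becomes ABI as soon as userspace starts emitting it, its semantics belong here: the match walks from the audited task up through its ancestors and succeeds if any of them, the task itself included, runs the named executable, and a rule may carry either AUDIT_EXE or AUDIT_EXE_CHILDREN but not both (they share rule.exe). A one-line comment next to `#define AUDIT_EXE_CHILDREN 113` would cover it.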
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index c662638..802f0cc 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -406,6 +406,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) return -EINVAL;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> if (f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
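Review bot: inheriting the AUDIT_EXE constraints (`if (f->op != Audit_equal) return -EINVAL;` and exit list only) is consistent, but it means the children variant cannot be negated: "every task not descended from this executable" is not expressible, which is the shape a deny-by-default monitoring rule would take. If that restriction is deliberate, a comment above `case AUDIT_EXE_CHILDREN:` saying so would stop the next reader from treating it as an oversight.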
> @@ -547,6 +548,7 @@ static struct audit_entry *audit_data_to_entry(struct
> audit_rule_data *data, entry->rule.filterkey = str;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> if (entry->rule.exe || f->val > PATH_MAX)
> goto exit_free;
> str = audit_unpack_string(&bufp, &remain, f->val);
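Review bot: the `if (entry->rule.exe || f->val > PATH_MAX) goto exit_free;` guard makes AUDIT_EXE and AUDIT_EXE_CHILDREN mutually exclusive within one rule because both are stored in the single rule.exe mark; that is the right choice, but the rejection is indistinguishable from the other exit_free failures and nothing in the patch description mentions it, so a comment here (and a sentence in the commit message) would help anyone who combines the two fields in a rule and gets a bare error back.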
> @@ -643,6 +645,7 @@ static struct audit_rule_data
> *audit_krule_to_data(struct audit_krule *krule) audit_pack_string(&bufp,
> krule->filterkey);
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> data->buflen += data->values[i] =
> audit_pack_string(&bufp, audit_mark_path(krule->exe));
> break;
> @@ -710,6 +713,7 @@ static int audit_compare_rule(struct audit_krule *a,
> struct audit_krule *b) return 1;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> /* both paths exist based on above type compare */
> if (strcmp(audit_mark_path(a->exe),
> audit_mark_path(b->exe)))
> @@ -838,6 +842,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule
> *old) new->filterkey = fk;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> err = audit_dupe_exe(new, old);
> break;
> }
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index e9bac2b..4f2b515 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -469,6 +469,17 @@ static int audit_filter_rules(struct task_struct *tsk,
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> break;
> + case AUDIT_EXE_CHILDREN:
> + {
> + struct task_struct *ptsk;
> + for (ptsk = tsk; ptsk->parent->pid > 0; ptsk =
> find_task_by_vpid(ptsk->parent->pid)) { + if
(audit_exe_compare(ptsk,
> rule->exe)) {
> + ++result;
> + break;
> + }
> + }
> + }
> + break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> break;
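Review bot: the ancestor walk in the AUDIT_EXE_CHILDREN case has three problems. First, it follows `ptsk->parent`, which is the ptracer while a task is being traced, so a traced process is attributed to whoever attached to it rather than to its fork parent; `real_parent` is the pointer wanted here. Second, it round-trips through a pid number with `find_task_by_vpid(ptsk->parent->pid)`: `task->pid` is the global id while find_task_by_vpid resolves in the caller's pid namespace, so inside a container the lookup can land on the wrong task or return NULL, and a NULL return is dereferenced by the loop condition `ptsk->parent->pid` on the next iteration; the lookup also requires rcu_read_lock() (or tasklist_lock), which is not taken. Walking the pointer directly under rcu_read_lock(), `for (ptsk = tsk; ptsk->real_parent->pid > 0; ptsk = ptsk->real_parent)`, avoids both the namespace mismatch and the NULL case. Third, because the walk starts at tsk, the rule also matches the named executable itself, making AUDIT_EXE_CHILDREN a strict superset of AUDIT_EXE; that may be intended, but the commit message says "children" and should state it. Minor: `++result` should be `result = 1` to match the surrounding cases.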
--
paul moore
security @ redhat
Thread overview: 25+ messages
2015-08-05 20:29 [PATCH V9 0/3] audit by executable name Richard Guy Briggs
2015-08-05 20:29 ` [PATCH V9 1/3] audit: clean simple fsnotify implementation Richard Guy Briggs
2015-08-06 20:19 ` Paul Moore
2015-08-05 20:29 ` [PATCH V9 2/3] audit: implement audit by executable Richard Guy Briggs
2015-08-06 20:23 ` Paul Moore
2015-08-07 6:25 ` Richard Guy Briggs
2015-08-07 14:27 ` Paul Moore
2015-08-05 20:29 ` [PATCH V9 3/3] audit: add audit by children of executable path Richard Guy Briggs
2015-08-06 20:24 ` Paul Moore [this message]
2015-08-06 21:08 ` Steve Grubb
2015-08-07 0:07 ` Paul Moore
2015-08-07 6:37 ` Richard Guy Briggs
2015-08-07 14:30 ` Paul Moore
2015-08-07 16:03 ` Richard Guy Briggs
2015-08-07 20:47 ` Paul Moore
2015-08-08 5:07 ` Richard Guy Briggs