From: ramsdell@mitre.org (John D. Ramsdell)
Subject: [PATCH] Reporting file descriptors created by pipe and socketpair
Date: 12 Sep 2006 12:07:13 -0400
To: Linux Audit
List-Id: linux-audit@redhat.com

The polgen tools suggest SELinux policy by analyzing dynamic traces of a running set of related programs. They derive information flow by tracking file descriptors used by a set of programs, and note which processes perform reads and writes. We would very much like to get our raw data from autrace; however, the traces it currently generates lack some crucial information.
The records for the pipe and socketpair system calls do not include the file descriptors created upon success. Enclosed is a patch by Mark Workman that remedies this problem.

John

Signed-off-by: John D. Ramsdell

*** a/kernel/auditsc.c 2006-03-20 00:53:29.000000000 -0500 --- b/kernel/auditsc.c 2006-06-26 08:21:56.000000000 -0400 *************** *** 820,825 **** --- 820,846 ---- audit_log_format(ab, " success=%s exit=%ld", (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", context->return_code); + + printk(KERN_INFO "%s auditing what?\n", __FUNCTION__); + + switch (context->major) { + case __NR_socketcall: + if (context->argv[0] == SYS_SOCKETPAIR) + audit_log_format(ab, " descriptor pair=%d,%d", + current->audit_pids[0], + current->audit_pids[1]); + break; + + case __NR_pipe: + audit_log_format(ab, " descriptor pair=%d,%d", + current->audit_pids[0], + current->audit_pids[1]); + break; + + default: break; + } + + audit_log_format(ab, " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" " pid=%d auid=%u uid=%u gid=%u" *** a/fs/pipe.c 2006-03-20 00:53:29.000000000 -0500 --- b/fs/pipe.c 2006-06-26 10:10:15.000000000 -0400 *************** *** 779,786 **** fd_install(i, f1); fd_install(j, f2); ! fd[0] = i; ! fd[1] = j; return 0; close_f12_inode_i_j: --- 779,786 ---- fd_install(i, f1); fd_install(j, f2); ! current->audit_pids[0] = fd[0] = i; ! current->audit_pids[1] = fd[1] = j; return 0; close_f12_inode_i_j: *** a/include/linux/sched.h 2006-03-20 00:53:29.000000000 -0500 --- b/include/linux/sched.h 2006-06-26 08:19:23.000000000 -0400 *************** *** 819,824 **** --- 819,825 ---- void *security; struct audit_context *audit_context; seccomp_t seccomp; + int audit_pids [3]; /* Thread group tracking */ u32 parent_exec_id; *** a/net/socket.c 2006-03-20 00:53:29.000000000 -0500 --- b/net/socket.c 2006-06-26 12:35:23.000000000 -0400 *************** *** 1256,1263 **** err = put_user(fd1, &usockvec[0]); if (!err) err = put_user(fd2, &usockvec[1]); !
if (!err) return 0; sys_close(fd2); sys_close(fd1); --- 1256,1266 ---- err = put_user(fd1, &usockvec[0]); if (!err) err = put_user(fd2, &usockvec[1]); ! if (!err) { ! current->audit_pids[0] = fd1; ! current->audit_pids[1] = fd2; return 0; + } sys_close(fd2); sys_close(fd1);
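Review bot: the `printk(KERN_INFO "%s auditing what?\n", __FUNCTION__);` at the top of the kernel/auditsc.c hunk is leftover debugging output; it fires on every audited syscall exit, not just pipe/socketpair, and will flood the kernel log, so drop it before this goes in. In the same hunk the new field is emitted as `" descriptor pair=%d,%d"`, and the space inside the field name breaks the name=value tokenization that ausearch/auparse (and the polgen tooling this is meant to feed) depend on; use single-token names such as `" fd0=%d fd1=%d"`. The switch also prints the pair whenever context->major is __NR_pipe or __NR_socketcall with argv[0] == SYS_SOCKETPAIR, regardless of context->return_valid, while the fs/pipe.c and net/socket.c hunks only store into current->audit_pids on their success paths, so an exit record for a failed pipe() or socketpair() reports stale descriptors from an earlier, unrelated call; gate the output on AUDITSC_SUCCESS (or on the stores having happened for this syscall). Finally, matching on __NR_socketcall means architectures that expose socketpair as its own syscall rather than through the socketcall multiplexer never get the field.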
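Review bot: the stores `current->audit_pids[0] = fd[0] = i;` / `current->audit_pids[1] = fd[1] = j;` in the fs/pipe.c hunk are unconditional, so every pipe() pays for them even when syscall auditing is compiled out or the task has no audit_context, and the field has to exist in every configuration to make do_pipe compile. Move the recording behind a small audit helper (an inline that compiles to nothing without CONFIG_AUDITSYSCALL, in the style of the other audit_* hooks) instead of open-coding it here. Because the values are set only just before `return 0;`, nothing resets them on the close_f12_inode_i_j error path, which is what lets the exit record in auditsc.c print descriptors from a previous call.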
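Review bot: `int audit_pids [3];` in the include/linux/sched.h hunk is misnamed and undersized in the wrong direction: it holds file descriptor numbers, not pids, and only two of its three slots are ever written (fd[0]/fd[1] in fs/pipe.c, fd1/fd2 in net/socket.c). It also carries no comment of its own; the `/* Thread group tracking */` that follows belongs to the existing parent_exec_id field. Rename it (e.g. `audit_fds[2]`), comment what it is for, and put it under `#ifdef CONFIG_AUDITSYSCALL`, preferably inside struct audit_context where the rest of the per-syscall state already lives, rather than growing every task_struct. The space before `[` is not kernel style.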
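Review bot: in the net/socket.c hunk the stores `current->audit_pids[0] = fd1;` / `current->audit_pids[1] = fd2;` are placed after both put_user() calls succeed, which is the right point, but as with fs/pipe.c they run unconditionally and nothing clears them on the error path that falls through to `sys_close(fd2); sys_close(fd1);`, so a failed socketpair() leaves stale descriptors for the next exit record. Recording the pair through one helper shared with do_pipe would keep both call sites consistent and make the success-only semantics explicit; since this path is reached only via sys_socketcall, the matching test in auditsc.c (`__NR_socketcall` with `argv[0] == SYS_SOCKETPAIR`) should be documented as socketcall-only or extended to the direct socketpair syscall where one exists.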