* [PATCH] Allow ppid filtering on syscall auditing @ 2006-09-28 2:10 Eric Paris 2006-09-28 2:35 ` Linda Knippers 0 siblings, 1 reply; 4+ messages in thread From: Eric Paris @ 2006-09-28 2:10 UTC (permalink / raw) To: linux-audit; +Cc: David Woodhouse Currently ppid filtering on syscall auditing does not appear to work. An easy reproducer would be to do the following: touch ./test auditctl -a entry,always -S chmod -F ppid=[pid of your shell] chmod 000 ./test no audit record will appear! (although !=[pid of your shell] will show all chmod commands from all processes regardless of the ppid) With a little instrumentation I found that ctx->ppid == 0 inside audit_filter_rules(). I originally wanted to set the ppid during the context creation back in something like audit_alloc_context but that didn't work. Because at that point the new process had not forked off so the ppid of the chmod process was actually it's parents parents. Instead I set the ppid in audit_syscall_entry when we are actually building the specific context. Please comment/ack/nak as soon as possible. -Eric kernel/auditsc.c | 1 + 1 file changed, 1 insertion(+) --- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000 -0400 +++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-27 21:54:05.000000000 -0400 @@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m context->arch = arch; context->major = major; + context->ppid = sys_getppid(); context->argv[0] = a1; context->argv[1] = a2; context->argv[2] = a3; ^ permalink raw reply [flat|nested] 4+ messages in thread
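Review bot: the new `context->ppid = sys_getppid();` runs on every syscall entry of every audited task, whether or not any loaded rule carries an AUDIT_PPID field, so the parent lookup is paid on the hot path even when nothing will read it; consider initialising the field here and filling it lazily in the AUDIT_PPID case of audit_filter_rules() (and in audit_log_exit() if it is still unset). audit_log_exit() also still assigns context->ppid from sys_getppid(), so with this hunk the field is written twice per audited call and one of the two sites should go. sys_getppid() reads current's parent, which is correct here because the function works on current's audit_context, but that assumption deserves the same "tsk == current" comment that the audit_log_exit() site carries.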
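Eric's explanation above of why the ppid cannot be captured when the audit context is allocated at fork (the forking parent is still the running task there, so a getppid() at that point yields the child's grandparent) can be shown from userspace. The following is an added example and is not code from this thread or from kernel/auditsc.c; it uses plain fork()/getppid() as a stand-in for the kernel's audit_alloc() and audit_syscall_entry() sampling points, and that analogy, together with the struct and function names, is the example's own assumption rather than anything the kernel exposes.

```c
/*
 * Added example (not part of the thread or of the kernel patch).
 * Demonstrates why the parent pid has to be sampled in the child's own
 * context: a value read by the forking process before/while it forks is
 * that process's parent, i.e. the child's grandparent, and would never
 * match a rule written as `-F ppid=<pid of the forking shell>`.
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct ppid_view {
    pid_t parent_pid;   /* getpid() in the forking process                  */
    pid_t parent_ppid;  /* getppid() in the forking process: what a sample   */
                        /* taken at fork time (audit_alloc analogue) records */
    pid_t child_ppid;   /* getppid() as seen by the child itself             */
                        /* (audit_syscall_entry analogue)                    */
};

/* Fork once and collect the three pids; returns 0 on success, -1 on error. */
int collect_ppid_view(struct ppid_view *v)
{
    int fd[2];
    pid_t pid;

    if (pipe(fd) < 0)
        return -1;

    v->parent_pid = getpid();
    v->parent_ppid = getppid();          /* sampled before the child exists */

    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: report our own parent pid back through the pipe. */
        pid_t mine = getppid();
        close(fd[0]);
        if (write(fd[1], &mine, sizeof mine) != (ssize_t)sizeof mine)
            _exit(1);
        _exit(0);
    }

    close(fd[1]);
    if (read(fd[0], &v->child_ppid, sizeof v->child_ppid) !=
        (ssize_t)sizeof v->child_ppid) {
        close(fd[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return 0;
}

/* 1 if a fork-time sample would satisfy `ppid = <pid of forking process>`. */
int fork_time_sample_matches(const struct ppid_view *v)
{
    return v->parent_ppid == v->parent_pid;
}

/* 1 if the value sampled in the child's own context satisfies that rule. */
int child_sample_matches(const struct ppid_view *v)
{
    return v->child_ppid == v->parent_pid;
}

/* Runs the whole demonstration; 1 when the child-context sample matches and
 * the fork-time sample does not, 0 on any other outcome or on error. */
int demo_child_sees_forker(void)
{
    struct ppid_view v;

    if (collect_ppid_view(&v) < 0)
        return 0;
    return child_sample_matches(&v) && !fork_time_sample_matches(&v);
}

int main(void)
{
    struct ppid_view v;

    if (collect_ppid_view(&v) < 0) {
        perror("collect_ppid_view");
        return 1;
    }
    printf("forking process pid=%ld, its ppid=%ld, child's ppid=%ld\n",
           (long)v.parent_pid, (long)v.parent_ppid, (long)v.child_ppid);
    printf("fork-time sample matches ppid=%ld rule: %s\n",
           (long)v.parent_pid, fork_time_sample_matches(&v) ? "yes" : "no");
    printf("child-context sample matches that rule: %s\n",
           child_sample_matches(&v) ? "yes" : "no");
    return 0;
}
```

The two comparison helpers mirror the two outcomes described in the message: the value available at fork time is the grandparent and can never equal the forking process's pid, while the value the child sees for itself is exactly the pid a `ppid=` rule would name.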
* Re: [PATCH] Allow ppid filtering on syscall auditing 2006-09-28 2:10 [PATCH] Allow ppid filtering on syscall auditing Eric Paris @ 2006-09-28 2:35 ` Linda Knippers 2006-09-28 20:03 ` [PATCH] -V2 " Eric Paris 0 siblings, 1 reply; 4+ messages in thread From: Linda Knippers @ 2006-09-28 2:35 UTC (permalink / raw) To: Eric Paris; +Cc: linux-audit, David Woodhouse Eric Paris wrote: > Currently ppid filtering on syscall auditing does not appear to work. An > easy reproducer would be to do the following: > > touch ./test > auditctl -a entry,always -S chmod -F ppid=[pid of your shell] > chmod 000 ./test > > no audit record will appear! (although !=[pid of your shell] will show > all chmod commands from all processes regardless of the ppid) > > With a little instrumentation I found that ctx->ppid == 0 inside > audit_filter_rules(). I originally wanted to set the ppid during the > context creation back in something like audit_alloc_context but that > didn't work. Because at that point the new process had not forked off > so the ppid of the chmod process was actually it's parents parents. > Instead I set the ppid in audit_syscall_entry when we are actually > building the specific context. > > Please comment/ack/nak as soon as possible. > > -Eric > > kernel/auditsc.c | 1 + > 1 file changed, 1 insertion(+) > > --- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000 -0400 > +++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-27 21:54:05.000000000 -0400 
> @@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m > > context->arch = arch; > context->major = major; > + context->ppid = sys_getppid(); It looks like context->ppid is also being set in audit_log_exit(), which could overwrite the value assigned here. Should the one in audit_log_exit() be removed? > context->argv[0] = a1; > context->argv[1] = a2; > context->argv[2] = a3; > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] -V2 Allow ppid filtering on syscall auditing 2006-09-28 2:35 ` Linda Knippers @ 2006-09-28 20:03 ` Eric Paris 2006-09-29 4:08 ` Alexander Viro 0 siblings, 1 reply; 4+ messages in thread From: Eric Paris @ 2006-09-28 20:03 UTC (permalink / raw) To: Linda Knippers; +Cc: linux-audit, David Woodhouse Currently ppid filtering on syscall auditing does not appear to work. An easy reproducer would be to do the following: touch ./test auditctl -a entry,always -S chmod -F ppid=[pid of your shell] chmod 000 ./test no audit record will appear! (although !=[pid of your shell] will show all chmod commands from all processes regardless of the ppid) With a little instrumentation I found that ctx->ppid == 0 inside audit_filter_rules(). I originally wanted to set the ppid during the context creation back in something like audit_alloc_context but that didn't work. Because at that point the new process had not forked off so the ppid of the chmod process was actually it's parents parents. Instead I set the ppid in audit_syscall_entry when we are actually building the specific context. After some looking I did not see a way to get into audit_log_exit without having set the ppid. So I am dropping the set from there and only doing it at the beginning. Please comment/ack/nak as soon as possible. -Eric kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000 -0400 +++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-28 15:51:44.000000000 -0400 @@ -795,7 +795,6 @@ static void audit_log_exit(struct audit_ /* tsk == current */ context->pid = tsk->pid; - context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ context->uid = tsk->uid; context->gid = tsk->gid; context->euid = tsk->euid; 
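Review bot: removing the assignment here changes what the logged PPID means: it becomes the parent sampled at syscall entry rather than at exit, so a task whose parent dies (and is reparented) during a long audited call logs the old parent; that is arguably the better value for filter consistency, but the commit message should state the change. The deleted "/* sic. tsk == current in all cases */" comment documented an assumption that still holds at the new assignment site in audit_syscall_entry(), so move it there rather than drop it. The removal also rests on audit_log_exit() never being reached for a context that did not go through audit_syscall_entry(), which the commit message says was checked but not proven; a guard such as `if (!context->ppid) context->ppid = sys_getppid();` would make that assumption fail safe instead of logging ppid=0.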
@@ -1116,6 +1115,7 @@ void audit_syscall_entry(int arch, int m context->arch = arch; context->major = major; + context->ppid = sys_getppid(); context->argv[0] = a1; context->argv[1] = a2; context->argv[2] = a3; ^ permalink raw reply [flat|nested] 4+ messages in thread
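Review bot: as in V1 the assignment is unconditional, so every syscall entry of every audited task pays for a sys_getppid() lookup even when no loaded rule references ppid; the cost belongs where an AUDIT_PPID rule is actually evaluated, e.g. clear the field here and fill it lazily in audit_filter_rules() and audit_log_exit(). With the exit-time assignment gone this is now the only writer of context->ppid, and sys_getppid() reads current's parent rather than an explicit task, so a one-line comment that tsk == current is required here would replace the one removed from audit_log_exit().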
* Re: [PATCH] -V2 Allow ppid filtering on syscall auditing 2006-09-28 20:03 ` [PATCH] -V2 " Eric Paris @ 2006-09-29 4:08 ` Alexander Viro 0 siblings, 0 replies; 4+ messages in thread From: Alexander Viro @ 2006-09-29 4:08 UTC (permalink / raw) To: Eric Paris; +Cc: linux-audit, David Woodhouse On Thu, Sep 28, 2006 at 04:03:06PM -0400, Eric Paris wrote: > After some looking I did not see a way to get into audit_log_exit > without having set the ppid. So I am dropping the set from there and > only doing it at the beginning. > > Please comment/ack/nak as soon as possible. > @@ -1116,6 +1115,7 @@ void audit_syscall_entry(int arch, int m > > context->arch = arch; > context->major = major; > + context->ppid = sys_getppid(); Ehh... That's one hell of an overhead to be had ;-/ How about this? diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb83c5c..fd77ce4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -278,8 +278,11 @@ static int audit_filter_rules(struct tas result = audit_comparator(tsk->pid, f->op, f->val); break; case AUDIT_PPID: - if (ctx) + if (ctx) { + if (!ctx->ppid) + ctx->ppid = sys_getppid(); result = audit_comparator(ctx->ppid, f->op, f->val); + } break; case AUDIT_UID: result = audit_comparator(tsk->uid, f->op, f->val); @@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_ /* tsk == current */ context->pid = tsk->pid; - context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ + if (!context->ppid) + context->ppid = sys_getppid(); context->uid = tsk->uid; context->gid = tsk->gid; context->euid = tsk->euid; @@ -1132,6 +1136,7 @@ #endif context->ctime = CURRENT_TIME; context->in_syscall = 1; context->auditable = !!(state == AUDIT_RECORD_CONTEXT); + context->ppid = 0; } /** ^ permalink raw reply related [flat|nested] 4+ messages in thread
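Review bot: in the audit_filter_rules() hunk, ctx->ppid == 0 doubles as the "not yet sampled" marker, but 0 is also a legitimate getppid() result (init's parent is the idle task), so for such a task the lookup is repeated on every AUDIT_PPID rule and again in audit_log_exit(); harmless, but it deserves a comment or a separate flag. The filter also acquires a side effect (it writes to ctx) and depends on sys_getppid() reading current's parent although the function is handed an explicit tsk; it is reached with tsk == current for the syscall lists and with ctx == NULL from the task filter, so this is correct today, but the dependency should be stated next to the call.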
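Review bot: in the audit_log_exit() hunk, reusing the cached value means the logged PPID is the one sampled when the first AUDIT_PPID rule was evaluated (normally at entry) and may differ from getppid() at exit if the parent died in between; that is an acceptable price for the caching, but the removed "/* sic. tsk == current in all cases */" comment documented exactly the assumption this path and the new audit_filter_rules() path share, so keep it here rather than delete it.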
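Review bot: in the audit_syscall_entry() hunk, `context->ppid = 0;` lands at the end of the function, after `context->auditable` is set, which is after the entry-time audit_filter_syscall() call that the V2 patch placed its assignment ahead of (next to `context->major = major;` at line 1116 versus this hunk at 1136+); the ENTRY filter list therefore compares against whatever ctx->ppid the previous syscall cached, since audit_syscall_exit() does not clear it, and the early return on AUDIT_DISABLED skips the reset altogether. Move the reset up beside `context->major = major;` so the entry filter starts from a cleared field; a stale parent is rare (reparenting on parent death) but a filter result should not depend on it.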