From: Eric Paris
Subject: [GIT PULL] Audit changes for 3.10
Date: Wed, 08 May 2013 00:25:24 -0400
Message-ID: <1367987124.7858.1.camel@localhost>
To: Linus Torvalds
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Al used to send pull requests every couple of years but he told me to just start pushing them to you directly.

The following changes since commit 19f949f52599ba7c3f67a5897ac6be14bfcb1200:

  Linux 3.8 (2013-02-18 15:58:34 -0800)

are available in the git repository at:

  git://git.infradead.org/users/eparis/audit.git master

for you to fetch changes up to 2a0b4be6dd655e24990da1d0811e28b9277f8b12:

  audit: fix message spacing printing auid (2013-05-08 00:02:19 -0400)

Most of the changes are in audit* files so you shouldn't much care. Our touching outside of core audit code is pretty straightforward. A couple of interface changes which hit net/. A simple argument bug calling audit functions in namei.c and the removal of some assembly branch prediction code on ppc.

Looks like you are going to have 2 merge failures due to patches which came in through akpm. The first in kernel/audit.c is a simple resolution. My tree is correct deleting those 3 lines. The second in kernel/audit.h is a little worse. You want to take my tree. Remove the #ifdef CONFIG_AUDIT and #endif towards the end of the new code. Then you want to remove the line declaring extern int audit_enabled; I'm attaching my merge resolution commit as a reference.
----------------------------------------------------------------
Andrew Morton (1):
      auditsc: remove audit_set_context() altogether - fold it into its caller

Anton Blanchard (2):
      audit: Syscall rules are not applied to existing processes on non-x86
      powerpc: Remove static branch prediction in 64bit traced syscall path

Chen Gang (1):
      kernel: audit: beautify code, for extern function, better to check its parameters by itself

Dmitry Monakhov (1):
      audit: destroy long filenames correctly

Eric Paris (17):
      audit: use data= not msg= for AUDIT_USER_TTY messages
      Audit: do not print error when LSMs disabled
      audit: fix build break when AUDIT_DEBUG == 2
      audit: allow checking the type of audit message in the user filter
      audit: make validity checking generic
      audit: remove the old depricated kernel interface
      audit: stop pushing loginid, uid, sessionid as arguments
      audit: push loginuid and sessionid processing down
      audit: use a consistent audit helper to log lsm information
      helper for some session id stuff
      audit: use spin_lock_irqsave/restore in audit tty code
      audit: do not needlessly take a spinlock in copy_signal
      audit: do not needlessly take a lock in tty_audit_exit
      audit: use spin_lock in audit_receive_msg to process tty logging
      audit: fix event coverage of AUDIT_ANOM_LINK
      Revert "audit: move kaudit thread start from auditd registration to kaudit init"
      audit: fix message spacing printing auid

Eric W. Biederman (1):
      audit: Make testing for a valid loginuid explicit.

Gao feng (1):
      audit: remove duplicate export of audit_enabled

Jeff Layton (1):
      audit: vfs: fix audit_inode call in O_CREAT case of do_last

Matvejchikov Ilya (1):
      audit: improve GID/EGID comparation logic

Rakib Mullick (1):
      auditsc: Use kzalloc instead of kmalloc+memset.

Richard Guy Briggs (4):
      audit: refactor hold queue flush
      audit: flatten kauditd_thread wait queue code
      audit: move kaudit thread start from auditd registration to kaudit init
      audit: add an option to control logging of passwords with pam_tty_audit

 arch/powerpc/kernel/entry_64.S |   2 +-
 drivers/tty/tty_audit.c        | 104 +++++++++++++++--------
 fs/namei.c                     |   2 +-
 include/linux/audit.h          |  48 ++++++++++------
 include/linux/sched.h          |   1 +
 include/linux/tty.h            |   6 +-
 include/uapi/linux/audit.h     |   4 +-
 kernel/audit.c                 | 516 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------
 kernel/audit.h                 | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 kernel/auditfilter.c           | 360 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 kernel/auditsc.c               | 421 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 net/socket.c                   |   6 +-
 12 files changed, 749 insertions(+), 877 deletions(-)

Attachment: tmp.patch

commit 3f321c3c7f40eb887a4c40320dc555391382cb93
Merge: 9affd6b 82d8da0
Author: Eric Paris
Date:   Tue May 7 23:09:02 2013 -0400

    Merge branch 'audit-for-3.10' into merge-test

    Conflicts:
    	kernel/audit.c
    	kernel/audit.h

diff --cc kernel/audit.c
index 0b084fa,f9c6506..fc94ee3
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@@ -660,17 -646,14 +646,15 @@@ static int audit_receive_msg(struct sk_ /* As soon as there's any sign of userspace auditd, * start kauditd to talk to it */ - if (!kauditd_task) + if (!kauditd_task) { kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); - if (IS_ERR(kauditd_task)) { - err = PTR_ERR(kauditd_task); - kauditd_task = NULL; - return err;
+ if (IS_ERR(kauditd_task)) { + err = PTR_ERR(kauditd_task); + kauditd_task = NULL; + return err; + } } - loginuid = audit_get_loginuid(current); - sessionid = audit_get_sessionid(current); - security_task_getsecid(current, &sid); + seq = nlh->nlmsg_seq; data = nlmsg_data(nlh); diff --cc kernel/audit.h index 11468d9,45c8325..1c95131 --- a/kernel/audit.h +++ b/kernel/audit.h @@@ -59,8 -65,161 +65,158 @@@ struct audit_entry struct audit_krule rule; }; + struct audit_cap_data { + kernel_cap_t permitted; + kernel_cap_t inheritable; + union { + unsigned int fE; /* effective bit of file cap */ + kernel_cap_t effective; /* effective set of process */ + }; + }; + + /* When fs/namei.c:getname() is called, we store the pointer in name and + * we don't let putname() free it (instead we free all of the saved + * pointers at syscall exit time). + * + * Further, in fs/namei.c:path_lookup() we store the inode and device. + */ + struct audit_names { + struct list_head list; /* audit_context->names_list */ + + struct filename *name; + int name_len; /* number of chars to log */ + bool name_put; /* call __putname()? */ + + unsigned long ino; + dev_t dev; + umode_t mode; + kuid_t uid; + kgid_t gid; + dev_t rdev; + u32 osid; + struct audit_cap_data fcap; + unsigned int fcap_ver; + unsigned char type; /* record type */ + /* + * This was an allocated audit_names and not from the array of + * names allocated in the task audit context. Thus this name + * should be freed on syscall exit. + */ + bool should_free; + }; + + /* The per-task audit context. 
*/ + struct audit_context { + int dummy; /* must be the first element */ + int in_syscall; /* 1 if task is in a syscall */ + enum audit_state state, current_state; + unsigned int serial; /* serial number for record */ + int major; /* syscall number */ + struct timespec ctime; /* time of syscall entry */ + unsigned long argv[4]; /* syscall arguments */ + long return_code;/* syscall return code */ + u64 prio; + int return_valid; /* return code is valid */ + /* + * The names_list is the list of all audit_names collected during this + * syscall. The first AUDIT_NAMES entries in the names_list will + * actually be from the preallocated_names array for performance + * reasons. Except during allocation they should never be referenced + * through the preallocated_names array and should only be found/used + * by running the names_list. + */ + struct audit_names preallocated_names[AUDIT_NAMES]; + int name_count; /* total records in names_list */ + struct list_head names_list; /* struct audit_names->list anchor */ + char *filterkey; /* key for rule that triggered record */ + struct path pwd; + struct audit_aux_data *aux; + struct audit_aux_data *aux_pids; + struct sockaddr_storage *sockaddr; + size_t sockaddr_len; + /* Save things to print about task_struct */ + pid_t pid, ppid; + kuid_t uid, euid, suid, fsuid; + kgid_t gid, egid, sgid, fsgid; + unsigned long personality; + int arch; + + pid_t target_pid; + kuid_t target_auid; + kuid_t target_uid; + unsigned int target_sessionid; + u32 target_sid; + char target_comm[TASK_COMM_LEN]; + + struct audit_tree_refs *trees, *first_trees; + struct list_head killed_trees; + int tree_count; + + int type; + union { + struct { + int nargs; + long args[6]; + } socketcall; + struct { + kuid_t uid; + kgid_t gid; + umode_t mode; + u32 osid; + int has_perm; + uid_t perm_uid; + gid_t perm_gid; + umode_t perm_mode; + unsigned long qbytes; + } ipc; + struct { + mqd_t mqdes; + struct mq_attr mqstat; + } mq_getsetattr; + struct { + mqd_t mqdes; + 
int sigev_signo; + } mq_notify; + struct { + mqd_t mqdes; + size_t msg_len; + unsigned int msg_prio; + struct timespec abs_timeout; + } mq_sendrecv; + struct { + int oflag; + umode_t mode; + struct mq_attr attr; + } mq_open; + struct { + pid_t pid; + struct audit_cap_data cap; + } capset; + struct { + int fd; + int flags; + } mmap; + }; + int fds[2]; + + #if AUDIT_DEBUG + int put_count; + int ino_count; + #endif + }; + -#ifdef CONFIG_AUDIT -extern int audit_enabled; extern int audit_ever_enabled; + extern void audit_copy_inode(struct audit_names *name, + const struct dentry *dentry, + const struct inode *inode); + extern void audit_log_cap(struct audit_buffer *ab, char *prefix, + kernel_cap_t *cap); + extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name); + extern void audit_log_name(struct audit_context *context, + struct audit_names *n, struct path *path, + int record_num, int *call_panic); -#endif + extern int audit_pid; #define AUDIT_INODE_BUCKETS 32
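Review bot: in the kernel/audit.c hunk of audit_receive_msg(), the three removed lines `loginuid = audit_get_loginuid(current);`, `sessionid = audit_get_sessionid(current);` and `security_task_getsecid(current, &sid);` match the cover letter's "deleting those 3 lines" and the shortlog's "audit: stop pushing loginid, uid, sessionid as arguments", but the hunk only shows the top of the function; the check before merging is that no later branch of audit_receive_msg() still reads loginuid, sessionid or sid, which a compile of the merged tree will flag. The other half of the resolution, wrapping kthread_run() and its IS_ERR() check in the new `if (!kauditd_task) {` block, is the right shape: the error path resets kauditd_task to NULL and returns err before `seq = nlh->nlmsg_seq;`, so the request is dropped and the next message retries the start, which is the lazy-start behaviour the shortlog's Revert of "audit: move kaudit thread start from auditd registration to kaudit init" restores.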
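Review bot: in the kernel/audit.h hunk, dropping `-#ifdef CONFIG_AUDIT` / `-#endif` and `-extern int audit_enabled;` while leaving `extern int audit_ever_enabled;` and the new audit_copy_inode(), audit_log_cap(), audit_log_fcaps() and audit_log_name() prototypes unguarded follows the cover letter's instructions and pairs with "audit: remove duplicate export of audit_enabled" in the shortlog; what to confirm is that every user of kernel/audit.h now picks up the audit_enabled declaration from include/linux/audit.h (touched per the diffstat), since nothing in this header declares it any more. Two smaller points on the moved struct audit_context: it keeps a `#if AUDIT_DEBUG` block with put_count and ino_count, and with "audit: fix build break when AUDIT_DEBUG == 2" in the same pull a build with AUDIT_DEBUG set is worth running against the merge result; and `audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)` takes a non-const prefix for what is a log label, so `const char *prefix` would be the idiomatic signature if the definition allows it.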