From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH 7/7] audit: audit feature to set loginuid immutable
Date: Mon, 08 Jul 2013 16:34:13 -0400 [thread overview]
Message-ID: <2141171.0lgOghWp8c@x2> (raw)
In-Reply-To: <1369411910-13777-7-git-send-email-eparis@redhat.com>
On Friday, May 24, 2013 12:11:50 PM Eric Paris wrote:
> This adds a new 'audit_feature' bit which allows userspace to set it
> such that the loginuid is absolutely immutable, even if you have
> CAP_AUDIT_CONTROL.
I'm also not sure I like it done this way. What I was thinking about is that
we should set this at boot so that no matter what happens during boot, the
policy is for setting loginuid cannot be messed with. We really do not want
this to be changeable after the system comes up. I'd much rather see this as
audit=4 on the boot prompt (meaning enabled and immutable). This way its clear
to everyone that it can only be changed by rebooting the system and the policy
is in effect for the duration of the session.
-Steve
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> include/uapi/linux/audit.h | 3 ++-
> kernel/audit.c | 3 ++-
> kernel/auditsc.c | 3 +++
> 3 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 2963b5a..9539ea9 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -381,7 +381,8 @@ struct audit_features {
> };
>
> #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0
> -#define AUDIT_LAST_FEATURE AUDIT_FEATURE_ONLY_UNSET_LOGINUID
> +#define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1
> +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE
>
> #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
> #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index a5c470b..900d61d 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -145,8 +145,9 @@ static struct audit_features af = {.vers =
> AUDIT_FEATURE_VERSION, .features = 0,
> .lock = 0,};
>
> -static char *audit_feature_names[1] = {
> +static char *audit_feature_names[2] = {
> "only_unset_loginuid",
> + "loginuid_immutable",
> };
>
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index e5dbbc6..aace3ac 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1969,6 +1969,9 @@ static int audit_set_loginuid_perm(kuid_t loginuid)
> /* if we are unset, we don't need privs */
> if (!audit_loginuid_set(current))
> return 0;
> + /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
> + if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
> + return -EPERM;
> /* it is set, you need permission */
> if (!capable(CAP_AUDIT_CONTROL))
> return -EPERM;
next prev parent reply other threads:[~2013-07-08 20:34 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-24 16:11 [PATCH 1/7] audit: implement generic feature setting and retrieving Eric Paris
2013-05-24 16:11 ` [PATCH 2/7] selinux: apply selinux checks on new audit message types Eric Paris
2013-05-24 16:11 ` [PATCH 3/7] audit: loginuid functions coding style Eric Paris
2013-05-24 16:11 ` [PATCH 4/7] audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE Eric Paris
2013-05-24 16:11 ` [PATCH 5/7] audit: allow unsetting the loginuid (with priv) Eric Paris
2013-05-24 16:11 ` [PATCH 6/7] audit: audit feature to only allow unsetting the loginuid Eric Paris
2013-05-24 16:11 ` [PATCH 7/7] audit: audit feature to set loginuid immutable Eric Paris
2013-07-08 20:34 ` Steve Grubb [this message]
2013-07-08 20:51 ` Eric Paris
2013-07-08 21:26 ` Steve Grubb
2013-07-08 21:32 ` Eric Paris
2013-07-09 22:24 ` Steve Grubb
2013-07-09 23:51 ` LC Bruzenak
2013-07-10 13:46 ` Steve Grubb
2013-07-10 14:32 ` LC Bruzenak
2013-07-10 18:16 ` Eric Paris
2013-07-10 18:51 ` LC Bruzenak
2013-07-10 19:02 ` LC Bruzenak
2013-07-10 19:09 ` Eric Paris
2013-05-24 16:28 ` [PATCH 1/7] audit: implement generic feature setting and retrieving Eric Paris
2013-05-24 20:41 ` William Roberts
2013-05-24 20:56 ` William Roberts
2013-05-30 17:20 ` Richard Guy Briggs
2013-07-08 20:28 ` Steve Grubb
2013-07-08 21:55 ` Eric Paris
2013-07-09 1:18 ` William Roberts
2013-07-09 18:30 ` Steve Grubb
2013-07-09 20:59 ` Eric Paris
2013-07-09 22:08 ` Steve Grubb
2013-11-02 7:26 ` Richard Guy Briggs
2013-11-02 14:44 ` Eric Paris
2014-08-22 21:58 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2141171.0lgOghWp8c@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox