linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
	pmoore@redhat.com, eparis@redhat.com
Subject: Re: [PATCH V6 0/4] audit by executable name
Date: Wed, 15 Jul 2015 08:28:19 -0400
Message-ID: <2290951.jxBbQJQ7l8@x2>
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>

On Tuesday, July 14, 2015 11:50:22 AM Richard Guy Briggs wrote:
> Please see the accompanying userspace patchset:
> 	https://www.redhat.com/archives/linux-audit/2015-July/thread.html
> 	[[PATCH V2] 0/2] Log on the future execution of a path
> The userspace interface is not expected to change appreciably unless
> something important has been overlooked.  Setting and deleting rules works
> as expected.
> 
> If the path does not exist at rule creation time, it will be re-evaluated
> every time there is a change to the parent directory at which point the
> change in device and inode will be noted.

Thanks for doing this. It's a much-needed feature.

In looking over it...does this add an AUDIT_VERSION_ define and use it in the 
feature mask so that I can tell what kernels support this? I might have missed 
it, but I can't find one.

Thanks,
-Steve


> Here's a sample run:
> Test for addition, trigger and deletion of tree executable rule:
> # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
> ----
> time->Sat Jul 11 10:41:50 2015
> type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
> ----
> 
> # /usr/bin/touch /tmp/test
> ----
> time->Sat Jul 11 10:41:50 2015
> type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
> type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
> type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
> type=CWD msg=audit(1436629310.757:44712):  cwd="/root"
> type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
> ----
> 
> # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
> ----
> time->Sat Jul 11 10:41:50 2015
> type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
> ----
> 
> 
> Revision history:
> v6: Explicitly declare prototypes as external.
>     Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch,
>       lsm_field. Rebased on v4.1.
>     Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
>       audit_autoremove_mark_rule() to avoid confusion with
>       audit_remove_{watch,tree}_rule() usage.
>     Add audit_remove_mark_rule() to provide similar interface as
>       audit_remove_{watch,tree}_rule().
>     Simplify stubs to defines.
>     Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
>       keeping with the naming convention of inotify_free_mark(),
>       dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
>     Return -ENOMEM rather than null in case of memory allocation failure for
>       audit_mark in audit_alloc_mark().
>     Rename audit_free_mark() to audit_mark_free() to avoid association with
>       {i,d,fa}notify_free_mark() and audit_watch_free_mark().
>     Clean up exe with similar interface as watch and tree.
>     Clean up audit exe mark just before audit_free_rule() rather than in it
>       to avoid mutex in software interrupt context.
>     Fixed bug in audit_dupe_exe() that returned error rather than valid
>       pointer.
> 
> v5: Revert patch "Let audit_free_rule() take care of calling
>     audit_remove_mark()." since it caused a group mark deadlock.
>     https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
> 
> v4: Re-order and squash down fixups
>     Fix audit_dup_exe() to copy pathname string before calling
>       audit_alloc_mark().
>     https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
> 
> v3: Rationalize and rename some function names and clean up get/put and free
>     code. Rename several "watch" references to "mark".
>     Rename audit_remove_rule() to audit_remove_mark_rule().
>     Let audit_free_rule() take care of calling audit_remove_mark().
>     Put audit_alloc_mark() arguments in same order as watch, tree and inode.
>     Move the access to the entry for audit_match_signal() to the beginning of
>       the function in case the entry found is the same one passed in. This will
>       enable it to be used by audit_remove_mark_rule().
>     https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
> 
> v2: Misguided attempt to add in audit_exe similar to watches
>     https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
> 
> v1.5: eparis' switch to fsnotify
>     https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
>     https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
> 
> v1: Change to path interface instead of inode
>     https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
> 
> v0: Peter Moodie's original patches
>     https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
> 
> 
> Future step:
> Get full-path notify working.
> 
> 
> Eric Paris (1):
>   audit: implement audit by executable
> 
> Richard Guy Briggs (3):
>   audit: clean simple fsnotify implementation
>   audit: convert audit_exe to audit_fsnotify
>   audit: avoid double copying the audit_exe path string
> 
>  include/linux/audit.h      |    1 +
>  include/uapi/linux/audit.h |    2 +
>  kernel/Makefile            |    2 +-
>  kernel/audit.h             |   33 ++++++
>  kernel/audit_exe.c         |   50 +++++++++
>  kernel/audit_fsnotify.c    |  246 ++++++++++++++++++++++++++++++++++++++++++++
>  kernel/audit_tree.c        |    2 +
>  kernel/audit_watch.c       |    4 +
>  kernel/auditfilter.c       |   63 +++++++++++-
>  kernel/auditsc.c           |   16 +++
>  10 files changed, 415 insertions(+), 4 deletions(-)
>  create mode 100644 kernel/audit_exe.c
>  create mode 100644 kernel/audit_fsnotify.c
