From: Paul Moore <pmoore@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V9 3/3] audit: add audit by children of executable path
Date: Thu, 06 Aug 2015 16:24:58 -0400
Message-ID: <5456503.IfTzUNfidJ@sifl>
In-Reply-To: <d9b6e7ce17a8ffa71fe756a06922898f54ad78e5.1438801342.git.rgb@redhat.com>
On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> This adds the ability to audit the actions of children of a not-yet-running
> process.
>
> This is a split-out of a heavily modified version of a patch originally
> submitted by Eric Paris with some ideas from Peter Moody.
>
> Cc: Peter Moody <peter@hda3.com>
> Cc: Eric Paris <eparis@redhat.com>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/auditfilter.c | 5 +++++
> kernel/auditsc.c | 11 +++++++++++
> 3 files changed, 17 insertions(+), 0 deletions(-)
I'm still not really comfortable with that loop and since there hasn't been a
really convincing use case I'm going to pass on this patch for right now. If
someone comes up with a *really* compelling case in the future I'll reconsider
it.
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index e2ca600..55a8dec 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -267,6 +267,7 @@
> #define AUDIT_OBJ_GID 110
> #define AUDIT_FIELD_COMPARE 111
> #define AUDIT_EXE 112
> +#define AUDIT_EXE_CHILDREN 113
>
> #define AUDIT_ARG0 200
> #define AUDIT_ARG1 (AUDIT_ARG0+1)
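Review bot: the new field number sits correctly next to AUDIT_EXE, but neither this header nor the commit message states what the field actually matches. As implemented in the auditsc.c hunk below, the walk begins at the task itself and climbs to init, so a rule of this type fires for the named executable's own process and for every descendant at any depth, not only direct children; that should be spelled out in the commit message and alongside the definition, since "children" in the field name suggests something narrower.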
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index c662638..802f0cc 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -406,6 +406,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) return -EINVAL;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> if (f->op != Audit_equal)
> return -EINVAL;
> if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> @@ -547,6 +548,7 @@ static struct audit_entry *audit_data_to_entry(struct
> audit_rule_data *data, entry->rule.filterkey = str;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> if (entry->rule.exe || f->val > PATH_MAX)
> goto exit_free;
> str = audit_unpack_string(&bufp, &remain, f->val);
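Review bot: reusing `entry->rule.exe` as the storage for AUDIT_EXE_CHILDREN means the `if (entry->rule.exe || f->val > PATH_MAX)` guard now rejects any rule that combines an exe match with an exe-children match, and from then on the two are distinguished only by the field type recorded in the rule. That is an acceptable limitation, but it should be stated, because a user who puts both field types into one rule gets an error with no indication of why.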
> @@ -643,6 +645,7 @@ static struct audit_rule_data
> *audit_krule_to_data(struct audit_krule *krule) audit_pack_string(&bufp,
> krule->filterkey);
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> data->buflen += data->values[i] =
> audit_pack_string(&bufp, audit_mark_path(krule->exe));
> break;
> @@ -710,6 +713,7 @@ static int audit_compare_rule(struct audit_krule *a,
> struct audit_krule *b) return 1;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> /* both paths exist based on above type compare */
> if (strcmp(audit_mark_path(a->exe),
> audit_mark_path(b->exe)))
> @@ -838,6 +842,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule
> *old) new->filterkey = fk;
> break;
> case AUDIT_EXE:
> + case AUDIT_EXE_CHILDREN:
> err = audit_dupe_exe(new, old);
> break;
> }
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index e9bac2b..4f2b515 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -469,6 +469,17 @@ static int audit_filter_rules(struct task_struct *tsk,
> case AUDIT_EXE:
> result = audit_exe_compare(tsk, rule->exe);
> break;
> + case AUDIT_EXE_CHILDREN:
> + {
> + struct task_struct *ptsk;
> + for (ptsk = tsk; ptsk->parent->pid > 0; ptsk =
> find_task_by_vpid(ptsk->parent->pid)) { + if
(audit_exe_compare(ptsk,
> rule->exe)) {
> + ++result;
> + break;
> + }
> + }
> + }
> + break;
> case AUDIT_UID:
> result = audit_uid_comparator(cred->uid, f->op, f->uid);
> break;
--
paul moore
security @ redhat