* Re: How to make sure a specific event is logged with thge proper message type?
From: Steve Grubb @ 2015-07-06 16:01 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <23396023F719ED41888885C3B22D602F0154BB@WPEXCH2010MR11.bur.hydro.qc.ca>
On Monday, July 06, 2015 02:02:32 PM Alarie, Maxime wrote:
> Hi,
>
> I have this rule in audit.rules :
> -w /usr/sbin/useradd -p x -k user_modification
Note that this rule will create a SYSCALL event. To find it later, you would
run:
ausearch --start today -k user_modification
> When I add a user, and do a ausearch -m ADD_USER I get 0 match. Am I
> doing something wrong here? I am using version 1.8.
This event is a user space originating event and it depends on shadow-utils
being correctly patched to generate the events specified in:
http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
If it doesn't, you should file a bug report against the shadow-utils package of
your distribution so that they know about the issue.
-Steve
^ permalink raw reply
* We are not trying to get your money; we are just trying to ensure you get effective drugs!
From: Canadian-Meds @ 2015-07-07 21:06 UTC (permalink / raw)
To: bmarson, jvanalte, k12ltsp-list, mazz, linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 921 bytes --]
Wearing the filters must intervals therealong. Proceedings ofthe
interviews, the repeal bills and ng ibong tabong nakita.
Me
ds
6f
or
4M
en
Vi
Ci
Ci
Le
Pr
ag
al
al
vi
op
ra
is
is
tr
ec
S
a
ia
of
t
Ta
bs
$0
$1
$2
$2
$0
9
.6
.5
.5
.4
9
5
0
0
5
Me
ds
8f
or
8W
om
en
Ac
Cl
De
Fe
Fe
om
om
fl
ma
ma
pl
id
uc
le
le
ia
an
C
V
ia
ia
li
gr
s
a
$1
$0
$1
$1
$0
.7
.4
.2
.1
.7
5
5
5
1
2
No
Fa
Vi
An p
st
sa
on re
w
,M
ym sc
or
as
ou ri
ld
te
s pt
wi
rc
de io
de
ar
li n
s
d,
ve re
hi
Ec
ry qu
pp
he
ir
in
ck
ed
g
S
1
2
O pe
00
4/
nl ci
%
7
y al
Au
cu
re i
th
st
li nt
en
om
ab er
ti
er
le ne
c
s
s t
Me
up
up pr
ds
po
pl ic
rt
ie es
rs
>> Enter Here
[-- Attachment #1.2: Type: text/html, Size: 13794 bytes --]
[-- Attachment #2: Type: text/plain, Size: 150 bytes --]
_______________________________________________
K12ltsp-list mailing list
K12ltsp-list@redhat.com
https://www.redhat.com/mailman/listinfo/k12ltsp-list
^ permalink raw reply
* Re: [PATCH 1/1] Added exe field to audit core dump signal log
From: Steve Grubb @ 2015-07-08 20:28 UTC (permalink / raw)
To: Paul Davies C; +Cc: rgb, linux-audit
In-Reply-To: <20131114032657.GA3588@pauldc-Inspiron-1470>
Hello Paul Moore,
Looks like this patch never got picked up. I think we should apply it.
-Steve
On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> Currently when the coredump signals are logged by the audit system , the
> actual path to the executable is not logged. Without details of exe , the
> system admin may not have an exact idea on what program failed.
>
> This patch changes the audit_log_task() so that the path to the exe is also
> logged.
>
> Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> ---
> kernel/auditsc.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9845cb3..988de72 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
> kuid_t auid, uid;
> kgid_t gid;
> unsigned int sessionid;
> + struct mm_struct *mm = current->mm;
>
> auid = audit_get_loginuid(current);
> sessionid = audit_get_sessionid(current);
> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> audit_log_task_context(ab);
> audit_log_format(ab, " pid=%d comm=", current->pid);
> audit_log_untrustedstring(ab, current->comm);
> + if (mm) {
> + down_read(&mm->mmap_sem);
> + if (mm->exe_file)
> + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> + up_read(&mm->mmap_sem);
> + }
> }
>
> static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> signr)
^ permalink raw reply
* Re: [PATCH 1/1] Added exe field to audit core dump signal log
From: Paul Moore @ 2015-07-08 20:50 UTC (permalink / raw)
To: Steve Grubb, Paul Davies C; +Cc: rgb, linux-audit
In-Reply-To: <9329673.DzdnucMbcf@x2>
On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> Hello Paul Moore,
>
> Looks like this patch never got picked up. I think we should apply it.
Thanks for finding this; did you run into this problem?
Since this was posted back in 2013 it would be nice if someone could do a
quick sanity test to show that 1) the problem still exists on current kernels
and 2) the patch below fixes it. You get extra credit if you show your work.
The reproducer should be trivial; I'm just dealing with some other issues
these next few days.
> On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > Currently when the coredump signals are logged by the audit system , the
> > actual path to the executable is not logged. Without details of exe , the
> > system admin may not have an exact idea on what program failed.
> >
> > This patch changes the audit_log_task() so that the path to the exe is
> > also
> > logged.
> >
> > Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> > ---
> >
> > kernel/auditsc.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 9845cb3..988de72 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
> >
> > kuid_t auid, uid;
> > kgid_t gid;
> > unsigned int sessionid;
> >
> > + struct mm_struct *mm = current->mm;
> >
> > auid = audit_get_loginuid(current);
> > sessionid = audit_get_sessionid(current);
> >
> > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> >
> > audit_log_task_context(ab);
> > audit_log_format(ab, " pid=%d comm=", current->pid);
> > audit_log_untrustedstring(ab, current->comm);
> >
> > + if (mm) {
> > + down_read(&mm->mmap_sem);
> > + if (mm->exe_file)
> > + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > + up_read(&mm->mmap_sem);
> > + }
> >
> > }
> >
> > static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> >
> > signr)
--
paul moore
security @ redhat
^ permalink raw reply
* Re: [PATCH 1/1] Added exe field to audit core dump signal log
From: Steve Grubb @ 2015-07-08 20:58 UTC (permalink / raw)
To: Paul Moore; +Cc: rgb, linux-audit
In-Reply-To: <2278998.3uTL9r8SHj@sifl>
On Wednesday, July 08, 2015 04:50:27 PM Paul Moore wrote:
> On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> > Hello Paul Moore,
> >
> > Looks like this patch never got picked up. I think we should apply it.
>
> Thanks for finding this; did you run into this problem?
I was going through old email trying to clear my backlog and saw this
one marked for follow up at some point.
> Since this was posted back in 2013 it would be nice if someone could do a
> quick sanity test to show that 1) the problem still exists on current
> kernels and
This is the function in question:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/auditsc.c?id=refs/tags/v4.2-rc1#n2357
Actually, I missed the call to audit_log_d_path_exe() because I was looking
for exe= in the logging string ...so its already fixed.
Sorry for the noise. :-)
-Steve
> 2) the patch below fixes it. You get extra credit if you show
> your work.
>
> The reproducer should be trivial; I'm just dealing with some other issues
> these next few days.
>
> > On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > > Currently when the coredump signals are logged by the audit system , the
> > > actual path to the executable is not logged. Without details of exe ,
> > > the
> > > system admin may not have an exact idea on what program failed.
> > >
> > > This patch changes the audit_log_task() so that the path to the exe is
> > > also
> > > logged.
> > >
> > > Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> > > ---
> > >
> > > kernel/auditsc.c | 7 +++++++
> > > 1 file changed, 7 insertions(+)
> > >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 9845cb3..988de72 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer
> > > *ab)
> > >
> > > kuid_t auid, uid;
> > > kgid_t gid;
> > > unsigned int sessionid;
> > >
> > > + struct mm_struct *mm = current->mm;
> > >
> > > auid = audit_get_loginuid(current);
> > > sessionid = audit_get_sessionid(current);
> > >
> > > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer
> > > *ab)
> > >
> > > audit_log_task_context(ab);
> > > audit_log_format(ab, " pid=%d comm=", current->pid);
> > > audit_log_untrustedstring(ab, current->comm);
> > >
> > > + if (mm) {
> > > + down_read(&mm->mmap_sem);
> > > + if (mm->exe_file)
> > > + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > > + up_read(&mm->mmap_sem);
> > > + }
> > >
> > > }
> > >
> > > static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> > >
> > > signr)
^ permalink raw reply
* Re:
From: Mustapha Abiola @ 2015-07-11 18:37 UTC (permalink / raw)
To: eparis, paul, linux-kernel, linux-audit, mingo
In-Reply-To: <CACy=+DtdZOUT4soNZ=zz+_qhCfM=C8Oa0D5gjRC7QM3nYi4oEw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1 bytes --]
[-- Attachment #2: 0001-Fix-redundant-check-against-unsigned-int-in-broken-a.patch --]
[-- Type: application/octet-stream, Size: 930 bytes --]
From 55fae099d46749b73895934aab8c2823c5a23abe Mon Sep 17 00:00:00 2001
From: Mustapha Abiola <hi@mustapha.org>
Date: Sat, 11 Jul 2015 17:01:04 +0000
Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit
test fix for exec arg len
Quick patch to fix the needless check of `len` being < 0 as its an
unsigned int.
Signed-off-by: Mustapha Abiola <hi@mustapha.org>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e85bdfd..0012476 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
* for strings that are too long, we should not have created
* any.
*/
- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
send_sig(SIGKILL, current, 0);
return -1;
}
--
1.9.1
^ permalink raw reply related
* Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit test fix for exec arg len
From: Mustapha Abiola @ 2015-07-12 2:11 UTC (permalink / raw)
To: eparis, paul, linux-kernel, linux-audit, mingo
[-- Attachment #1: Type: text/plain, Size: 947 bytes --]
>From 55fae099d46749b73895934aab8c2823c5a23abe Mon Sep 17 00:00:00 2001
From: Mustapha Abiola <hi@mustapha.org>
Date: Sat, 11 Jul 2015 17:01:04 +0000
Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit
test fix for exec arg len
Quick patch to fix the needless check of `len` being < 0 as its an
unsigned int.
Signed-off-by: Mustapha Abiola <hi@mustapha.org>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e85bdfd..0012476 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct
audit_context *context,
* for strings that are too long, we should not have created
* any.
*/
- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
send_sig(SIGKILL, current, 0);
return -1;
}
--
1.9.1
[-- Attachment #2: 0001-Fix-redundant-check-against-unsigned-int-in-broken-a.patch --]
[-- Type: application/octet-stream, Size: 930 bytes --]
From 55fae099d46749b73895934aab8c2823c5a23abe Mon Sep 17 00:00:00 2001
From: Mustapha Abiola <hi@mustapha.org>
Date: Sat, 11 Jul 2015 17:01:04 +0000
Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit
test fix for exec arg len
Quick patch to fix the needless check of `len` being < 0 as its an
unsigned int.
Signed-off-by: Mustapha Abiola <hi@mustapha.org>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e85bdfd..0012476 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
* for strings that are too long, we should not have created
* any.
*/
- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
send_sig(SIGKILL, current, 0);
return -1;
}
--
1.9.1
^ permalink raw reply related
* Re: Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit test fix for exec arg len
From: Paul Moore @ 2015-07-13 20:32 UTC (permalink / raw)
To: Mustapha Abiola; +Cc: eparis, linux-kernel, linux-audit, mingo
In-Reply-To: <CACy=+Ds+pDd8oGg-7rOvZsDeHerRWAey2aYj8T00Ds1y67Z6kg@mail.gmail.com>
On Sunday, July 12, 2015 03:11:09 AM Mustapha Abiola wrote:
> From 55fae099d46749b73895934aab8c2823c5a23abe Mon Sep 17 00:00:00 2001
>
> From: Mustapha Abiola <hi@mustapha.org>
>
> Date: Sat, 11 Jul 2015 17:01:04 +0000
>
> Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken
> audit test fix for exec arg len
>
>
> Quick patch to fix the needless check of `len` being < 0 as its an
>
> unsigned int.
>
>
> Signed-off-by: Mustapha Abiola <hi@mustapha.org>
>
> ---
>
> kernel/auditsc.c | 2 +-
>
> 1 file changed, 1 insertion(+), 1 deletion(-)
Thank you for the patch, but it appears your mail client has mangled the patch
so it does not apply cleanly. As a general rule, you should be able to save
the email and apply it directly to the tree; if not, you are doing something
wrong.
Have you read the notes in the Documentation/SubmittingPatches file, yet? If
not, I suggest taking a look, there is a lot of good information there on
submitting patches to the mailing list.
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>
> index e85bdfd..0012476 100644
>
> --- a/kernel/auditsc.c
>
> +++ b/kernel/auditsc.c
>
> @@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct
> audit_context *context,
>
> * for strings that are too long, we should not have created
>
> * any.
>
> */
>
> - if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
>
> + if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
>
> send_sig(SIGKILL, current, 0);
>
> return -1;
>
> }
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit test fix for exec arg len
From: Richard Guy Briggs @ 2015-07-14 14:24 UTC (permalink / raw)
To: Mustapha Abiola; +Cc: paul, linux-kernel, linux-audit
In-Reply-To: <CACy=+Ds+pDd8oGg-7rOvZsDeHerRWAey2aYj8T00Ds1y67Z6kg@mail.gmail.com>
On 15/07/12, Mustapha Abiola wrote:
> >From 55fae099d46749b73895934aab8c2823c5a23abe Mon Sep 17 00:00:00 2001
> From: Mustapha Abiola <hi@mustapha.org>
> Date: Sat, 11 Jul 2015 17:01:04 +0000
> Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit test fix for exec arg len
>
> Quick patch to fix the needless check of `len` being < 0 as its an unsigned int.
If you are able, it is much easier to use "git format-patch ..." and
"git send-email ...". Something in your workflow is double-spacing your
message... I echo Paul's recommendation...
> Signed-off-by: Mustapha Abiola <hi@mustapha.org>
>
> ---
>
> kernel/auditsc.c | 2 +-
>
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>
> index e85bdfd..0012476 100644
>
> --- a/kernel/auditsc.c
>
> +++ b/kernel/auditsc.c
>
> @@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct
> audit_context *context,
>
> * for strings that are too long, we should not have created
>
> * any.
>
> */
>
> - if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
>
> + if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
>
> send_sig(SIGKILL, current, 0);
>
> return -1;
>
> }
>
> --
>
> 1.9.1
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* [PATCH V6 0/2] audit: rebalance and remove extra layers of watch references
From: Richard Guy Briggs @ 2015-07-14 15:40 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis
While working on the audit by executable path feature, it was discovered that
watches and parent references were slightly imbalanced and deeper than
necessary.
Only bump up references when they are actually used and decrease when removed.
Richard Guy Briggs (2):
audit: eliminate unnecessary extra layer of watch references
audit: eliminate unnecessary extra layer of watch parent references
kernel/audit_watch.c | 11 ++++-------
kernel/auditfilter.c | 9 ---------
2 files changed, 4 insertions(+), 16 deletions(-)
^ permalink raw reply
* [PATCH V6 1/2] audit: eliminate unnecessary extra layer of watch references
From: Richard Guy Briggs @ 2015-07-14 15:40 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1435723005.git.rgb@redhat.com>
The audit watch count was imbalanced, adding an unnecessary layer of watch
references. Only add the second reference when it is added to a parent.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_watch.c | 5 ++---
kernel/auditfilter.c | 9 ---------
2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 6e30024..f33f54c 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -203,7 +203,6 @@ int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
if (IS_ERR(watch))
return PTR_ERR(watch);
- audit_get_watch(watch);
krule->watch = watch;
return 0;
@@ -387,8 +386,7 @@ static void audit_add_to_parent(struct audit_krule *krule,
watch_found = 1;
- /* put krule's and initial refs to temporary watch */
- audit_put_watch(watch);
+ /* put krule's ref to temporary watch */
audit_put_watch(watch);
audit_get_watch(w);
@@ -400,6 +398,7 @@ static void audit_add_to_parent(struct audit_krule *krule,
audit_get_parent(parent);
watch->parent = parent;
+ audit_get_watch(watch);
list_add(&watch->wlist, &parent->watches);
}
list_add(&krule->rlist, &watch->rules);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 72e1660..74cc077 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -549,8 +549,6 @@ exit_nofree:
return entry;
exit_free:
- if (entry->rule.watch)
- audit_put_watch(entry->rule.watch); /* matches initial get */
if (entry->rule.tree)
audit_put_tree(entry->rule.tree); /* that's the temporary one */
audit_free_rule(entry);
@@ -933,11 +931,7 @@ static inline int audit_add_rule(struct audit_entry *entry)
#endif
mutex_unlock(&audit_filter_mutex);
- return 0;
-
error:
- if (watch)
- audit_put_watch(watch); /* tmp watch, matches initial get */
return err;
}
@@ -945,7 +939,6 @@ error:
static inline int audit_del_rule(struct audit_entry *entry)
{
struct audit_entry *e;
- struct audit_watch *watch = entry->rule.watch;
struct audit_tree *tree = entry->rule.tree;
struct list_head *list;
int ret = 0;
@@ -986,8 +979,6 @@ static inline int audit_del_rule(struct audit_entry *entry)
mutex_unlock(&audit_filter_mutex);
out:
- if (watch)
- audit_put_watch(watch); /* match initial get */
if (tree)
audit_put_tree(tree); /* that's the temporary one */
--
1.7.1
^ permalink raw reply related
* [PATCH V6 2/2] audit: eliminate unnecessary extra layer of watch parent references
From: Richard Guy Briggs @ 2015-07-14 15:40 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore
In-Reply-To: <cover.1435723005.git.rgb@redhat.com>
The audit watch parent count was imbalanced, adding an unnecessary layer of
watch parent references. Decrement the additional parent reference when a
watch is reused, already having a reference to the parent.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_watch.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index f33f54c..8f123d7 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -391,11 +391,12 @@ static void audit_add_to_parent(struct audit_krule *krule,
audit_get_watch(w);
krule->watch = watch = w;
+
+ audit_put_parent(parent);
break;
}
if (!watch_found) {
- audit_get_parent(parent);
watch->parent = parent;
audit_get_watch(watch);
@@ -436,9 +437,6 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
audit_add_to_parent(krule, parent);
- /* match get in audit_find_parent or audit_init_parent */
- audit_put_parent(parent);
-
h = audit_hash_ino((u32)watch->ino);
*list = &audit_inode_hash[h];
error:
--
1.7.1
^ permalink raw reply related
* [[PATCH V2] 0/2] Log on the future execution of a path
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs, pmoody
This is a part of Peter Moody, my and Eric Paris' work to implement
audit by executable name.
Please see the accompanying kernel patchset:
https://www.redhat.com/archives/linux-audit/2015-July/thread.html
[PATCH V6 0/4] audit by executable name
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----
# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----
# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----
Revision history:
v2: Allow exe or exe_children field alone without watch or syscall
v1: change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
v0: Peter Moodie's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00034.html
Next step:
Get full-path notify working.
Richard Guy Briggs (2):
userspace: audit: log on the future execution of a path
Allow monitoring of any activity on an executable with a specific
path.
trunk/lib/errormsg.h | 4 ++--
trunk/lib/fieldtab.h | 2 ++
trunk/lib/libaudit.c | 11 ++++++++++-
trunk/lib/libaudit.h | 7 ++++++-
trunk/lib/private.h | 1 +
trunk/src/auditctl-listing.c | 8 +++++++-
trunk/src/auditctl.c | 8 +++++++-
7 files changed, 35 insertions(+), 6 deletions(-)
^ permalink raw reply
* [[PATCH V2] 1/2] userspace: audit: log on the future execution of a path
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs, pmoody
In-Reply-To: <1436888809-32238-1-git-send-email-rgb@redhat.com>
Enable creation of rules to monitor for the execution of a path in the future.
For example, to log occurances of touch(1)ing a file in /tmp, use:
-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=touch_tmp
The command:
touch /tmp/test
should generate a log message that can be verified by:
ausearch --start recent -k touch_tmp
Similarly, use "exe_children=" in the place of "exe=" to detect the case for
any descendent processes.
Based-on-work-by: Peter Moody <pmoody@google.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/errormsg.h | 2 +-
trunk/lib/fieldtab.h | 2 ++
trunk/lib/libaudit.c | 5 +++++
trunk/lib/libaudit.h | 7 ++++++-
trunk/src/auditctl-listing.c | 8 +++++++-
5 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4fea66..8d72bd8 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
{ -15, 2, "-F unknown errno -"},
{ -16, 2, "-F unknown file type - " },
{ -17, 1, "can only be used with exit and entry filter list" },
- { -18, 1, "" }, // Unused
+ { -18, 1, "only takes = operator" },
{ -19, 0, "Key field needs a watch or syscall given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index dd7474c..c458c32 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
_S(AUDIT_FILTERKEY, "key" )
+_S(AUDIT_EXE, "exe" )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index dddfd0b..d7da4ec 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1395,6 +1395,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
case AUDIT_FILTERKEY:
+ case AUDIT_EXE_CHILDREN:
+ case AUDIT_EXE:
+ if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
+ op != AUDIT_EQUAL)
+ return -18;
if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
return -19;
vlen = strlen(v);
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 05ee91e..1d3a697 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -274,6 +274,12 @@ extern "C" {
#ifndef AUDIT_FIELD_COMPARE
#define AUDIT_FIELD_COMPARE 111
#endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
@@ -580,4 +586,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
#endif
#endif
-
diff --git a/trunk/src/auditctl-listing.c b/trunk/src/auditctl-listing.c
index 1dc9729..339dec7 100644
--- a/trunk/src/auditctl-listing.c
+++ b/trunk/src/auditctl-listing.c
@@ -63,7 +63,8 @@ int key_match(const struct audit_rule_data *r)
}
if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH)
&& field != AUDIT_PPID) || field == AUDIT_WATCH ||
- field == AUDIT_DIR || field == AUDIT_FILTERKEY) {
+ field == AUDIT_DIR || field == AUDIT_FILTERKEY
+ || field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
boffset += r->values[i];
}
}
@@ -357,6 +358,11 @@ static void print_rule(const struct audit_rule_data *r)
&r->buf[boffset]);
boffset += r->values[i];
+ } else if (field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
+ printf(" -F exe%s=%.*s",
+ field == AUDIT_EXE_CHILDREN ? "_children" : "",
+ r->values[i], &r->buf[boffset]);
+ boffset += r->values[i];
} else if (field == AUDIT_FILTERKEY) {
char *rkey, *ptr, *saved=NULL;
if (asprintf(&rkey, "%.*s", r->values[i],
--
1.7.1
^ permalink raw reply related
* [[PATCH V2] 2/2] Allow monitoring of any activity on an executable with a specific path.
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs, pmoody
In-Reply-To: <1436888809-32238-1-git-send-email-rgb@redhat.com>
Allow rules to be created that are not accompanied by a file or directory
watch, nor by a syscall specification.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/errormsg.h | 2 +-
trunk/lib/libaudit.c | 12 ++++++++----
trunk/lib/private.h | 1 +
trunk/src/auditctl.c | 8 +++++++-
4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 8d72bd8..2624567 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -52,7 +52,7 @@ static const struct msg_tab err_msgtab[] = {
{ -16, 2, "-F unknown file type - " },
{ -17, 1, "can only be used with exit and entry filter list" },
{ -18, 1, "only takes = operator" },
- { -19, 0, "Key field needs a watch or syscall given prior to it" },
+ { -19, 0, "Key field needs a watch, syscall or exe path given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
{ -22, 2, "-F missing field name before operator for" },
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index d7da4ec..b06c76b 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -82,6 +82,7 @@ static const struct nv_list failure_actions[] =
int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
+int _audit_exeadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1397,10 +1398,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_FILTERKEY:
case AUDIT_EXE_CHILDREN:
case AUDIT_EXE:
- if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
- op != AUDIT_EQUAL)
- return -18;
- if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
+ if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {
+ if (op != AUDIT_EQUAL)
+ return -18;
+ _audit_exeadded = 1;
+ }
+ if (field == AUDIT_FILTERKEY
+ && !(_audit_syscalladded || _audit_permadded || _audit_exeadded))
return -19;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/trunk/lib/private.h b/trunk/lib/private.h
index a0e3e35..7d7fd13 100644
--- a/trunk/lib/private.h
+++ b/trunk/lib/private.h
@@ -131,6 +131,7 @@ extern int audit_send_user_message(int fd, int type, hide_t hide_err,
extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
+extern int _audit_exeadded;
extern unsigned int _audit_elf;
hidden_proto(audit_send_user_message);
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index b084b1a..40e9812 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -73,6 +73,7 @@ static int reset_vars(void)
_audit_syscalladded = 0;
_audit_permadded = 0;
_audit_archadded = 0;
+ _audit_exeadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -821,6 +822,11 @@ static int setopt(int count, int lineno, char *vars[])
if (rule_new->fields[rule_new->field_count-1] ==
AUDIT_PERM)
_audit_permadded = 1;
+ if ((rule_new->fields[rule_new->field_count-1] ==
+ AUDIT_EXE) ||
+ (rule_new->fields[rule_new->field_count-1] ==
+ AUDIT_EXE_CHILDREN))
+ _audit_exeadded = 1;
}
break;
@@ -908,7 +914,7 @@ static int setopt(int count, int lineno, char *vars[])
}
break;
case 'k':
- if (!(_audit_syscalladded || _audit_permadded ) ||
+ if (!(_audit_syscalladded || _audit_permadded || _audit_exeadded) ||
(add==AUDIT_FILTER_UNSET &&
del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
--
1.7.1
^ permalink raw reply related
* [PATCH V6 0/4] audit by executable name
From: Richard Guy Briggs @ 2015-07-14 15:50 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, pmoody
Please see the accompanying userspace patchset:
https://www.redhat.com/archives/linux-audit/2015-July/thread.html
[[PATCH V2] 0/2] Log on the future execution of a path
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Setting and deleting rules works as expected.
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----
# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----
# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----
Revision history:
v6: Explicitly declare prototypes as external.
Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field.
Rebased on v4.1.
Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
audit_autoremove_mark_rule() to avoid confusion with
audit_remove_{watch,tree}_rule() usage.
Add audit_remove_mark_rule() to provide similar interface as
audit_remove_{watch,tree}_rule().
Simplify stubs to defines.
Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with
the naming convention of inotify_free_mark(), dnotify_free_mark(),
fanotify_free_mark(), audit_watch_free_mark().
Return -ENOMEM rather than null in case of memory allocation failure for
audit_mark in audit_alloc_mark().
Rename audit_free_mark() to audit_mark_free() to avoid association with
{i,d,fa}notify_free_mark() and audit_watch_free_mark().
Clean up exe with similar interface as watch and tree.
Clean up audit exe mark just before audit_free_rule() rather than in it to
avoid mutex in software interrupt context.
Fixed bug in audit_dupe_exe() that returned error rather than valid pointer.
v5: Revert patch "Let audit_free_rule() take care of calling
audit_remove_mark()." since it caused a group mark deadlock.
https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
v4: Re-order and squash down fixups
Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark().
https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
v3: Rationalize and rename some function names and clean up get/put and free code.
Rename several "watch" references to "mark".
Rename audit_remove_rule() to audit_remove_mark_rule().
Let audit_free_rule() take care of calling audit_remove_mark().
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Move the access to the entry for audit_match_signal() to the beginning
of the function in case the entry found is the same one passed in.
This will enable it to be used by audit_remove_mark_rule().
https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
v2: Misguided attempt to add in audit_exe similar to watches
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
v1.5: eparis' switch to fsnotify
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
v1: Change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
v0: Peter Moodie's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
Future step:
Get full-path notify working.
Eric Paris (1):
audit: implement audit by executable
Richard Guy Briggs (3):
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
audit: avoid double copying the audit_exe path string
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 33 ++++++
kernel/audit_exe.c | 50 +++++++++
kernel/audit_fsnotify.c | 246 ++++++++++++++++++++++++++++++++++++++++++++
kernel/audit_tree.c | 2 +
kernel/audit_watch.c | 4 +
kernel/auditfilter.c | 63 +++++++++++-
kernel/auditsc.c | 16 +++
10 files changed, 415 insertions(+), 4 deletions(-)
create mode 100644 kernel/audit_exe.c
create mode 100644 kernel/audit_fsnotify.c
^ permalink raw reply
* [PATCH V6 1/4] audit: implement audit by executable
From: Richard Guy Briggs @ 2015-07-14 15:50 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, pmoody
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>
From: Eric Paris <eparis@redhat.com>
This patch implements the ability to filter on the executable. It is
clearly incomplete! This patch adds the inode/dev of the executable at
the moment the rule is loaded. It does not update if the executable is
updated/moved/whatever. That should be added. But at this moment, this
patch works.
RGB: Explicitly declare prototypes as extern.
RGB: Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field.
Based-on-user-interface-by: Richard Guy Briggs <rgb@redhat.com>
Based-on-idea-by: Peter Moody <pmoody@google.com>
Cc: pmoody@google.com
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 32 +++++++++++++
kernel/audit_exe.c | 109 ++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 44 ++++++++++++++++++
kernel/auditsc.c | 16 ++++++
7 files changed, 205 insertions(+), 1 deletions(-)
create mode 100644 kernel/audit_exe.c
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c2e7e3a..95463a2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -59,6 +59,7 @@ struct audit_krule {
struct audit_field *inode_f; /* quick access to an inode field */
struct audit_watch *watch; /* associated watch */
struct audit_tree *tree; /* associated watched tree */
+ struct audit_exe *exe;
struct list_head rlist; /* entry in audit_{watch,tree}.rules list */
struct list_head list; /* for AUDIT_LIST* purposes only */
u64 prio;
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d3475e1..489aebc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -266,6 +266,8 @@
#define AUDIT_OBJ_UID 109
#define AUDIT_OBJ_GID 110
#define AUDIT_FIELD_COMPARE 111
+#define AUDIT_EXE 112
+#define AUDIT_EXE_CHILDREN 113
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
diff --git a/kernel/Makefile b/kernel/Makefile
index 60c302c..a7ea330 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o
obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
-obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o
+obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o
obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
obj-$(CONFIG_GCOV_KERNEL) += gcov/
obj-$(CONFIG_KPROBES) += kprobes.o
diff --git a/kernel/audit.h b/kernel/audit.h
index d641f9b..3aca24f 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -50,6 +50,7 @@ enum audit_state {
/* Rule lists */
struct audit_watch;
+struct audit_exe;
struct audit_tree;
struct audit_chunk;
@@ -269,6 +270,13 @@ extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
extern void audit_remove_watch_rule(struct audit_krule *krule);
extern char *audit_watch_path(struct audit_watch *watch);
extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev);
+
+extern int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op);
+extern void audit_remove_exe_rule(struct audit_krule *krule);
+extern char *audit_exe_path(struct audit_exe *exe);
+extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
+extern int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe);
+
#else
#define audit_put_watch(w) {}
#define audit_get_watch(w) {}
@@ -278,6 +286,30 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev
#define audit_watch_path(w) ""
#define audit_watch_compare(w, i, d) 0
+static inline int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op)
+{
+ return -EINVAL;
+}
+static inline void audit_remove_exe_rule(struct audit_krule *krule)
+{
+ BUG();
+ return 0;
+}
+static inline char *audit_exe_path(struct audit_exe *exe)
+{
+ BUG();
+ return "";
+}
+static inline int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
+{
+ BUG();
+ return -EINVAL
+}
+static inline int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe)
+{
+ BUG();
+ return 0;
+}
#endif /* CONFIG_AUDIT_WATCH */
#ifdef CONFIG_AUDIT_TREE
diff --git a/kernel/audit_exe.c b/kernel/audit_exe.c
new file mode 100644
index 0000000..d4cc8b5
--- /dev/null
+++ b/kernel/audit_exe.c
@@ -0,0 +1,109 @@
+/* audit_exe.c -- filtering of audit events
+ *
+ * Copyright 2014-2015 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/kernel.h>
+#include <linux/audit.h>
+#include <linux/mutex.h>
+#include <linux/fs.h>
+#include <linux/namei.h>
+#include <linux/slab.h>
+#include "audit.h"
+
+struct audit_exe {
+ char *pathname;
+ unsigned long ino;
+ dev_t dev;
+};
+
+/* Translate a watch string to kernel respresentation. */
+int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op)
+{
+ struct audit_exe *exe;
+ struct path path;
+ struct dentry *dentry;
+ unsigned long ino;
+ dev_t dev;
+
+ if (pathname[0] != '/' || pathname[len-1] == '/')
+ return -EINVAL;
+
+ dentry = kern_path_locked(pathname, &path);
+ if (IS_ERR(dentry))
+ return PTR_ERR(dentry);
+ mutex_unlock(&path.dentry->d_inode->i_mutex);
+
+ if (!dentry->d_inode)
+ return -ENOENT;
+ dev = dentry->d_inode->i_sb->s_dev;
+ ino = dentry->d_inode->i_ino;
+ dput(dentry);
+
+ exe = kmalloc(sizeof(*exe), GFP_KERNEL);
+ if (!exe)
+ return -ENOMEM;
+ exe->ino = ino;
+ exe->dev = dev;
+ exe->pathname = pathname;
+ krule->exe = exe;
+
+ return 0;
+}
+
+void audit_remove_exe_rule(struct audit_krule *krule)
+{
+ struct audit_exe *exe;
+
+ exe = krule->exe;
+ krule->exe = NULL;
+ kfree(exe->pathname);
+ kfree(exe);
+}
+
+char *audit_exe_path(struct audit_exe *exe)
+{
+ return exe->pathname;
+}
+
+int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
+{
+ struct audit_exe *exe;
+
+ exe = kmalloc(sizeof(*exe), GFP_KERNEL);
+ if (!exe)
+ return -ENOMEM;
+
+ exe->pathname = kstrdup(old->exe->pathname, GFP_KERNEL);
+ if (!exe->pathname) {
+ kfree(exe);
+ return -ENOMEM;
+ }
+
+ exe->ino = old->exe->ino;
+ exe->dev = old->exe->dev;
+ new->exe = exe;
+
+ return 0;
+}
+
+int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe)
+{
+ if (tsk->mm->exe_file->f_inode->i_ino != exe->ino)
+ return 0;
+ if (tsk->mm->exe_file->f_inode->i_sb->s_dev != exe->dev)
+ return 0;
+ return 1;
+}
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 74cc077..09041b2 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -405,6 +405,13 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
if (f->val > AUDIT_MAX_FIELD_COMPARE)
return -EINVAL;
break;
+ case AUDIT_EXE:
+ case AUDIT_EXE_CHILDREN:
+ if (f->op != Audit_equal)
+ return -EINVAL;
+ if (entry->rule.listnr != AUDIT_FILTER_EXIT)
+ return -EINVAL;
+ break;
};
return 0;
}
@@ -539,6 +546,23 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
entry->rule.buflen += f->val;
entry->rule.filterkey = str;
break;
+ case AUDIT_EXE:
+ case AUDIT_EXE_CHILDREN:
+ if (entry->rule.exe || f->val > PATH_MAX)
+ goto exit_free;
+ str = audit_unpack_string(&bufp, &remain, f->val);
+ if (IS_ERR(str)) {
+ err = PTR_ERR(str);
+ goto exit_free;
+ }
+ entry->rule.buflen += f->val;
+
+ err = audit_make_exe_rule(&entry->rule, str, f->val, f->op);
+ if (err) {
+ kfree(str);
+ goto exit_free;
+ }
+ break;
}
}
@@ -615,6 +639,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->buflen += data->values[i] =
audit_pack_string(&bufp, krule->filterkey);
break;
+ case AUDIT_EXE:
+ case AUDIT_EXE_CHILDREN:
+ data->buflen += data->values[i] =
+ audit_pack_string(&bufp, audit_exe_path(krule->exe));
+ break;
case AUDIT_LOGINUID_SET:
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
data->fields[i] = AUDIT_LOGINUID;
@@ -678,6 +707,13 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
if (strcmp(a->filterkey, b->filterkey))
return 1;
break;
+ case AUDIT_EXE:
+ case AUDIT_EXE_CHILDREN:
+ /* both paths exist based on above type compare */
+ if (strcmp(audit_exe_path(a->exe),
+ audit_exe_path(b->exe)))
+ return 1;
+ break;
case AUDIT_UID:
case AUDIT_EUID:
case AUDIT_SUID:
@@ -799,6 +835,11 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old)
err = -ENOMEM;
else
new->filterkey = fk;
+ break;
+ case AUDIT_EXE:
+ case AUDIT_EXE_CHILDREN:
+ err = audit_dupe_exe(new, old);
+ break;
}
if (err) {
audit_free_rule(entry);
@@ -965,6 +1006,9 @@ static inline int audit_del_rule(struct audit_entry *entry)
if (e->rule.tree)
audit_remove_tree_rule(&e->rule);
+ if (e->rule.exe)
+ audit_remove_exe_rule(&e->rule);
+
list_del_rcu(&e->list);
list_del(&e->rule.list);
call_rcu(&e->rcu, audit_free_rule_rcu);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9fb9d1c..bf745c7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -48,6 +48,7 @@
#include <asm/types.h>
#include <linux/atomic.h>
#include <linux/fs.h>
+#include <linux/dcache.h>
#include <linux/namei.h>
#include <linux/mm.h>
#include <linux/export.h>
@@ -71,6 +72,7 @@
#include <linux/capability.h>
#include <linux/fs_struct.h>
#include <linux/compat.h>
+#include <linux/sched.h>
#include <linux/ctype.h>
#include <linux/string.h>
#include <uapi/linux/limits.h>
@@ -466,6 +468,20 @@ static int audit_filter_rules(struct task_struct *tsk,
result = audit_comparator(ctx->ppid, f->op, f->val);
}
break;
+ case AUDIT_EXE:
+ result = audit_exe_compare(tsk, rule->exe);
+ break;
+ case AUDIT_EXE_CHILDREN:
+ {
+ struct task_struct *ptsk;
+ for (ptsk = tsk; ptsk->parent->pid > 0; ptsk = find_task_by_vpid(ptsk->parent->pid)) {
+ if (audit_exe_compare(ptsk, rule->exe)) {
+ ++result;
+ break;
+ }
+ }
+ }
+ break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
break;
--
1.7.1
^ permalink raw reply related
* [PATCH V6 2/4] audit: clean simple fsnotify implementation
From: Richard Guy Briggs @ 2015-07-14 15:50 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, pmoody
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>
This is to be used to audit by executable rules, but audit watches
should be able to share this code eventually.
At the moment the audit watch code is a lot more complex, that code only
creates one fsnotify watch per parent directory. That 'audit_parent' in
turn has a list of 'audit_watches' which contain the name, ino, dev of
the specific object we care about. This just creates one fsnotify watch
per object we care about. So if you watch 100 inodes in /etc this code
will create 100 fsnotify watches on /etc. The audit_watch code will
instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
individual watches chained from that fsnotify mark.
We should be able to convert the audit_watch code to do one fsnotify
mark per watch and simplify things/remove a whole lot of code. After
that conversion we should be able to convert the audit_fsnotify code to
support that hierarchy if the optimization is necessary.
Signed-off-by: Eric Paris <eparis@redhat.com>
RGB: Move the access to the entry for audit_match_signal() to the beginning of
the function in case the entry found is the same one passed in. This will
enable it to be used by audit_autoremove_mark_rule().
RGB: Rename several "watch" references to "mark".
RGB: Rename audit_remove_rule() to audit_autoremove_mark_rule().
RGB: Put audit_alloc_mark() arguments in same order as watch, tree and inode.
RGB: Remove space from audit log value text in audit_autoremove_mark_rule().
RGB: Explicitly declare prototypes as extern.
RGB: Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
audit_autoremove_mark_rule() to avoid confusion with
audit_remove_{watch,tree}_rule() usage.
RGB: Add audit_remove_mark_rule() to provide similar interface as
audit_remove_{watch,tree}_rule().
RGB: Simplify stubs to defines.
RGB: Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with
the naming convention of inotify_free_mark(), dnotify_free_mark(),
fanotify_free_mark(), audit_watch_free_mark().
RGB: Return -ENOMEM rather than null in case of memory allocation failure for audit_mark.
RGB: Rename audit_free_mark() to audit_mark_free() to avoid association with
{i,d,fa}notify_free_mark() and audit_watch_free_mark().
Based-on-code-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/Makefile | 2 +-
kernel/audit.h | 22 ++++
kernel/audit_fsnotify.c | 253 +++++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 5 +-
4 files changed, 279 insertions(+), 3 deletions(-)
create mode 100644 kernel/audit_fsnotify.c
diff --git a/kernel/Makefile b/kernel/Makefile
index a7ea330..397109e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o
obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
-obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o
+obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o audit_fsnotify.o
obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
obj-$(CONFIG_GCOV_KERNEL) += gcov/
obj-$(CONFIG_KPROBES) += kprobes.o
diff --git a/kernel/audit.h b/kernel/audit.h
index 3aca24f..491bd4b 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -50,6 +50,7 @@ enum audit_state {
/* Rule lists */
struct audit_watch;
+struct audit_fsnotify_mark;
struct audit_exe;
struct audit_tree;
struct audit_chunk;
@@ -253,6 +254,7 @@ struct audit_net {
extern int selinux_audit_rule_update(void);
extern struct mutex audit_filter_mutex;
+extern int audit_del_rule(struct audit_entry *);
extern void audit_free_rule_rcu(struct rcu_head *);
extern struct list_head audit_filter_list[];
@@ -271,6 +273,12 @@ extern void audit_remove_watch_rule(struct audit_krule *krule);
extern char *audit_watch_path(struct audit_watch *watch);
extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev);
+extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len);
+extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
+extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
+extern void audit_remove_mark_rule(struct audit_krule *krule);
+extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev);
+
extern int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op);
extern void audit_remove_exe_rule(struct audit_krule *krule);
extern char *audit_exe_path(struct audit_exe *exe);
@@ -286,6 +294,20 @@ extern int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe);
#define audit_watch_path(w) ""
#define audit_watch_compare(w, i, d) 0
+#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
+static inline char *audit_mark_path(struct audit_fsnotify_mark *mark)
+{
+ BUG();
+ return "";
+}
+#define audit_remove_mark(m) BUG()
+#define audit_remove_mark_rule(k) BUG()
+static inline int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev)
+{
+ BUG();
+ return 0;
+}
+
static inline int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op)
{
return -EINVAL;
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
new file mode 100644
index 0000000..a4e7b16
--- /dev/null
+++ b/kernel/audit_fsnotify.c
@@ -0,0 +1,253 @@
+/* audit_fsnotify.c -- tracking inodes
+ *
+ * Copyright 2003-2009,2014-2015 Red Hat, Inc.
+ * Copyright 2005 Hewlett-Packard Development Company, L.P.
+ * Copyright 2005 IBM Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <linux/kernel.h>
+#include <linux/audit.h>
+#include <linux/kthread.h>
+#include <linux/mutex.h>
+#include <linux/fs.h>
+#include <linux/fsnotify_backend.h>
+#include <linux/namei.h>
+#include <linux/netlink.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/security.h>
+#include "audit.h"
+
+/*
+ * this mark lives on the parent directory of the inode in question.
+ * but dev, ino, and path are about the child
+ */
+struct audit_fsnotify_mark {
+ dev_t dev; /* associated superblock device */
+ unsigned long ino; /* associated inode number */
+ char *path; /* insertion path */
+ struct fsnotify_mark mark; /* fsnotify mark on the inode */
+ struct audit_krule *rule;
+};
+
+/* fsnotify handle. */
+static struct fsnotify_group *audit_fsnotify_group;
+
+/* fsnotify events we care about. */
+#define AUDIT_FS_EVENTS (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
+ FS_MOVE_SELF | FS_EVENT_ON_CHILD)
+
+static void audit_mark_free(struct audit_fsnotify_mark *audit_mark)
+{
+ kfree(audit_mark->path);
+ kfree(audit_mark);
+}
+
+static void audit_fsnotify_free_mark(struct fsnotify_mark *mark)
+{
+ struct audit_fsnotify_mark *audit_mark;
+
+ audit_mark = container_of(mark, struct audit_fsnotify_mark, mark);
+ audit_mark_free(audit_mark);
+}
+
+#if 0 /* not sure if we need these... */
+static void audit_get_mark(struct audit_fsnotify_mark *audit_mark)
+{
+ if (likely(audit_mark))
+ fsnotify_get_mark(&audit_mark->mark);
+}
+
+static void audit_put_mark(struct audit_fsnotify_mark *audit_mark)
+{
+ if (likely(audit_mark))
+ fsnotify_put_mark(&audit_mark->mark);
+}
+#endif
+
+char *audit_mark_path(struct audit_fsnotify_mark *mark)
+{
+ return mark->path;
+}
+
+int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev)
+{
+ if (mark->ino == (unsigned long)-1)
+ return 0;
+ return (mark->ino == ino) && (mark->dev == dev);
+}
+
+struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len)
+{
+ struct audit_fsnotify_mark *audit_mark;
+ struct path path;
+ struct dentry *dentry;
+ struct inode *inode;
+ unsigned long ino;
+ char *local_pathname;
+ dev_t dev;
+ int ret;
+
+ if (pathname[0] != '/' || pathname[len-1] == '/')
+ return ERR_PTR(-EINVAL);
+
+ dentry = kern_path_locked(pathname, &path);
+ if (IS_ERR(dentry))
+ return (void *)dentry; /* returning an error */
+ inode = path.dentry->d_inode;
+ mutex_unlock(&inode->i_mutex);
+
+ if (!dentry->d_inode) {
+ ino = (unsigned long)-1;
+ dev = (unsigned)-1;
+ } else {
+ dev = dentry->d_inode->i_sb->s_dev;
+ ino = dentry->d_inode->i_ino;
+ }
+
+ audit_mark = ERR_PTR(-ENOMEM);
+ local_pathname = kstrdup(pathname, GFP_KERNEL);
+ if (!local_pathname)
+ goto out;
+
+ audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL);
+ if (unlikely(!audit_mark)) {
+ kfree(local_pathname);
+ audit_mark = ERR_PTR(-ENOMEM);
+ goto out;
+ }
+
+ fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_free_mark);
+ audit_mark->mark.mask = AUDIT_FS_EVENTS;
+ audit_mark->path = local_pathname;
+ audit_mark->ino = ino;
+ audit_mark->dev = dev;
+ audit_mark->rule = krule;
+
+ ret = fsnotify_add_mark(&audit_mark->mark, audit_fsnotify_group, inode, NULL, true);
+ if (ret < 0) {
+ audit_mark_free(audit_mark);
+ audit_mark = ERR_PTR(ret);
+ }
+out:
+ dput(dentry);
+ path_put(&path);
+ return audit_mark;
+}
+
+static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, char *op)
+{
+ struct audit_buffer *ab;
+ struct audit_krule *rule = audit_mark->rule;
+ if (!audit_enabled)
+ return;
+ ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+ if (unlikely(!ab))
+ return;
+ audit_log_format(ab, "auid=%u ses=%u op=",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current));
+ audit_log_string(ab, op);
+ audit_log_format(ab, " path=");
+ audit_log_untrustedstring(ab, audit_mark->path);
+ audit_log_key(ab, rule->filterkey);
+ audit_log_format(ab, " list=%d res=1", rule->listnr);
+ audit_log_end(ab);
+}
+
+static int audit_update_mark(struct audit_fsnotify_mark *audit_mark,
+ struct inode *inode)
+{
+ if (inode) {
+ audit_mark->dev = inode->i_sb->s_dev;
+ audit_mark->ino = inode->i_ino;
+ } else {
+ audit_mark->dev = (unsigned)-1;
+ audit_mark->ino = (unsigned long)-1;
+ }
+ return 0;
+}
+
+void audit_remove_mark(struct audit_fsnotify_mark *audit_mark)
+{
+ fsnotify_destroy_mark(&audit_mark->mark, audit_fsnotify_group);
+ fsnotify_put_mark(&audit_mark->mark);
+}
+
+void audit_remove_mark_rule(struct audit_krule *krule)
+{
+ struct audit_fsnotify_mark *mark = krule->exe;
+
+ audit_remove_mark(mark);
+}
+
+static void audit_autoremove_mark_rule(struct audit_fsnotify_mark *audit_mark)
+{
+ struct audit_krule *rule = audit_mark->rule;
+ struct audit_entry *entry = container_of(rule, struct audit_entry, rule);
+
+ audit_mark_log_rule_change(audit_mark, "autoremove_rule");
+ audit_del_rule(entry);
+}
+
+/* Update mark data in audit rules based on fsnotify events. */
+static int audit_mark_handle_event(struct fsnotify_group *group,
+ struct inode *to_tell,
+ struct fsnotify_mark *inode_mark,
+ struct fsnotify_mark *vfsmount_mark,
+ u32 mask, void *data, int data_type,
+ const unsigned char *dname, u32 cookie)
+{
+ struct audit_fsnotify_mark *audit_mark;
+ struct inode *inode = NULL;
+
+ audit_mark = container_of(inode_mark, struct audit_fsnotify_mark, mark);
+
+ BUG_ON(group != audit_fsnotify_group);
+
+ switch (data_type) {
+ case (FSNOTIFY_EVENT_PATH):
+ inode = ((struct path *)data)->dentry->d_inode;
+ break;
+ case (FSNOTIFY_EVENT_INODE):
+ inode = (struct inode *)data;
+ break;
+ default:
+ BUG();
+ return 0;
+ };
+
+ if (mask & (FS_CREATE|FS_MOVED_TO|FS_DELETE|FS_MOVED_FROM)) {
+ if (audit_compare_dname_path(dname, audit_mark->path, AUDIT_NAME_FULL))
+ return 0;
+ audit_update_mark(audit_mark, inode);
+ } else if (mask & (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF))
+ audit_autoremove_mark_rule(audit_mark);
+
+ return 0;
+}
+
+static const struct fsnotify_ops audit_mark_fsnotify_ops = {
+ .handle_event = audit_mark_handle_event,
+};
+
+static int __init audit_fsnotify_init(void)
+{
+ audit_fsnotify_group = fsnotify_alloc_group(&audit_mark_fsnotify_ops);
+ if (IS_ERR(audit_fsnotify_group)) {
+ audit_fsnotify_group = NULL;
+ audit_panic("cannot create audit fsnotify group");
+ }
+ return 0;
+}
+device_initcall(audit_fsnotify_init);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 09041b2..bbb39ec 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -977,7 +977,7 @@ error:
}
/* Remove an existing rule from filterlist. */
-static inline int audit_del_rule(struct audit_entry *entry)
+int audit_del_rule(struct audit_entry *entry)
{
struct audit_entry *e;
struct audit_tree *tree = entry->rule.tree;
@@ -985,6 +985,7 @@ static inline int audit_del_rule(struct audit_entry *entry)
int ret = 0;
#ifdef CONFIG_AUDITSYSCALL
int dont_count = 0;
+ int match = audit_match_signal(entry);
/* If either of these, don't count towards total */
if (entry->rule.listnr == AUDIT_FILTER_USER ||
@@ -1017,7 +1018,7 @@ static inline int audit_del_rule(struct audit_entry *entry)
if (!dont_count)
audit_n_rules--;
- if (!audit_match_signal(entry))
+ if (!match)
audit_signals--;
#endif
mutex_unlock(&audit_filter_mutex);
--
1.7.1
^ permalink raw reply related
* [PATCH V6 3/4] audit: convert audit_exe to audit_fsnotify
From: Richard Guy Briggs @ 2015-07-14 15:50 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, pmoody
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>
Instead of just hard coding the ino and dev of the executable we care
about at the moment the rule is inserted into the kernel, use the new
audit_fsnotify infrastructure. This means that if the inode in question
is unlinked and creat'd (aka updated) the rule will just continue to
work.
Signed-off-by: Eric Paris <eparis@redhat.com>
RGB: Clean up exe with similar interface as watch and tree.
RGB: Clean up audit exe mark just before audit_free_rule() rather than in it to
avoid mutex in software interrupt context.
Based-on-code-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
include/linux/audit.h | 2 +-
kernel/audit.h | 33 +++---------------
kernel/audit_exe.c | 87 +++++++------------------------------------------
kernel/audit_tree.c | 2 +
kernel/audit_watch.c | 4 ++
kernel/auditfilter.c | 28 +++++++++++----
6 files changed, 45 insertions(+), 111 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 95463a2..aee456f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -59,7 +59,7 @@ struct audit_krule {
struct audit_field *inode_f; /* quick access to an inode field */
struct audit_watch *watch; /* associated watch */
struct audit_tree *tree; /* associated watched tree */
- struct audit_exe *exe;
+ struct audit_fsnotify_mark *exe;
struct list_head rlist; /* entry in audit_{watch,tree}.rules list */
struct list_head list; /* for AUDIT_LIST* purposes only */
u64 prio;
diff --git a/kernel/audit.h b/kernel/audit.h
index 491bd4b..eeaf054 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -51,7 +51,6 @@ enum audit_state {
/* Rule lists */
struct audit_watch;
struct audit_fsnotify_mark;
-struct audit_exe;
struct audit_tree;
struct audit_chunk;
@@ -279,11 +278,8 @@ extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
extern void audit_remove_mark_rule(struct audit_krule *krule);
extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev);
-extern int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op);
-extern void audit_remove_exe_rule(struct audit_krule *krule);
-extern char *audit_exe_path(struct audit_exe *exe);
extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
-extern int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe);
+extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark);
#else
#define audit_put_watch(w) {}
@@ -302,36 +298,19 @@ static inline char *audit_mark_path(struct audit_fsnotify_mark *mark)
}
#define audit_remove_mark(m) BUG()
#define audit_remove_mark_rule(k) BUG()
-static inline int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev)
-{
- BUG();
- return 0;
-}
-static inline int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op)
-{
- return -EINVAL;
-}
-static inline void audit_remove_exe_rule(struct audit_krule *krule)
-{
- BUG();
- return 0;
-}
-static inline char *audit_exe_path(struct audit_exe *exe)
+static inline int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
{
BUG();
- return "";
+ return -EINVAL;
}
+
static inline int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
{
BUG();
- return -EINVAL
-}
-static inline int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe)
-{
- BUG();
- return 0;
+ return -EINVAL;
}
+
#endif /* CONFIG_AUDIT_WATCH */
#ifdef CONFIG_AUDIT_TREE
diff --git a/kernel/audit_exe.c b/kernel/audit_exe.c
index d4cc8b5..75ad4f2 100644
--- a/kernel/audit_exe.c
+++ b/kernel/audit_exe.c
@@ -17,93 +17,30 @@
#include <linux/kernel.h>
#include <linux/audit.h>
-#include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/slab.h>
#include "audit.h"
-struct audit_exe {
- char *pathname;
- unsigned long ino;
- dev_t dev;
-};
-
-/* Translate a watch string to kernel respresentation. */
-int audit_make_exe_rule(struct audit_krule *krule, char *pathname, int len, u32 op)
-{
- struct audit_exe *exe;
- struct path path;
- struct dentry *dentry;
- unsigned long ino;
- dev_t dev;
-
- if (pathname[0] != '/' || pathname[len-1] == '/')
- return -EINVAL;
-
- dentry = kern_path_locked(pathname, &path);
- if (IS_ERR(dentry))
- return PTR_ERR(dentry);
- mutex_unlock(&path.dentry->d_inode->i_mutex);
-
- if (!dentry->d_inode)
- return -ENOENT;
- dev = dentry->d_inode->i_sb->s_dev;
- ino = dentry->d_inode->i_ino;
- dput(dentry);
-
- exe = kmalloc(sizeof(*exe), GFP_KERNEL);
- if (!exe)
- return -ENOMEM;
- exe->ino = ino;
- exe->dev = dev;
- exe->pathname = pathname;
- krule->exe = exe;
-
- return 0;
-}
-
-void audit_remove_exe_rule(struct audit_krule *krule)
-{
- struct audit_exe *exe;
-
- exe = krule->exe;
- krule->exe = NULL;
- kfree(exe->pathname);
- kfree(exe);
-}
-
-char *audit_exe_path(struct audit_exe *exe)
-{
- return exe->pathname;
-}
-
int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
{
- struct audit_exe *exe;
-
- exe = kmalloc(sizeof(*exe), GFP_KERNEL);
- if (!exe)
- return -ENOMEM;
+ struct audit_fsnotify_mark *audit_mark;
+ char *pathname;
- exe->pathname = kstrdup(old->exe->pathname, GFP_KERNEL);
- if (!exe->pathname) {
- kfree(exe);
- return -ENOMEM;
- }
+ pathname = audit_mark_path(old->exe);
- exe->ino = old->exe->ino;
- exe->dev = old->exe->dev;
- new->exe = exe;
+ audit_mark = audit_alloc_mark(new, pathname, strlen(pathname));
+ if (IS_ERR(audit_mark))
+ return PTR_ERR(audit_mark);
+ new->exe = audit_mark;
return 0;
}
-int audit_exe_compare(struct task_struct *tsk, struct audit_exe *exe)
+int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
{
- if (tsk->mm->exe_file->f_inode->i_ino != exe->ino)
- return 0;
- if (tsk->mm->exe_file->f_inode->i_sb->s_dev != exe->dev)
- return 0;
- return 1;
+ unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
+ dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
+
+ return audit_mark_compare(mark, ino, dev);
}
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index b0f9877..94ecdab 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -479,6 +479,8 @@ static void kill_rules(struct audit_tree *tree)
if (rule->tree) {
/* not a half-baked one */
audit_tree_log_remove_rule(rule);
+ if (entry->rule.exe)
+ audit_remove_mark(entry->rule.exe);
rule->tree = NULL;
list_del_rcu(&entry->list);
list_del(&entry->rule.list);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 8f123d7..4aaa393 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -312,6 +312,8 @@ static void audit_update_watch(struct audit_parent *parent,
list_replace(&oentry->rule.list,
&nentry->rule.list);
}
+ if (oentry->rule.exe)
+ audit_remove_mark(oentry->rule.exe);
audit_watch_log_rule_change(r, owatch, "updated_rules");
@@ -342,6 +344,8 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
audit_watch_log_rule_change(r, w, "remove_rule");
+ if (e->rule.exe)
+ audit_remove_mark(e->rule.exe);
list_del(&r->rlist);
list_del(&r->list);
list_del_rcu(&e->list);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index bbb39ec..f65c97f 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,6 +426,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
size_t remain = datasz - sizeof(struct audit_rule_data);
int i;
char *str;
+ struct audit_fsnotify_mark *audit_mark;
entry = audit_to_entry_common(data);
if (IS_ERR(entry))
@@ -557,11 +558,13 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
}
entry->rule.buflen += f->val;
- err = audit_make_exe_rule(&entry->rule, str, f->val, f->op);
- if (err) {
- kfree(str);
+ audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
+ kfree(str);
+ if (IS_ERR(audit_mark)) {
+ err = PTR_ERR(audit_mark);
goto exit_free;
}
+ entry->rule.exe = audit_mark;
break;
}
}
@@ -575,6 +578,8 @@ exit_nofree:
exit_free:
if (entry->rule.tree)
audit_put_tree(entry->rule.tree); /* that's the temporary one */
+ if (entry->rule.exe)
+ audit_remove_mark(entry->rule.exe); /* that's the template one */
audit_free_rule(entry);
return ERR_PTR(err);
}
@@ -642,7 +647,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
case AUDIT_EXE:
case AUDIT_EXE_CHILDREN:
data->buflen += data->values[i] =
- audit_pack_string(&bufp, audit_exe_path(krule->exe));
+ audit_pack_string(&bufp, audit_mark_path(krule->exe));
break;
case AUDIT_LOGINUID_SET:
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
@@ -710,8 +715,8 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
case AUDIT_EXE:
case AUDIT_EXE_CHILDREN:
/* both paths exist based on above type compare */
- if (strcmp(audit_exe_path(a->exe),
- audit_exe_path(b->exe)))
+ if (strcmp(audit_mark_path(a->exe),
+ audit_mark_path(b->exe)))
return 1;
break;
case AUDIT_UID:
@@ -842,6 +847,8 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old)
break;
}
if (err) {
+ if (new->exe)
+ audit_remove_mark(new->exe);
audit_free_rule(entry);
return ERR_PTR(err);
}
@@ -1008,7 +1015,7 @@ int audit_del_rule(struct audit_entry *entry)
audit_remove_tree_rule(&e->rule);
if (e->rule.exe)
- audit_remove_exe_rule(&e->rule);
+ audit_remove_mark_rule(&e->rule);
list_del_rcu(&e->list);
list_del(&e->rule.list);
@@ -1113,8 +1120,11 @@ int audit_rule_change(int type, __u32 portid, int seq, void *data,
WARN_ON(1);
}
- if (err || type == AUDIT_DEL_RULE)
+ if (err || type == AUDIT_DEL_RULE) {
+ if (entry->rule.exe)
+ audit_remove_mark(entry->rule.exe);
audit_free_rule(entry);
+ }
return err;
}
@@ -1406,6 +1416,8 @@ static int update_lsm_rule(struct audit_krule *r)
return 0;
nentry = audit_dupe_rule(r);
+ if (entry->rule.exe)
+ audit_remove_mark(entry->rule.exe);
if (IS_ERR(nentry)) {
/* save the first error encountered for the
* return value */
--
1.7.1
^ permalink raw reply related
* [PATCH V6 4/4] audit: avoid double copying the audit_exe path string
From: Richard Guy Briggs @ 2015-07-14 15:50 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, pmoody
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>
Make this interface consistent with watch and filter key, avoiding the extra
string copy and simply consume the new string pointer.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_exe.c | 8 ++++++--
kernel/audit_fsnotify.c | 9 +--------
kernel/auditfilter.c | 2 +-
3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/kernel/audit_exe.c b/kernel/audit_exe.c
index 75ad4f2..09e4eb4 100644
--- a/kernel/audit_exe.c
+++ b/kernel/audit_exe.c
@@ -27,11 +27,15 @@ int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
struct audit_fsnotify_mark *audit_mark;
char *pathname;
- pathname = audit_mark_path(old->exe);
+ pathname = kstrdup(audit_mark_path(old->exe), GFP_KERNEL);
+ if (!pathname)
+ return -ENOMEM;
audit_mark = audit_alloc_mark(new, pathname, strlen(pathname));
- if (IS_ERR(audit_mark))
+ if (IS_ERR(audit_mark)) {
+ kfree(pathname);
return PTR_ERR(audit_mark);
+ }
new->exe = audit_mark;
return 0;
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index a4e7b16..e57e08a 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -94,7 +94,6 @@ struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pa
struct dentry *dentry;
struct inode *inode;
unsigned long ino;
- char *local_pathname;
dev_t dev;
int ret;
@@ -115,21 +114,15 @@ struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pa
ino = dentry->d_inode->i_ino;
}
- audit_mark = ERR_PTR(-ENOMEM);
- local_pathname = kstrdup(pathname, GFP_KERNEL);
- if (!local_pathname)
- goto out;
-
audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL);
if (unlikely(!audit_mark)) {
- kfree(local_pathname);
audit_mark = ERR_PTR(-ENOMEM);
goto out;
}
fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_free_mark);
audit_mark->mark.mask = AUDIT_FS_EVENTS;
- audit_mark->path = local_pathname;
+ audit_mark->path = pathname;
audit_mark->ino = ino;
audit_mark->dev = dev;
audit_mark->rule = krule;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f65c97f..f46ed69 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -559,8 +559,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
entry->rule.buflen += f->val;
audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
- kfree(str);
if (IS_ERR(audit_mark)) {
+ kfree(str);
err = PTR_ERR(audit_mark);
goto exit_free;
}
--
1.7.1
^ permalink raw reply related
* Re: [PATCH V6 0/4] audit by executable name
From: Steve Grubb @ 2015-07-15 12:28 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, pmoore, eparis
In-Reply-To: <cover.1436823321.git.rgb@redhat.com>
On Tuesday, July 14, 2015 11:50:22 AM Richard Guy Briggs wrote:
> Please see the accompanying userspace patchset:
> https://www.redhat.com/archives/linux-audit/2015-July/thread.html
> [[PATCH V2] 0/2] Log on the future execution of a path
> The userspace interface is not expected to change appreciably unless
> something important has been overlooked. Setting and deleting rules works
> as expected.
>
> If the path does not exist at rule creation time, it will be re-evaluated
> every time there is a change to the parent directory at which point the
> change in device and inode will be noted.
Thanks for doing this. Its a much needed feature.
In looking over it...does this add an AUDIT_VERSION_ define and use it in the
feature mask so that I can tell what kernels support this? I might have missed
it, but I can't find one.
Thanks,
-Steve
> Here's a sample run:
> Test for addition, trigger and deletion of tree executable rule:
> # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F
> key=exetest_tree ----
> time->Sat Jul 11 10:41:50 2015
> type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule"
> key="exetest_tree" list=4 res=1 ----
>
> # /usr/bin/touch /tmp/test
> ----
> time->Sat Jul 11 10:41:50 2015
> type=PROCTITLE msg=audit(1436629310.757:44712):
> proctitle=2F7573722F62696E2F746F756368002F746D702F74657374 type=PATH
> msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932
> dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH
> msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24
> mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
> nametype=PARENT type=CWD msg=audit(1436629310.757:44712): cwd="/root"
> type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2
> success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655
> pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key="exetest_tree" ----
>
> # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F
> key=exetest_tree ----
> time->Sat Jul 11 10:41:50 2015
> type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule"
> key="exetest_tree" list=4 res=1 ----
>
>
> Revision history:
> v6: Explicitly declare prototypes as external.
> Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch,
> lsm_field. Rebased on v4.1.
> Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
> audit_autoremove_mark_rule() to avoid confusion with
> audit_remove_{watch,tree}_rule() usage.
> Add audit_remove_mark_rule() to provide similar interface as
> audit_remove_{watch,tree}_rule().
> Simplify stubs to defines.
> Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
> keeping with the naming convention of inotify_free_mark(),
> dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
> Return -ENOMEM rather than null in case of memory allocation failure for
> audit_mark in audit_alloc_mark().
> Rename audit_free_mark() to audit_mark_free() to avoid association with
> {i,d,fa}notify_free_mark() and audit_watch_free_mark().
> Clean up exe with similar interface as watch and tree.
> Clean up audit exe mark just before audit_free_rule() rather than in it
> to avoid mutex in software interrupt context.
> Fixed bug in audit_dupe_exe() that returned error rather than valid
> pointer.
>
> v5: Revert patch "Let audit_free_rule() take care of calling
> audit_remove_mark()." since it caused a group mark deadlock.
> https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
>
> v4: Re-order and squash down fixups
> Fix audit_dup_exe() to copy pathname string before calling
> audit_alloc_mark().
> https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
>
> v3: Rationalize and rename some function names and clean up get/put and free
> code. Rename several "watch" references to "mark".
> Rename audit_remove_rule() to audit_remove_mark_rule().
> Let audit_free_rule() take care of calling audit_remove_mark().
> Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> Move the access to the entry for audit_match_signal() to the beginning of
> the function in case the entry found is the same one passed in. This will
> enable it to be used by audit_remove_mark_rule().
> https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
>
> v2: Misguided attempt to add in audit_exe similar to watches
> https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
>
> v1.5: eparis' switch to fsnotify
> https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
>
> v1: Change to path interface instead of inode
> https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
>
> v0: Peter Moodie's original patches
> https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
>
>
> Future step:
> Get full-path notify working.
>
>
> Eric Paris (1):
> audit: implement audit by executable
>
> Richard Guy Briggs (3):
> audit: clean simple fsnotify implementation
> audit: convert audit_exe to audit_fsnotify
> audit: avoid double copying the audit_exe path string
>
> include/linux/audit.h | 1 +
> include/uapi/linux/audit.h | 2 +
> kernel/Makefile | 2 +-
> kernel/audit.h | 33 ++++++
> kernel/audit_exe.c | 50 +++++++++
> kernel/audit_fsnotify.c | 246
> ++++++++++++++++++++++++++++++++++++++++++++ kernel/audit_tree.c |
> 2 +
> kernel/audit_watch.c | 4 +
> kernel/auditfilter.c | 63 +++++++++++-
> kernel/auditsc.c | 16 +++
> 10 files changed, 415 insertions(+), 4 deletions(-)
> create mode 100644 kernel/audit_exe.c
> create mode 100644 kernel/audit_fsnotify.c
^ permalink raw reply
* Re: [PATCH V6 0/4] audit by executable name
From: Richard Guy Briggs @ 2015-07-15 18:23 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, linux-kernel, pmoore, eparis
In-Reply-To: <2290951.jxBbQJQ7l8@x2>
On 15/07/15, Steve Grubb wrote:
> On Tuesday, July 14, 2015 11:50:22 AM Richard Guy Briggs wrote:
> > Please see the accompanying userspace patchset:
> > https://www.redhat.com/archives/linux-audit/2015-July/thread.html
> > [[PATCH V2] 0/2] Log on the future execution of a path
> > The userspace interface is not expected to change appreciably unless
> > something important has been overlooked. Setting and deleting rules works
> > as expected.
> >
> > If the path does not exist at rule creation time, it will be re-evaluated
> > every time there is a change to the parent directory at which point the
> > change in device and inode will be noted.
>
> Thanks for doing this. Its a much needed feature.
>
> In looking over it...does this add an AUDIT_VERSION_ define and use it in the
> feature mask so that I can tell what kernels support this? I might have missed
> it, but I can't find one.
Ah, thanks for catching that! I thought about it several times and even
backported the infrastructure. :-P
> -Steve
>
> > Here's a sample run:
> > Test for addition, trigger and deletion of tree executable rule:
> > # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F
> > key=exetest_tree ----
> > time->Sat Jul 11 10:41:50 2015
> > type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule"
> > key="exetest_tree" list=4 res=1 ----
> >
> > # /usr/bin/touch /tmp/test
> > ----
> > time->Sat Jul 11 10:41:50 2015
> > type=PROCTITLE msg=audit(1436629310.757:44712):
> > proctitle=2F7573722F62696E2F746F756368002F746D702F74657374 type=PATH
> > msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932
> > dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00
> > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH
> > msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24
> > mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
> > nametype=PARENT type=CWD msg=audit(1436629310.757:44712): cwd="/root"
> > type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2
> > success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655
> > pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key="exetest_tree" ----
> >
> > # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F
> > key=exetest_tree ----
> > time->Sat Jul 11 10:41:50 2015
> > type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule"
> > key="exetest_tree" list=4 res=1 ----
> >
> >
> > Revision history:
> > v6: Explicitly declare prototypes as external.
> > Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch,
> > lsm_field. Rebased on v4.1.
> > Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
> > audit_autoremove_mark_rule() to avoid confusion with
> > audit_remove_{watch,tree}_rule() usage.
> > Add audit_remove_mark_rule() to provide similar interface as
> > audit_remove_{watch,tree}_rule().
> > Simplify stubs to defines.
> > Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
> > keeping with the naming convention of inotify_free_mark(),
> > dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
> > Return -ENOMEM rather than null in case of memory allocation failure for
> > audit_mark in audit_alloc_mark().
> > Rename audit_free_mark() to audit_mark_free() to avoid association with
> > {i,d,fa}notify_free_mark() and audit_watch_free_mark().
> > Clean up exe with similar interface as watch and tree.
> > Clean up audit exe mark just before audit_free_rule() rather than in it
> > to avoid mutex in software interrupt context.
> > Fixed bug in audit_dupe_exe() that returned error rather than valid
> > pointer.
> >
> > v5: Revert patch "Let audit_free_rule() take care of calling
> > audit_remove_mark()." since it caused a group mark deadlock.
> > https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
> >
> > v4: Re-order and squash down fixups
> > Fix audit_dup_exe() to copy pathname string before calling
> > audit_alloc_mark().
> > https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
> >
> > v3: Rationalize and rename some function names and clean up get/put and free
> > code. Rename several "watch" references to "mark".
> > Rename audit_remove_rule() to audit_remove_mark_rule().
> > Let audit_free_rule() take care of calling audit_remove_mark().
> > Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> > Move the access to the entry for audit_match_signal() to the beginning of
> > the function in case the entry found is the same one passed in. This will
> > enable it to be used by audit_remove_mark_rule().
> > https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
> >
> > v2: Misguided attempt to add in audit_exe similar to watches
> > https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
> >
> > v1.5: eparis' switch to fsnotify
> > https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> > https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
> >
> > v1: Change to path interface instead of inode
> > https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
> >
> > v0: Peter Moodie's original patches
> > https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
> >
> >
> > Future step:
> > Get full-path notify working.
> >
> >
> > Eric Paris (1):
> > audit: implement audit by executable
> >
> > Richard Guy Briggs (3):
> > audit: clean simple fsnotify implementation
> > audit: convert audit_exe to audit_fsnotify
> > audit: avoid double copying the audit_exe path string
> >
> > include/linux/audit.h | 1 +
> > include/uapi/linux/audit.h | 2 +
> > kernel/Makefile | 2 +-
> > kernel/audit.h | 33 ++++++
> > kernel/audit_exe.c | 50 +++++++++
> > kernel/audit_fsnotify.c | 246
> > ++++++++++++++++++++++++++++++++++++++++++++ kernel/audit_tree.c |
> > 2 +
> > kernel/audit_watch.c | 4 +
> > kernel/auditfilter.c | 63 +++++++++++-
> > kernel/auditsc.c | 16 +++
> > 10 files changed, 415 insertions(+), 4 deletions(-)
> > create mode 100644 kernel/audit_exe.c
> > create mode 100644 kernel/audit_fsnotify.c
>
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* Re: [PATCH 1/5] Enable cross compiling
From: Steve Grubb @ 2015-07-15 20:38 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1432818249-17692-2-git-send-email-clayton.shotwell@rockwellcollins.com>
On Thursday, May 28, 2015 08:04:05 AM Clayton Shotwell wrote:
> During the audit build, several lookup tables are generated as header
> files that are then linked in with the executables. This process is done
> by a C application that needs to be able to be run on the host. The
> current Makfile structure tries to build these executables for the
> target instead of the host where they cannot be executed. This patch
> reworks the Makefile structure to build for the correct platform.
>
> This patch is a rework of a patch posted to the audit mailing list at
> the link below.
> https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html
>
> The ax_prog_cc_for_build.m4 file was obtained from GNU at the link
> below.
> http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
This patch causes a problem during a normal build:
Making all in lib
make[2]: Entering directory '/home/sgrubb/working/BUILD/audit-2.4.3/lib'
make[2]: *** No rule to make target 'gen_tables.c', needed by
'gen_actiontabs_h'. Stop.
-Steve
^ permalink raw reply
* Re: [PATCH 0/5] Audit Cross Compile Fixes
From: Steve Grubb @ 2015-07-15 20:55 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1432818249-17692-1-git-send-email-clayton.shotwell@rockwellcollins.com>
On Thursday, May 28, 2015 08:04:04 AM Clayton Shotwell wrote:
> The following are 5 patches that I have been working on for a while to
<snip>
> Any feedback would be greatly appreciated.
>
> Clayton Shotwell (5):
> Enable cross compiling
> Make zos-remote plugin optional
> Default ADDR_NO_RANDOMIZE if not found
> Do not call posix_fallocate() if unavailable
> Fix header detection when cross compiling
I applied 2 - 5. Thanks!
-Steve
^ permalink raw reply
* Audit class/lab
From: Steve Grubb @ 2015-07-15 22:19 UTC (permalink / raw)
To: linux-audit
Hello,
I normally don't put the word out about speeches I give, or things like that.
But I am going to be teaching a hands-on audit class to demonstrate how to
configure, setup rules, and do searching and reporting using the native linux
audit tools.
The lab will be part of the Defence in Depth conference in Washington (Tyson's
Cormers, VA) on Sept 1. Its free, you just have to register. More info:
http://www.redhat.com/en/about/events/2015-defense-depth
I will be going over new features that aids insider threat detection and signs
of intrusion in addition to basics. Bring your questions and problems, let's
talk.
-Steve
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox