* [PATCH 08/15] tty: audit: Track tty association with dev_t
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
Use dev_t instead of separate major/minor fields to track tty
audit buffer association.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 32 ++++++++++++++------------------
1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6b82c3c..50380d8 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -16,7 +16,7 @@
struct tty_audit_buf {
atomic_t count;
struct mutex mutex; /* Protects all data below */
- int major, minor; /* The TTY which the data is from */
+ dev_t dev; /* The TTY which the data is from */
unsigned icanon:1;
size_t valid;
unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */
@@ -34,8 +34,7 @@ static struct tty_audit_buf *tty_audit_buf_alloc(void)
goto err_buf;
atomic_set(&buf->count, 1);
mutex_init(&buf->mutex);
- buf->major = 0;
- buf->minor = 0;
+ buf->dev = MKDEV(0, 0);
buf->icanon = 0;
buf->valid = 0;
return buf;
@@ -59,7 +58,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
tty_audit_buf_free(buf);
}
-static void tty_audit_log(const char *description, int major, int minor,
+static void tty_audit_log(const char *description, dev_t dev,
unsigned char *data, size_t size)
{
struct audit_buffer *ab;
@@ -75,7 +74,7 @@ static void tty_audit_log(const char *description, int major, int minor,
audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u major=%d"
" minor=%d comm=", description, pid, uid,
- loginuid, sessionid, major, minor);
+ loginuid, sessionid, MAJOR(dev), MINOR(dev));
get_task_comm(name, tsk);
audit_log_untrustedstring(ab, name);
audit_log_format(ab, " data=");
@@ -98,7 +97,7 @@ static void tty_audit_buf_push(struct tty_audit_buf *buf)
buf->valid = 0;
return;
}
- tty_audit_log("tty", buf->major, buf->minor, buf->data, buf->valid);
+ tty_audit_log("tty", buf->dev, buf->data, buf->valid);
buf->valid = 0;
}
@@ -141,7 +140,8 @@ void tty_audit_fork(struct signal_struct *sig)
void tty_audit_tiocsti(struct tty_struct *tty, char ch)
{
struct tty_audit_buf *buf;
- int major, minor, should_audit;
+ dev_t dev;
+ int should_audit;
unsigned long flags;
spin_lock_irqsave(¤t->sighand->siglock, flags);
@@ -151,11 +151,10 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
atomic_inc(&buf->count);
spin_unlock_irqrestore(¤t->sighand->siglock, flags);
- major = tty->driver->major;
- minor = tty->driver->minor_start + tty->index;
+ dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
if (buf) {
mutex_lock(&buf->mutex);
- if (buf->major == major && buf->minor == minor)
+ if (buf->dev == dev)
tty_audit_buf_push(buf);
mutex_unlock(&buf->mutex);
tty_audit_buf_put(buf);
@@ -167,7 +166,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
- tty_audit_log("ioctl=TIOCSTI", major, minor, &ch, 1);
+ tty_audit_log("ioctl=TIOCSTI", dev, &ch, 1);
}
}
@@ -260,10 +259,10 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
{
struct tty_audit_buf *buf;
- int major, minor;
int audit_log_tty_passwd;
unsigned long flags;
unsigned int icanon = !!L_ICANON(tty);
+ dev_t dev;
if (unlikely(size == 0))
return;
@@ -283,13 +282,10 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
return;
mutex_lock(&buf->mutex);
- major = tty->driver->major;
- minor = tty->driver->minor_start + tty->index;
- if (buf->major != major || buf->minor != minor
- || buf->icanon != icanon) {
+ dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
+ if (buf->dev != dev || buf->icanon != icanon) {
tty_audit_buf_push(buf);
- buf->major = major;
- buf->minor = minor;
+ buf->dev = dev;
buf->icanon = icanon;
}
do {
--
2.6.3
^ permalink raw reply related
* [PATCH 09/15] tty: audit: Handle tty audit enable atomically
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Peter Zijlstra, Ingo Molnar, linux-audit, Jiri Slaby,
Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
The audit_tty and audit_tty_log_passwd fields are actually bool
values, so merge into single memory location to access atomically.
NB: audit log operations may still occur after tty audit is disabled
which is consistent with the existing functionality
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 53 ++++++++++++++++++++-----------------------------
include/linux/audit.h | 4 ++++
include/linux/sched.h | 1 -
kernel/audit.c | 25 +++++++++++------------
4 files changed, 38 insertions(+), 45 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 50380d8..3d90f88 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -131,7 +131,6 @@ void tty_audit_exit(void)
void tty_audit_fork(struct signal_struct *sig)
{
sig->audit_tty = current->signal->audit_tty;
- sig->audit_tty_log_passwd = current->signal->audit_tty_log_passwd;
}
/**
@@ -141,11 +140,9 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
{
struct tty_audit_buf *buf;
dev_t dev;
- int should_audit;
unsigned long flags;
spin_lock_irqsave(¤t->sighand->siglock, flags);
- should_audit = current->signal->audit_tty;
buf = current->signal->tty_audit_buf;
if (buf)
atomic_inc(&buf->count);
@@ -160,7 +157,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
tty_audit_buf_put(buf);
}
- if (should_audit && audit_enabled) {
+ if (audit_enabled && (current->signal->audit_tty & AUDIT_TTY_ENABLE)) {
kuid_t auid;
unsigned int sessionid;
@@ -177,29 +174,25 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
*/
int tty_audit_push(void)
{
- struct tty_audit_buf *buf = ERR_PTR(-EPERM);
+ struct tty_audit_buf *buf;
unsigned long flags;
+ if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
+ return -EPERM;
+
spin_lock_irqsave(¤t->sighand->siglock, flags);
- if (current->signal->audit_tty) {
- buf = current->signal->tty_audit_buf;
- if (buf)
- atomic_inc(&buf->count);
- }
+ buf = current->signal->tty_audit_buf;
+ if (buf)
+ atomic_inc(&buf->count);
spin_unlock_irqrestore(¤t->sighand->siglock, flags);
- /*
- * Return 0 when signal->audit_tty set
- * but current->signal->tty_audit_buf == NULL.
- */
- if (!buf || IS_ERR(buf))
- return PTR_ERR(buf);
-
- mutex_lock(&buf->mutex);
- tty_audit_buf_push(buf);
- mutex_unlock(&buf->mutex);
+ if (buf) {
+ mutex_lock(&buf->mutex);
+ tty_audit_buf_push(buf);
+ mutex_unlock(&buf->mutex);
- tty_audit_buf_put(buf);
+ tty_audit_buf_put(buf);
+ }
return 0;
}
@@ -218,8 +211,6 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
buf = NULL;
buf2 = NULL;
spin_lock_irqsave(¤t->sighand->siglock, flags);
- if (likely(!current->signal->audit_tty))
- goto out;
buf = current->signal->tty_audit_buf;
if (buf) {
atomic_inc(&buf->count);
@@ -233,9 +224,10 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
return NULL;
}
- spin_lock_irqsave(¤t->sighand->siglock, flags);
- if (!current->signal->audit_tty)
+ if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
goto out;
+
+ spin_lock_irqsave(¤t->sighand->siglock, flags);
buf = current->signal->tty_audit_buf;
if (!buf) {
current->signal->tty_audit_buf = buf2;
@@ -259,9 +251,8 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
{
struct tty_audit_buf *buf;
- int audit_log_tty_passwd;
- unsigned long flags;
unsigned int icanon = !!L_ICANON(tty);
+ unsigned int audit_tty;
dev_t dev;
if (unlikely(size == 0))
@@ -271,10 +262,10 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
&& tty->driver->subtype == PTY_TYPE_MASTER)
return;
- spin_lock_irqsave(¤t->sighand->siglock, flags);
- audit_log_tty_passwd = current->signal->audit_tty_log_passwd;
- spin_unlock_irqrestore(¤t->sighand->siglock, flags);
- if (!audit_log_tty_passwd && icanon && !L_ECHO(tty))
+ audit_tty = READ_ONCE(current->signal->audit_tty);
+ if (~audit_tty & AUDIT_TTY_ENABLE)
+ return;
+ if ((~audit_tty & AUDIT_TTY_LOG_PASSWD) && icanon && !L_ECHO(tty))
return;
buf = tty_audit_buf_get();
diff --git a/include/linux/audit.h b/include/linux/audit.h
index b2abc99..5ef8862 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -109,6 +109,10 @@ extern int audit_classify_compat_syscall(int abi, unsigned syscall);
/* maximized args number that audit_socketcall can process */
#define AUDITSC_ARGS 6
+/* bit values for ->signal->audit_tty */
+#define AUDIT_TTY_ENABLE BIT(0)
+#define AUDIT_TTY_LOG_PASSWD BIT(1)
+
struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
diff --git a/include/linux/sched.h b/include/linux/sched.h
index b7b9501..cd1c0a8 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -759,7 +759,6 @@ struct signal_struct {
#endif
#ifdef CONFIG_AUDIT
unsigned audit_tty;
- unsigned audit_tty_log_passwd;
struct tty_audit_buf *tty_audit_buf;
#endif
#ifdef CONFIG_CGROUPS
diff --git a/kernel/audit.c b/kernel/audit.c
index 63f87aa..ce83589 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1017,20 +1017,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
case AUDIT_TTY_GET: {
struct audit_tty_status s;
- struct task_struct *tsk = current;
+ unsigned int t;
- spin_lock(&tsk->sighand->siglock);
- s.enabled = tsk->signal->audit_tty;
- s.log_passwd = tsk->signal->audit_tty_log_passwd;
- spin_unlock(&tsk->sighand->siglock);
+ t = READ_ONCE(current->signal->audit_tty);
+ s.enabled = t & AUDIT_TTY_ENABLE;
+ s.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
break;
}
case AUDIT_TTY_SET: {
struct audit_tty_status s, old;
- struct task_struct *tsk = current;
struct audit_buffer *ab;
+ unsigned int t;
memset(&s, 0, sizeof(s));
/* guard against past and future API changes */
@@ -1040,14 +1039,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
(s.log_passwd != 0 && s.log_passwd != 1))
err = -EINVAL;
- spin_lock(&tsk->sighand->siglock);
- old.enabled = tsk->signal->audit_tty;
- old.log_passwd = tsk->signal->audit_tty_log_passwd;
- if (!err) {
- tsk->signal->audit_tty = s.enabled;
- tsk->signal->audit_tty_log_passwd = s.log_passwd;
+ if (err)
+ t = READ_ONCE(current->signal->audit_tty);
+ else {
+ t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD);
+ t = xchg(¤t->signal->audit_tty, t);
}
- spin_unlock(&tsk->sighand->siglock);
+ old.enabled = t & AUDIT_TTY_ENABLE;
+ old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
--
2.6.3
^ permalink raw reply related
* [PATCH 10/15] tty: audit: Remove false memory optimization
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
The tty audit buffer is allocated at first use and not freed until
the process exits. If tty audit is turned off after the audit buffer
has been allocated, no effort is made to release the buffer.
So re-checking if tty audit has just been turned off when tty audit
was just on is false optimization; the likelihood of triggering this
condition is exceedingly small.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 3d90f88..7943984 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -200,8 +200,7 @@ int tty_audit_push(void)
* tty_audit_buf_get - Get an audit buffer.
*
* Get an audit buffer, allocate it if necessary. Return %NULL
- * if TTY auditing is disabled or out of memory. Otherwise, return a new
- * reference to the buffer.
+ * if out of memory. Otherwise, return a new reference to the buffer.
*/
static struct tty_audit_buf *tty_audit_buf_get(void)
{
@@ -224,9 +223,6 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
return NULL;
}
- if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
- goto out;
-
spin_lock_irqsave(¤t->sighand->siglock, flags);
buf = current->signal->tty_audit_buf;
if (!buf) {
--
2.6.3
^ permalink raw reply related
* [PATCH 11/15] tty: audit: Remove tty_audit_buf reference counting
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Oleg Nesterov, linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
When tty_audit_exit() is called from do_exit(), the process is
single-threaded. Since the tty_audit_buf is only shared by threads
of a process, no other thread can be concurrently accessing the
tty_audit_buf during or after tty_audit_exit().
Thus, no other thread can be holding an extra tty_audit_buf reference
which would prevent tty_audit_exit() from freeing the tty_audit_buf.
As that is the only purpose of the ref counting, remove the reference
counting and free the tty_audit_buf directly.
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 47 +++++++----------------------------------------
1 file changed, 7 insertions(+), 40 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 7943984..71ba8ba 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -14,7 +14,6 @@
#include <linux/tty.h>
struct tty_audit_buf {
- atomic_t count;
struct mutex mutex; /* Protects all data below */
dev_t dev; /* The TTY which the data is from */
unsigned icanon:1;
@@ -32,7 +31,6 @@ static struct tty_audit_buf *tty_audit_buf_alloc(void)
buf->data = kmalloc(N_TTY_BUF_SIZE, GFP_KERNEL);
if (!buf->data)
goto err_buf;
- atomic_set(&buf->count, 1);
mutex_init(&buf->mutex);
buf->dev = MKDEV(0, 0);
buf->icanon = 0;
@@ -52,12 +50,6 @@ static void tty_audit_buf_free(struct tty_audit_buf *buf)
kfree(buf);
}
-static void tty_audit_buf_put(struct tty_audit_buf *buf)
-{
- if (atomic_dec_and_test(&buf->count))
- tty_audit_buf_free(buf);
-}
-
static void tty_audit_log(const char *description, dev_t dev,
unsigned char *data, size_t size)
{
@@ -106,6 +98,9 @@ static void tty_audit_buf_push(struct tty_audit_buf *buf)
*
* Make sure all buffered data is written out and deallocate the buffer.
* Only needs to be called if current->signal->tty_audit_buf != %NULL.
+ *
+ * The process is single-threaded at this point; no other threads share
+ * current->signal.
*/
void tty_audit_exit(void)
{
@@ -116,11 +111,8 @@ void tty_audit_exit(void)
if (!buf)
return;
- mutex_lock(&buf->mutex);
tty_audit_buf_push(buf);
- mutex_unlock(&buf->mutex);
-
- tty_audit_buf_put(buf);
+ tty_audit_buf_free(buf);
}
/**
@@ -140,21 +132,14 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
{
struct tty_audit_buf *buf;
dev_t dev;
- unsigned long flags;
-
- spin_lock_irqsave(¤t->sighand->siglock, flags);
- buf = current->signal->tty_audit_buf;
- if (buf)
- atomic_inc(&buf->count);
- spin_unlock_irqrestore(¤t->sighand->siglock, flags);
dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
+ buf = current->signal->tty_audit_buf;
if (buf) {
mutex_lock(&buf->mutex);
if (buf->dev == dev)
tty_audit_buf_push(buf);
mutex_unlock(&buf->mutex);
- tty_audit_buf_put(buf);
}
if (audit_enabled && (current->signal->audit_tty & AUDIT_TTY_ENABLE)) {
@@ -175,23 +160,15 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
int tty_audit_push(void)
{
struct tty_audit_buf *buf;
- unsigned long flags;
if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
return -EPERM;
- spin_lock_irqsave(¤t->sighand->siglock, flags);
buf = current->signal->tty_audit_buf;
- if (buf)
- atomic_inc(&buf->count);
- spin_unlock_irqrestore(¤t->sighand->siglock, flags);
-
if (buf) {
mutex_lock(&buf->mutex);
tty_audit_buf_push(buf);
mutex_unlock(&buf->mutex);
-
- tty_audit_buf_put(buf);
}
return 0;
}
@@ -207,15 +184,9 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
struct tty_audit_buf *buf, *buf2;
unsigned long flags;
- buf = NULL;
- buf2 = NULL;
- spin_lock_irqsave(¤t->sighand->siglock, flags);
buf = current->signal->tty_audit_buf;
- if (buf) {
- atomic_inc(&buf->count);
- goto out;
- }
- spin_unlock_irqrestore(¤t->sighand->siglock, flags);
+ if (buf)
+ return buf;
buf2 = tty_audit_buf_alloc();
if (buf2 == NULL) {
@@ -230,9 +201,6 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
buf = buf2;
buf2 = NULL;
}
- atomic_inc(&buf->count);
- /* Fall through */
- out:
spin_unlock_irqrestore(¤t->sighand->siglock, flags);
if (buf2)
tty_audit_buf_free(buf2);
@@ -289,5 +257,4 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
tty_audit_buf_push(buf);
} while (size != 0);
mutex_unlock(&buf->mutex);
- tty_audit_buf_put(buf);
}
--
2.6.3
^ permalink raw reply related
* [PATCH 12/15] tty: audit: Simplify first-use allocation
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
The first-use tty audit buffer allocation is a potential race
amongst multiple attempts at 'first-use'; only one 'winner' is
acceptable.
The successful buffer assignment occurs if tty_audit_buf == NULL
(which will also be the return from cmpxchg()); otherwise, another
racer 'won' and this buffer allocation is freed.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 71ba8ba..6e33e41 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -181,30 +181,22 @@ int tty_audit_push(void)
*/
static struct tty_audit_buf *tty_audit_buf_get(void)
{
- struct tty_audit_buf *buf, *buf2;
- unsigned long flags;
+ struct tty_audit_buf *buf;
buf = current->signal->tty_audit_buf;
if (buf)
return buf;
- buf2 = tty_audit_buf_alloc();
- if (buf2 == NULL) {
+ buf = tty_audit_buf_alloc();
+ if (buf == NULL) {
audit_log_lost("out of memory in TTY auditing");
return NULL;
}
- spin_lock_irqsave(¤t->sighand->siglock, flags);
- buf = current->signal->tty_audit_buf;
- if (!buf) {
- current->signal->tty_audit_buf = buf2;
- buf = buf2;
- buf2 = NULL;
- }
- spin_unlock_irqrestore(¤t->sighand->siglock, flags);
- if (buf2)
- tty_audit_buf_free(buf2);
- return buf;
+ /* Race to use this buffer, free it if another wins */
+ if (cmpxchg(¤t->signal->tty_audit_buf, NULL, buf) != NULL)
+ tty_audit_buf_free(buf);
+ return current->signal->tty_audit_buf;
}
/**
--
2.6.3
^ permalink raw reply related
* [PATCH 13/15] tty: audit: Check audit enable first
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
Audit is unlikely to be enabled; check first to exit asap.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6e33e41..269e41f 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -211,6 +211,10 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
unsigned int audit_tty;
dev_t dev;
+ audit_tty = READ_ONCE(current->signal->audit_tty);
+ if (~audit_tty & AUDIT_TTY_ENABLE)
+ return;
+
if (unlikely(size == 0))
return;
@@ -218,9 +222,6 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
&& tty->driver->subtype == PTY_TYPE_MASTER)
return;
- audit_tty = READ_ONCE(current->signal->audit_tty);
- if (~audit_tty & AUDIT_TTY_ENABLE)
- return;
if ((~audit_tty & AUDIT_TTY_LOG_PASSWD) && icanon && !L_ECHO(tty))
return;
--
2.6.3
^ permalink raw reply related
* [PATCH 14/15] tty: audit: Always push audit buffer before TIOCSTI
From: Peter Hurley @ 2015-11-11 2:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
The data read from another tty may be relevant to the action of
the TIOCSTI ioctl; log the audit buffer immediately.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 269e41f..fa461dc 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -130,19 +130,13 @@ void tty_audit_fork(struct signal_struct *sig)
*/
void tty_audit_tiocsti(struct tty_struct *tty, char ch)
{
- struct tty_audit_buf *buf;
dev_t dev;
dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
- buf = current->signal->tty_audit_buf;
- if (buf) {
- mutex_lock(&buf->mutex);
- if (buf->dev == dev)
- tty_audit_buf_push(buf);
- mutex_unlock(&buf->mutex);
- }
+ if (tty_audit_push())
+ return;
- if (audit_enabled && (current->signal->audit_tty & AUDIT_TTY_ENABLE)) {
+ if (audit_enabled) {
kuid_t auid;
unsigned int sessionid;
--
2.6.3
^ permalink raw reply related
* [PATCH 15/15] tty: audit: Poison tty_audit_buf while process exits
From: Peter Hurley @ 2015-11-11 2:06 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-audit, Jiri Slaby, Peter Hurley
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
Warn if tty_audit_buf use is attempted after tty_audit_exit() has
already freed it.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_audit.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index fa461dc..66d53fc 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -21,6 +21,15 @@ struct tty_audit_buf {
unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */
};
+static struct tty_audit_buf *tty_audit_buf_ref(void)
+{
+ struct tty_audit_buf *buf;
+
+ buf = current->signal->tty_audit_buf;
+ WARN_ON(buf == ERR_PTR(-ESRCH));
+ return buf;
+}
+
static struct tty_audit_buf *tty_audit_buf_alloc(void)
{
struct tty_audit_buf *buf;
@@ -106,8 +115,7 @@ void tty_audit_exit(void)
{
struct tty_audit_buf *buf;
- buf = current->signal->tty_audit_buf;
- current->signal->tty_audit_buf = NULL;
+ buf = xchg(¤t->signal->tty_audit_buf, ERR_PTR(-ESRCH));
if (!buf)
return;
@@ -158,8 +166,8 @@ int tty_audit_push(void)
if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
return -EPERM;
- buf = current->signal->tty_audit_buf;
- if (buf) {
+ buf = tty_audit_buf_ref();
+ if (!IS_ERR_OR_NULL(buf)) {
mutex_lock(&buf->mutex);
tty_audit_buf_push(buf);
mutex_unlock(&buf->mutex);
@@ -171,13 +179,14 @@ int tty_audit_push(void)
* tty_audit_buf_get - Get an audit buffer.
*
* Get an audit buffer, allocate it if necessary. Return %NULL
- * if out of memory. Otherwise, return a new reference to the buffer.
+ * if out of memory or ERR_PTR(-ESRCH) if tty_audit_exit() has already
+ * occurred. Otherwise, return a new reference to the buffer.
*/
static struct tty_audit_buf *tty_audit_buf_get(void)
{
struct tty_audit_buf *buf;
- buf = current->signal->tty_audit_buf;
+ buf = tty_audit_buf_ref();
if (buf)
return buf;
@@ -190,7 +199,7 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
/* Race to use this buffer, free it if another wins */
if (cmpxchg(¤t->signal->tty_audit_buf, NULL, buf) != NULL)
tty_audit_buf_free(buf);
- return current->signal->tty_audit_buf;
+ return tty_audit_buf_ref();
}
/**
@@ -220,7 +229,7 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
return;
buf = tty_audit_buf_get();
- if (!buf)
+ if (IS_ERR_OR_NULL(buf))
return;
mutex_lock(&buf->mutex);
--
2.6.3
^ permalink raw reply related
* Re: [PATCH 03/15] tty: audit: Remove icanon mode from call chain
From: Richard Guy Briggs @ 2015-11-12 19:10 UTC (permalink / raw)
To: Peter Hurley; +Cc: Greg Kroah-Hartman, linux-audit, Jiri Slaby
In-Reply-To: <1447207560-16410-4-git-send-email-peter@hurleysoftware.com>
On 15/11/10, Peter Hurley wrote:
> The tty termios bits cannot change while n_tty_read() is in the
> i/o loop; the termios_rwsem ensures mutual exclusion with termios
> changes in n_tty_set_termios(). Check L_ICANON() directly and
> eliminate icanon parameter.
>
> NB: tty_audit_add_data() => tty_audit_buf_get() => tty_audit_buf_alloc()
> is a single path; ie., tty_audit_buf_get() and tty_audit_buf_alloc()
> have no other callers.
Which tree is this based on? I don't see where the first chunk applies.
> Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
> ---
> drivers/tty/n_tty.c | 6 +++---
> drivers/tty/tty_audit.c | 22 +++++++++-------------
> include/linux/tty.h | 4 ++--
> 3 files changed, 14 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index b09c0c1..a3ad312 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -163,7 +163,7 @@ static int tty_copy_to_user(struct tty_struct *tty, void __user *to,
> int uncopied;
>
> if (n > size) {
> - tty_audit_add_data(tty, from, size, ldata->icanon);
> + tty_audit_add_data(tty, from, size);
> uncopied = copy_to_user(to, from, size);
> if (uncopied)
> return uncopied;
> @@ -172,7 +172,7 @@ static int tty_copy_to_user(struct tty_struct *tty, void __user *to,
> from = ldata->read_buf;
> }
>
> - tty_audit_add_data(tty, from, n, ldata->icanon);
> + tty_audit_add_data(tty, from, n);
> return copy_to_user(to, from, n);
> }
>
> @@ -2008,7 +2008,7 @@ static int copy_from_read_buf(struct tty_struct *tty,
> retval = copy_to_user(*b, from, n);
> n -= retval;
> is_eof = n == 1 && *from == EOF_CHAR(tty);
> - tty_audit_add_data(tty, from, n, ldata->icanon);
> + tty_audit_add_data(tty, from, n);
> smp_store_release(&ldata->read_tail, ldata->read_tail + n);
> /* Turn single EOF into zero-length read */
> if (L_EXTPROC(tty) && ldata->icanon && is_eof &&
> diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
> index ead924e..d2a004a 100644
> --- a/drivers/tty/tty_audit.c
> +++ b/drivers/tty/tty_audit.c
> @@ -22,8 +22,7 @@ struct tty_audit_buf {
> unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */
> };
>
> -static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor,
> - unsigned icanon)
> +static struct tty_audit_buf *tty_audit_buf_alloc(struct tty_struct *tty)
> {
> struct tty_audit_buf *buf;
>
> @@ -35,9 +34,9 @@ static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor,
> goto err_buf;
> atomic_set(&buf->count, 1);
> mutex_init(&buf->mutex);
> - buf->major = major;
> - buf->minor = minor;
> - buf->icanon = icanon;
> + buf->major = tty->driver->major;
> + buf->minor = tty->driver->minor_start + tty->index;
> + buf->icanon = !!L_ICANON(tty);
> buf->valid = 0;
> return buf;
>
> @@ -216,8 +215,7 @@ int tty_audit_push_current(void)
> * if TTY auditing is disabled or out of memory. Otherwise, return a new
> * reference to the buffer.
> */
> -static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
> - unsigned icanon)
> +static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty)
> {
> struct tty_audit_buf *buf, *buf2;
> unsigned long flags;
> @@ -234,9 +232,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
> }
> spin_unlock_irqrestore(¤t->sighand->siglock, flags);
>
> - buf2 = tty_audit_buf_alloc(tty->driver->major,
> - tty->driver->minor_start + tty->index,
> - icanon);
> + buf2 = tty_audit_buf_alloc(tty);
> if (buf2 == NULL) {
> audit_log_lost("out of memory in TTY auditing");
> return NULL;
> @@ -265,13 +261,13 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
> *
> * Audit @data of @size from @tty, if necessary.
> */
> -void tty_audit_add_data(struct tty_struct *tty, const void *data,
> - size_t size, unsigned icanon)
> +void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
> {
> struct tty_audit_buf *buf;
> int major, minor;
> int audit_log_tty_passwd;
> unsigned long flags;
> + unsigned int icanon = !!L_ICANON(tty);
>
> if (unlikely(size == 0))
> return;
> @@ -286,7 +282,7 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data,
> if (!audit_log_tty_passwd && icanon && !L_ECHO(tty))
> return;
>
> - buf = tty_audit_buf_get(tty, icanon);
> + buf = tty_audit_buf_get(tty);
> if (!buf)
> return;
>
> diff --git a/include/linux/tty.h b/include/linux/tty.h
> index 70f3a9c1..f8a20a8 100644
> --- a/include/linux/tty.h
> +++ b/include/linux/tty.h
> @@ -603,7 +603,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops);
> /* tty_audit.c */
> #ifdef CONFIG_AUDIT
> extern void tty_audit_add_data(struct tty_struct *tty, const void *data,
> - size_t size, unsigned icanon);
> + size_t size);
> extern void tty_audit_exit(void);
> extern void tty_audit_fork(struct signal_struct *sig);
> extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
> @@ -611,7 +611,7 @@ extern void tty_audit_push(struct tty_struct *tty);
> extern int tty_audit_push_current(void);
> #else
> static inline void tty_audit_add_data(struct tty_struct *tty, const void *data,
> - size_t size, unsigned icanon)
> + size_t size)
> {
> }
> static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch)
> --
> 2.6.3
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* Re: [PATCH 03/15] tty: audit: Remove icanon mode from call chain
From: Peter Hurley @ 2015-11-12 19:58 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Greg Kroah-Hartman, linux-audit, Jiri Slaby
In-Reply-To: <20151112191032.GA24011@madcap2.tricolour.ca>
On 11/12/2015 02:10 PM, Richard Guy Briggs wrote:
> On 15/11/10, Peter Hurley wrote:
>> The tty termios bits cannot change while n_tty_read() is in the
>> i/o loop; the termios_rwsem ensures mutual exclusion with termios
>> changes in n_tty_set_termios(). Check L_ICANON() directly and
>> eliminate icanon parameter.
>>
>> NB: tty_audit_add_data() => tty_audit_buf_get() => tty_audit_buf_alloc()
>> is a single path; ie., tty_audit_buf_get() and tty_audit_buf_alloc()
>> have no other callers.
>
> Which tree is this based on? I don't see where the first chunk applies.
4.3
but this series requires a -stable fix [1] posted earlier but not in any
tree yet, which I noted in the cover-letter (was easy to overlook).
Regards,
Peter Hurley
[1] https://lkml.org/lkml/2015/11/8/133
^ permalink raw reply
* Re: [PATCH 03/15] tty: audit: Remove icanon mode from call chain
From: Richard Guy Briggs @ 2015-11-13 2:15 UTC (permalink / raw)
To: Peter Hurley; +Cc: Greg Kroah-Hartman, linux-audit, Jiri Slaby
In-Reply-To: <5644EF6D.2030103@hurleysoftware.com>
On 15/11/12, Peter Hurley wrote:
> On 11/12/2015 02:10 PM, Richard Guy Briggs wrote:
> > On 15/11/10, Peter Hurley wrote:
> >> The tty termios bits cannot change while n_tty_read() is in the
> >> i/o loop; the termios_rwsem ensures mutual exclusion with termios
> >> changes in n_tty_set_termios(). Check L_ICANON() directly and
> >> eliminate icanon parameter.
> >>
> >> NB: tty_audit_add_data() => tty_audit_buf_get() => tty_audit_buf_alloc()
> >> is a single path; ie., tty_audit_buf_get() and tty_audit_buf_alloc()
> >> have no other callers.
> >
> > Which tree is this based on? I don't see where the first chunk applies.
>
> 4.3
>
> but this series requires a -stable fix [1] posted earlier but not in any
> tree yet, which I noted in the cover-letter (was easy to overlook).
Ok, found it. It appears to also depend on "n_tty: Uninline
tty_copy_to_user()" [2] which I didn't see mentioned and can't find
upstream. Is that in an upstream tree?
> Regards,
> Peter Hurley
>
> [1] https://lkml.org/lkml/2015/11/8/133
[2] https://lkml.org/lkml/2015/11/8/146
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* Re: [PATCH 03/15] tty: audit: Remove icanon mode from call chain
From: Peter Hurley @ 2015-11-13 2:27 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Greg Kroah-Hartman, linux-audit, Jiri Slaby
In-Reply-To: <20151113021559.GB24011@madcap2.tricolour.ca>
On 11/12/2015 09:15 PM, Richard Guy Briggs wrote:
> On 15/11/12, Peter Hurley wrote:
>> On 11/12/2015 02:10 PM, Richard Guy Briggs wrote:
>>> On 15/11/10, Peter Hurley wrote:
>>>> The tty termios bits cannot change while n_tty_read() is in the
>>>> i/o loop; the termios_rwsem ensures mutual exclusion with termios
>>>> changes in n_tty_set_termios(). Check L_ICANON() directly and
>>>> eliminate icanon parameter.
>>>>
>>>> NB: tty_audit_add_data() => tty_audit_buf_get() => tty_audit_buf_alloc()
>>>> is a single path; ie., tty_audit_buf_get() and tty_audit_buf_alloc()
>>>> have no other callers.
>>>
>>> Which tree is this based on? I don't see where the first chunk applies.
>>
>> 4.3
>>
>> but this series requires a -stable fix [1] posted earlier but not in any
>> tree yet, which I noted in the cover-letter (was easy to overlook).
>
> Ok, found it. It appears to also depend on "n_tty: Uninline
> tty_copy_to_user()" [2] which I didn't see mentioned and can't find
> upstream.
Sorry, my bad; I overlooked that dependency.
> Is that in an upstream tree?
Not yet. That will end up in Greg's tty-next tree sometime shortly after
the merge window closes.
>> [1] https://lkml.org/lkml/2015/11/8/133
>
> [2] https://lkml.org/lkml/2015/11/8/146
^ permalink raw reply
* Re: [PATCH 00/15] Rework tty audit
From: Peter Hurley @ 2015-11-13 2:31 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Peter Zijlstra, Oleg Nesterov, Richard Guy Briggs, linux-audit,
Jiri Slaby, Ingo Molnar
In-Reply-To: <1447207560-16410-1-git-send-email-peter@hurleysoftware.com>
On 11/10/2015 09:05 PM, Peter Hurley wrote:
> Hi Greg,
>
> This patch series overhauls tty audit support. The goal was to simplify
> and speed up tty auditing, which was a significant performance hit even
> when disabled.
>
> The main features of this series are:
> * Remove reference counting; the purpose of reference counting the per-
> process tty_audit_buf was to prevent premature deletion if the
> buffer was in-use when tty auditing was exited for the process.
> However, since the process is single-threaded at tty_audit_exit(),
> the buffer cannot be in-use by another thread. Patch 11/15.
> * Remove functionally dead code, such as tty_put_user(). Patch 2/15.
> * Atomically modify tty audit enable/disable flags to support lockless
> read. Patch 9/15.
>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> for patch 9/15 which removes an audit field from the signal_struct.
>
> Cc: Oleg Nesterov <oleg@redhat.com>
> to confirm my understanding of the single-threadedness of
> if (group_dead) tty_audit_exit(), called from do_exit(). Patch 11/15
>
> Requires: "tty: audit: Fix audit source"
and as brought to my attention by Richard Guy Briggs also
Requires: "n_tty: Uninline tty_copy_to_user()"
Apologies for any inconvenience caused.
> Regards,
>
> Peter Hurley (15):
> tty: audit: Early-out pty master reads earlier
> tty: audit: Never audit packet mode
> tty: audit: Remove icanon mode from call chain
> tty: audit: Defer audit buffer association
> tty: audit: Take siglock directly
> tty: audit: Ignore current association for audit push
> tty: audit: Combine push functions
> tty: audit: Track tty association with dev_t
> tty: audit: Handle tty audit enable atomically
> tty: audit: Remove false memory optimization
> tty: audit: Remove tty_audit_buf reference counting
> tty: audit: Simplify first-use allocation
> tty: audit: Check audit enable first
> tty: audit: Always push audit buffer before TIOCSTI
> tty: audit: Poison tty_audit_buf while process exits
>
> drivers/tty/n_tty.c | 25 ++----
> drivers/tty/tty_audit.c | 231 ++++++++++++++----------------------------------
> include/linux/audit.h | 4 +
> include/linux/sched.h | 1 -
> include/linux/tty.h | 12 +--
> kernel/audit.c | 27 +++---
> 6 files changed, 97 insertions(+), 203 deletions(-)
>
^ permalink raw reply
* Re: [PATCH 03/15] tty: audit: Remove icanon mode from call chain
From: Richard Guy Briggs @ 2015-11-13 3:28 UTC (permalink / raw)
To: Peter Hurley; +Cc: Greg Kroah-Hartman, linux-audit, Jiri Slaby
In-Reply-To: <56454A7B.2030203@hurleysoftware.com>
On 15/11/12, Peter Hurley wrote:
> On 11/12/2015 09:15 PM, Richard Guy Briggs wrote:
> > On 15/11/12, Peter Hurley wrote:
> >> On 11/12/2015 02:10 PM, Richard Guy Briggs wrote:
> >>> On 15/11/10, Peter Hurley wrote:
> >>>> The tty termios bits cannot change while n_tty_read() is in the
> >>>> i/o loop; the termios_rwsem ensures mutual exclusion with termios
> >>>> changes in n_tty_set_termios(). Check L_ICANON() directly and
> >>>> eliminate icanon parameter.
> >>>>
> >>>> NB: tty_audit_add_data() => tty_audit_buf_get() => tty_audit_buf_alloc()
> >>>> is a single path; ie., tty_audit_buf_get() and tty_audit_buf_alloc()
> >>>> have no other callers.
> >>>
> >>> Which tree is this based on? I don't see where the first chunk applies.
> >>
> >> 4.3
> >>
> >> but this series requires a -stable fix [1] posted earlier but not in any
> >> tree yet, which I noted in the cover-letter (was easy to overlook).
> >
> > Ok, found it. It appears to also depend on "n_tty: Uninline
> > tty_copy_to_user()" [2] which I didn't see mentioned and can't find
> > upstream.
>
> Sorry, my bad; I overlooked that dependency.
Looks like it also depends on "n_tty: Clarify copy_from_read_buf()" [3].
Any more we should know about? Or should we just wait for GKH's tree?
> > Is that in an upstream tree?
>
> Not yet. That will end up in Greg's tty-next tree sometime shortly after
> the merge window closes.
>
> >> [1] https://lkml.org/lkml/2015/11/8/133
> >
> > [2] https://lkml.org/lkml/2015/11/8/146
[3] https://lkml.org/lkml/2015/11/8/145
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* [PATCH] kernel-audit: Delete unnecessary checks before two function calls
From: SF Markus Elfring @ 2015-11-15 11:42 UTC (permalink / raw)
To: Eric Paris, Paul Moore, linux-audit; +Cc: LKML, kernel-janitors, Julia Lawall
In-Reply-To: <5317A59D.4@users.sourceforge.net>
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Sun, 15 Nov 2015 12:38:33 +0100
The functions consume_skb() and kfree_skb() test whether their argument
is NULL and then return immediately.
Thus the tests around their calls are not needed.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
kernel/audit.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 5ffcbd3..1e8e228 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -509,8 +509,7 @@ static void flush_hold_queue(void)
* if auditd just disappeared but we
* dequeued an skb we need to drop ref
*/
- if (skb)
- consume_skb(skb);
+ consume_skb(skb);
}
static int kauditd_thread(void *dummy)
@@ -1232,9 +1231,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
if (!ab)
return;
- if (ab->skb)
- kfree_skb(ab->skb);
-
+ kfree_skb(ab->skb);
spin_lock_irqsave(&audit_freelist_lock, flags);
if (audit_freelist_count > AUDIT_MAXFREE)
kfree(ab);
--
2.6.2
^ permalink raw reply related
* Re: [PATCH 03/15] tty: audit: Remove icanon mode from call chain
From: Peter Hurley @ 2015-11-16 13:25 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Greg Kroah-Hartman, linux-audit, Jiri Slaby
In-Reply-To: <20151113032857.GC24011@madcap2.tricolour.ca>
On 11/12/2015 10:28 PM, Richard Guy Briggs wrote:
> On 15/11/12, Peter Hurley wrote:
>> On 11/12/2015 09:15 PM, Richard Guy Briggs wrote:
>>> On 15/11/12, Peter Hurley wrote:
>>>> On 11/12/2015 02:10 PM, Richard Guy Briggs wrote:
>>>>> On 15/11/10, Peter Hurley wrote:
>>>>>> The tty termios bits cannot change while n_tty_read() is in the
>>>>>> i/o loop; the termios_rwsem ensures mutual exclusion with termios
>>>>>> changes in n_tty_set_termios(). Check L_ICANON() directly and
>>>>>> eliminate icanon parameter.
>>>>>>
>>>>>> NB: tty_audit_add_data() => tty_audit_buf_get() => tty_audit_buf_alloc()
>>>>>> is a single path; ie., tty_audit_buf_get() and tty_audit_buf_alloc()
>>>>>> have no other callers.
>>>>>
>>>>> Which tree is this based on? I don't see where the first chunk applies.
>>>>
>>>> 4.3
>>>>
>>>> but this series requires a -stable fix [1] posted earlier but not in any
>>>> tree yet, which I noted in the cover-letter (was easy to overlook).
>>>
>>> Ok, found it. It appears to also depend on "n_tty: Uninline
>>> tty_copy_to_user()" [2] which I didn't see mentioned and can't find
>>> upstream.
>>
>> Sorry, my bad; I overlooked that dependency.
>
> Looks like it also depends on "n_tty: Clarify copy_from_read_buf()" [3].
<sigh>
> Any more we should know about? Or should we just wait for GKH's tree?
Yes, let's just wait until the dependencies are in Greg's tree.
I'll resend the series as v2 then.
Regards,
Peter Hurley
>>> Is that in an upstream tree?
>>
>> Not yet. That will end up in Greg's tty-next tree sometime shortly after
>> the merge window closes.
>>
>>>> [1] https://lkml.org/lkml/2015/11/8/133
>>>
>>> [2] https://lkml.org/lkml/2015/11/8/146
>
> [3] https://lkml.org/lkml/2015/11/8/145
>
> - RGB
^ permalink raw reply
* filtering system calls with auid -1
From: ocakan @ 2015-11-17 9:38 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 4496 bytes --]
Hi!
My aim is to audit only commands executed by root (interactively) and avc
denied messages (selinux)
Some details about my audit-test-system and current audit configuration.
### MY CONFIGURATION:
uname -a:
Linux centos6 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
x86_64 x86_64 x86_64 GNU/Linux
### cat /proc/cmdline:
ro root=UUID=63f8768a-2eee-4472-8ebc-43372292a93b rd_NO_LUKS
LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rd_NO_MD
SYSFONT=latarcyrheb-sun16 rd_NO_LVM rd_NO_DM rhgb audit=1
### rpm -q audit:
audit-2.3.7-5.el6.x86_64
### auditctl -l:
-a never,exit -S all -F auid!=-1
-a never,exit -S all -F auid!=0 -F auid<500
-a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
-a always,exclude -F msgtype=CWD
### auditctl -s:
AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
lost=0 backlog=0
### /etc/init.d/auditd status:
auditd (pid 4232) is running...
### grep -Hrn loginuid /etc/pam.d/:
/etc/pam.d/login:9:session required pam_loginuid.so
/etc/pam.d/sshd:9:session required pam_loginuid.so
/etc/pam.d/remote:9:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
-----
MY QUESTION:
With the above listed configuration I still get audit.log entries with
auid=-1 including cron and anacron entries.
EXAMPLE AUDIT.LOG SNIPPET:
type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447748821.214:1370): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447748821.215:1371): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=SYSCALL msg=audit(1447748821.215:1372): arch=c000003e syscall=59
success=yes exit=0 a0=7f24d92992d6 a1=7ffdc67f7a90 a2=7f24d9299340 a3=8
items=2 ppid=5863 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.215:1372): argc=3 a0="/bin/sh" a1="-c"
a2=636174202F6574632F736861646F7720263E2F6465762F6E756C6C
type=PATH msg=audit(1447748821.215:1372): item=0 name="/bin/sh"
inode=1045010 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.215:1372): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1447748821.216:1373): arch=c000003e syscall=59
success=yes exit=0 a0=e388c0 a1=e38e20 a2=e37b00 a3=7ffc3c6a4a20 items=2
ppid=5865 pid=5866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/bin/cat"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.216:1373): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1447748821.216:1373): item=0 name="/bin/cat"
inode=1044629 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.216:1373): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=CRED_DISP msg=audit(1447748821.217:1374): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447748821.217:1375): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
What am I missing or doing wrong? I also tried working with pam_tty_audit
and aureport --tty but that is too detailed as every keypress gets logged.
Cheers,
Orhan
[-- Attachment #1.2: Type: text/html, Size: 5051 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: filtering system calls with auid -1
From: Steve Grubb @ 2015-11-17 19:55 UTC (permalink / raw)
To: linux-audit; +Cc: ocakan
In-Reply-To: <CAPOnzUb+smneyL+AEFvr1WiSgGLuUHuCDbJQWmw31da6K9r3yw@mail.gmail.com>
On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> My aim is to audit only commands executed by root (interactively) and avc
> denied messages (selinux)
I have some questions to help clarify. Command executed by root, or the root
user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!= -1. (the
audit system treats all uid as unsigned numbers therefore auid = -1 is a large
unsigned number.)
Also when you say commands, what do you mean? What root types on the console?
What if that is a shell script that in turn executes many other programs and
scripts?
> Some details about my audit-test-system and current audit configuration.
<snip>
> ### auditctl -l:
> -a never,exit -S all -F auid!=-1
This says you want to mark all user processes permanently unauditable.
> -a never,exit -S all -F auid!=0 -F auid<500
I don't think this adds anything because the previous one includes this.
> -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
Now you want execve run by anything that's not a user, meaning cron jobs and
system services.
> -a always,exclude -F msgtype=CWD
And this says you don't care about reconstructing relative paths.
> ### auditctl -s:
> AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> lost=0 backlog=0
>
> ### /etc/init.d/auditd status:
> auditd (pid 4232) is running...
>
> ### grep -Hrn loginuid /etc/pam.d/:
> /etc/pam.d/login:9:session required pam_loginuid.so
> /etc/pam.d/sshd:9:session required pam_loginuid.so
> /etc/pam.d/remote:9:session required pam_loginuid.so
> /etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
>
> -----
>
> MY QUESTION:
> With the above listed configuration I still get audit.log entries with
> auid=-1 including cron and anacron entries.
Based on your rules, you are getting exactly what you programmed it to do.
> EXAMPLE AUDIT.LOG SNIPPET:
> type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> auid=4294967295 ses=4294967295
<snip>
> What am I missing or doing wrong? I also tried working with pam_tty_audit
> and aureport --tty but that is too detailed as every keypress gets logged.
Sudo will log every command run through it. Maybe that is closer? The execve
approach will log everything, but it will also log all subscripts that are run
as a result of what's entered on the command line. That would be:
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0
No other rules.
-Steve
^ permalink raw reply
* Re: filtering system calls with auid -1
From: ocakan @ 2015-11-18 14:54 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1860052.RxirLJit12@x2>
[-- Attachment #1.1: Type: text/plain, Size: 4941 bytes --]
Hello Steve!
Thank you for your feedback. Somehow I still do not fully understand how
the filtering with -F works.
Regarding your questions: commands executed by root user, including
subshells, subcmds from script are fine for me.
I altered my audit.rules as you suggested to the following, no other rules:
auditctl -l:
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0
I get entries from crond like the following in audit.log:
type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
What I do not get now are commands executed as root user from ptsX/ttyX.
root@myhost ~# cat /etc/passwd # no audit entry
root@myhost ~# service rsyslog stop # no audit entry
root@myhost ~# less /var/log/audit/audit.log # no audit entry
root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE
entry
Cheers,
Orhan
2015-11-17 20:55 GMT+01:00 Steve Grubb <sgrubb@redhat.com>:
> On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> > My aim is to audit only commands executed by root (interactively) and avc
> > denied messages (selinux)
>
> I have some questions to help clarify. Command executed by root, or the
> root
> user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!= -1.
> (the
> audit system treats all uid as unsigned numbers therefore auid = -1 is a
> large
> unsigned number.)
>
> Also when you say commands, what do you mean? What root types on the
> console?
> What if that is a shell script that in turn executes many other programs
> and
> scripts?
>
>
> > Some details about my audit-test-system and current audit configuration.
>
> <snip>
>
> > ### auditctl -l:
> > -a never,exit -S all -F auid!=-1
>
> This says you want to mark all user processes permanently unauditable.
>
> > -a never,exit -S all -F auid!=0 -F auid<500
>
> I don't think this adds anything because the previous one includes this.
>
> > -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> > -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
>
> Now you want execve run by anything that's not a user, meaning cron jobs
> and
> system services.
>
> > -a always,exclude -F msgtype=CWD
>
> And this says you don't care about reconstructing relative paths.
>
>
> > ### auditctl -s:
> > AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> > lost=0 backlog=0
> >
> > ### /etc/init.d/auditd status:
> > auditd (pid 4232) is running...
> >
> > ### grep -Hrn loginuid /etc/pam.d/:
> > /etc/pam.d/login:9:session required pam_loginuid.so
> > /etc/pam.d/sshd:9:session required pam_loginuid.so
> > /etc/pam.d/remote:9:session required pam_loginuid.so
> > /etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
> >
> > -----
> >
> > MY QUESTION:
> > With the above listed configuration I still get audit.log entries with
> > auid=-1 including cron and anacron entries.
>
> Based on your rules, you are getting exactly what you programmed it to do.
>
>
> > EXAMPLE AUDIT.LOG SNIPPET:
> > type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> > auid=4294967295 ses=4294967295
>
> <snip>
>
> > What am I missing or doing wrong? I also tried working with pam_tty_audit
> > and aureport --tty but that is too detailed as every keypress gets
> logged.
>
> Sudo will log every command run through it. Maybe that is closer? The
> execve
> approach will log everything, but it will also log all subscripts that are
> run
> as a result of what's entered on the command line. That would be:
>
> -a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0
>
> No other rules.
>
> -Steve
>
[-- Attachment #1.2: Type: text/html, Size: 6229 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: filtering system calls with auid -1
From: Steve Grubb @ 2015-11-18 18:33 UTC (permalink / raw)
To: ocakan; +Cc: linux-audit
In-Reply-To: <CAPOnzUa8itgpBfu04odK29QYAL=nSs4RRYYpR-LoX4_q+T2pvg@mail.gmail.com>
On Wednesday, November 18, 2015 03:54:58 PM ocakan wrote:
> Hello Steve!
>
> Thank you for your feedback. Somehow I still do not fully understand how
> the filtering with -F works.
>
> Regarding your questions: commands executed by root user, including
> subshells, subcmds from script are fine for me.
OK.
> I altered my audit.rules as you suggested to the following, no other rules:
> auditctl -l:
You can add a key to this if you like, -F key=root-commands
> -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0
>
> I get entries from crond like the following in audit.log:
Cron entries hit the user filter. If you were using selinux, you could write a
rule like this:
-a user,never -F subj_type=crond_t
> type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
>
> What I do not get now are commands executed as root user from ptsX/ttyX.
>
> root@myhost ~# cat /etc/passwd # no audit entry
> root@myhost ~# service rsyslog stop # no audit entry
> root@myhost ~# less /var/log/audit/audit.log # no audit entry
> root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE
> entry
Check to see what your loginuid is:
# cat /proc/self/loginuid
-Steve
^ permalink raw reply
* Re: [PATCH] kernel-audit: Delete unnecessary checks before two function calls
From: Paul Moore @ 2015-11-19 20:53 UTC (permalink / raw)
To: SF Markus Elfring
Cc: Eric Paris, linux-audit, LKML, kernel-janitors, Julia Lawall
In-Reply-To: <56486FBC.3070103@users.sourceforge.net>
On Sunday, November 15, 2015 12:42:52 PM SF Markus Elfring wrote:
> From: Markus Elfring <elfring@users.sourceforge.net>
> Date: Sun, 15 Nov 2015 12:38:33 +0100
>
> The functions consume_skb() and kfree_skb() test whether their argument
> is NULL and then return immediately.
> Thus the tests around their calls are not needed.
>
> This issue was detected by using the Coccinelle software.
>
> Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
> ---
> kernel/audit.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
Merged, thanks.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 5ffcbd3..1e8e228 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -509,8 +509,7 @@ static void flush_hold_queue(void)
> * if auditd just disappeared but we
> * dequeued an skb we need to drop ref
> */
> - if (skb)
> - consume_skb(skb);
> + consume_skb(skb);
> }
>
> static int kauditd_thread(void *dummy)
> @@ -1232,9 +1231,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
> if (!ab)
> return;
>
> - if (ab->skb)
> - kfree_skb(ab->skb);
> -
> + kfree_skb(ab->skb);
> spin_lock_irqsave(&audit_freelist_lock, flags);
> if (audit_freelist_count > AUDIT_MAXFREE)
> kfree(ab);
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: filtering system calls with auid -1
From: ocakan @ 2015-11-19 21:41 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1672025.saokxMoU1a@x2>
[-- Attachment #1.1: Type: text/plain, Size: 903 bytes --]
Hello Steve!
OK, the last puzzle peace was loginuid=0 !! -.-
My current audit rules for the use-case "logging root user actions, without
too much noise"
#
# delete all rules
-D
# set backlog_limit, default=320
-b 8192
# do not audit cron jobs
-a user,never -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
# audit root actions from users switching to root
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-k root-commands
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k
root-commands
# audit root actions with loginuid root
-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands
-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands
#EOF
Thank you for the tips. I wonder how you manage doing all that great stuff
and still be able to find time supporting people. Great job!
Best regards,
Orhan
[-- Attachment #1.2: Type: text/html, Size: 1463 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: seccomp and audit_enabled
From: Tony Jones @ 2015-11-20 17:51 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-security-module, linux-audit
In-Reply-To: <563D1D6B.8060605@suse.de>
On 11/06/2015 01:36 PM, Tony Jones wrote:
> On 10/13/2015 12:19 PM, Paul Moore wrote:
>
>> Yes, if systemd is involved it enables audit; we've had some
>> discussions with the systemd folks about fixing that, but they haven't
>> gone very far. I'm still a little curious as to why
>> audit_dummy_context() is false in this case, but I haven't looked at
>> how systemd/auditctl start/config the system too closely.
>
> Sorry for the delay here.
>
> A context is allocated by audit_alloc() because there is no uid/gid filter for the task
> but the dummy flag is left false. Because audit has been disabled (manually following systemd enabling),
> dummy never gets set in the syscall entry path (based on !audit_n_rules). So the unlikely(!audit_dummy_context())
> in audit_seccomp succeeds.
>
> Tony
Any comments on this? Current interaction between enabled_enabled and dummy flag seems wrong to me. I can code up
a patch.
Tony
^ permalink raw reply
* Re: seccomp and audit_enabled
From: Paul Moore @ 2015-11-20 21:26 UTC (permalink / raw)
To: Tony Jones; +Cc: linux-security-module, linux-audit
In-Reply-To: <564F5DBE.5020605@suse.de>
On Fri, Nov 20, 2015 at 12:51 PM, Tony Jones <tonyj@suse.de> wrote:
> Any comments on this? Current interaction between enabled_enabled and dummy flag seems wrong to me. I can code up
> a patch.
It's on my todo list for this development cycle, I've just been a
little busy lately with the merge window and now some -rc1 testing.
--
paul moore
www.paul-moore.com
^ permalink raw reply
* ANN: Experimental Fedora Rawhide kernels (selinux-next and audit-next)
From: Paul Moore @ 2015-11-20 21:49 UTC (permalink / raw)
To: selinux, linux-audit; +Cc: linux-security-module
For the past few weeks I've been building experimental Fedora Rawhide kernels
with all of the SELinux and audit kernel patches targeted for linux-next
included. It has worked out reasonably well, and with the exception of getting
a working Linux 4.4-rc1 build this week, it has proven to be relatively easy
to manage. If you would like to help with testing and don't mind the
instability that comes with development kernels, the Fedora COPR repository
link is below.
I've been doing at least one build each week, sometimes more, and I expect to
continue with that frequency. I also perform a quick sanity check on each
successful build, including running the SELinux and audit testsuites; however,
there may be times when the kernel is simply broken, so exercise caution and
please don't run these kernels on anything critical.
* https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext
--
paul moore
www.paul-moore.com
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox