Linux-audit Archive on lore.kernel.org
* Re: Auditing network traffic
From: Steve Grubb @ 2016-01-20 18:30 UTC
  To: F Rafi; +Cc: linux-audit@redhat.com
In-Reply-To: <CABXp1cuXBeKcGaeYcSiZeKc9AwXwcNZSNLqL3G8d2wrAjhm1NA@mail.gmail.com>

On Wednesday, January 20, 2016 01:05:45 PM F Rafi wrote:
> Perhaps this is of use. My goal was to restrict audit logs to outbound
> connections only to reduce the amount of logs.
> 
> # Outbound connections could indicate exfiltration of data (connect vs
> accept)
> # Log 64 bit processes (a2!=6e filters local unix socket calls)
> 
> -a exit,always -F arch=b64 -S connect -F a2!=110 -k network_outbound64

This is good for TCP connections. There's always UDP where you would need 
sendto and sendmsg. Imagine someone exfiltrating on what seems to be DNS lookup 
requests.

The IPTables AUDIT target is what is really meant to audit information flow in 
or out of the system. I think this is the first discussion on the mail list 
where someone might be trying to use it. I'm hoping this leads to making it 
better.

-Steve


> # Log 32 bit processes (a0=3 means only outbound sys_connect calls)
> 
> -a exit,always -F arch=b32 -S socketcall -F a0=3 -k network_outbound32
> 
> 
> -Farhan
> 
> PS: I'd appreciate if someone could poke holes in this.
> 
> On Wed, Jan 20, 2016 at 10:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > > > I work on an audisp plugin which audits network traffic – what process
> > > > has send/received data to/from what remote address. So far I see 2 ways
> > > > of accomplishing that:
> > > > 
> > > > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > > > fd, then read/write/sendto/recvfrom filtered by pid and fd
> > 
> > One other thing, read and write will tell you that a read or write
> > happened. It does not record what was read or written. If you need that,
> > you will have to sniff network traffic. Audit won't be able to help much.
> > 
> > -Steve
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit




* Re: Auditing network traffic
From: F Rafi @ 2016-01-20 18:05 UTC
  To: Steve Grubb; +Cc: linux-audit@redhat.com
In-Reply-To: <3655233.WIOkSfVQiu@x2>



Perhaps this is of use. My goal was to restrict audit logs to outbound
connections only to reduce the amount of logs.

# Outbound connections could indicate exfiltration of data (connect vs
accept)
# Log 64 bit processes (a2!=6e filters local unix socket calls)

-a exit,always -F arch=b64 -S connect -F a2!=110 -k network_outbound64

# Log 32 bit processes (a0=3 means only outbound sys_connect calls)

-a exit,always -F arch=b32 -S socketcall -F a0=3 -k network_outbound32


-Farhan

PS: I'd appreciate if someone could poke holes in this.

On Wed, Jan 20, 2016 at 10:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > > I work on an audisp plugin which audits network traffic – what process
> > > has send/received data to/from what remote address. So far I see 2 ways
> > > of accomplishing that:
> > >
> > > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > > fd, then read/write/sendto/recvfrom filtered by pid and fd
>
> One other thing, read and write will tell you that a read or write
> happened. It does not record what was read or written. If you need that,
> you will have to sniff network traffic. Audit won't be able to help much.
>
> -Steve
>
>


* Re: Auditing network traffic
From: Steve Grubb @ 2016-01-20 15:29 UTC
  To: linux-audit
In-Reply-To: <27424530.ASkzcua8kM@x2>

On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > I work on an audisp plugin which audits network traffic – what process
> > has send/received data to/from what remote address. So far I see 2 ways
> > of accomplishing that:
> > 
> > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > fd, then read/write/sendto/recvfrom filtered by pid and fd

One other thing, read and write will tell you that a read or write happened. 
It does not record what was read or written. If you need that, you will have 
to sniff network traffic. Audit won't be able to help much.

-Steve



* Re: Auditing network traffic
From: Steve Grubb @ 2016-01-20 15:18 UTC
  To: linux-audit
In-Reply-To: <n7o5eq$4qj$1@ger.gmane.org>

On Wednesday, January 20, 2016 04:26:34 PM Lev Stipakov wrote:
> Hello,
> 
> I work on an audisp plugin which audits network traffic – what process
> has send/received data to/from what remote address. So far I see 2 ways
> of accomplishing that:
> 
> Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> fd, then read/write/sendto/recvfrom filtered by pid and fd. I see a few
> issues with this approach:
> 
> 1) Fd can be closed or duped, so I should probably hook close/dup2 calls
> too.

It can also be passed to another process by sendmsg. The process can 
fork/clone changing the pid and then the child accesses the descriptor. It can 
also call sendfile and there are more writing/reading syscalls.


> Not sure, though, if socket could be closed by kernel without any
> syscall.

exit_group

> As a workaround, one can just hook read/write and check if fd is
> socket (S_ISSOCK) and also somehow filter out af_unix.

What if it's mmap'ed?


> 2) Getting saddr/daddr. Seems that dest addr could be obtained from
> connect call. However I am not sure what is the right way to get that -
> I got two records, first SYSCALL and then SOCKADDR. First one has an
> argument which points to memory location where sockaddr structure lays,
> and second one has "saddr" field. The latter looks good, but does the SOCKADDR
> event type always follow SYSCALL for connect call? Same for sendto call.

Yes.
 
> Another way of getting network stats is the AUDIT target for netfilter.
> Looks good, no need to worry about fds/addrs. However there is no pid.

I am thinking that would be a good addition. However, there are times when 
there really is no pid. For example, it could be masquerading or doing SNAT.


> What would be the "best" way to get pid for those records? Anything else
> besides looking into /proc/net/tcp?

That might be the best workaround right now. But adding the pid sounds 
reasonable to me. This way it can be correlated to other system activity. I'd 
have to ask Paul or Richard to comment on feasibility.

-Steve


* Auditing network traffic
From: Lev Stipakov @ 2016-01-20 14:26 UTC
  To: linux-audit

Hello,

I work on an audisp plugin which audits network traffic – what process 
has send/received data to/from what remote address. So far I see 2 ways 
of accomplishing that:

Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and 
fd, then read/write/sendto/recvfrom filtered by pid and fd. I see a few 
issues with this approach:

1) Fd can be closed or duped, so I should probably hook close/dup2 calls 
too. Not sure, though, if socket could be closed by kernel without any 
syscall. As a workaround, one can just hook read/write and check if fd is 
socket (S_ISSOCK) and also somehow filter out af_unix.

2) Getting saddr/daddr. Seems that dest addr could be obtained from 
connect call. However I am not sure what is the right way to get that - 
I got two records, first SYSCALL and then SOCKADDR. First one has an 
argument which points to memory location where sockaddr structure lays, 
and second one has "saddr" field. The latter looks good, but does the SOCKADDR 
event type always follow SYSCALL for connect call? Same for sendto call.

Another way of getting network stats is the AUDIT target for netfilter. 
Looks good, no need to worry about fds/addrs. However there is no pid. 
What would be the "best" way to get pid for those records? Anything else 
besides looking into /proc/net/tcp?

-Lev

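The SYSCALL/SOCKADDR pairing Lev asks about (and Steve confirms) can be checked offline against raw log lines. The following is an added example, not code from this thread or from the audit project: it groups raw records by event serial so that interlaced events stay separate, decodes the hex saddr of each SOCKADDR record, and drops AF_UNIX destinations by address family rather than by the a2!=110 length test in Farhan's rule. The log lines, pids, paths and addresses are constructed, and the syscall numbers assume an x86_64 host.

```python
"""Report outbound network syscalls from raw audit records (added example)."""
import re
import socket
import struct
from collections import defaultdict

# x86_64 syscall numbers (assumption: the records come from an x86_64 host).
SYSCALL_NAMES = {42: "connect", 44: "sendto", 46: "sendmsg"}
# Address-family values as Linux defines them; saddr is the raw kernel struct.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample records: events 101 and 102 arrive interlaced, 103 is an
# AF_UNIX connect (addrlen a2=0x6e, i.e. 110), 104 is an IPv6 sendmsg.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1453314000.123:101): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd4c2f1a30 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="network_outbound64"
type=SYSCALL msg=audit(1453314000.124:102): arch=c000003e syscall=44 success=yes exit=32 a0=4 a1=55d0b1e2c000 a2=20 a3=0 items=0 ppid=1 pid=5151 auid=1000 uid=1000 comm="dig" exe="/usr/bin/dig" key="network_outbound64"
type=SOCKADDR msg=audit(1453314000.123:101): saddr=02000050C0A80A0A0000000000000000
type=SOCKADDR msg=audit(1453314000.124:102): saddr=020000350A0000010000000000000000
type=SYSCALL msg=audit(1453314000.125:103): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffe1a2b3c40 a2=6e a3=0 items=0 ppid=1 pid=6161 auid=1000 uid=1000 comm="nscd" exe="/usr/sbin/nscd" key="network_outbound64"
type=SOCKADDR msg=audit(1453314000.125:103): saddr=01002F72756E2F6E7363642F736F636B657400
type=SYSCALL msg=audit(1453314000.126:104): arch=c000003e syscall=46 success=yes exit=64 a0=5 a1=7ffc9e8d7c60 a2=0 a3=0 items=0 ppid=1 pid=7070 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="network_outbound64"
type=SOCKADDR msg=audit(1453314000.126:104): saddr=0A0001BB0000000020010DB800000000000000000000000100000000
type=EOE msg=audit(1453314000.123:101):
type=EOE msg=audit(1453314000.124:102):
type=EOE msg=audit(1453314000.125:103):
type=EOE msg=audit(1453314000.126:104):
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw record into (type, serial, {field: value}); None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def decode_saddr(hexstr):
    """Decode the hex struct sockaddr carried by a SOCKADDR record.

    sa_family is in host byte order (little-endian on x86); the port is in
    network order. Returns (family, address, port); port is None for AF_UNIX.
    """
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET:  # sockaddr_in: family(2) port(2) addr(4) zero(8)
        return "inet", socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack(">H", raw[2:4])[0]
    if family == AF_INET6:  # sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope(4)
        return "inet6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack(">H", raw[2:4])[0]
    if family == AF_UNIX:  # sockaddr_un: family(2) NUL-terminated path
        return "unix", raw[2:].split(b"\x00", 1)[0].decode(errors="replace"), None
    return "af%d" % family, None, None


def group_events(lines):
    """Bucket records by event serial so interlaced events are not mixed up."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[1]].append(rec)
    return events


def outbound_report(lines, include_unix=False):
    """One row per event that carries both a SYSCALL and a SOCKADDR record."""
    rows = []
    for serial, recs in sorted(group_events(lines).items()):
        by_type = {rtype: fields for rtype, _, fields in recs}
        if "SYSCALL" not in by_type or "SOCKADDR" not in by_type:
            continue  # EOE-only or truncated event: nothing to report
        family, addr, port = decode_saddr(by_type["SOCKADDR"]["saddr"])
        if family == "unix" and not include_unix:
            continue  # local IPC, not a network destination
        num = int(by_type["SYSCALL"].get("syscall", -1))
        if family == "inet6":
            dest = "[%s]:%d" % (addr, port)
        elif family == "inet":
            dest = "%s:%d" % (addr, port)
        else:
            dest = addr
        rows.append({"serial": serial, "pid": int(by_type["SYSCALL"]["pid"]),
                     "exe": by_type["SYSCALL"].get("exe"),
                     "syscall": SYSCALL_NAMES.get(num, str(num)), "dest": dest})
    return rows


if __name__ == "__main__":
    for row in outbound_report(SAMPLE_LOG.splitlines(), include_unix=True):
        print("%(serial)s pid=%(pid)s exe=%(exe)s %(syscall)s -> %(dest)s" % row)
```

Feeding the same lines through the auparse library, as Steve's audisp-example.c snippet later in this page does, gives the same grouping; the point here is only to show what the SOCKADDR bytes contain and why grouping by serial matters.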

* Re: [GIT PULL] Audit patches for 4.5
From: Paul Moore @ 2016-01-14 17:32 UTC
  To: Stephen Rothwell; +Cc: Linus Torvalds, linux-audit, linux-kernel
In-Reply-To: <20160114112847.54f02a4f@canb.auug.org.au>

On Thursday, January 14, 2016 11:28:47 AM Stephen Rothwell wrote:
> Hi Paul,

Hello.
 
> On Wed, 13 Jan 2016 11:24:29 -0500 Paul Moore <pmoore@redhat.com> wrote:
> > In December I made some changes to how I manage the SELinux and 
> > audit trees:
> >  * https://www.redhat.com/archives/linux-audit/2015-December/msg00019.html
> 
> You may have a problem here, you start with:
> 
> "1. When a new kernel is released, rebase the repository's upstream branch
> to the tagged kernel release (or the latest LSM upstream branch in the case
> of SELinux) and apply the next branch on top of the upstream branch.  Send
> a pull request for the upstream branch to the next level maintainer."
> 
> Linus has repeatedly said to not rebase just before sending a pull
> request unless you have a good reason - and even then you should let
> the result be tested for a few days before sending a pull request.

Yes, I understand that, trust me I do; I've had exchanges before with Linus on 
this very topic.  I did try following this model for a few releases with the 
audit tree (several more when you include the SELinux tree) and from a 
practical point of view it just doesn't work for the trees I'm responsible for 
managing.  Related changes happening upstream, outside the tree, and other 
cross tree efforts meant that we were rebasing at least every other kernel 
release, if not every kernel release to ensure proper behavior and sane 
merges.  Things were worse with the SELinux tree as James would typically 
reject pull requests that didn't pull/merge cleanly.  I'm sure Linus' words 
work for a lot of trees out there, but it didn't work very well for the audit 
or SELinux trees, and I'm speaking as someone who did try to make it work.

As for testing, the whole reason I made the changes I did were to help 
increase testing.  Based on the bugs we've seen over the years, I'm fairly 
confident that not much SELinux/audit testing happens during the development 
(linux-next) and -rcX stages; the current SELinux/audit tree process gives us 
pre-built kernel packages that are tested weekly ... and by more than just me 
(thank goodness).  Also, if you look how the kernel packages are generated 
(see the COPR link I sent previous for the details/scripts), you'll see that 
the SELinux/audit next branches are applied on top of the current -rcX 
release, allowing us to incrementally test a kernel that is *very* close to 
what we are going to see in the merge window.

> He also says that published trees (that people could be developing
> against) should not be rebased (except for exceptional circumstances).

Experience has shown that this is largely not an issue for either the SELinux 
or audit trees as this has proven to not be an issue for the limited number of 
developers involved.  What has proven to be an issue is changes made to the 
SELinux/audit code, or affecting the SELinux/audit code, in other trees which 
we can only resolve if we rebase.

I'm also very forgiving when it comes to merge conflicts in other developers' 
code as a result of the rebases; no one has complained yet.

> Instead you could do
> 
> 1. When a new kernel is released (i.e. the merge window opens), send a
> pull request for the upstream branch to the next level maintainer.
> After it is merged, then do a fast forward bask merge merge of the
> upstream tree (if necessary).

You lost me on the "fast forward bask merge merge" - no worries, I often think 
faster than I type too ;)

> > ... I will readily admit it isn't a perfect system, in fact it is a
> > step back in some areas, but the changes make it easier for me to get
> > pre-built kernel packages to users who are interested in testing the
> > bleeding edge (the Fedora COPR repository, see below) and it helps me
> > keep up with weekly testing of both the -rcX kernel releases and the
> > changes in the SELinux and audit trees. One of the things I've been
> > trying to work on lately is better, more automated, testing of the
> > SELinux and audit bits in the Linux kernel; unfortunately, some
> > things have had to change a little to help make this happen, but I
> > think the more frequent testing outweighs any disadvantages.
> 
> I don't understand why this testing would require any rebasing.  You
> can just create a test branch that is Linus' tree and then merge in your
> tree and test that.

Please see my comments above about cross tree changes as well as the COPR 
scripts.  If you have an alternative that works, I'm open to suggestions; just 
please don't say "only rebase when there is a good reason", as the need seems 
to happen often for the audit/SELinux trees.  Maybe I'm cursed, I dunno.

> > The date change is likely a result of moving the patches from
> > audit#next to audit#upstream as part of the process mentioned above.
> 
> I wasn't aware that "git rebase" would change the author dates by
> default (in fact I don't think it does).  Or do you use some other
> method to move the patches.

Here is what I typically do (or something very similar) using a combination of 
git/stgit:

 NOTE: done in the upstream branch

 # git reset --hard <version tag>
 # stg pick -b next $(stg series -B next --noprefix)

... this isn't a rebase, this resets the upstream to the given kernel version 
tag and then moves/applies/whatever the patches from the next branch on top.  
It is intentionally done this way as this is effectively what I've been 
testing throughout the -rcX cycle ... the patches applied *on*top*.

> In any case, why aren't you just submitting the next branch upstream?

The number one reason is that James tends to reject the pull request if there 
are any merge conflicts.  I try to keep the same process for both the audit and 
SELinux trees; granted this isn't a strict requirement, but it does help my 
sanity.  It also doesn't truly reflect what/how we've been testing during the 
-rcX/development cycle (see my other comments).

> > I haven't updated audit#next yet because I know you try to keep
> > linux-next quiet until -rc1 is released; if that has changed let me
> > know and I'll be happy to update audit#next.
> 
> It hasn't changed, but this is part of what I tell everyone who adds a
> branch to linux-next:
> 
> "Basically, this should be just what you would send to Linus (or ask him
> to fetch)."

As I stated in my last email, there are some unfortunate side-effects of the 
current process, this is one of them.  I believe the increased testing and 
availability far outweighs the negative in this particular case.

> So by "quiet" I mean not adding stuff for the next release and not
> changing stuff around too much.  If you *must* rebase you tree for some
> reason, you should let it simmer in linux-next for a few days before
> asking Linus to pull it.  That way, at least Linus and I will end up
> with the same *commits* and I (and others) won't have to cope with
> unnecessary conflicts caused by different versions of the same
> *patches* (or even just further changes to the same files in other
> commits).
> 
> > For reference, the Fedora COPR repository can be found below, it was
> > announced back in November, but only to the relevant lists.  Anyone
> > is welcome to give the kernels a try (instructions are provided) and
> > report any problems they find.  I tend to push out an update at least
> > once a week to coincide with the new -rcX release, although the exact
> > day varies due to merge conflicts, build problems, etc.
> > 
> >  * https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext
> 
> So, I don't see why that requires you to rebase your tree.  That kernel
> source is separate from Linus' in any case (since I assume it contains
> all manner of not-yet-upstreamed or back ported patches).

-- 
paul moore
security @ redhat


* Re: [GIT PULL] Audit patches for 4.5
From: Stephen Rothwell @ 2016-01-14 0:28 UTC
  To: Paul Moore; +Cc: Linus Torvalds, linux-audit, linux-kernel
In-Reply-To: <1633246.WIdWYpcqb3@sifl>

Hi Paul,

On Wed, 13 Jan 2016 11:24:29 -0500 Paul Moore <pmoore@redhat.com> wrote:
>
> In December I made some changes to how I manage the SELinux and audit trees:
> 
>  * https://www.redhat.com/archives/linux-audit/2015-December/msg00019.html

You may have a problem here, you start with:

"1. When a new kernel is released, rebase the repository's upstream branch to 
the tagged kernel release (or the latest LSM upstream branch in the case of 
SELinux) and apply the next branch on top of the upstream branch.  Send a pull 
request for the upstream branch to the next level maintainer."

Linus has repeatedly said to not rebase just before sending a pull
request unless you have a good reason - and even then you should let
the result be tested for a few days before sending a pull request.  He
also says that published trees (that people could be developing
against) should not be rebased (except for exceptional circumstances).

Instead you could do

1. When a new kernel is released (i.e. the merge window opens), send a
pull request for the upstream branch to the next level maintainer.
After it is merged, then do a fast forward bask merge merge of the
upstream tree (if necessary).

> ... I will readily admit it isn't a perfect system, in fact it is a
> step back in some areas, but the changes make it easier for me to get
> pre-built kernel packages to users who are interested in testing the
> bleeding edge (the Fedora COPR repository, see below) and it helps me
> keep up with weekly testing of both the -rcX kernel releases and the
> changes in the SELinux and audit trees. One of the things I've been
> trying to work on lately is better, more automated, testing of the
> SELinux and audit bits in the Linux kernel; unfortunately, some
> things have had to change a little to help make this happen, but I
> think the more frequent testing outweighs any disadvantages.

I don't understand why this testing would require any rebasing.  You
can just create a test branch that is Linus' tree and then merge in your
tree and test that.

> The date change is likely a result of moving the patches from
> audit#next to audit#upstream as part of the process mentioned above.

I wasn't aware that "git rebase" would change the author dates by
default (in fact I don't think it does).  Or do you use some other
method to move the patches.  In any case, why aren't you just
submitting the next branch upstream?

> I haven't updated audit#next yet because I know you try to keep
> linux-next quiet until -rc1 is released; if that has changed let me
> know and I'll be happy to update audit#next.

It hasn't changed, but this is part of what I tell everyone who adds a
branch to linux-next:

"Basically, this should be just what you would send to Linus (or ask him
to fetch)."

So by "quiet" I mean not adding stuff for the next release and not
changing stuff around too much.  If you *must* rebase you tree for some
reason, you should let it simmer in linux-next for a few days before
asking Linus to pull it.  That way, at least Linus and I will end up
with the same *commits* and I (and others) won't have to cope with
unnecessary conflicts caused by different versions of the same
*patches* (or even just further changes to the same files in other
commits).

> For reference, the Fedora COPR repository can be found below, it was
> announced back in November, but only to the relevant lists.  Anyone
> is welcome to give the kernels a try (instructions are provided) and
> report any problems they find.  I tend to push out an update at least
> once a week to coincide with the new -rcX release, although the exact
> day varies due to merge conflicts, build problems, etc.
> 
>  * https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext

So, I don't see why that requires you to rebase your tree.  That kernel
source is separate from Linus' in any case (since I assume it contains
all manner of not-yet-upstreamed or back ported patches).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au


* Re: [GIT PULL] Audit patches for 4.5
From: Paul Moore @ 2016-01-13 16:24 UTC
  To: Stephen Rothwell; +Cc: Linus Torvalds, linux-audit, linux-kernel
In-Reply-To: <20160114020325.7f778cda@canb.auug.org.au>

On Thursday, January 14, 2016 02:03:25 AM Stephen Rothwell wrote:
> Hi Paul,
> 
> On Wed, 13 Jan 2016 09:29:55 -0500 Paul Moore <pmoore@redhat.com> wrote:
> > The following changes since commit afd2ff9b7e...:
> >   Linux 4.4 (2016-01-10 15:01:32 -0800)
> > 
> > are available in the git repository at:
> >   git://git.infradead.org/users/pcmoore/audit upstream
> 
> This has all been rebased onto v4.4 (and all the author dates changed) :-(
> 
> And your "next" branch hasn't been updated to match :-(

Hi Stephen,

In December I made some changes to how I manage the SELinux and audit trees:

 * https://www.redhat.com/archives/linux-audit/2015-December/msg00019.html

... I will readily admit it isn't a perfect system, in fact it is a step back 
in some areas, but the changes make it easier for me to get pre-built kernel 
packages to users who are interested in testing the bleeding edge (the Fedora 
COPR repository, see below) and it helps me keep up with weekly testing of 
both the -rcX kernel releases and the changes in the SELinux and audit trees.  
One of the things I've been trying to work on lately is better, more 
automated, testing of the SELinux and audit bits in the Linux kernel; 
unfortunately, some things have had to change a little to help make this 
happen, but I think the more frequent testing outweighs any disadvantages.

The date change is likely a result of moving the patches from audit#next to 
audit#upstream as part of the process mentioned above.  I haven't updated 
audit#next yet because I know you try to keep linux-next quiet until -rc1 is 
released; if that has changed let me know and I'll be happy to update 
audit#next.  Also, if you have any suggestions on how to improve my process, 
I'm always open to new ideas.

For reference, the Fedora COPR repository can be found below, it was announced 
back in November, but only to the relevant lists.  Anyone is welcome to give 
the kernels a try (instructions are provided) and report any problems they 
find.  I tend to push out an update at least once a week to coincide with the 
new -rcX release, although the exact day varies due to merge conflicts, build 
problems, etc.

 * https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext

Eventually I'd like to do something similar for Debian, Gentoo, distro du 
jour, etc. (I'm hoping if I lower the barrier for testing, more people will 
give it a try) but I'm starting with Fedora Rawhide to get the kinks worked 
out and improve my automation.

-Paul

-- 
paul moore
security @ redhat


* Re: [GIT PULL] Audit patches for 4.5
From: Stephen Rothwell @ 2016-01-13 15:03 UTC
  To: Paul Moore; +Cc: Linus Torvalds, linux-audit, linux-kernel
In-Reply-To: <1490560.yARnk4QFpi@sifl>

Hi Paul,

On Wed, 13 Jan 2016 09:29:55 -0500 Paul Moore <pmoore@redhat.com> wrote:
>
> The following changes since commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc:
> 
>   Linux 4.4 (2016-01-10 15:01:32 -0800)
> 
> are available in the git repository at:
> 
>   git://git.infradead.org/users/pcmoore/audit upstream

This has all been rebased onto v4.4 (and all the author dates changed) :-(

And your "next" branch hasn't been updated to match :-(
-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au


* [GIT PULL] Audit patches for 4.5
From: Paul Moore @ 2016-01-13 14:29 UTC
  To: Linus Torvalds; +Cc: linux-audit, linux-kernel

Hi Linus,

Seven audit patches for 4.5, all very minor despite the diffstat.  The 
diffstat churn for linux/audit.h can be attributed to needing to reshuffle the 
linux/audit.h header to fix the seccomp auditing issue (see the commit 
description for details).  Besides the seccomp/audit fix, most of the fixes 
are around trying to improve the connection with the audit daemon and a 
Kconfig simplification.  Nothing crazy, and everything passes our little 
audit-testsuite, please pull for 4.5.

Thanks,
-Paul

---
The following changes since commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc:

  Linux 4.4 (2016-01-10 15:01:32 -0800)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit upstream

for you to fetch changes up to cb74ed278f8054fddf79ed930495b9e214f7c7b2:

  audit: always enable syscall auditing when supported and audit is enabled
         (2016-01-13 09:18:55 -0500)

----------------------------------------------------------------
Markus Elfring (1):
      audit: Delete unnecessary checks before two function calls

Paul Moore (3):
      audit: remove audit_backlog_wait_overflow
      audit: force seccomp event logging to honor the audit_enabled flag
      audit: always enable syscall auditing when supported and audit is
             enabled

Richard Guy Briggs (3):
      audit: don't needlessly reset valid wait time
      audit: include auditd's threads in audit_log_start() wait exception
      audit: wake up threads if queue switched from limited to unlimited

 include/linux/audit.h | 204 +++++++++++++++++++++++-----------------------
 init/Kconfig          |  11 +--
 kernel/audit.c        |  17 ++---
 3 files changed, 114 insertions(+), 118 deletions(-)

-- 
paul moore
security @ redhat


* Re: Use case not covered by the audit library?
From: Steve Grubb @ 2016-01-11 21:12 UTC
  To: Gulland, Scott A; +Cc: linux-audit@redhat.com
In-Reply-To: <B41870ED03633F4092CDF476119204DF561D5A23@G4W3225.americas.hpqcorp.net>

On Wednesday, January 06, 2016 08:27:31 PM Gulland, Scott A wrote:
> > What I would suggest in a case like this is to create a small utility that
> > generates the exact report that you want. The auparse library makes that
> > super easy. I can dig up the skeleton code for something like this if you
> > want.
>
> Thanks Steve!   I'd appreciate the skeleton code.   At some point we'll
> probably want to create a custom report capability.   It sounds like
> ausearch really only handles the fields written by the kernel.

Sorry for the delay, I needed to get the 2.5 package out the door.

There is some example code in the audit package and here:
https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c

If you wanted to read from a file, then you change the code to 

        f = fopen("./test.log", "r");
        if (f == NULL) {
                printf("Can't open log\n");
                return 1;
        }

but keep the AUSOURCE_FEED. Then in the loop

                /* Now the event loop */
                if (!stop && !hup && retval > 0) {
                        if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, f)) {
                                auparse_feed(au, tmp, strnlen(tmp,
                                                MAX_AUDIT_MESSAGE_LENGTH));
                        }
                } else if (retval == 0)
                        auparse_flush_feed(au);
                if (feof(f))
                        break;

Then you put the report in the callback function. You can switch between the
types as shown in the handle_event function.

If you want it to run off of logs, then you would need to structure things a
bit different. The aulastlog program shows a good example of that:

https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c

Hope this helps...

-Steve


* Re: audit 2.5 released
From: Paul Moore @ 2016-01-11 19:24 UTC
  To: linux-audit, Steve Grubb
In-Reply-To: <2874850.AoCptcTU1r@x2>

On Mon, Jan 11, 2016 at 2:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> This release adds audit by executable name support if your kernel also
> supports it. The audit by executable names support will allow you to write
> rules that target an exact application so that you can see if it is doing
> something odd. An example rule would look like this:
>
> -a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network
>
> I think you will need the 4.4 kernel or later to use this feature.

Linux 4.3 has the necessary support.

 * http://www.paul-moore.com/blog/d/2015/11/linux-v43.html

-- 
paul moore
www.paul-moore.com


* audit 2.5 released
From: Steve Grubb @ 2016-01-11 19:14 UTC
  To: linux-audit

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Make augenrules the default method to load audit rules
- Put rules in its own directory and break out rules into groups
- Have auditd do a fsync before closing log
- Make default flush setting larger
- In auparse, terminate the generated strings (Burn Alting)
- In auditd, add incremental_async flushing mode
- Clean up dangling fields in DAEMON events
- Add audit by process name support to auditctl (Richard Briggs)
- Relax permissions on systemd files
- Fix auparse to handle interlaced events (Burn Alting)
- Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)

This release of the audit system represents a break with the past in a couple 
ways. The default way to load rules is now via the augenrules program. And 
this release of the audit package includes entirely new rules for use. The 
nispom and stig rules still exist, but they have been renamed and moved. To 
see the new rules, look in the rules documentation directory. There is a 
README file that explains the new system.

The audit daemon has undergone some major performance improvements. The audit 
daemon moved from a multi-threaded data flow to a singly-threaded data flow with 
asynchronous flushing. This new mode, INCREMENTAL_ASYNC, is now the default 
flush setting. Using it makes the audit daemon log over 90 times faster. (At 
least that's what I measured using the XFS file system. YMMV.) The audit daemon's 
internal events were also reviewed and modernized with op= fields. Also, 
because the audit daemon is now singly-threaded for the main data flow, there 
is no need to make a multi-thread-safe copy of libaudit. This means the audit 
daemon binary is significantly smaller.

This release adds audit by executable name support if your kernel also 
supports it. The audit by executable names support will allow you to write 
rules that target an exact application so that you can see if it is doing 
something odd. An example rule would look like this:

-a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network

I think you will need the 4.4 kernel or later to use this feature.

Also in this release, there is a re-working of the auparse library by Burn 
Alting to handle interlaced audit events. The kernel makes no effort to 
serialize events going to user space. If for some reason two events got 
interlaced where records for each one alternated with the other, the auparse 
library previously considered one event ending and another starting for each 
interlaced record - thus breaking up the event. This release should make all 
tools linking against auparse much more reliable.

There were also a number of other minor cleanups and enhancements.

Please let me know if you run across any problems with this release.

-Steve
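As an added illustration of the two points in the announcement above (the exe= rule and interlaced events), here is a small Python script that is not part of the audit package and not Steve's code. It reassembles raw audit records by their (timestamp:serial) event id, shows how splitting on every id change (the old auparse behaviour described above) shatters interlaced events into fragments, and then selects the events whose SYSCALL record carries the rule's exe= and key= values and decodes the destination from the companion SOCKADDR record. The log lines are constructed, not real auditd output; the syscall numbers 42 and 44 are the x86_64 values for connect and sendto, and the sockaddr decoding assumes a little-endian host.

```python
"""Reassemble raw audit records into events and apply an exe=/key= match.
Added example; the log lines below are constructed, not real auditd output."""
import re
import socket
import struct
from collections import OrderedDict

# Constructed records in auditd's raw on-disk format. Events 101 and 102 are
# deliberately interlaced: their records alternate instead of being contiguous.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1453312345.101:101): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1 a2=10 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sh" exe="/bin/sh" key="bash-network"
type=SYSCALL msg=audit(1453312345.102:102): arch=c000003e syscall=44 success=yes exit=42 a0=4 a1=5571 a2=2a a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="other"
type=SOCKADDR msg=audit(1453312345.101:101): saddr=02000050C0A800010000000000000000
type=SOCKADDR msg=audit(1453312345.102:102): saddr=020000350A0000010000000000000000
type=PROCTITLE msg=audit(1453312345.101:101): proctitle=2F62696E2F7368
type=EOE msg=audit(1453312345.101:101):
type=PROCTITLE msg=audit(1453312345.102:102): proctitle=6375726C
type=EOE msg=audit(1453312345.102:102):
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
X86_64_SYSCALLS = {42: "connect", 44: "sendto"}  # x86_64 numbers for the rule's two syscalls
AF_INET = 2


def parse_record(line):
    """Split one raw record into its type, event id (timestamp, serial) and fields."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "event_id": (ts, int(serial)), "fields": fields}


def split_sequentially(records):
    """Old behaviour the announcement describes: a new event is assumed whenever
    the event id differs from the previous record's, so interlaced records
    shatter both events into fragments."""
    events = []
    for rec in records:
        if not events or events[-1]["id"] != rec["event_id"]:
            events.append({"id": rec["event_id"], "records": []})
        events[-1]["records"].append(rec)
    return events


def group_by_event_id(records):
    """Key every record on its event id, so record order does not matter."""
    events = OrderedDict()
    for rec in records:
        ev = events.setdefault(rec["event_id"], {"id": rec["event_id"], "records": []})
        ev["records"].append(rec)
    return list(events.values())


def decode_inet_saddr(hexstr):
    """Decode a SOCKADDR saddr= value for AF_INET: the kernel logs the raw
    struct sockaddr bytes, family in host order (little-endian assumed here),
    then port and IPv4 address in network order. Returns None otherwise."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or struct.unpack("<H", raw[:2])[0] != AF_INET:
        return None
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def match_rule(events, exe="/bin/sh", key="bash-network"):
    """Return the events whose SYSCALL record carries the rule's exe= and key=,
    with the destination taken from the companion SOCKADDR record."""
    hits = []
    for ev in events:
        by_type = {r["type"]: r["fields"] for r in ev["records"]}
        sc = by_type.get("SYSCALL")
        if not sc or sc.get("exe") != exe or sc.get("key") != key:
            continue
        nr = int(sc["syscall"])
        hits.append({
            "serial": ev["id"][1],
            "pid": int(sc["pid"]),
            "syscall": X86_64_SYSCALLS.get(nr, nr),
            "dest": decode_inet_saddr(by_type.get("SOCKADDR", {}).get("saddr", "")),
        })
    return hits


def analyse(log_text):
    """Parse, group both ways, and report fragment count, event count and hits."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    events = group_by_event_id(records)
    return {
        "sequential_fragments": len(split_sequentially(records)),
        "events": len(events),
        "hits": match_rule(events),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the constructed input the sequential split yields six fragments for what are really two events, which is the breakage the auparse rework addresses, while the id-keyed grouping yields two and the rule match reports the /bin/sh connect to 192.168.0.1:80 and nothing else.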


* Re: Patch to add support for more syslog facilities
From: Steve Grubb @ 2016-01-11 17:56 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <D2B59AD1.FBBE%olo@fb.com>

On Saturday, January 09, 2016 12:56:50 AM Aleksander Adamowski wrote:
> The set of syslog facilities that can be configured for the built-in syslog
> plugin is pretty limited (LOG_LOCAL0 - LOG_LOCAL9).
> 
> This patch adds a bunch of other facilities that might make sense for some
> people (like us). Facilities that wouldn't make any sense (like LOG_NEWS or
> LOG_LPR) are still left out.

Applied. Thanks!

-Steve


* Re: [RESEND][PATCH 06/15] tty: audit: Ignore current association for audit push
From: Peter Hurley @ 2016-01-10  7:00 UTC (permalink / raw)
  To: kbuild test robot
  Cc: kbuild-all, Greg Kroah-Hartman, Jiri Slaby, linux-audit,
	linux-kernel
In-Reply-To: <201601101347.te5KPwYI%fengguang.wu@intel.com>

On 01/09/2016 09:36 PM, kbuild test robot wrote:
> Hi Peter,

Thanks for the report. Just re-spun the v2 series with a fix for this.

Regards,
Peter Hurley

> [auto build test ERROR on tty/tty-testing]
> [also build test ERROR on next-20160108]
> [cannot apply to v4.4-rc8]
> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
> 
> url:    https://github.com/0day-ci/linux/commits/Peter-Hurley/Rework-tty-audit/20160110-130735
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git tty-testing
> config: i386-randconfig-s0-201602 (attached as .config)
> reproduce:
>         # save the attached .config to linux build tree
>         make ARCH=i386 
> 
> Note: the linux-review/Peter-Hurley/Rework-tty-audit/20160110-130735 HEAD 3fdd6ed9cf68e96432c554fac7a14ef60e77efc3 builds fine.
>       It only hurts bisectability.
> 
> All errors (new ones prefixed by >>):
> 
>    drivers/tty/n_tty.c: In function 'canon_copy_from_read_buf':
>>> drivers/tty/n_tty.c:2106:3: error: too few arguments to function 'tty_audit_push'
>       tty_audit_push();
>       ^
>    In file included from drivers/tty/n_tty.c:40:0:
>    include/linux/tty.h:626:20: note: declared here
>     static inline void tty_audit_push(struct tty_struct *tty)
>                        ^
> 
> vim +/tty_audit_push +2106 drivers/tty/n_tty.c
> 
>   2100	
>   2101		if (found) {
>   2102			if (!ldata->push)
>   2103				ldata->line_start = ldata->read_tail;
>   2104			else
>   2105				ldata->push = 0;
>> 2106			tty_audit_push();
>   2107		}
>   2108		return 0;
>   2109	}
> 
> ---
> 0-DAY kernel test infrastructure                Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
> 


* Re: [RESEND][PATCH 06/15] tty: audit: Ignore current association for audit push
From: kbuild test robot @ 2016-01-10  5:36 UTC (permalink / raw)
  Cc: kbuild-all, Greg Kroah-Hartman, Jiri Slaby, linux-audit,
	linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-7-git-send-email-peter@hurleysoftware.com>

[-- Attachment #1: Type: text/plain, Size: 1542 bytes --]

Hi Peter,

[auto build test ERROR on tty/tty-testing]
[also build test ERROR on next-20160108]
[cannot apply to v4.4-rc8]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Peter-Hurley/Rework-tty-audit/20160110-130735
base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git tty-testing
config: i386-randconfig-s0-201602 (attached as .config)
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

Note: the linux-review/Peter-Hurley/Rework-tty-audit/20160110-130735 HEAD 3fdd6ed9cf68e96432c554fac7a14ef60e77efc3 builds fine.
      It only hurts bisectability.

All errors (new ones prefixed by >>):

   drivers/tty/n_tty.c: In function 'canon_copy_from_read_buf':
>> drivers/tty/n_tty.c:2106:3: error: too few arguments to function 'tty_audit_push'
      tty_audit_push();
      ^
   In file included from drivers/tty/n_tty.c:40:0:
   include/linux/tty.h:626:20: note: declared here
    static inline void tty_audit_push(struct tty_struct *tty)
                       ^

vim +/tty_audit_push +2106 drivers/tty/n_tty.c

  2100	
  2101		if (found) {
  2102			if (!ldata->push)
  2103				ldata->line_start = ldata->read_tail;
  2104			else
  2105				ldata->push = 0;
> 2106			tty_audit_push();
  2107		}
  2108		return 0;
  2109	}

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/octet-stream, Size: 23080 bytes --]


* [RESEND][PATCH 15/15] tty: audit: Poison tty_audit_buf while process exits
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

Warn if tty_audit_buf use is attempted after tty_audit_exit() has
already freed it.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index fa461dc..66d53fc 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -21,6 +21,15 @@ struct tty_audit_buf {
 	unsigned char *data;	/* Allocated size N_TTY_BUF_SIZE */
 };
 
+static struct tty_audit_buf *tty_audit_buf_ref(void)
+{
+	struct tty_audit_buf *buf;
+
+	buf = current->signal->tty_audit_buf;
+	WARN_ON(buf == ERR_PTR(-ESRCH));
+	return buf;
+}
+
 static struct tty_audit_buf *tty_audit_buf_alloc(void)
 {
 	struct tty_audit_buf *buf;
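Review bot: tty_audit_buf_ref() warns on the poison value but still returns it, so every caller must test the result with IS_ERR_OR_NULL() rather than `if (buf)`; document that in a comment above the helper (for example "may return ERR_PTR(-ESRCH) once tty_audit_exit() has run"), because the early `if (buf) return buf;` in tty_audit_buf_get() below passes the poison straight through and only the IS_ERR_OR_NULL() check in tty_audit_add_data() catches it.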
@@ -106,8 +115,7 @@ void tty_audit_exit(void)
 {
 	struct tty_audit_buf *buf;
 
-	buf = current->signal->tty_audit_buf;
-	current->signal->tty_audit_buf = NULL;
+	buf = xchg(&current->signal->tty_audit_buf, ERR_PTR(-ESRCH));
 	if (!buf)
 		return;
 
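Review bot: the `if (!buf) return;` after the xchg() only covers a NULL old value; should tty_audit_exit() ever run a second time, the old value is ERR_PTR(-ESRCH) and the following tty_audit_buf_push(buf) dereferences the poison. Using `if (IS_ERR_OR_NULL(buf)) return;` here keeps the exit path consistent with the other call sites in this patch.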
@@ -158,8 +166,8 @@ int tty_audit_push(void)
 	if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
 		return -EPERM;
 
-	buf = current->signal->tty_audit_buf;
-	if (buf) {
+	buf = tty_audit_buf_ref();
+	if (!IS_ERR_OR_NULL(buf)) {
 		mutex_lock(&buf->mutex);
 		tty_audit_buf_push(buf);
 		mutex_unlock(&buf->mutex);
@@ -171,13 +179,14 @@ int tty_audit_push(void)
  *	tty_audit_buf_get	-	Get an audit buffer.
  *
  *	Get an audit buffer, allocate it if necessary.  Return %NULL
- *	if out of memory.  Otherwise, return a new reference to the buffer.
+ *	if out of memory or ERR_PTR(-ESRCH) if tty_audit_exit() has already
+ *	occurred.  Otherwise, return a new reference to the buffer.
  */
 static struct tty_audit_buf *tty_audit_buf_get(void)
 {
 	struct tty_audit_buf *buf;
 
-	buf = current->signal->tty_audit_buf;
+	buf = tty_audit_buf_ref();
 	if (buf)
 		return buf;
 
@@ -190,7 +199,7 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 	/* Race to use this buffer, free it if another wins */
 	if (cmpxchg(&current->signal->tty_audit_buf, NULL, buf) != NULL)
 		tty_audit_buf_free(buf);
-	return current->signal->tty_audit_buf;
+	return tty_audit_buf_ref();
 }
 
 /**
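Review bot: when the cmpxchg() fails because the field already holds ERR_PTR(-ESRCH) (exit raced with first use), the fresh buffer is freed and the poison pointer is returned, which is the right outcome, but the comment `/* Race to use this buffer, free it if another wins */` only describes the competing-allocator case; extend it to say that the exit poison also wins, so the IS_ERR handling in the caller is not mistaken for dead code.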
@@ -220,7 +229,7 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 		return;
 
 	buf = tty_audit_buf_get();
-	if (!buf)
+	if (IS_ERR_OR_NULL(buf))
 		return;
 
 	mutex_lock(&buf->mutex);
-- 
2.7.0


* [RESEND][PATCH 14/15] tty: audit: Always push audit buffer before TIOCSTI
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

The data read from another tty may be relevant to the action of
the TIOCSTI ioctl; log the audit buffer immediately.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 269e41f..fa461dc 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -130,19 +130,13 @@ void tty_audit_fork(struct signal_struct *sig)
  */
 void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 {
-	struct tty_audit_buf *buf;
 	dev_t dev;
 
 	dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
-	buf = current->signal->tty_audit_buf;
-	if (buf) {
-		mutex_lock(&buf->mutex);
-		if (buf->dev == dev)
-			tty_audit_buf_push(buf);
-		mutex_unlock(&buf->mutex);
-	}
+	if (tty_audit_push())
+		return;
 
-	if (audit_enabled && (current->signal->audit_tty & AUDIT_TTY_ENABLE)) {
+	if (audit_enabled) {
 		kuid_t auid;
 		unsigned int sessionid;
 
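Review bot: replacing the `buf->dev == dev` comparison with an unconditional tty_audit_push() flushes buffered input from any tty, not only the one TIOCSTI targets, and the commit message only says "log the audit buffer immediately"; please state the dropped same-tty condition explicitly so the behaviour change is visible in history. The early `return` on -EPERM is equivalent to the removed AUDIT_TTY_ENABLE test on the `if (audit_enabled && ...)` line, so that part is fine.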
-- 
2.7.0


* [RESEND][PATCH 13/15] tty: audit: Check audit enable first
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

Audit is unlikely to be enabled; check first to exit asap.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6e33e41..269e41f 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -211,6 +211,10 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 	unsigned int audit_tty;
 	dev_t dev;
 
+	audit_tty = READ_ONCE(current->signal->audit_tty);
+	if (~audit_tty & AUDIT_TTY_ENABLE)
+		return;
+
 	if (unlikely(size == 0))
 		return;
 
@@ -218,9 +222,6 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 	    && tty->driver->subtype == PTY_TYPE_MASTER)
 		return;
 
-	audit_tty = READ_ONCE(current->signal->audit_tty);
-	if (~audit_tty & AUDIT_TTY_ENABLE)
-		return;
 	if ((~audit_tty & AUDIT_TTY_LOG_PASSWD) && icanon && !L_ECHO(tty))
 		return;
 
-- 
2.7.0


* [RESEND][PATCH 12/15] tty: audit: Simplify first-use allocation
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

The first-use tty audit buffer allocation is a potential race
amongst multiple attempts at 'first-use'; only one 'winner' is
acceptable.

The successful buffer assignment occurs if tty_audit_buf == NULL
(which will also be the return from cmpxchg()); otherwise, another
racer 'won' and this buffer allocation is freed.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 71ba8ba..6e33e41 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -181,30 +181,22 @@ int tty_audit_push(void)
  */
 static struct tty_audit_buf *tty_audit_buf_get(void)
 {
-	struct tty_audit_buf *buf, *buf2;
-	unsigned long flags;
+	struct tty_audit_buf *buf;
 
 	buf = current->signal->tty_audit_buf;
 	if (buf)
 		return buf;
 
-	buf2 = tty_audit_buf_alloc();
-	if (buf2 == NULL) {
+	buf = tty_audit_buf_alloc();
+	if (buf == NULL) {
 		audit_log_lost("out of memory in TTY auditing");
 		return NULL;
 	}
 
-	spin_lock_irqsave(&current->sighand->siglock, flags);
-	buf = current->signal->tty_audit_buf;
-	if (!buf) {
-		current->signal->tty_audit_buf = buf2;
-		buf = buf2;
-		buf2 = NULL;
-	}
-	spin_unlock_irqrestore(&current->sighand->siglock, flags);
-	if (buf2)
-		tty_audit_buf_free(buf2);
-	return buf;
+	/* Race to use this buffer, free it if another wins */
+	if (cmpxchg(&current->signal->tty_audit_buf, NULL, buf) != NULL)
+		tty_audit_buf_free(buf);
+	return current->signal->tty_audit_buf;
 }
 
 /**
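Review bot: cmpxchg() already returns the old value, and when that value is non-NULL it is exactly the winning buffer, so the function can return it directly (`old = cmpxchg(&current->signal->tty_audit_buf, NULL, buf); if (old) { tty_audit_buf_free(buf); return old; } return buf;`) instead of re-reading `current->signal->tty_audit_buf` after the exchange; that removes the second plain read and makes the winner explicit.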
-- 
2.7.0


* [RESEND][PATCH 11/15] tty: audit: Remove tty_audit_buf reference counting
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

When tty_audit_exit() is called from do_exit(), the process is
single-threaded. Since the tty_audit_buf is only shared by threads
of a process, no other thread can be concurrently accessing the
tty_audit_buf during or after tty_audit_exit().

Thus, no other thread can be holding an extra tty_audit_buf reference
which would prevent tty_audit_exit() from freeing the tty_audit_buf.
As that is the only purpose of the ref counting, remove the reference
counting and free the tty_audit_buf directly.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 47 +++++++----------------------------------------
 1 file changed, 7 insertions(+), 40 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 7943984..71ba8ba 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -14,7 +14,6 @@
 #include <linux/tty.h>
 
 struct tty_audit_buf {
-	atomic_t count;
 	struct mutex mutex;	/* Protects all data below */
 	dev_t dev;		/* The TTY which the data is from */
 	unsigned icanon:1;
@@ -32,7 +31,6 @@ static struct tty_audit_buf *tty_audit_buf_alloc(void)
 	buf->data = kmalloc(N_TTY_BUF_SIZE, GFP_KERNEL);
 	if (!buf->data)
 		goto err_buf;
-	atomic_set(&buf->count, 1);
 	mutex_init(&buf->mutex);
 	buf->dev = MKDEV(0, 0);
 	buf->icanon = 0;
@@ -52,12 +50,6 @@ static void tty_audit_buf_free(struct tty_audit_buf *buf)
 	kfree(buf);
 }
 
-static void tty_audit_buf_put(struct tty_audit_buf *buf)
-{
-	if (atomic_dec_and_test(&buf->count))
-		tty_audit_buf_free(buf);
-}
-
 static void tty_audit_log(const char *description, dev_t dev,
 			  unsigned char *data, size_t size)
 {
@@ -106,6 +98,9 @@ static void tty_audit_buf_push(struct tty_audit_buf *buf)
  *
  *	Make sure all buffered data is written out and deallocate the buffer.
  *	Only needs to be called if current->signal->tty_audit_buf != %NULL.
+ *
+ *	The process is single-threaded at this point; no other threads share
+ *	current->signal.
  */
 void tty_audit_exit(void)
 {
@@ -116,11 +111,8 @@ void tty_audit_exit(void)
 	if (!buf)
 		return;
 
-	mutex_lock(&buf->mutex);
 	tty_audit_buf_push(buf);
-	mutex_unlock(&buf->mutex);
-
-	tty_audit_buf_put(buf);
+	tty_audit_buf_free(buf);
 }
 
 /**
@@ -140,21 +132,14 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 {
 	struct tty_audit_buf *buf;
 	dev_t dev;
-	unsigned long flags;
-
-	spin_lock_irqsave(&current->sighand->siglock, flags);
-	buf = current->signal->tty_audit_buf;
-	if (buf)
-		atomic_inc(&buf->count);
-	spin_unlock_irqrestore(&current->sighand->siglock, flags);
 
 	dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
+	buf = current->signal->tty_audit_buf;
 	if (buf) {
 		mutex_lock(&buf->mutex);
 		if (buf->dev == dev)
 			tty_audit_buf_push(buf);
 		mutex_unlock(&buf->mutex);
-		tty_audit_buf_put(buf);
 	}
 
 	if (audit_enabled && (current->signal->audit_tty & AUDIT_TTY_ENABLE)) {
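Review bot: `buf = current->signal->tty_audit_buf;` is now a lockless read of a pointer that another thread may be publishing through the first-use path; the commit message argues it is safe (only exit frees it, and exit is single-threaded), so annotate the read with READ_ONCE() as the series already does for audit_tty, making the intended lockless access visible to readers and tooling. The same applies to the read in tty_audit_push() in the next hunk.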
@@ -175,23 +160,15 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 int tty_audit_push(void)
 {
 	struct tty_audit_buf *buf;
-	unsigned long flags;
 
 	if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
 		return -EPERM;
 
-	spin_lock_irqsave(&current->sighand->siglock, flags);
 	buf = current->signal->tty_audit_buf;
-	if (buf)
-		atomic_inc(&buf->count);
-	spin_unlock_irqrestore(&current->sighand->siglock, flags);
-
 	if (buf) {
 		mutex_lock(&buf->mutex);
 		tty_audit_buf_push(buf);
 		mutex_unlock(&buf->mutex);
-
-		tty_audit_buf_put(buf);
 	}
 	return 0;
 }
@@ -207,15 +184,9 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 	struct tty_audit_buf *buf, *buf2;
 	unsigned long flags;
 
-	buf = NULL;
-	buf2 = NULL;
-	spin_lock_irqsave(&current->sighand->siglock, flags);
 	buf = current->signal->tty_audit_buf;
-	if (buf) {
-		atomic_inc(&buf->count);
-		goto out;
-	}
-	spin_unlock_irqrestore(&current->sighand->siglock, flags);
+	if (buf)
+		return buf;
 
 	buf2 = tty_audit_buf_alloc();
 	if (buf2 == NULL) {
@@ -230,9 +201,6 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 		buf = buf2;
 		buf2 = NULL;
 	}
-	atomic_inc(&buf->count);
-	/* Fall through */
- out:
 	spin_unlock_irqrestore(&current->sighand->siglock, flags);
 	if (buf2)
 		tty_audit_buf_free(buf2);
@@ -289,5 +257,4 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 			tty_audit_buf_push(buf);
 	} while (size != 0);
 	mutex_unlock(&buf->mutex);
-	tty_audit_buf_put(buf);
 }
-- 
2.7.0


* [RESEND][PATCH 10/15] tty: audit: Remove false memory optimization
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

The tty audit buffer is allocated at first use and not freed until
the process exits. If tty audit is turned off after the audit buffer
has been allocated, no effort is made to release the buffer.
So re-checking if tty audit has just been turned off when tty audit
was just on is a false optimization; the likelihood of triggering this
condition is exceedingly small.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 3d90f88..7943984 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -200,8 +200,7 @@ int tty_audit_push(void)
  *	tty_audit_buf_get	-	Get an audit buffer.
  *
  *	Get an audit buffer, allocate it if necessary.  Return %NULL
- *	if TTY auditing is disabled or out of memory.  Otherwise, return a new
- *	reference to the buffer.
+ *	if out of memory.  Otherwise, return a new reference to the buffer.
  */
 static struct tty_audit_buf *tty_audit_buf_get(void)
 {
@@ -224,9 +223,6 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 		return NULL;
 	}
 
-	if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
-		goto out;
-
 	spin_lock_irqsave(&current->sighand->siglock, flags);
 	buf = current->signal->tty_audit_buf;
 	if (!buf) {
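Review bot: removing this check also removes the `goto out;` that 09/15 left reachable before `spin_lock_irqsave()` is taken (the `out:` label ends in `spin_unlock_irqrestore()`), so in the series as ordered the tree contains an unbalanced unlock for one commit; squash this change into 09/15, or move it ahead of it, so that every bisect point is consistent.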
-- 
2.7.0


* [RESEND][PATCH 09/15] tty: audit: Handle tty audit enable atomically
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

The audit_tty and audit_tty_log_passwd fields are actually bool
values, so merge into single memory location to access atomically.

NB: audit log operations may still occur after tty audit is disabled,
which is consistent with the existing functionality.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 53 ++++++++++++++++++++-----------------------------
 include/linux/audit.h   |  4 ++++
 include/linux/sched.h   |  1 -
 kernel/audit.c          | 25 +++++++++++------------
 4 files changed, 38 insertions(+), 45 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 50380d8..3d90f88 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -131,7 +131,6 @@ void tty_audit_exit(void)
 void tty_audit_fork(struct signal_struct *sig)
 {
 	sig->audit_tty = current->signal->audit_tty;
-	sig->audit_tty_log_passwd = current->signal->audit_tty_log_passwd;
 }
 
 /**
@@ -141,11 +140,9 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 {
 	struct tty_audit_buf *buf;
 	dev_t dev;
-	int should_audit;
 	unsigned long flags;
 
 	spin_lock_irqsave(&current->sighand->siglock, flags);
-	should_audit = current->signal->audit_tty;
 	buf = current->signal->tty_audit_buf;
 	if (buf)
 		atomic_inc(&buf->count);
@@ -160,7 +157,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 		tty_audit_buf_put(buf);
 	}
 
-	if (should_audit && audit_enabled) {
+	if (audit_enabled && (current->signal->audit_tty & AUDIT_TTY_ENABLE)) {
 		kuid_t auid;
 		unsigned int sessionid;
 
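Review bot: `current->signal->audit_tty & AUDIT_TTY_ENABLE` is read here with a plain load, while the same field is read with READ_ONCE() in tty_audit_add_data() and in kernel/audit.c within this patch; use READ_ONCE() here and in the new early return in tty_audit_push() as well, so the lockless-read convention this change introduces is applied uniformly.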
@@ -177,29 +174,25 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
  */
 int tty_audit_push(void)
 {
-	struct tty_audit_buf *buf = ERR_PTR(-EPERM);
+	struct tty_audit_buf *buf;
 	unsigned long flags;
 
+	if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
+		return -EPERM;
+
 	spin_lock_irqsave(&current->sighand->siglock, flags);
-	if (current->signal->audit_tty) {
-		buf = current->signal->tty_audit_buf;
-		if (buf)
-			atomic_inc(&buf->count);
-	}
+	buf = current->signal->tty_audit_buf;
+	if (buf)
+		atomic_inc(&buf->count);
 	spin_unlock_irqrestore(&current->sighand->siglock, flags);
 
-	/*
-	 * Return 0 when signal->audit_tty set
-	 * but current->signal->tty_audit_buf == NULL.
-	 */
-	if (!buf || IS_ERR(buf))
-		return PTR_ERR(buf);
-
-	mutex_lock(&buf->mutex);
-	tty_audit_buf_push(buf);
-	mutex_unlock(&buf->mutex);
+	if (buf) {
+		mutex_lock(&buf->mutex);
+		tty_audit_buf_push(buf);
+		mutex_unlock(&buf->mutex);
 
-	tty_audit_buf_put(buf);
+		tty_audit_buf_put(buf);
+	}
 	return 0;
 }
 
@@ -218,8 +211,6 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 	buf = NULL;
 	buf2 = NULL;
 	spin_lock_irqsave(&current->sighand->siglock, flags);
-	if (likely(!current->signal->audit_tty))
-		goto out;
 	buf = current->signal->tty_audit_buf;
 	if (buf) {
 		atomic_inc(&buf->count);
@@ -233,9 +224,10 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 		return NULL;
 	}
 
-	spin_lock_irqsave(&current->sighand->siglock, flags);
-	if (!current->signal->audit_tty)
+	if (~current->signal->audit_tty & AUDIT_TTY_ENABLE)
 		goto out;
+
+	spin_lock_irqsave(&current->sighand->siglock, flags);
 	buf = current->signal->tty_audit_buf;
 	if (!buf) {
 		current->signal->tty_audit_buf = buf2;
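Review bot: the surviving `goto out;` now executes before `spin_lock_irqsave(&current->sighand->siglock, flags);`, which this hunk moves below the check, yet `out:` still ends in `spin_unlock_irqrestore()` (visible in the 11/15 context), so a process whose tty audit was disabled between the caller's check and this point unlocks a lock it does not hold. Replace the jump with `tty_audit_buf_free(buf2); return NULL;`, or take the lock before the check.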
@@ -259,9 +251,8 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 {
 	struct tty_audit_buf *buf;
-	int audit_log_tty_passwd;
-	unsigned long flags;
 	unsigned int icanon = !!L_ICANON(tty);
+	unsigned int audit_tty;
 	dev_t dev;
 
 	if (unlikely(size == 0))
@@ -271,10 +262,10 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 	    && tty->driver->subtype == PTY_TYPE_MASTER)
 		return;
 
-	spin_lock_irqsave(&current->sighand->siglock, flags);
-	audit_log_tty_passwd = current->signal->audit_tty_log_passwd;
-	spin_unlock_irqrestore(&current->sighand->siglock, flags);
-	if (!audit_log_tty_passwd && icanon && !L_ECHO(tty))
+	audit_tty = READ_ONCE(current->signal->audit_tty);
+	if (~audit_tty & AUDIT_TTY_ENABLE)
+		return;
+	if ((~audit_tty & AUDIT_TTY_LOG_PASSWD) && icanon && !L_ECHO(tty))
 		return;
 
 	buf = tty_audit_buf_get();
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 20eba1e..9ed7254 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -109,6 +109,10 @@ extern int audit_classify_compat_syscall(int abi, unsigned syscall);
 /* maximized args number that audit_socketcall can process */
 #define AUDITSC_ARGS		6
 
+/* bit values for ->signal->audit_tty */
+#define AUDIT_TTY_ENABLE	BIT(0)
+#define AUDIT_TTY_LOG_PASSWD	BIT(1)
+
 struct filename;
 
 extern void audit_log_session_info(struct audit_buffer *ab);
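Review bot: BIT() is defined in <linux/bitops.h>, and audit.h is included from many places that may not already pull that header in; either include it here or spell the masks as `(1U << 0)` and `(1U << 1)` so the build does not depend on include order.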
diff --git a/include/linux/sched.h b/include/linux/sched.h
index edad7a4..400a738 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -771,7 +771,6 @@ struct signal_struct {
 #endif
 #ifdef CONFIG_AUDIT
 	unsigned audit_tty;
-	unsigned audit_tty_log_passwd;
 	struct tty_audit_buf *tty_audit_buf;
 #endif
 
diff --git a/kernel/audit.c b/kernel/audit.c
index 270dfb9..dfaa8e7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1031,20 +1031,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		break;
 	case AUDIT_TTY_GET: {
 		struct audit_tty_status s;
-		struct task_struct *tsk = current;
+		unsigned int t;
 
-		spin_lock(&tsk->sighand->siglock);
-		s.enabled = tsk->signal->audit_tty;
-		s.log_passwd = tsk->signal->audit_tty_log_passwd;
-		spin_unlock(&tsk->sighand->siglock);
+		t = READ_ONCE(current->signal->audit_tty);
+		s.enabled = t & AUDIT_TTY_ENABLE;
+		s.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
 
 		audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
 		break;
 	}
 	case AUDIT_TTY_SET: {
 		struct audit_tty_status s, old;
-		struct task_struct *tsk = current;
 		struct audit_buffer	*ab;
+		unsigned int t;
 
 		memset(&s, 0, sizeof(s));
 		/* guard against past and future API changes */
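Review bot: `s.enabled = t & AUDIT_TTY_ENABLE;` only yields 0 or 1 because AUDIT_TTY_ENABLE happens to be BIT(0), whereas `s.log_passwd` is normalised with `!!`; apply `!!` to both so the userspace-visible values do not depend on bit position if the masks are ever reordered.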
@@ -1054,14 +1053,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		    (s.log_passwd != 0 && s.log_passwd != 1))
 			err = -EINVAL;
 
-		spin_lock(&tsk->sighand->siglock);
-		old.enabled = tsk->signal->audit_tty;
-		old.log_passwd = tsk->signal->audit_tty_log_passwd;
-		if (!err) {
-			tsk->signal->audit_tty = s.enabled;
-			tsk->signal->audit_tty_log_passwd = s.log_passwd;
+		if (err)
+			t = READ_ONCE(current->signal->audit_tty);
+		else {
+			t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD);
+			t = xchg(&current->signal->audit_tty, t);
 		}
-		spin_unlock(&tsk->sighand->siglock);
+		old.enabled = t & AUDIT_TTY_ENABLE;
+		old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
 
 		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
 		audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
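Review bot: `t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD);` relies on the preceding validation that both fields are 0 or 1, on the `-1 & mask` idiom, and on `s.enabled` being usable bare as the ENABLE bit; writing it as `(s.enabled ? AUDIT_TTY_ENABLE : 0) | (s.log_passwd ? AUDIT_TTY_LOG_PASSWD : 0)` expresses the same value without those hidden dependencies and survives a change of bit positions.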
-- 
2.7.0


* [RESEND][PATCH 08/15] tty: audit: Track tty association with dev_t
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

Use dev_t instead of separate major/minor fields to track tty
audit buffer association.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6b82c3c..50380d8 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -16,7 +16,7 @@
 struct tty_audit_buf {
 	atomic_t count;
 	struct mutex mutex;	/* Protects all data below */
-	int major, minor;	/* The TTY which the data is from */
+	dev_t dev;		/* The TTY which the data is from */
 	unsigned icanon:1;
 	size_t valid;
 	unsigned char *data;	/* Allocated size N_TTY_BUF_SIZE */
@@ -34,8 +34,7 @@ static struct tty_audit_buf *tty_audit_buf_alloc(void)
 		goto err_buf;
 	atomic_set(&buf->count, 1);
 	mutex_init(&buf->mutex);
-	buf->major = 0;
-	buf->minor = 0;
+	buf->dev = MKDEV(0, 0);
 	buf->icanon = 0;
 	buf->valid = 0;
 	return buf;
@@ -59,7 +58,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
 		tty_audit_buf_free(buf);
 }
 
-static void tty_audit_log(const char *description, int major, int minor,
+static void tty_audit_log(const char *description, dev_t dev,
 			  unsigned char *data, size_t size)
 {
 	struct audit_buffer *ab;
@@ -75,7 +74,7 @@ static void tty_audit_log(const char *description, int major, int minor,
 
 		audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u major=%d"
 				 " minor=%d comm=", description, pid, uid,
-				 loginuid, sessionid, major, minor);
+				 loginuid, sessionid, MAJOR(dev), MINOR(dev));
 		get_task_comm(name, tsk);
 		audit_log_untrustedstring(ab, name);
 		audit_log_format(ab, " data=");
@@ -98,7 +97,7 @@ static void tty_audit_buf_push(struct tty_audit_buf *buf)
 		buf->valid = 0;
 		return;
 	}
-	tty_audit_log("tty", buf->major, buf->minor, buf->data, buf->valid);
+	tty_audit_log("tty", buf->dev, buf->data, buf->valid);
 	buf->valid = 0;
 }
 
@@ -141,7 +140,8 @@ void tty_audit_fork(struct signal_struct *sig)
 void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 {
 	struct tty_audit_buf *buf;
-	int major, minor, should_audit;
+	dev_t dev;
+	int should_audit;
 	unsigned long flags;
 
 	spin_lock_irqsave(&current->sighand->siglock, flags);
@@ -151,11 +151,10 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 		atomic_inc(&buf->count);
 	spin_unlock_irqrestore(&current->sighand->siglock, flags);
 
-	major = tty->driver->major;
-	minor = tty->driver->minor_start + tty->index;
+	dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
 	if (buf) {
 		mutex_lock(&buf->mutex);
-		if (buf->major == major && buf->minor == minor)
+		if (buf->dev == dev)
 			tty_audit_buf_push(buf);
 		mutex_unlock(&buf->mutex);
 		tty_audit_buf_put(buf);
@@ -167,7 +166,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 
 		auid = audit_get_loginuid(current);
 		sessionid = audit_get_sessionid(current);
-		tty_audit_log("ioctl=TIOCSTI", major, minor, &ch, 1);
+		tty_audit_log("ioctl=TIOCSTI", dev, &ch, 1);
 	}
 }
 
@@ -260,10 +259,10 @@ static struct tty_audit_buf *tty_audit_buf_get(void)
 void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 {
 	struct tty_audit_buf *buf;
-	int major, minor;
 	int audit_log_tty_passwd;
 	unsigned long flags;
 	unsigned int icanon = !!L_ICANON(tty);
+	dev_t dev;
 
 	if (unlikely(size == 0))
 		return;
@@ -283,13 +282,10 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 		return;
 
 	mutex_lock(&buf->mutex);
-	major = tty->driver->major;
-	minor = tty->driver->minor_start + tty->index;
-	if (buf->major != major || buf->minor != minor
-	    || buf->icanon != icanon) {
+	dev = MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
+	if (buf->dev != dev || buf->icanon != icanon) {
 		tty_audit_buf_push(buf);
-		buf->major = major;
-		buf->minor = minor;
+		buf->dev = dev;
 		buf->icanon = icanon;
 	}
 	do {
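Review bot: the expression `MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index` now appears both here and in tty_audit_tiocsti(); factor it into a single helper so the two cannot drift apart (tty_io.c exports tty_devnum() computing this same value, if it is suitable for use here).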
-- 
2.7.0


* [RESEND][PATCH 07/15] tty: audit: Combine push functions
From: Peter Hurley @ 2016-01-10  4:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-audit, linux-kernel, Peter Hurley
In-Reply-To: <1452401948-30790-1-git-send-email-peter@hurleysoftware.com>

tty_audit_push() and tty_audit_push_current() perform identical
tasks; eliminate the tty_audit_push() implementation and the
tty_audit_push_current() name.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/tty_audit.c | 35 +++--------------------------------
 include/linux/tty.h     |  8 ++------
 kernel/audit.c          |  2 +-
 3 files changed, 6 insertions(+), 39 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 5ae4839..6b82c3c 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -172,12 +172,11 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 }
 
 /**
- * tty_audit_push_current -	Flush current's pending audit data
+ *	tty_audit_push	-	Flush current's pending audit data
  *
- * Try to lock sighand and get a reference to the tty audit buffer if available.
- * Flush the buffer or return an appropriate error code.
+ *	Returns 0 if success, -EPERM if tty audit is disabled
  */
-int tty_audit_push_current(void)
+int tty_audit_push(void)
 {
 	struct tty_audit_buf *buf = ERR_PTR(-EPERM);
 	unsigned long flags;
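Review bot: the rewritten kerneldoc drops the old sentence about taking sighand and getting a reference on the audit buffer, and "Returns 0 if success" should read "Returns 0 on success"; since `buf` starts as `ERR_PTR(-EPERM)`, the comment should also say what is returned when tty audit is enabled but no buffer exists yet, which the one-line "-EPERM if tty audit is disabled" does not cover. Suggested: "Try to lock sighand and get a reference to the tty audit buffer if available; flush the buffer. Returns 0 on success, -EPERM if tty audit is disabled."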
@@ -309,31 +308,3 @@ void tty_audit_add_data(struct tty_struct *tty, const void *data, size_t size)
 	mutex_unlock(&buf->mutex);
 	tty_audit_buf_put(buf);
 }
-
-/**
- *	tty_audit_push	-	Push buffered data out
- *
- *	Make sure no audit data is pending on the current process.
- */
-void tty_audit_push(void)
-{
-	struct tty_audit_buf *buf;
-	unsigned long flags;
-
-	spin_lock_irqsave(&current->sighand->siglock, flags);
-	if (likely(!current->signal->audit_tty)) {
-		spin_unlock_irqrestore(&current->sighand->siglock, flags);
-		return;
-	}
-	buf = current->signal->tty_audit_buf;
-	if (buf)
-		atomic_inc(&buf->count);
-	spin_unlock_irqrestore(&current->sighand->siglock, flags);
-
-	if (buf) {
-		mutex_lock(&buf->mutex);
-		tty_audit_buf_push(buf);
-		mutex_unlock(&buf->mutex);
-		tty_audit_buf_put(buf);
-	}
-}
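Review bot: the commit message says the two functions "perform identical tasks", but the body removed here differs in one visible way: it returned silently when `current->signal->audit_tty` was clear (`if (likely(!current->signal->audit_tty)) ... return;`), whereas the surviving `int tty_audit_push(void)` reports -EPERM in that case. The log should note that former callers of the void function now receive an error value they may need to ignore, and that the keep-a-reference-then-lock-mutex sequence (`atomic_inc(&buf->count)` under siglock, then `mutex_lock(&buf->mutex)`) is preserved in the retained implementation.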
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 21e3722..b17f759 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -608,8 +608,7 @@ extern void tty_audit_add_data(struct tty_struct *tty, const void *data,
 extern void tty_audit_exit(void);
 extern void tty_audit_fork(struct signal_struct *sig);
 extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
-extern void tty_audit_push(void);
-extern int tty_audit_push_current(void);
+extern int tty_audit_push(void);
 #else
 static inline void tty_audit_add_data(struct tty_struct *tty, const void *data,
 				      size_t size)
@@ -624,10 +623,7 @@ static inline void tty_audit_exit(void)
 static inline void tty_audit_fork(struct signal_struct *sig)
 {
 }
-static inline void tty_audit_push(struct tty_struct *tty)
-{
-}
-static inline int tty_audit_push_current(void)
+static inline int tty_audit_push(void)
 {
 	return 0;
 }
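Review bot: the removed `!CONFIG_AUDIT` stub was declared as `static inline void tty_audit_push(struct tty_struct *tty)` while the declaration it stood in for was `extern void tty_audit_push(void);`, so the two halves of the header disagreed on the signature; this patch removes that mismatch as a side effect, and that is worth a line in the commit message, since it also implies the old `tty_audit_push()` had no callers that would have caught it.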
diff --git a/kernel/audit.c b/kernel/audit.c
index 5ffcbd3..270dfb9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -921,7 +921,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		if (err == 1) { /* match or error */
 			err = 0;
 			if (msg_type == AUDIT_USER_TTY) {
-				err = tty_audit_push_current();
+				err = tty_audit_push();
 				if (err)
 					break;
 			}
-- 
2.7.0


