Linux-audit Archive on lore.kernel.org
* Re: [PATCH] capabilities: audit capability use
From: Topi Miettinen @ 2016-07-11 19:28 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	ebiederm-aS9lmoZGLiVWk0Htik3J/w, pmladek-IBi9RG/b67k,
	luto-DgEjT+Ai2ygdnm+yROfE0A, keescook-F7+t8E8rja9g9hUCZPvPmw,
	Paul Moore, Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
	moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
	open list:CAPABILITIES
In-Reply-To: <0355f70f-8356-f685-d37d-ba28668363a1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

On 07/11/16 16:05, Topi Miettinen wrote:
> On 07/11/16 15:25, Serge E. Hallyn wrote:
>> Quoting Topi Miettinen (toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
>>> There are many basic ways to control processes, including capabilities,
>>> cgroups and resource limits. However, there are far fewer ways to find
>>> out useful values for the limits, except blind trial and error.
>>>
>>> Currently, there is no way to know which capabilities are actually used.
>>> Even the source code is only implicit, in-depth knowledge of each
>>> capability must be used when analyzing a program to judge which
>>> capabilities the program will exercise.
>>>
>>> Generate an audit message at system call exit, when capabilities are used.
>>> This can then be used to configure capability sets for services by a
>>> software developer, maintainer or system administrator.
>>>
>>> Test case demonstrating basic capability monitoring with the new
>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>> rdshell):
>>
>> Thanks, Topi, I'll find time this week to look this over in detail.
>>
>> How much chattier does this make the syslog/journald during a regular
>> boot?  I was thinking "this is audit, we can choose what messages
>> will show up", but I guess that's only what auditd actually listens to,
>> not what kernel emits?  (sorry I've not looked at audit in a long
>> time).  Drat, that makes it seem like tracepoints would be better
>> after all.  But let's see how much it adds to the noise.
> 
> For example "loadkeys" causes thousands of entries. :-( I'm checking how
> to avoid audit message rate limiting, now some messages are lost.
> 
> It's still too easy to drown the logs with noise. That could be limited
> a lot by emitting a message only when the capability is used for the
> first time. But the question is how to define where to start counting
> (fork, exec, and/or setpcap?). I'm also not sure if that is the right
> way to log, since the first use of a capability could be expected and an
> innocent one, but then the 100th one could be malicious.
> 
> It's also very complex and error-prone to collect a capability mask from
> audit logs, which was my original goal.

What if only a summary of capabilities was logged at task exit? That
should make the log volume reasonable.

-Topi

> 
> -Topi
> 
>>
>>> BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
>>> Enter 'help' for a list of built-in commands.
>>>
>>> (initramfs) cd /sys/fs
>>> (initramfs) mount -t cgroup2 cgroup cgroup
>>> [   12.343152] audit_printk_skb: 5886 callbacks suppressed
>>> [   12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
>>> [   12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
>>> [   12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
>>> [   12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
>>> (initramfs) cd cgroup
>>> (initramfs) mkdir test; cd test
>>> [   17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
>>> [   17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
>>> [   17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
>>> [   17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
>>> (initramfs) echo $$ >cgroup.procs
>>> (initramfs) mknod /dev/z_$$ c 1 2
>>> [   28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
>>> [   28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
>>> [   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
>>> [   28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
>>> (initramfs) chown 1234 /dev/z_*
>>> [   34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
>>> [   34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
>>> [   34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
>>> [   34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
>>>
>>> Signed-off-by: Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>> ---
>>>  include/linux/audit.h      |  4 +++
>>>  include/linux/cgroup.h     |  2 ++
>>>  include/uapi/linux/audit.h |  2 ++
>>>  kernel/audit.c             |  7 +++---
>>>  kernel/audit.h             |  1 +
>>>  kernel/auditsc.c           | 28 ++++++++++++++++++++-
>>>  kernel/capability.c        |  5 ++--
>>>  kernel/cgroup.c            | 62 ++++++++++++++++++++++++++++++++++++++++++++++
>>>  8 files changed, 105 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index e38e3fc..971cb2e 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>>>  		__audit_mmap_fd(fd, flags);
>>>  }
>>>  
>>> +extern void audit_log_cap_use(int cap);
>>> +
>>>  extern int audit_n_rules;
>>>  extern int audit_signals;
>>>  #else /* CONFIG_AUDITSYSCALL */
>>> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>>>  { }
>>>  static inline void audit_ptrace(struct task_struct *t)
>>>  { }
>>> +static inline void audit_log_cap_use(int cap)
>>> +{ }
>>>  #define audit_n_rules 0
>>>  #define audit_signals 0
>>>  #endif /* CONFIG_AUDITSYSCALL */
>>> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
>>> index a20320c..b5dc8aa 100644
>>> --- a/include/linux/cgroup.h
>>> +++ b/include/linux/cgroup.h
>>> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
>>>  int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
>>>  int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
>>>  		     struct pid *pid, struct task_struct *tsk);
>>> +struct audit_buffer;
>>> +void audit_cgroup_list(struct audit_buffer *ab);
>>>  
>>>  void cgroup_fork(struct task_struct *p);
>>>  extern int cgroup_can_fork(struct task_struct *p);
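Review bot: the new audit_cgroup_list() prototype has no counterpart for the !CONFIG_CGROUPS case, unlike the static inline stub this patch adds for audit_log_cap_use() under !CONFIG_AUDITSYSCALL. It sits next to proc_cgroup_show() and the other cgroup-only declarations, and kernel/cgroup.c is not built without cgroups, so the call from auditsc.c will not compile or link with CONFIG_AUDITSYSCALL=y and CONFIG_CGROUPS=n. Add `static inline void audit_cgroup_list(struct audit_buffer *ab) { }` in the #else branch, or guard the call in auditsc.c.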
>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>>> index d820aa9..c1ae016 100644
>>> --- a/include/uapi/linux/audit.h
>>> +++ b/include/uapi/linux/audit.h
>>> @@ -111,6 +111,8 @@
>>>  #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
>>>  #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
>>>  #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
>>> +#define AUDIT_CAPABILITY	1330	/* Record showing capability use */
>>> +#define AUDIT_CGROUP		1331	/* Record showing cgroups */
>>>  
>>>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>>>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
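Review bot: 1330 and 1331 are two independent features and belong in separate patches (Tejun asked for the same split); placing them in the 1300-1399 range does match how they are emitted as part of a syscall event from audit_log_exit(). Whichever types survive also need their names added to the user-space record-type table, otherwise ausearch and friends will print them as unknown types. The comment on AUDIT_CGROUP should say what the record contains (the task's cgroup paths) rather than "showing cgroups".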
>>> diff --git a/kernel/audit.c b/kernel/audit.c
>>> index 8d528f9..98dd920 100644
>>> --- a/kernel/audit.c
>>> +++ b/kernel/audit.c
>>> @@ -54,6 +54,7 @@
>>>  #include <linux/kthread.h>
>>>  #include <linux/kernel.h>
>>>  #include <linux/syscalls.h>
>>> +#include <linux/cgroup.h>
>>>  
>>>  #include <linux/audit.h>
>>>  
>>> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
>>>  {
>>>  	int i;
>>>  
>>> -	audit_log_format(ab, " %s=", prefix);
>>> +	audit_log_format(ab, "%s=", prefix);
>>>  	CAP_FOR_EACH_U32(i) {
>>>  		audit_log_format(ab, "%08x",
>>>  				 cap->cap[CAP_LAST_U32 - i]);
>>> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
>>>  	int log = 0;
>>>  
>>>  	if (!cap_isclear(*perm)) {
>>> -		audit_log_cap(ab, "cap_fp", perm);
>>> +		audit_log_cap(ab, " cap_fp", perm);
>>>  		log = 1;
>>>  	}
>>>  	if (!cap_isclear(*inh)) {
>>> -		audit_log_cap(ab, "cap_fi", inh);
>>> +		audit_log_cap(ab, " cap_fi", inh);
>>>  		log = 1;
>>>  	}
>>>  
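Review bot: moving the leading space out of audit_log_cap() and into the prefix changes the output of every caller, but the diff only updates the two calls in audit_log_fcaps(). Any other audit_log_cap() caller left untouched now emits its cap_* field glued to the previous field, which breaks field splitting in user space. Either update every caller in the same patch, or leave audit_log_cap() as it was and let the new AUDIT_CAPABILITY record carry the leading space.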
>>> diff --git a/kernel/audit.h b/kernel/audit.h
>>> index a492f4c..680e8b5 100644
>>> --- a/kernel/audit.h
>>> +++ b/kernel/audit.h
>>> @@ -202,6 +202,7 @@ struct audit_context {
>>>  	};
>>>  	int fds[2];
>>>  	struct audit_proctitle proctitle;
>>> +	kernel_cap_t cap_used;
>>>  };
>>>  
>>>  extern u32 audit_ever_enabled;
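Review bot: nothing in this patch clears cap_used after the record has been emitted. The context is zeroed on allocation but is reused by the same task for every later syscall, so a capability raised once stays set in the mask reported for all subsequent events and the 1330 record stops describing the syscall it is attached to, although the commit message says "at system call exit". Reset it with cap_clear() in the syscall-exit cleanup next to the other per-syscall fields, or document that the mask is cumulative for the task.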
>>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>>> index 2672d10..32c3813 100644
>>> --- a/kernel/auditsc.c
>>> +++ b/kernel/auditsc.c
>>> @@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
>>>   * References in it _are_ dropped - at the same time we free/drop aux stuff.
>>>   */
>>>  
>>> -#ifdef CONFIG_AUDIT_TREE
>>>  static void audit_set_auditable(struct audit_context *ctx)
>>>  {
>>>  	if (!ctx->prio) {
>>> @@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
>>>  	}
>>>  }
>>>  
>>> +#ifdef CONFIG_AUDIT_TREE
>>>  static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
>>>  {
>>>  	struct audit_tree_refs *p = ctx->trees;
>>> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>>>  
>>>  	audit_log_proctitle(tsk, context);
>>>  
>>> +	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
>>> +	if (ab) {
>>> +		audit_log_cap(ab, "cap_used", &context->cap_used);
>>> +		audit_log_end(ab);
>>> +	}
>>> +	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
>>> +	if (ab) {
>>> +		audit_log_format(ab, "cgroups=");
>>> +		audit_cgroup_list(ab);
>>> +		audit_log_end(ab);
>>> +	}
>>> +
>>>  	/* Send end of event record to help user space know we are finished */
>>>  	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
>>>  	if (ab)
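Review bot: both new records are emitted unconditionally for every syscall event, so a 1330 record reading cap_used=0000000000000000 and a full cgroup listing are attached even when no capability was checked. Gate the AUDIT_CAPABILITY record on !cap_isclear(context->cap_used), and consider emitting the AUDIT_CGROUP record only in that case as well, since the cgroup of a process that used no privilege says nothing about which capabilities it needs. Together with audit_set_auditable() being called on every successful check, this is where the volume Serge asked about comes from.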
>>> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
>>>  		return NULL;
>>>  	return &ctx->killed_trees;
>>>  }
>>> +
>>> +void audit_log_cap_use(int cap)
>>> +{
>>> +	struct audit_context *context = current->audit_context;
>>> +
>>> +	if (context) {
>>> +		cap_raise(context->cap_used, cap);
>>> +		audit_set_auditable(context);
>>> +	} else {
>>> +		audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
>>> +			  "cap_used=%d pid=%d no audit_context",
>>> +			  cap, task_pid_nr(current));
>>> +	}
>>> +}
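Review bot: the two branches give the cap_used= field different meanings under the same AUDIT_CAPABILITY type: the exit path prints a hex kernel_cap_t mask through audit_log_cap(), while the fallback here prints a single decimal capability number with %d, so a consumer cannot tell "12" (CAP_NET_ADMIN) from a mask by record type alone. Use a distinct field name for the fallback, or format it through audit_log_cap() too. Separately, audit_set_auditable() raises the context to AUDIT_RECORD_CONTEXT regardless of the configured rules, so every syscall that passes a capability check is recorded the moment this patch is applied; leaving that decision to the filter rules and only attaching the record to events that are already being recorded would be far less noisy.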
>>> diff --git a/kernel/capability.c b/kernel/capability.c
>>> index 45432b5..d45d5b1 100644
>>> --- a/kernel/capability.c
>>> +++ b/kernel/capability.c
>>> @@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
>>>   * @ns:  The usernamespace we want the capability in
>>>   * @cap: The capability to be tested for
>>>   *
>>> - * Return true if the current task has the given superior capability currently
>>> - * available for use, false if not.
>>> + * Return true if the current task has the given superior capability
>>> + * currently available for use, false if not. Write an audit message.
>>>   *
>>>   * This sets PF_SUPERPRIV on the task if the capability is available on the
>>>   * assumption that it's about to be used.
>>> @@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
>>>  	}
>>>  
>>>  	if (security_capable(current_cred(), ns, cap) == 0) {
>>> +		audit_log_cap_use(cap);
>>>  		current->flags |= PF_SUPERPRIV;
>>>  		return true;
>>>  	}
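Review bot: ns_capable() is reached from code that may not be able to sleep, and when there is no audit_context the hook falls back to audit_log(..., GFP_NOFS, ...); GFP_NOFS still allows audit_log_start() to block on the backlog wait. The LSM audit path uses GFP_ATOMIC for exactly this reason and this call should too. Also, only ns_capable() is instrumented; checks made through has_ns_capability() or has_capability_noaudit() bypass the hook, so the resulting mask is a lower bound on what a program needs, which the commit message should state.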
>>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>>> index 75c0ff0..1931679 100644
>>> --- a/kernel/cgroup.c
>>> +++ b/kernel/cgroup.c
>>> @@ -63,6 +63,7 @@
>>>  #include <linux/nsproxy.h>
>>>  #include <linux/proc_ns.h>
>>>  #include <net/sock.h>
>>> +#include <linux/audit.h>
>>>  
>>>  /*
>>>   * pidlists linger the following amount before being destroyed.  The goal
>>> @@ -5789,6 +5790,67 @@ out:
>>>  	return retval;
>>>  }
>>>  
>>> +/*
>>> + * audit_cgroup_list()
>>> + *  - Print task's cgroup paths with audit_log_format()
>>> + *  - Used for capability audit logging
>>> + *  - Otherwise very similar to proc_cgroup_show().
>>> + */
>>> +void audit_cgroup_list(struct audit_buffer *ab)
>>> +{
>>> +	char *buf, *path;
>>> +	struct cgroup_root *root;
>>> +
>>> +	buf = kmalloc(PATH_MAX, GFP_NOFS);
>>> +	if (!buf)
>>> +		return;
>>> +
>>> +	mutex_lock(&cgroup_mutex);
>>> +	spin_lock_irq(&css_set_lock);
>>> +
>>> +	for_each_root(root) {
>>> +		struct cgroup_subsys *ss;
>>> +		struct cgroup *cgrp;
>>> +		int ssid, count = 0;
>>> +
>>> +		if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
>>> +			continue;
>>> +
>>> +		if (root != &cgrp_dfl_root)
>>> +			for_each_subsys(ss, ssid)
>>> +				if (root->subsys_mask & (1 << ssid))
>>> +					audit_log_format(ab, "%s%s",
>>> +							 count++ ? "," : "",
>>> +							 ss->legacy_name);
>>> +		if (strlen(root->name))
>>> +			audit_log_format(ab, "%sname=%s", count ? "," : "",
>>> +					 root->name);
>>> +		audit_log_format(ab, ":");
>>> +
>>> +		cgrp = task_cgroup_from_root(current, root);
>>> +
>>> +		if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
>>> +			path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
>>> +						current->nsproxy->cgroup_ns);
>>> +			if (!path)
>>> +				goto out_unlock;
>>> +		} else
>>> +			path = "/";
>>> +
>>> +		audit_log_format(ab, "%s", path);
>>> +
>>> +		if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
>>> +			audit_log_format(ab, " (deleted);");
>>> +		else
>>> +			audit_log_format(ab, ";");
>>> +	}
>>> +
>>> +out_unlock:
>>> +	spin_unlock_irq(&css_set_lock);
>>> +	mutex_unlock(&cgroup_mutex);
>>> +	kfree(buf);
>>> +}
>>> +
>>>  /* Display information about each subsystem and each hierarchy */
>>>  static int proc_cgroupstats_show(struct seq_file *m, void *v)
>>>  {
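Review bot: when cgroup_path_ns_locked() fails the function jumps to out_unlock after the subsystem list and ':' for that root have already been written, so the record ends in a dangling "name:" with no sign that it was cut short; write a marker before bailing out. The buffer is PATH_MAX, so that failure is the arbitrarily-long-path case Tejun raised. Taking the global cgroup_mutex and css_set_lock on every audited syscall exit is also much more frequent than /proc/<pid>/cgroup reads, and the loop duplicates proc_cgroup_show() almost line for line; a shared helper with an output callback would keep the two formats in sync. Minor: kmalloc() here uses GFP_NOFS while the surrounding audit_log_start() calls use GFP_KERNEL, and the function reads `current` although audit_log_exit() is given an explicit tsk.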
>>> -- 
>>> 2.8.1
> 

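The 1330 records in the test output carry only the cap_used= mask; the executable that exercised the capability is in the 1300 record that shares the same audit(<ts>:<serial>) event key, so a user-space consumer has to join the two, which is the bookkeeping this message calls error-prone. The script below is an added example, not part of the patch or of the thread: it joins records by serial, decodes the mask the way audit_log_cap() prints it (highest 32-bit word first, so the string reads as one big-endian mask with bit n = capability n), accepts the decimal cap_used=%d form that the no-audit_context fallback in the patch emits, and unions the result per executable. The log lines are abbreviated from the test case above plus one constructed fallback record (serial 522, pid 480, CAP_NET_ADMIN) that does not appear in the thread.

```python
import re
from collections import defaultdict

# Capability numbers in include/uapi/linux/capability.h order (0..37).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

AUDIT_SYSCALL = 1300     # existing record: carries comm=/exe=/pid=
AUDIT_CAPABILITY = 1330  # record added by the patch: cap_used=<mask>

RECORD_RE = re.compile(r"type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: 1300/1330 pairs abbreviated from the test output in the
# thread, plus one constructed line (serial 522, pid 480) in the shape of
# the no-audit_context fallback in audit_log_cap_use().
SAMPLE_LINES = [
    '[   12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 pid=470 comm="mount" exe="/bin/mount" key=(null)',
    '[   12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000',
    '[   12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;',
    '[   17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 pid=471 comm="mkdir" exe="/bin/mkdir" key=(null)',
    '[   17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002',
    '[   28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 pid=472 comm="mknod" exe="/bin/mknod" key=(null)',
    '[   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000',
    '[   34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 pid=473 comm="chown" exe="/bin/chown" key=(null)',
    '[   34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001',
    '[   40.000000] audit: type=1330 audit(1468234345.000:522): cap_used=12 pid=480 no audit_context',
]


def parse_record(line):
    """Return (type, serial, fields) for one audit line, or None if it is not one."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return int(rtype), int(serial), fields


def decode_cap_used(value):
    """Decode a cap_used= value into a set of capability numbers.

    audit_log_cap() emits the kernel_cap_t as 8-hex-digit words, highest
    word first, so the whole string is one big-endian mask (bit n = cap n).
    The no-audit_context fallback in the patch prints a single decimal
    capability number instead; a short all-decimal value is treated as that.
    """
    if len(value) >= 16 and all(c in "0123456789abcdefABCDEF" for c in value):
        mask = int(value, 16)
        return {n for n in range(mask.bit_length()) if mask >> n & 1}
    return {int(value)}


def cap_name(n):
    return CAP_NAMES[n] if n < len(CAP_NAMES) else "CAP_%d" % n


def capability_sets(lines):
    """Union the capabilities each executable exercised, keyed by exe=.

    Records of one event share the audit(<ts>:<serial>) key; that is how a
    1330 record is joined to the 1300 record naming the executable. Fallback
    records have no 1300 partner and are keyed by their pid= instead.
    """
    exe_by_serial = {}
    caps_by_serial = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        if rtype == AUDIT_SYSCALL and "exe" in fields:
            exe_by_serial[serial] = fields["exe"]
        elif rtype == AUDIT_CAPABILITY and "cap_used" in fields:
            label, caps = caps_by_serial.setdefault(
                serial, ("pid=" + fields.get("pid", "?"), set()))
            caps |= decode_cap_used(fields["cap_used"])
    merged = defaultdict(set)
    for serial, (label, caps) in caps_by_serial.items():
        merged[exe_by_serial.get(serial, label)] |= caps
    return {exe: [cap_name(n) for n in sorted(caps)] for exe, caps in merged.items()}


if __name__ == "__main__":
    for exe, caps in sorted(capability_sets(SAMPLE_LINES).items()):
        print("%-12s %s" % (exe, ",".join(caps)))
```

Run over a real log the join has to be done per event serial rather than per line, because the 1330 record never repeats comm= or exe=; a consumer that keys on pid alone will misattribute records once pids are recycled.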

* Re: Upgrading audit package
From: Steve Grubb @ 2016-07-11 17:17 UTC (permalink / raw)
  To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit@redhat.com
In-Reply-To: <AT5PR84MB0147DED332FD7CB7115B5B3BFA3F0@AT5PR84MB0147.NAMPRD84.PROD.OUTLOOK.COM>

Hello,

On Monday, July 11, 2016 8:17:50 AM EDT Bhagwat, Shriniketan Manjunath wrote:
> I am using audit in my development environment. My development environment
> is as below.
> 
> RHEL 5.2 with kernel 2.6.32-431.el6.x86_64 and audit-2.2-2.el6.x86_64.
> SUSE 11 SP3 with kernel 3.0.76-0.11-default and audit-1.8-0.30.1
> 
> As I understand the above audit packages I am using in my environment are
> user space audit. I want to upgrade it to the latest version.

RHEL5's last valid audit package would be 1.8. The 2.x branch removed 
functions from the ABI and changed the buffer size which means that you would 
have to recompile everything that has a dependency on audit-libs. If they are 
using any removed functions you would have to patch them to use something 
else.

> If I upgrade the audit packages to latest version 2.6.X will there be any
> issues?

Probably. The audit 2.x release also has a soname number change for libaudit. 
Apps won't be able to find it during startup.

> Linux Audit kernel available with kernel 2.6.32-431.el6.x86_64 and
> 3.0.76-0.11 are compatible with user space audit 2.6.X?

I have never tested that configuration. It will likely work except for the 
missing kernel support. The bigger issue is everything in user space that 
links against libaudit.

> In your opinion what
> is the suitable audit package for my environment to upgrade? If these topics
> are already documented please guide me to the documentation.

Speaking for the RHEL side of things...if it's a RHEL5 system, audit-1.8 is the 
end of the line. After that you are in unknown territory.

-Steve


* Re: [PATCH] capabilities: audit capability use
From: Tejun Heo @ 2016-07-11 17:09 UTC (permalink / raw)
  To: Topi Miettinen
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	ebiederm-aS9lmoZGLiVWk0Htik3J/w, mladek-IBi9RG/b67k,
	luto-DgEjT+Ai2ygdnm+yROfE0A, serge-A9i7LUbDfNHQT0dZR+AlfA,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Paul Moore, Eric Paris, Li Zefan,
	Johannes Weiner, Serge Hallyn, moderated list:AUDIT SUBSYSTEM,
	open list:CONTROL GROUP (CGROUP), open list:CAPABILITIES
In-Reply-To: <1468235672-3745-1-git-send-email-toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

Hello,

On Mon, Jul 11, 2016 at 02:14:31PM +0300, Topi Miettinen wrote:
> [   28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
> [   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
> [   28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;

Please don't put additions of the two different audit types into one
patch and I don't think the cgroup audit logging makes much sense.
Without logging all migrations, it doesn't help auditing all that
much.  Also, printing all cgroup membership like that can be
problematic for audit as it can be arbitrarily long.

Thanks.

-- 
tejun


* Re: [PATCH] capabilities: audit capability use
From: Topi Miettinen @ 2016-07-11 16:05 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	ebiederm-aS9lmoZGLiVWk0Htik3J/w, mladek-IBi9RG/b67k,
	luto-DgEjT+Ai2ygdnm+yROfE0A, keescook-F7+t8E8rja9g9hUCZPvPmw,
	Paul Moore, Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner,
	moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
	open list:CAPABILITIES
In-Reply-To: <20160711152543.GA17459-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>

On 07/11/16 15:25, Serge E. Hallyn wrote:
> Quoting Topi Miettinen (toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
>> There are many basic ways to control processes, including capabilities,
>> cgroups and resource limits. However, there are far fewer ways to find
>> out useful values for the limits, except blind trial and error.
>>
>> Currently, there is no way to know which capabilities are actually used.
>> Even the source code is only implicit, in-depth knowledge of each
>> capability must be used when analyzing a program to judge which
>> capabilities the program will exercise.
>>
>> Generate an audit message at system call exit, when capabilities are used.
>> This can then be used to configure capability sets for services by a
>> software developer, maintainer or system administrator.
>>
>> Test case demonstrating basic capability monitoring with the new
>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>> rdshell):
> 
> Thanks, Topi, I'll find time this week to look this over in detail.
> 
> How much chattier does this make the syslog/journald during a regular
> boot?  I was thinking "this is audit, we can choose what messages
> will show up", but I guess that's only what auditd actually listens to,
> not what kernel emits?  (sorry I've not looked at audit in a long
> time).  Drat, that makes it seem like tracepoints would be better
> after all.  But let's see how much it adds to the noise.

For example "loadkeys" causes thousands of entries. :-( I'm checking how
to avoid audit message rate limiting, now some messages are lost.

It's still too easy to drown the logs with noise. That could be limited
a lot by emitting a message only when the capability is used for the
first time. But the question is how to define where to start counting
(fork, exec, and/or setpcap?). I'm also not sure if that is the right
way to log, since the first use of a capability could be expected and an
innocent one, but then the 100th one could be malicious.

It's also very complex and error-prone to collect a capability mask from
audit logs, which was my original goal.

-Topi

> 
>> BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
>> Enter 'help' for a list of built-in commands.
>>
>> (initramfs) cd /sys/fs
>> (initramfs) mount -t cgroup2 cgroup cgroup
>> [   12.343152] audit_printk_skb: 5886 callbacks suppressed
>> [   12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
>> [   12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
>> [   12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
>> [   12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
>> (initramfs) cd cgroup
>> (initramfs) mkdir test; cd test
>> [   17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
>> [   17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
>> [   17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
>> [   17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
>> (initramfs) echo $$ >cgroup.procs
>> (initramfs) mknod /dev/z_$$ c 1 2
>> [   28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
>> [   28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
>> [   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
>> [   28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
>> (initramfs) chown 1234 /dev/z_*
>> [   34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
>> [   34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
>> [   34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
>> [   34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
>>
>> Signed-off-by: Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>> ---
>>  include/linux/audit.h      |  4 +++
>>  include/linux/cgroup.h     |  2 ++
>>  include/uapi/linux/audit.h |  2 ++
>>  kernel/audit.c             |  7 +++---
>>  kernel/audit.h             |  1 +
>>  kernel/auditsc.c           | 28 ++++++++++++++++++++-
>>  kernel/capability.c        |  5 ++--
>>  kernel/cgroup.c            | 62 ++++++++++++++++++++++++++++++++++++++++++++++
>>  8 files changed, 105 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index e38e3fc..971cb2e 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>>  		__audit_mmap_fd(fd, flags);
>>  }
>>  
>> +extern void audit_log_cap_use(int cap);
>> +
>>  extern int audit_n_rules;
>>  extern int audit_signals;
>>  #else /* CONFIG_AUDITSYSCALL */
>> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>>  { }
>>  static inline void audit_ptrace(struct task_struct *t)
>>  { }
>> +static inline void audit_log_cap_use(int cap)
>> +{ }
>>  #define audit_n_rules 0
>>  #define audit_signals 0
>>  #endif /* CONFIG_AUDITSYSCALL */
>> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
>> index a20320c..b5dc8aa 100644
>> --- a/include/linux/cgroup.h
>> +++ b/include/linux/cgroup.h
>> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
>>  int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
>>  int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
>>  		     struct pid *pid, struct task_struct *tsk);
>> +struct audit_buffer;
>> +void audit_cgroup_list(struct audit_buffer *ab);
>>  
>>  void cgroup_fork(struct task_struct *p);
>>  extern int cgroup_can_fork(struct task_struct *p);
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index d820aa9..c1ae016 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -111,6 +111,8 @@
>>  #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
>>  #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
>>  #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
>> +#define AUDIT_CAPABILITY	1330	/* Record showing capability use */
>> +#define AUDIT_CGROUP		1331	/* Record showing cgroups */
>>  
>>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
>> diff --git a/kernel/audit.c b/kernel/audit.c
>> index 8d528f9..98dd920 100644
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -54,6 +54,7 @@
>>  #include <linux/kthread.h>
>>  #include <linux/kernel.h>
>>  #include <linux/syscalls.h>
>> +#include <linux/cgroup.h>
>>  
>>  #include <linux/audit.h>
>>  
>> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
>>  {
>>  	int i;
>>  
>> -	audit_log_format(ab, " %s=", prefix);
>> +	audit_log_format(ab, "%s=", prefix);
>>  	CAP_FOR_EACH_U32(i) {
>>  		audit_log_format(ab, "%08x",
>>  				 cap->cap[CAP_LAST_U32 - i]);
>> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
>>  	int log = 0;
>>  
>>  	if (!cap_isclear(*perm)) {
>> -		audit_log_cap(ab, "cap_fp", perm);
>> +		audit_log_cap(ab, " cap_fp", perm);
>>  		log = 1;
>>  	}
>>  	if (!cap_isclear(*inh)) {
>> -		audit_log_cap(ab, "cap_fi", inh);
>> +		audit_log_cap(ab, " cap_fi", inh);
>>  		log = 1;
>>  	}
>>  
>> diff --git a/kernel/audit.h b/kernel/audit.h
>> index a492f4c..680e8b5 100644
>> --- a/kernel/audit.h
>> +++ b/kernel/audit.h
>> @@ -202,6 +202,7 @@ struct audit_context {
>>  	};
>>  	int fds[2];
>>  	struct audit_proctitle proctitle;
>> +	kernel_cap_t cap_used;
>>  };
>>  
>>  extern u32 audit_ever_enabled;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 2672d10..32c3813 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
>>   * References in it _are_ dropped - at the same time we free/drop aux stuff.
>>   */
>>  
>> -#ifdef CONFIG_AUDIT_TREE
>>  static void audit_set_auditable(struct audit_context *ctx)
>>  {
>>  	if (!ctx->prio) {
>> @@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
>>  	}
>>  }
>>  
>> +#ifdef CONFIG_AUDIT_TREE
>>  static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
>>  {
>>  	struct audit_tree_refs *p = ctx->trees;
>> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>>  
>>  	audit_log_proctitle(tsk, context);
>>  
>> +	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
>> +	if (ab) {
>> +		audit_log_cap(ab, "cap_used", &context->cap_used);
>> +		audit_log_end(ab);
>> +	}
>> +	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
>> +	if (ab) {
>> +		audit_log_format(ab, "cgroups=");
>> +		audit_cgroup_list(ab);
>> +		audit_log_end(ab);
>> +	}
>> +
>>  	/* Send end of event record to help user space know we are finished */
>>  	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
>>  	if (ab)
>> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
>>  		return NULL;
>>  	return &ctx->killed_trees;
>>  }
>> +
>> +void audit_log_cap_use(int cap)
>> +{
>> +	struct audit_context *context = current->audit_context;
>> +
>> +	if (context) {
>> +		cap_raise(context->cap_used, cap);
>> +		audit_set_auditable(context);
>> +	} else {
>> +		audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
>> +			  "cap_used=%d pid=%d no audit_context",
>> +			  cap, task_pid_nr(current));
>> +	}
>> +}
>> diff --git a/kernel/capability.c b/kernel/capability.c
>> index 45432b5..d45d5b1 100644
>> --- a/kernel/capability.c
>> +++ b/kernel/capability.c
>> @@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
>>   * @ns:  The usernamespace we want the capability in
>>   * @cap: The capability to be tested for
>>   *
>> - * Return true if the current task has the given superior capability currently
>> - * available for use, false if not.
>> + * Return true if the current task has the given superior capability
>> + * currently available for use, false if not. Write an audit message.
>>   *
>>   * This sets PF_SUPERPRIV on the task if the capability is available on the
>>   * assumption that it's about to be used.
>> @@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
>>  	}
>>  
>>  	if (security_capable(current_cred(), ns, cap) == 0) {
>> +		audit_log_cap_use(cap);
>>  		current->flags |= PF_SUPERPRIV;
>>  		return true;
>>  	}
>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>> index 75c0ff0..1931679 100644
>> --- a/kernel/cgroup.c
>> +++ b/kernel/cgroup.c
>> @@ -63,6 +63,7 @@
>>  #include <linux/nsproxy.h>
>>  #include <linux/proc_ns.h>
>>  #include <net/sock.h>
>> +#include <linux/audit.h>
>>  
>>  /*
>>   * pidlists linger the following amount before being destroyed.  The goal
>> @@ -5789,6 +5790,67 @@ out:
>>  	return retval;
>>  }
>>  
>> +/*
>> + * audit_cgroup_list()
>> + *  - Print task's cgroup paths with audit_log_format()
>> + *  - Used for capability audit logging
>> + *  - Otherwise very similar to proc_cgroup_show().
>> + */
>> +void audit_cgroup_list(struct audit_buffer *ab)
>> +{
>> +	char *buf, *path;
>> +	struct cgroup_root *root;
>> +
>> +	buf = kmalloc(PATH_MAX, GFP_NOFS);
>> +	if (!buf)
>> +		return;
>> +
>> +	mutex_lock(&cgroup_mutex);
>> +	spin_lock_irq(&css_set_lock);
>> +
>> +	for_each_root(root) {
>> +		struct cgroup_subsys *ss;
>> +		struct cgroup *cgrp;
>> +		int ssid, count = 0;
>> +
>> +		if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
>> +			continue;
>> +
>> +		if (root != &cgrp_dfl_root)
>> +			for_each_subsys(ss, ssid)
>> +				if (root->subsys_mask & (1 << ssid))
>> +					audit_log_format(ab, "%s%s",
>> +							 count++ ? "," : "",
>> +							 ss->legacy_name);
>> +		if (strlen(root->name))
>> +			audit_log_format(ab, "%sname=%s", count ? "," : "",
>> +					 root->name);
>> +		audit_log_format(ab, ":");
>> +
>> +		cgrp = task_cgroup_from_root(current, root);
>> +
>> +		if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
>> +			path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
>> +						current->nsproxy->cgroup_ns);
>> +			if (!path)
>> +				goto out_unlock;
>> +		} else
>> +			path = "/";
>> +
>> +		audit_log_format(ab, "%s", path);
>> +
>> +		if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
>> +			audit_log_format(ab, " (deleted);");
>> +		else
>> +			audit_log_format(ab, ";");
>> +	}
>> +
>> +out_unlock:
>> +	spin_unlock_irq(&css_set_lock);
>> +	mutex_unlock(&cgroup_mutex);
>> +	kfree(buf);
>> +}
>> +
>>  /* Display information about each subsystem and each hierarchy */
>>  static int proc_cgroupstats_show(struct seq_file *m, void *v)
>>  {
>> -- 
>> 2.8.1


* Re: [PATCH] capabilities: audit capability use
From: Serge E. Hallyn @ 2016-07-11 15:25 UTC (permalink / raw)
  To: Topi Miettinen
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	ebiederm-aS9lmoZGLiVWk0Htik3J/w, mladek-IBi9RG/b67k,
	luto-DgEjT+Ai2ygdnm+yROfE0A, serge-A9i7LUbDfNHQT0dZR+AlfA,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Paul Moore, Eric Paris,
	Tejun Heo, Li Zefan, Johannes Weiner, Serge Hallyn,
	moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP (CGROUP),
	open list:CAPABILITIES
In-Reply-To: <1468235672-3745-1-git-send-email-toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

Quoting Topi Miettinen (toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
> 
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit; in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
> 
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
> 
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):

Thanks, Topi, I'll find time this week to look this over in detail.

How much chattier does this make the syslog/journald during a regular
boot?  I was thinking "this is audit, we can choose what messages
will show up", but I guess that's only what auditd actually listens to,
not what the kernel emits?  (Sorry, I've not looked at audit in a long
time).  Drat, that makes it seem like tracepoints would be better
after all.  But let's see how much it adds to the noise.

> BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
> Enter 'help' for a list of built-in commands.
> 
> (initramfs) cd /sys/fs
> (initramfs) mount -t cgroup2 cgroup cgroup
> [   12.343152] audit_printk_skb: 5886 callbacks suppressed
> [   12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
> [   12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
> [   12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
> [   12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
> (initramfs) cd cgroup
> (initramfs) mkdir test; cd test
> [   17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
> [   17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
> [   17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
> [   17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
> (initramfs) echo $$ >cgroup.procs
> (initramfs) mknod /dev/z_$$ c 1 2
> [   28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
> [   28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
> [   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
> [   28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
> (initramfs) chown 1234 /dev/z_*
> [   34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
> [   34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
> [   34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
> [   34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
> 
> Signed-off-by: Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  include/linux/audit.h      |  4 +++
>  include/linux/cgroup.h     |  2 ++
>  include/uapi/linux/audit.h |  2 ++
>  kernel/audit.c             |  7 +++---
>  kernel/audit.h             |  1 +
>  kernel/auditsc.c           | 28 ++++++++++++++++++++-
>  kernel/capability.c        |  5 ++--
>  kernel/cgroup.c            | 62 ++++++++++++++++++++++++++++++++++++++++++++++
>  8 files changed, 105 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e38e3fc..971cb2e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>  		__audit_mmap_fd(fd, flags);
>  }
>  
> +extern void audit_log_cap_use(int cap);
> +
>  extern int audit_n_rules;
>  extern int audit_signals;
>  #else /* CONFIG_AUDITSYSCALL */
> @@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
>  { }
>  static inline void audit_ptrace(struct task_struct *t)
>  { }
> +static inline void audit_log_cap_use(int cap)
> +{ }
>  #define audit_n_rules 0
>  #define audit_signals 0
>  #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
> index a20320c..b5dc8aa 100644
> --- a/include/linux/cgroup.h
> +++ b/include/linux/cgroup.h
> @@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
>  int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
>  int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
>  		     struct pid *pid, struct task_struct *tsk);
> +struct audit_buffer;
> +void audit_cgroup_list(struct audit_buffer *ab);
>  
>  void cgroup_fork(struct task_struct *p);
>  extern int cgroup_can_fork(struct task_struct *p);
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index d820aa9..c1ae016 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,8 @@
>  #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
>  #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
> +#define AUDIT_CAPABILITY	1330	/* Record showing capability use */
> +#define AUDIT_CGROUP		1331	/* Record showing cgroups */
>  
>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 8d528f9..98dd920 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -54,6 +54,7 @@
>  #include <linux/kthread.h>
>  #include <linux/kernel.h>
>  #include <linux/syscalls.h>
> +#include <linux/cgroup.h>
>  
>  #include <linux/audit.h>
>  
> @@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
>  {
>  	int i;
>  
> -	audit_log_format(ab, " %s=", prefix);
> +	audit_log_format(ab, "%s=", prefix);
>  	CAP_FOR_EACH_U32(i) {
>  		audit_log_format(ab, "%08x",
>  				 cap->cap[CAP_LAST_U32 - i]);
> @@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
>  	int log = 0;
>  
>  	if (!cap_isclear(*perm)) {
> -		audit_log_cap(ab, "cap_fp", perm);
> +		audit_log_cap(ab, " cap_fp", perm);
>  		log = 1;
>  	}
>  	if (!cap_isclear(*inh)) {
> -		audit_log_cap(ab, "cap_fi", inh);
> +		audit_log_cap(ab, " cap_fi", inh);
>  		log = 1;
>  	}
>  
> diff --git a/kernel/audit.h b/kernel/audit.h
> index a492f4c..680e8b5 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -202,6 +202,7 @@ struct audit_context {
>  	};
>  	int fds[2];
>  	struct audit_proctitle proctitle;
> +	kernel_cap_t cap_used;
>  };
>  
>  extern u32 audit_ever_enabled;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 2672d10..32c3813 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
>   * References in it _are_ dropped - at the same time we free/drop aux stuff.
>   */
>  
> -#ifdef CONFIG_AUDIT_TREE
>  static void audit_set_auditable(struct audit_context *ctx)
>  {
>  	if (!ctx->prio) {
> @@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
>  	}
>  }
>  
> +#ifdef CONFIG_AUDIT_TREE
>  static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
>  {
>  	struct audit_tree_refs *p = ctx->trees;
> @@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
>  
>  	audit_log_proctitle(tsk, context);
>  
> +	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
> +	if (ab) {
> +		audit_log_cap(ab, "cap_used", &context->cap_used);
> +		audit_log_end(ab);
> +	}
> +	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
> +	if (ab) {
> +		audit_log_format(ab, "cgroups=");
> +		audit_cgroup_list(ab);
> +		audit_log_end(ab);
> +	}
> +
>  	/* Send end of event record to help user space know we are finished */
>  	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
>  	if (ab)
> @@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
>  		return NULL;
>  	return &ctx->killed_trees;
>  }
> +
> +void audit_log_cap_use(int cap)
> +{
> +	struct audit_context *context = current->audit_context;
> +
> +	if (context) {
> +		cap_raise(context->cap_used, cap);
> +		audit_set_auditable(context);
> +	} else {
> +		audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
> +			  "cap_used=%d pid=%d no audit_context",
> +			  cap, task_pid_nr(current));
> +	}
> +}
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 45432b5..d45d5b1 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
>   * @ns:  The usernamespace we want the capability in
>   * @cap: The capability to be tested for
>   *
> - * Return true if the current task has the given superior capability currently
> - * available for use, false if not.
> + * Return true if the current task has the given superior capability
> + * currently available for use, false if not. Write an audit message.
>   *
>   * This sets PF_SUPERPRIV on the task if the capability is available on the
>   * assumption that it's about to be used.
> @@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
>  	}
>  
>  	if (security_capable(current_cred(), ns, cap) == 0) {
> +		audit_log_cap_use(cap);
>  		current->flags |= PF_SUPERPRIV;
>  		return true;
>  	}
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 75c0ff0..1931679 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -63,6 +63,7 @@
>  #include <linux/nsproxy.h>
>  #include <linux/proc_ns.h>
>  #include <net/sock.h>
> +#include <linux/audit.h>
>  
>  /*
>   * pidlists linger the following amount before being destroyed.  The goal
> @@ -5789,6 +5790,67 @@ out:
>  	return retval;
>  }
>  
> +/*
> + * audit_cgroup_list()
> + *  - Print task's cgroup paths with audit_log_format()
> + *  - Used for capability audit logging
> + *  - Otherwise very similar to proc_cgroup_show().
> + */
> +void audit_cgroup_list(struct audit_buffer *ab)
> +{
> +	char *buf, *path;
> +	struct cgroup_root *root;
> +
> +	buf = kmalloc(PATH_MAX, GFP_NOFS);
> +	if (!buf)
> +		return;
> +
> +	mutex_lock(&cgroup_mutex);
> +	spin_lock_irq(&css_set_lock);
> +
> +	for_each_root(root) {
> +		struct cgroup_subsys *ss;
> +		struct cgroup *cgrp;
> +		int ssid, count = 0;
> +
> +		if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
> +			continue;
> +
> +		if (root != &cgrp_dfl_root)
> +			for_each_subsys(ss, ssid)
> +				if (root->subsys_mask & (1 << ssid))
> +					audit_log_format(ab, "%s%s",
> +							 count++ ? "," : "",
> +							 ss->legacy_name);
> +		if (strlen(root->name))
> +			audit_log_format(ab, "%sname=%s", count ? "," : "",
> +					 root->name);
> +		audit_log_format(ab, ":");
> +
> +		cgrp = task_cgroup_from_root(current, root);
> +
> +		if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
> +			path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
> +						current->nsproxy->cgroup_ns);
> +			if (!path)
> +				goto out_unlock;
> +		} else
> +			path = "/";
> +
> +		audit_log_format(ab, "%s", path);
> +
> +		if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
> +			audit_log_format(ab, " (deleted);");
> +		else
> +			audit_log_format(ab, ";");
> +	}
> +
> +out_unlock:
> +	spin_unlock_irq(&css_set_lock);
> +	mutex_unlock(&cgroup_mutex);
> +	kfree(buf);
> +}
> +
>  /* Display information about each subsystem and each hierarchy */
>  static int proc_cgroupstats_show(struct seq_file *m, void *v)
>  {
> -- 
> 2.8.1


* Re: [PATCH 3/3] configure.ac: add subdir-objects
From: Thomas Petazzoni @ 2016-07-11 15:10 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2238710.OHli6nHpfy@x2>

Hello,

On Mon, 11 Jul 2016 10:55:08 -0400, Steve Grubb wrote:

> > Ah, right, that's due to a bug in automake < 1.16 when a variable is
> > used in _SOURCES. I've fixed that in v2 by using a simpler relative
> > path in the Python bindings Makefile.am. Patch coming shortly.
> > 
> > Thanks for spotting the issue,  
> 
>  I always run "make distcheck" when doing a release. If v2 passes this, then 
> all is good.

Well, this raises another issue:

/bin/bash: ../../../../src/.dirstamp: Permission denied

So it seems my v2 is not good to go :-/

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* Re: [PATCH 3/3] configure.ac: add subdir-objects
From: Steve Grubb @ 2016-07-11 14:55 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: linux-audit
In-Reply-To: <20160711165205.14723222@free-electrons.com>

On Monday, July 11, 2016 4:52:05 PM EDT Thomas Petazzoni wrote:
> Hello,
> 
> On Wed, 06 Jul 2016 18:47:47 -0400, Steve Grubb wrote:
> > Applying this breaks the build
> > 
> >      am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=:
> >      distdir)
> > 
> > make[4]: Entering directory
> > '/home/sgrubb/working/BUILD/audit/bindings/python/ python2'
> > Makefile:485:
> > ../../../bindings/python/.deps/auparse_la-auparse_python.Plo: No such
> > file or directory
> > make[4]: *** No rule to make target '../../../bindings/python/.deps/
> > auparse_la-auparse_python.Plo'.  Stop.
> 
> Ah, right, that's due to a bug in automake < 1.16 when a variable is
> used in _SOURCES. I've fixed that in v2 by using a simpler relative
> path in the Python bindings Makefile.am. Patch coming shortly.
> 
> Thanks for spotting the issue,

I always run "make distcheck" when doing a release. If v2 passes this, then
all is good.

Thanks,
-Steve


* [PATCH v2] configure.ac: add subdir-objects
From: Thomas Petazzoni @ 2016-07-11 14:52 UTC (permalink / raw)
  To: linux-audit

This allows avoiding the following warning when re-generating the
configure script:

  auparse/Makefile.am:95: warning: source file '../lib/gen_tables.c' is in a subdirectory,
  auparse/Makefile.am:95: but option 'subdir-objects' is disabled

To make this possible and avoid a bug in automake < 1.16, we have to
adjust two Makefile.am files to use a relative path in _SOURCES rather
than a path that uses $(top_srcdir). Indeed, $(top_srcdir) was not
properly expanded when used in _SOURCES in automake versions < 1.16.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 bindings/python/python2/Makefile.am | 2 +-
 bindings/python/python3/Makefile.am | 2 +-
 configure.ac                        | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bindings/python/python2/Makefile.am b/bindings/python/python2/Makefile.am
index 1dcb5bc..208ae66 100644
--- a/bindings/python/python2/Makefile.am
+++ b/bindings/python/python2/Makefile.am
@@ -27,7 +27,7 @@ AM_CPPFLAGS = -I$(top_builddir) -I@PYINCLUDEDIR@
 
 pyexec_LTLIBRARIES = auparse.la
 
-auparse_la_SOURCES = $(top_srcdir)/bindings/python/auparse_python.c
+auparse_la_SOURCES = ../auparse_python.c
 auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS)
 auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
 auparse_la_LIBADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la
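Review bot: with subdir-objects the object for '../auparse_python.c' is placed in the source's directory relative to this Makefile, i.e. bindings/python/auparse_la-auparse_python.lo (the per-target name comes from auparse_la_CPPFLAGS), and the python3 Makefile.am in the next hunk resolves to exactly the same path, so the two builds overwrite each other's object and each other's ../.deps/auparse_la-auparse_python.Plo (the file named in Steve's build failure), and race under a parallel make. Give each subdirectory its own object, for instance a one-line per-directory wrapper source that #includes ../auparse_python.c, so that python2 and python3 do not share an object path.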
diff --git a/bindings/python/python3/Makefile.am b/bindings/python/python3/Makefile.am
index edd38e9..93495da 100644
--- a/bindings/python/python3/Makefile.am
+++ b/bindings/python/python3/Makefile.am
@@ -26,7 +26,7 @@ AM_CPPFLAGS = -I$(top_builddir) $(PYTHON3_INCLUDES)
 
 py3exec_LTLIBRARIES = auparse.la
 
-auparse_la_SOURCES = $(top_srcdir)/bindings/python/auparse_python.c
+auparse_la_SOURCES = ../auparse_python.c
 auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS)
 auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
 auparse_la_LIBADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la
diff --git a/configure.ac b/configure.ac
index c5e87e7..1118f15 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ echo Configuring auditd $VERSION
 
 AC_CONFIG_MACRO_DIR([m4])
 AC_CANONICAL_TARGET
-AM_INIT_AUTOMAKE
+AM_INIT_AUTOMAKE([subdir-objects])
 AM_PROG_LIBTOOL
 AC_SUBST(LIBTOOL_DEPS)
 OLDLIBS="$LIBS"
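Review bot: enabling subdir-objects globally changes object placement for every Makefile.am that lists sources through '../' paths, not only the two adjusted above; each such directory now receives a .dirstamp and a .deps directory, and it is 'make distcheck' (read-only srcdir, separate builddir) that catches paths resolving outside the build tree, as the '.dirstamp: Permission denied' reported in the follow-up to this v2 shows. Run distcheck on the whole tree before resending, and mention in the commit message which other Makefile.am files are affected.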
-- 
2.7.4


* Re: [PATCH 3/3] configure.ac: add subdir-objects
From: Thomas Petazzoni @ 2016-07-11 14:52 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1929736.QCCH278Bsg@x2>

Hello,

On Wed, 06 Jul 2016 18:47:47 -0400, Steve Grubb wrote:

> Applying this breaks the build
> 
>      am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
> make[4]: Entering directory '/home/sgrubb/working/BUILD/audit/bindings/python/
> python2'
> Makefile:485: ../../../bindings/python/.deps/auparse_la-auparse_python.Plo: No 
> such file or directory
> make[4]: *** No rule to make target '../../../bindings/python/.deps/
> auparse_la-auparse_python.Plo'.  Stop.

Ah, right, that's due to a bug in automake < 1.16 when a variable is
used in _SOURCES. I've fixed that in v2 by using a simpler relative
path in the Python bindings Makefile.am. Patch coming shortly.

Thanks for spotting the issue,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [PATCH] capabilities: audit capability use
From: Topi Miettinen @ 2016-07-11 11:14 UTC (permalink / raw)
  To: linux-kernel-u79uwXL29TY76Z2rM5mHXA
  Cc: ebiederm-aS9lmoZGLiVWk0Htik3J/w, mladek-IBi9RG/b67k,
	luto-DgEjT+Ai2ygdnm+yROfE0A, serge-A9i7LUbDfNHQT0dZR+AlfA,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Topi Miettinen, Paul Moore,
	Eric Paris, Tejun Heo, Li Zefan, Johannes Weiner, Serge Hallyn,
	moderated list:AUDIT SUBSYSTEM, open list:CONTROL GROUP CGROUP,
	open list:CAPABILITIES

There are many basic ways to control processes, including capabilities,
cgroups and resource limits. However, there are far fewer ways to find
out useful values for the limits, except blind trial and error.

Currently, there is no way to know which capabilities are actually used.
Even the source code is only implicit; in-depth knowledge of each
capability must be used when analyzing a program to judge which
capabilities the program will exercise.

Generate an audit message at system call exit, when capabilities are used.
This can then be used to configure capability sets for services by a
software developer, maintainer or system administrator.

Test case demonstrating basic capability monitoring with the new
message types 1330 and 1331 and how the cgroups are displayed (boot to
rdshell):

BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
Enter 'help' for a list of built-in commands.

(initramfs) cd /sys/fs
(initramfs) mount -t cgroup2 cgroup cgroup
[   12.343152] audit_printk_skb: 5886 callbacks suppressed
[   12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 a0=7fffe1e9ae2d a1=7fffe1e9ae34 a2=7fffe1e9ae25 a3=8000 items=0 ppid=469 pid=470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
[   12.414853] audit: type=1327 audit(1468234317.100:518): proctitle=6D6F756E74002D74006367726F757032006367726F7570006367726F7570
[   12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
[   12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
(initramfs) cd cgroup
(initramfs) mkdir test; cd test
[   17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 a0=7ffddfd75e29 a1=1ff a2=0 a3=1e2 items=0 ppid=469 pid=471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
[   17.392686] audit: type=1327 audit(1468234322.092:519): proctitle=6D6B6469720074657374
[   17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
[   17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
(initramfs) echo $$ >cgroup.procs
(initramfs) mknod /dev/z_$$ c 1 2
[   28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe16324e11 a1=21b6 a2=102 a3=5c9 items=0 ppid=469 pid=472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="mknod" exe="/bin/mknod" key=(null)
[   28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
[   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
[   28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
(initramfs) chown 1234 /dev/z_*
[   34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd0b563e17 a1=4d2 a2=0 a3=60a items=0 ppid=469 pid=473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="chown" exe="/bin/chown" key=(null)
[   34.828569] audit: type=1327 audit(1468234339.532:521): proctitle=63686F776E0031323334002F6465762F7A5F343639
[   34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
[   34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;

Signed-off-by: Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/linux/audit.h      |  4 +++
 include/linux/cgroup.h     |  2 ++
 include/uapi/linux/audit.h |  2 ++
 kernel/audit.c             |  7 +++---
 kernel/audit.h             |  1 +
 kernel/auditsc.c           | 28 ++++++++++++++++++++-
 kernel/capability.c        |  5 ++--
 kernel/cgroup.c            | 62 ++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 105 insertions(+), 6 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index e38e3fc..971cb2e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -438,6 +438,8 @@ static inline void audit_mmap_fd(int fd, int flags)
 		__audit_mmap_fd(fd, flags);
 }
 
+extern void audit_log_cap_use(int cap);
+
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
@@ -545,6 +547,8 @@ static inline void audit_mmap_fd(int fd, int flags)
 { }
 static inline void audit_ptrace(struct task_struct *t)
 { }
+static inline void audit_log_cap_use(int cap)
+{ }
 #define audit_n_rules 0
 #define audit_signals 0
 #endif /* CONFIG_AUDITSYSCALL */
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index a20320c..b5dc8aa 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -100,6 +100,8 @@ char *task_cgroup_path(struct task_struct *task, char *buf, size_t buflen);
 int cgroupstats_build(struct cgroupstats *stats, struct dentry *dentry);
 int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
 		     struct pid *pid, struct task_struct *tsk);
+struct audit_buffer;
+void audit_cgroup_list(struct audit_buffer *ab);
 
 void cgroup_fork(struct task_struct *p);
 extern int cgroup_can_fork(struct task_struct *p);
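Review bot: the new audit_cgroup_list() prototype has no !CONFIG_CGROUPS counterpart, yet audit_log_exit() in kernel/auditsc.c calls it unconditionally; if this declaration sits in the CONFIG_CGROUPS-only part of the header like the neighbouring proc_cgroup_show(), a CONFIG_AUDITSYSCALL=y, CONFIG_CGROUPS=n build will fail to link. Add an empty static inline stub in the #else branch, or make the call in audit_log_exit() depend on CONFIG_CGROUPS.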
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..c1ae016 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,8 @@
 #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
 #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
+#define AUDIT_CAPABILITY	1330	/* Record showing capability use */
+#define AUDIT_CGROUP		1331	/* Record showing cgroups */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
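Review bot: AUDIT_CAPABILITY and AUDIT_CGROUP become user-space ABI, so the record formats should be fixed and stated here or in the commit message: cap_used= is the kernel_cap_t hex mask as printed by audit_log_cap(), cgroups= is the ';'-terminated list written by audit_cgroup_list(). Today the formats can only be inferred from the example log, and ausearch/auparse will show the new types by number until the userspace tables are taught 1330 and 1331.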
diff --git a/kernel/audit.c b/kernel/audit.c
index 8d528f9..98dd920 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,7 @@
 #include <linux/kthread.h>
 #include <linux/kernel.h>
 #include <linux/syscalls.h>
+#include <linux/cgroup.h>
 
 #include <linux/audit.h>
 
@@ -1682,7 +1683,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
 {
 	int i;
 
-	audit_log_format(ab, " %s=", prefix);
+	audit_log_format(ab, "%s=", prefix);
 	CAP_FOR_EACH_U32(i) {
 		audit_log_format(ab, "%08x",
 				 cap->cap[CAP_LAST_U32 - i]);
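Review bot: removing the leading space from audit_log_cap() changes its contract for every caller, but only the two audit_log_fcaps() calls in the next hunk are updated; the AUDIT_CAPSET and AUDIT_BPRM_FCAPS branches of audit_log_exit() in kernel/auditsc.c also call audit_log_cap() right after another field and are not touched by this patch (see the diffstat), so those records would lose their field separator (pid=123cap_pi=...). Update those callers in the same patch, or leave the helper's prefix handling alone.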
@@ -1696,11 +1697,11 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
 	int log = 0;
 
 	if (!cap_isclear(*perm)) {
-		audit_log_cap(ab, "cap_fp", perm);
+		audit_log_cap(ab, " cap_fp", perm);
 		log = 1;
 	}
 	if (!cap_isclear(*inh)) {
-		audit_log_cap(ab, "cap_fi", inh);
+		audit_log_cap(ab, " cap_fi", inh);
 		log = 1;
 	}
 
diff --git a/kernel/audit.h b/kernel/audit.h
index a492f4c..680e8b5 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -202,6 +202,7 @@ struct audit_context {
 	};
 	int fds[2];
 	struct audit_proctitle proctitle;
+	kernel_cap_t cap_used;
 };
 
 extern u32 audit_ever_enabled;
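Review bot: cap_used is added to struct audit_context but never cleared; the context is zeroed once by audit_alloc_context() and then reused for every syscall of the task, and audit_syscall_exit() resets only the per-syscall fields it knows about, so bits raised during one syscall keep being reported in the type 1330 record of every later syscall by the same task (the example log does not show this because every command runs as a fresh pid). Clear it in audit_syscall_exit() alongside the other per-syscall state, or right after it has been logged in audit_log_exit().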
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2672d10..32c3813 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -197,7 +197,6 @@ static int audit_match_filetype(struct audit_context *ctx, int val)
  * References in it _are_ dropped - at the same time we free/drop aux stuff.
  */
 
-#ifdef CONFIG_AUDIT_TREE
 static void audit_set_auditable(struct audit_context *ctx)
 {
 	if (!ctx->prio) {
@@ -206,6 +205,7 @@ static void audit_set_auditable(struct audit_context *ctx)
 	}
 }
 
+#ifdef CONFIG_AUDIT_TREE
 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
 {
 	struct audit_tree_refs *p = ctx->trees;
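Review bot: moving audit_set_auditable() out of the CONFIG_AUDIT_TREE block is a prerequisite for calling it from audit_log_cap_use() further down, but the commit message does not mention it; add a sentence so a reader of the history knows the move is intentional and why the function must now exist for CONFIG_AUDIT_TREE=n as well.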
@@ -1439,6 +1439,18 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
 	audit_log_proctitle(tsk, context);
 
+	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CAPABILITY);
+	if (ab) {
+		audit_log_cap(ab, "cap_used", &context->cap_used);
+		audit_log_end(ab);
+	}
+	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CGROUP);
+	if (ab) {
+		audit_log_format(ab, "cgroups=");
+		audit_cgroup_list(ab);
+		audit_log_end(ab);
+	}
+
 	/* Send end of event record to help user space know we are finished */
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
 	if (ab)
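Review bot: both new records are emitted on every audited syscall exit even when cap_used is empty (every event in the example log carries them), which adds two records per event unconditionally and is exactly the noise question Serge raises in his reply; guard the AUDIT_CAPABILITY record with if (!cap_isclear(context->cap_used)) and emit the AUDIT_CGROUP record only together with it, or fold the cgroup list into the same record. Note also that audit_cgroup_list() takes cgroup_mutex, a sleeping lock, so this call must stay on the syscall-exit path and never move to an atomic logging site.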
@@ -2428,3 +2440,17 @@ struct list_head *audit_killed_trees(void)
 		return NULL;
 	return &ctx->killed_trees;
 }
+
+void audit_log_cap_use(int cap)
+{
+	struct audit_context *context = current->audit_context;
+
+	if (context) {
+		cap_raise(context->cap_used, cap);
+		audit_set_auditable(context);
+	} else {
+		audit_log(NULL, GFP_NOFS, AUDIT_CAPABILITY,
+			  "cap_used=%d pid=%d no audit_context",
+			  cap, task_pid_nr(current));
+	}
+}
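Review bot: the two branches emit incompatible formats under the same record type: the context path produces a 16-digit hex mask via audit_log_cap() ('cap_used=0000000008000000'), while the fallback prints the capability number in decimal ('cap_used=27'), so a parser keyed on type 1330 cannot tell them apart. Print the fallback as a mask too, or use a distinct field name, and reconsider whether the fallback is wanted at all: a task without an audit_context logs one record per successful check with no syscall record to attach it to. Also, audit_log() with GFP_NOFS can block in audit_log_start() when the backlog limit is hit (the wait happens only when the gfp mask allows direct reclaim), and ns_capable() is not guaranteed a sleepable context, which is why the existing LSM capability audit path logs with GFP_ATOMIC; use GFP_ATOMIC here or drop the branch.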
diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b5..d45d5b1 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -366,8 +366,8 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
  * @ns:  The usernamespace we want the capability in
  * @cap: The capability to be tested for
  *
- * Return true if the current task has the given superior capability currently
- * available for use, false if not.
+ * Return true if the current task has the given superior capability
+ * currently available for use, false if not. Write an audit message.
  *
  * This sets PF_SUPERPRIV on the task if the capability is available on the
  * assumption that it's about to be used.
@@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
 	}
 
 	if (security_capable(current_cred(), ns, cap) == 0) {
+		audit_log_cap_use(cap);
 		current->flags |= PF_SUPERPRIV;
 		return true;
 	}
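Review bot: instrumenting only ns_capable() covers checks routed through capable(), ns_capable() and capable_wrt_inode_uidgid(), but not callers that go to security_capable() directly such as file_ns_capable(), so the resulting set can under-report; state the coverage in the commit message or hook the common path instead. Conversely, the bit is recorded when the check succeeds, not when the privilege is exercised, so probes that merely select a code path show up too; that is acceptable for building a profile but belongs in the record's documentation.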
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 75c0ff0..1931679 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -63,6 +63,7 @@
 #include <linux/nsproxy.h>
 #include <linux/proc_ns.h>
 #include <net/sock.h>
+#include <linux/audit.h>
 
 /*
  * pidlists linger the following amount before being destroyed.  The goal
@@ -5789,6 +5790,67 @@ out:
 	return retval;
 }
 
+/*
+ * audit_cgroup_list()
+ *  - Print task's cgroup paths with audit_log_format()
+ *  - Used for capability audit logging
+ *  - Otherwise very similar to proc_cgroup_show().
+ */
+void audit_cgroup_list(struct audit_buffer *ab)
+{
+	char *buf, *path;
+	struct cgroup_root *root;
+
+	buf = kmalloc(PATH_MAX, GFP_NOFS);
+	if (!buf)
+		return;
+
+	mutex_lock(&cgroup_mutex);
+	spin_lock_irq(&css_set_lock);
+
+	for_each_root(root) {
+		struct cgroup_subsys *ss;
+		struct cgroup *cgrp;
+		int ssid, count = 0;
+
+		if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
+			continue;
+
+		if (root != &cgrp_dfl_root)
+			for_each_subsys(ss, ssid)
+				if (root->subsys_mask & (1 << ssid))
+					audit_log_format(ab, "%s%s",
+							 count++ ? "," : "",
+							 ss->legacy_name);
+		if (strlen(root->name))
+			audit_log_format(ab, "%sname=%s", count ? "," : "",
+					 root->name);
+		audit_log_format(ab, ":");
+
+		cgrp = task_cgroup_from_root(current, root);
+
+		if (cgroup_on_dfl(cgrp) || !(current->flags & PF_EXITING)) {
+			path = cgroup_path_ns_locked(cgrp, buf, PATH_MAX,
+						current->nsproxy->cgroup_ns);
+			if (!path)
+				goto out_unlock;
+		} else
+			path = "/";
+
+		audit_log_format(ab, "%s", path);
+
+		if (cgroup_on_dfl(cgrp) && cgroup_is_dead(cgrp))
+			audit_log_format(ab, " (deleted);");
+		else
+			audit_log_format(ab, ";");
+	}
+
+out_unlock:
+	spin_unlock_irq(&css_set_lock);
+	mutex_unlock(&cgroup_mutex);
+	kfree(buf);
+}
+
 /* Display information about each subsystem and each hierarchy */
 static int proc_cgroupstats_show(struct seq_file *m, void *v)
 {
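Review bot: when cgroup_path_ns_locked() returns NULL, the goto out_unlock leaves a half-written record (controller names and ':' already emitted, no path and no ';'), and a kmalloc() failure yields an empty 'cgroups=' with no hint that anything was skipped; emit a marker such as '?' before bailing out in both cases so a consumer can distinguish "no cgroups" from "could not report". Two smaller points: GFP_NOFS differs from the GFP_KERNEL the caller audit_log_exit() uses for the same record, and taking cgroup_mutex plus css_set_lock on every audited syscall exit is a cost that proc_cgroup_show() only pays per /proc read, which is worth a sentence in the commit message.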
-- 
2.8.1
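
As an added example (not part of Topi's patch or of the audit userspace), here is a Python decoder for the two new record types as they appear in the test log above: it correlates records by event serial, decodes the cap_used mask the way audit_log_cap() prints it (cap[CAP_LAST_U32] first, so the 16 hex digits read as one big-endian 64-bit mask), and builds the per-executable capability and cgroup profile the commit message says the records are for. It goes a little beyond the log by also parsing the controller list, name= and " (deleted)" forms that audit_cgroup_list() can emit. Capability bit numbers are taken from include/uapi/linux/capability.h; the sample lines are the patch's own records with the type=1300 lines abbreviated to the fields used here.

```python
"""Decode AUDIT_CAPABILITY (1330) and AUDIT_CGROUP (1331) records into a
per-executable profile.  Added example, not part of the patch or of the
audit userspace; SAMPLE_LOG is the patch's own test log with the
type=1300 records abbreviated to the fields used here."""
import re
from collections import defaultdict

# Capability bit numbers, in the order of include/uapi/linux/capability.h.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID "
             "SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST "
             "NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO "
             "SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE "
             "SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
             "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM "
             "BLOCK_SUSPEND AUDIT_READ").split()

# "audit: type=1330 audit(1468234317.100:518): cap_used=..." as printk'd.
RECORD_RE = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (type, serial, fields) for one audit line, or None."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    if rest.startswith("cgroups="):
        # The cgroup record is one field whose value may contain " (deleted)".
        fields = {"cgroups": rest[len("cgroups="):]}
    else:
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return int(rtype), int(serial), fields

def decode_cap_mask(hexmask):
    """audit_log_cap() prints cap[CAP_LAST_U32] then cap[0], each as %08x,
    so the 16 digits are one big-endian 64-bit mask; bit n is capability n."""
    mask = int(hexmask, 16)
    return {"CAP_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "CAP_%d" % b
            for b in range(mask.bit_length()) if (mask >> b) & 1}

def parse_cgroups(value):
    """'cpu,cpuacct:/a;name=systemd:/b (deleted);' -> [(controllers, path)]."""
    entries = []
    for entry in value.split(";"):
        if not entry:
            continue
        controllers, _, path = entry.partition(":")
        entries.append((controllers, path.replace(" (deleted)", "")))
    return entries

def capability_profile(lines):
    """Correlate records by event serial and return
    {exe: {"caps": set of capability names, "cgroups": set of paths}}."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial].setdefault(rtype, {}).update(fields)
    profile = defaultdict(lambda: {"caps": set(), "cgroups": set()})
    for recs in events.values():
        syscall = recs.get(1300)
        if syscall is None:
            continue  # a 1330 without a syscall record cannot be attributed
        exe = syscall.get("exe") or syscall.get("comm", "?")
        mask = recs.get(1330, {}).get("cap_used")
        if mask:
            profile[exe]["caps"] |= decode_cap_mask(mask)
        cgroups = recs.get(1331, {}).get("cgroups")
        if cgroups:
            profile[exe]["cgroups"] |= {p for _, p in parse_cgroups(cgroups)}
    return dict(profile)

SAMPLE_LOG = """\
[   12.343152] audit_printk_skb: 5886 callbacks suppressed
[   12.355214] audit: type=1300 audit(1468234317.100:518): arch=c000003e syscall=165 success=yes exit=0 pid=470 uid=0 comm="mount" exe="/bin/mount" key=(null)
[   12.438338] audit: type=1330 audit(1468234317.100:518): cap_used=0000000000200000
[   12.453893] audit: type=1331 audit(1468234317.100:518): cgroups=:/;
[   17.335625] audit: type=1300 audit(1468234322.092:519): arch=c000003e syscall=83 success=yes exit=0 pid=471 uid=0 comm="mkdir" exe="/bin/mkdir" key=(null)
[   17.409404] audit: type=1330 audit(1468234322.092:519): cap_used=0000000000000002
[   17.425404] audit: type=1331 audit(1468234322.092:519): cgroups=:/;
[   28.385681] audit: type=1300 audit(1468234333.144:520): arch=c000003e syscall=133 success=yes exit=0 pid=472 uid=0 comm="mknod" exe="/bin/mknod" key=(null)
[   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=0000000008000000
[   28.482080] audit: type=1331 audit(1468234333.144:520): cgroups=:/test;
[   34.772992] audit: type=1300 audit(1468234339.532:521): arch=c000003e syscall=92 success=yes exit=0 pid=473 uid=0 comm="chown" exe="/bin/chown" key=(null)
[   34.848747] audit: type=1330 audit(1468234339.532:521): cap_used=0000000000000001
[   34.864404] audit: type=1331 audit(1468234339.532:521): cgroups=:/test;
""".splitlines()

if __name__ == "__main__":
    for exe, info in sorted(capability_profile(SAMPLE_LOG).items()):
        print(exe, sorted(info["caps"]), sorted(info["cgroups"]))
```

For the four commands in the log this yields CAP_SYS_ADMIN for mount, CAP_DAC_OVERRIDE for mkdir, CAP_MKNOD for mknod and CAP_CHOWN for chown, the last two in cgroup /test.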


* Upgrading audit package
From: Bhagwat, Shriniketan Manjunath @ 2016-07-11  8:17 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit@redhat.com



Hi Steve,

I am using audit in my development environment. My development environment is as below.

RHEL 5.2 with kernel 2.6.32-431.el6.x86_64 and audit-2.2-2.el6.x86_64.
SUSE 11 SP3 with kernel 3.0.76-0.11-default and audit-1.8-0.30.1

As I understand it, the above audit packages I am using in my environment are the user space audit. I want to upgrade them to the latest version.
If I upgrade the audit packages to the latest version 2.6.X, will there be any issues?
Is the Linux audit kernel support available with kernels 2.6.32-431.el6.x86_64 and 3.0.76-0.11 compatible with user space audit 2.6.X?
In your opinion, what is the suitable audit package for my environment to upgrade to?
If these topics are already documented please guide me to the documentation.

Regards,
Ketan






* Re: Missing linker flags when statically linking
From: Laurent Bigonville @ 2016-07-10 17:42 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1510754.00qYpxzr8S@x2>

On 10/07/16 at 19:18, Steve Grubb wrote:
> On Sunday, July 10, 2016 10:45:13 AM EDT Laurent Bigonville wrote:
>> On 09/07/16 at 23:41, Steve Grubb wrote:
>>> On Saturday, July 9, 2016 11:02:44 PM EDT Laurent Bigonville wrote:
>>>> Apparently the fix is not 100% correct:
>>>>
>>>> The "Libs.private" field should be _after_ the Libs one in the .pc file,
>>>> otherwise the ordering of the libraries is not OK during linking:
>>>>
>>>> -lcap-ng -laudit
>>>>
>>>> it should be: -laudit -lcap-ng instead.
>>> OK, I switched the order.
>> Thanks
>>
>>>> Also any reasons you are using Libs.private instead of Package.private?
>>> Libs.private is used to add flags for static linking. The dynamic linker
>>> shouldn't need a hint since libaudit is already linked to libcap-ng.
>> I was talking about Package*.private* not package itself.
>> Package.private is the equivalent to Libs.private but for libs that also
>> have a .pc file
> Do you mean Requires.private? (I don't see Package.private documented in the
> man page.) That takes a package name which is not available from the m4 macro
> that libcap-ng provides. I think what this means is that I should switch from
> using m4 to pkg-config which means reworking configure.ac and the Makefiles.am
> wherever libcap-ng is used. I'll look into this, but I think in the meantime
> what's in svn generally works. libcap-ng is most likely built with the same
> flags that audit is.

Yes I meant Requires.private.

The audit.pc file is used by third parties, so using Requires.private has no 
impact on the audit build system, I think. I would say that the two can be 
changed independently.


* Re: Missing linker flags when statically linking
From: Steve Grubb @ 2016-07-10 17:18 UTC (permalink / raw)
  To: Laurent Bigonville; +Cc: linux-audit
In-Reply-To: <8e8169d1-647f-4ff2-0003-29fe51fa8488@debian.org>

On Sunday, July 10, 2016 10:45:13 AM EDT Laurent Bigonville wrote:
> On 09/07/16 at 23:41, Steve Grubb wrote:
> > On Saturday, July 9, 2016 11:02:44 PM EDT Laurent Bigonville wrote:
> >> Apparently the fix is not 100% correct:
> >> 
> >> The "Libs.private" field should be _after_ the Libs one in the .pc file,
> >> otherwise the ordering of the libraries is not OK during linking:
> >> 
> >> -lcap-ng -laudit
> >> 
> >> it should be: -laudit -lcap-ng instead.
> > 
> > OK, I switched the order.
> 
> Thanks
> 
> >> Also any reasons you are using Libs.private instead of Package.private?
> > 
> > Libs.private is used to add flags for static linking. The dynamic linker
> > shouldn't need a hint since libaudit is already linked to libcap-ng.
> 
> I was talking about Package*.private* not package itself.
> Package.private is the equivalent to Libs.private but for libs that also
> have a .pc file

Do you mean Requires.private? (I don't see Package.private documented in the 
man page.) That takes a package name which is not available from the m4 macro 
that libcap-ng provides. I think what this means is that I should switch from 
using m4 to pkg-config which means reworking configure.ac and the Makefiles.am 
wherever libcap-ng is used. I'll look into this, but I think in the meantime 
what's in svn generally works. libcap-ng is most likely built with the same 
flags that audit is.

-Steve


* Re: Missing linker flags when statically linking
From: Thomas Petazzoni @ 2016-07-10 12:17 UTC (permalink / raw)
  To: Laurent Bigonville; +Cc: linux-audit
In-Reply-To: <8e8169d1-647f-4ff2-0003-29fe51fa8488@debian.org>

Hello,

On Sun, 10 Jul 2016 10:45:13 +0200, Laurent Bigonville wrote:

> >> Also any reasons you are using Libs.private instead of Package.private?  
> > Libs.private is used to add flags for static linking. The dynamic linker
> > shouldn't need a hint since libaudit is already linked to libcap-ng.  
> 
> I was talking about Package*.private* not package itself. 
> Package.private is the equivalent to Libs.private but for libs that also 
> have a .pc file

Agreed. When possible, Package.private should be preferred over
Libs.private.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* Re: Missing linker flags when statically linking
From: Laurent Bigonville @ 2016-07-10  8:45 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1593477.8QKBr1tzSR@x2>

On 09/07/16 at 23:41, Steve Grubb wrote:
> On Saturday, July 9, 2016 11:02:44 PM EDT Laurent Bigonville wrote:
>> On 05/07/16 at 14:15, Steve Grubb wrote:
>>> Hello,
>>>
>>> On Monday, July 4, 2016 2:08:14 PM EDT Laurent Bigonville wrote:
>>>> Apparently the audit.pc file is missing flags to allow libaudit to be
>>>> statically linked (see [0]).
>>>>
>>>> Adding something like "Requires.private: libcap-ng" should fix the
>>>> problem.
>>> OK. Fixed. There will be a new audit package release in a little while
>>> that
>>> has this fixed.
>> Apparently the fix is not 100% correct:
>>
>> The "Libs.private" field should be _after_ the Libs one in the .pc file,
>> otherwise the ordering of the libraries is not OK during linking:
>>
>> -lcap-ng -laudit
>>
>> it should be: -laudit -lcap-ng instead.
> OK, I switched the order.

Thanks

>> Also any reasons you are using Libs.private instead of Package.private?
> Libs.private is used to add flags for static linking. The dynamic linker
> shouldn't need a hint since libaudit is already linked to libcap-ng.

I was talking about Package*.private* not package itself. 
Package.private is the equivalent to Libs.private but for libs that also 
have a .pc file

> Also, anyone packaging up audit 2.6.4 will want to include this patch:
> https://fedorahosted.org/audit/changeset/1340

Thanks, I'll update the pkg in debian soon


* Re: Missing linker flags when statically linking
From: Steve Grubb @ 2016-07-09 21:41 UTC (permalink / raw)
  To: Laurent Bigonville; +Cc: linux-audit
In-Reply-To: <c48d063c-55c1-ea02-5586-423ed0863264@debian.org>

On Saturday, July 9, 2016 11:02:44 PM EDT Laurent Bigonville wrote:
> On 05/07/16 at 14:15, Steve Grubb wrote:
> > Hello,
> > 
> > On Monday, July 4, 2016 2:08:14 PM EDT Laurent Bigonville wrote:
> >> Apparently the audit.pc file is missing flags to allow libaudit to be
> >> statically linked (see [0]).
> >> 
> >> Adding something like "Requires.private: libcap-ng" should fix the
> >> problem.
> > 
> > OK. Fixed. There will be a new audit package release in a little while
> > that
> > has this fixed.
> 
> Apparently the fix is not 100% correct:
> 
> The "Libs.private" field should be _after_ the Libs one in the .pc file,
> otherwise the ordering of the libraries is not OK during linking:
> 
> -lcap-ng -laudit
> 
> it should be: -laudit -lcap-ng instead.

OK, I switched the order.


> Also any reasons you are using Libs.private instead of Package.private?

Libs.private is used to add flags for static linking. The dynamic linker 
shouldn't need a hint since libaudit is already linked to libcap-ng.

Also, anyone packaging up audit 2.6.4 will want to include this patch:
https://fedorahosted.org/audit/changeset/1340

-Steve


* Re: Missing linker flags when statically linking
From: Laurent Bigonville @ 2016-07-09 21:02 UTC (permalink / raw)
  To: Steve Grubb, linux-audit
In-Reply-To: <11381031.WHaSpXZ8Zn@x2>

On 05/07/16 at 14:15, Steve Grubb wrote:
> Hello,
>
> On Monday, July 4, 2016 2:08:14 PM EDT Laurent Bigonville wrote:
>> Apparently the audit.pc file is missing flags to allow libaudit to be
>> statically linked (see [0]).
>>
>> Adding something like "Requires.private: libcap-ng" should fix the problem.
> OK. Fixed. There will be a new audit package release in a little while that
> has this fixed.
Apparently the fix is not 100% correct:

The "Libs.private" field should be _after_ the Libs one in the .pc file, 
otherwise the ordering of the libraries is not OK during linking:

-lcap-ng -laudit

it should be: -laudit -lcap-ng instead.


Also any reasons you are using Libs.private instead of Package.private?

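The two points made in this thread (Libs.private has to come after Libs for the static link line to come out as `-laudit -lcap-ng`, and Requires.private is the alternative when the dependency ships its own .pc file) can be checked against a small model of pkg-config's ordering rules. This is an added example, not code from the audit project or from anyone in the thread; the .pc contents, paths, descriptions and version numbers in it are constructed for illustration and are not the real audit.pc or libcap-ng.pc.

```python
"""Simplified model of how pkg-config orders the flags of `--static --libs`.

Added example for this thread, not code from the audit project or from any
poster. The .pc texts below are constructed (paths, versions and descriptions
are made up). Two pkg-config rules are modelled:
  * Libs and Libs.private flags of one file are collected in the order the
    lines appear in the file, so a Libs.private line placed above Libs
    comes out first;
  * a package's own flags are emitted before those of the packages it
    requires (Requires always, Requires.private only with --static).
"""
import re

_VAR = re.compile(r"\$\{(\w+)\}")


def _expand(value, variables):
    return _VAR.sub(lambda m: variables.get(m.group(1), ""), value)


def split_requires(value):
    """'libcap-ng >= 0.7, glib-2.0' -> ['libcap-ng', 'glib-2.0'] (versions ignored)."""
    return [item for item in re.split(r"[,\s]+", value)
            if item and item[0] not in "<>=!" and not item[0].isdigit()]


def parse_pc(text):
    """Parse one .pc file: variables are expanded, libs keep file order."""
    variables = {}
    pkg = {"libs": [], "requires": [], "requires_private": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        colon, equals = line.find(":"), line.find("=")
        # Whichever of ':' and '=' comes first decides, as in pkg-config:
        # "name=value" defines a variable, "Key: value" is a keyword field.
        if equals != -1 and (colon == -1 or equals < colon):
            variables[line[:equals].strip()] = _expand(line[equals + 1:].strip(), variables)
            continue
        if colon == -1:
            continue
        key, value = line[:colon].strip(), _expand(line[colon + 1:].strip(), variables)
        if key in ("Libs", "Libs.private"):
            pkg["libs"].extend(value.split())   # both keys feed one ordered list
        elif key == "Requires":
            pkg["requires"].extend(split_requires(value))
        elif key == "Requires.private":
            pkg["requires_private"].extend(split_requires(value))
    return pkg


def static_libs(pcs, name, _seen=None):
    """All flags `pkg-config --static --libs NAME` would print, in order."""
    seen = set() if _seen is None else _seen
    if name in seen:                  # each package contributes once
        return []
    seen.add(name)
    pkg = pcs[name]
    flags = list(pkg["libs"])         # own Libs/Libs.private first ...
    for dep in pkg["requires"] + pkg["requires_private"]:
        flags += static_libs(pcs, dep, seen)   # ... then its dependencies
    return flags


def link_order(pcs, name):
    """Only the -l flags: the part of the line whose order the linker cares about."""
    return [f for f in static_libs(pcs, name) if f.startswith("-l")]


# Constructed sample .pc files (not the real ones shipped by either project).
LIBCAP_NG_PC = """\
prefix=/usr
libdir=${prefix}/lib
Name: libcap-ng
Description: constructed sample, not the real libcap-ng.pc
Version: 0.7.8
Libs: -L${libdir} -lcap-ng
"""

# Libs.private above Libs: the ordering the thread reports as broken.
AUDIT_PC_PRIVATE_FIRST = """\
prefix=/usr
libdir=${prefix}/lib
Name: audit
Description: constructed sample, not the real audit.pc
Version: 2.6.4
Libs.private: -lcap-ng
Libs: -L${libdir} -laudit
"""

# Same file with Libs.private moved below Libs.
AUDIT_PC_PRIVATE_AFTER = AUDIT_PC_PRIVATE_FIRST.replace(
    "Libs.private: -lcap-ng\nLibs: -L${libdir} -laudit",
    "Libs: -L${libdir} -laudit\nLibs.private: -lcap-ng")

# Requires.private instead: the dependency is resolved through its own .pc file.
AUDIT_PC_REQUIRES_PRIVATE = AUDIT_PC_PRIVATE_FIRST.replace(
    "Libs.private: -lcap-ng\nLibs: -L${libdir} -laudit",
    "Libs: -L${libdir} -laudit\nRequires.private: libcap-ng")


def demo():
    """-l order for the three audit.pc variants, keyed by variant name."""
    capng = parse_pc(LIBCAP_NG_PC)
    return {
        "Libs.private before Libs":
            link_order({"audit": parse_pc(AUDIT_PC_PRIVATE_FIRST)}, "audit"),
        "Libs.private after Libs":
            link_order({"audit": parse_pc(AUDIT_PC_PRIVATE_AFTER)}, "audit"),
        "Requires.private":
            link_order({"audit": parse_pc(AUDIT_PC_REQUIRES_PRIVATE),
                        "libcap-ng": capng}, "audit"),
    }


if __name__ == "__main__":
    for variant, flags in demo().items():
        print(f"{variant:26} -> {' '.join(flags)}")
```

Running it prints the three link lines: the first variant yields `-lcap-ng -laudit`, the other two `-laudit -lcap-ng`. With Requires.private the model appends the required package's flags after the requiring package's own flags regardless of where the line sits in the file, which is why that form does not depend on line ordering the way Libs.private does.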

* Re: [RFC 0/7] netlink: Add allocation flag to netlink_unicast()
From: Masashi Honma @ 2016-07-09  3:54 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA,
	netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	cluster-devel-H+wXaHxf7aLQT0dZR+AlfA
  Cc: davem-fT/PcQaiUtIeIZ0/mPfg9Q, johannes-cdvu00un1VgdHxzADdlk8Q,
	pablo-Cap9r6Oaw4JrovVCs/uTlw, kaber-dcUjhNyLwpNeoWH0uzbU5w,
	kadlec-K40Dz/62t/MgiyqX0sVFJYdd74u8MsAO,
	dledford-H+wXaHxf7aLQT0dZR+AlfA,
	sean.hefty-ral2JQCrhuEAvxtiuMwx3w,
	hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w,
	paul-r2n+y4ga6xFZroRs9YW3xA, eparis-H+wXaHxf7aLQT0dZR+AlfA,
	zbr-i6C2adt8DTjR7s880joybQ, pshelar-l0M0P4e3n4LQT0dZR+AlfA,
	ccaulfie-H+wXaHxf7aLQT0dZR+AlfA, teigland-H+wXaHxf7aLQT0dZR+AlfA,
	bsingharora-Re5JQEeQqe8AvxtiuMwx3w
In-Reply-To: <1467764916-4983-1-git-send-email-masashi.honma-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

On 2016-07-06 09:28, Masashi Honma wrote:
> Though netlink_broadcast() ...

Thanks for the replies from David Miller, Eric Dumazet and David Teigland.

On the basis of their comments, only rtnl_unicast() looks like it needs a gfp
flag argument added. So I will drop almost all of the patches except 0005.

I will send patch v2 to more limited destination.

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [RFC 0/7] netlink: Add allocation flag to netlink_unicast()
From: Masashi Honma @ 2016-07-09  3:52 UTC (permalink / raw)
  To: David Teigland
  Cc: netdev-u79uwXL29TY76Z2rM5mHXA,
	netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	cluster-devel-H+wXaHxf7aLQT0dZR+AlfA,
	johannes-cdvu00un1VgdHxzADdlk8Q, pablo-Cap9r6Oaw4JrovVCs/uTlw,
	kaber-dcUjhNyLwpNeoWH0uzbU5w,
	kadlec-K40Dz/62t/MgiyqX0sVFJYdd74u8MsAO,
	dledford-H+wXaHxf7aLQT0dZR+AlfA,
	sean.hefty-ral2JQCrhuEAvxtiuMwx3w,
	hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w,
	paul-r2n+y4ga6xFZroRs9YW3xA, eparis-H+wXaHxf7aLQT0dZR+AlfA,
	zbr-i6C2adt8DTjR7s880joybQ, pshelar-l0M0P4e3n4LQT0dZR+AlfA,
	ccaulfie-H+wXaHxf7aLQT0dZR+AlfA,
	bsingharora-Re5JQEeQqe8AvxtiuMwx3w
In-Reply-To: <20160708160821.GA2048-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On 2016-07-09 01:08, David Teigland wrote:
> On Thu, Jul 07, 2016 at 09:35:45AM +0900, Masashi Honma wrote:
>> At the fs/dlm/netlink.c#dlm_timeout_warn(),
>> prepare_data allocates buffer with GFP_NOFS
>> and send_data() sends the buffer.
>>
>> But send_data() uses GFP_KERNEL or GFP_ATOMIC inside it.
>> Should it be replaced by GFP_NOFS ?
> That's old code that's never been used so it doesn't really matter.
>
I see. Thank you.



* audit 2.6.4 released
From: Steve Grubb @ 2016-07-08 16:29 UTC (permalink / raw)
  To: linux-audit

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Fix interpretation of saddr fields when using enriched events
- In netlink_handler of auditd, ensure ack_func is initialized to NULL
- Use full path to auditctl in augenrules
- Raise the number of log files auditd allows to 999
- In auditd reconfig, update use_libwrap setting
- Fix memory leak in reconfigure
- Add EHWPOISON definition for errno lookup table if missing (Thomas Petazzoni)
- Better detect struct audit_status existence (Thomas Petazzoni)
- Rework dispatcher protocol 1 to be what it used to be

This is yet another bug fix to the 2.6 major revision. The main bug fixed is an 
uninitialized function pointer that caused auditd to segfault. Another major 
fix is reverting the format of protocol 1 dispatched records. It was 
inadvertently updated to protocol 2 even though the header was advertising 1. 

This update also fixes a couple small memory leaks that would occur when the 
audit daemon received a SIGHUP to reload. This also makes sure that all 
variables get updated on a reconfigure. It was also found that use_libwrap was 
not in auditd.conf even though the man page talked about it.

Please let me know if you run across any problems with this release.

-Steve


* Re: [RFC 5/7] net: Add allocation flag to rtnl_unicast()
From: Eric Dumazet @ 2016-07-08  4:00 UTC (permalink / raw)
  To: Masashi Honma
  Cc: netdev-u79uwXL29TY76Z2rM5mHXA,
	netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	cluster-devel-H+wXaHxf7aLQT0dZR+AlfA,
	davem-fT/PcQaiUtIeIZ0/mPfg9Q, johannes-cdvu00un1VgdHxzADdlk8Q,
	pablo-Cap9r6Oaw4JrovVCs/uTlw, kaber-dcUjhNyLwpNeoWH0uzbU5w,
	kadlec-K40Dz/62t/MgiyqX0sVFJYdd74u8MsAO,
	dledford-H+wXaHxf7aLQT0dZR+AlfA,
	sean.hefty-ral2JQCrhuEAvxtiuMwx3w,
	hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w,
	paul-r2n+y4ga6xFZroRs9YW3xA, eparis-H+wXaHxf7aLQT0dZR+AlfA,
	zbr-i6C2adt8DTjR7s880joybQ, pshelar-l0M0P4e3n4LQT0dZR+AlfA,
	ccaulfie-H+wXaHxf7aLQT0dZR+AlfA, teigland-H+wXaHxf7aLQT0dZR+AlfA,
	bsingharora-Re5JQEeQqe8AvxtiuMwx3w
In-Reply-To: <577F1AD7.8040800-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

On Fri, 2016-07-08 at 12:15 +0900, Masashi Honma wrote:
> Thanks for comment.
> 
> I have selected GFP flags based on existing code.
> 
> I have selected GFP_ATOMIC in inet6_netconf_get_devconf() because
> skb was allocated with GFP_ATOMIC.

Point is : we should remove GFP_ATOMIC uses as much as we can.

Everytime we see one of them, we should think why it was added
and if this is really needed.

inet6_netconf_get_devconf() is a perfect example of one careless
GFP_ATOMIC usage

https://patchwork.ozlabs.org/patch/646291/



* Re: [RFC 5/7] net: Add allocation flag to rtnl_unicast()
From: Masashi Honma @ 2016-07-08  3:15 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: netdev, netfilter-devel, linux-wireless, linux-rdma, linux-audit,
	cluster-devel, davem, johannes, pablo, kaber, kadlec, dledford,
	sean.hefty, hal.rosenstock, paul, eparis, zbr, pshelar, ccaulfie,
	teigland, bsingharora
In-Reply-To: <1467946591.1273.45.camel@edumazet-glaptop3.roam.corp.google.com>

On 2016-07-08 11:56, Eric Dumazet wrote:
>
> Managing to mix GFP_ATOMIC and GFP_KERNEL almost randomly as you did in
> this patch is definitely not good.
>
> Further more, RTNL is a mutex, held in control path, designed to allow
> schedules and waiting for memory under pressure.
>
> We do not want to encourage GFP_ATOMIC usage in control path.
>
> Your patch series gives the wrong signal to developers.
>
>
>

Thanks for comment.

I have selected GFP flags based on existing code.

I have selected GFP_ATOMIC in inet6_netconf_get_devconf() because
skb was allocated with GFP_ATOMIC.

I have used GFP_KERNEL in inet6_rtm_getaddr() by same reason.

> I will send a patch against net/ipv4/devinet.c so that we remove
> GFP_ATOMIC usage there.

Thanks. I will modify my patch based on your new code.


* Re: [RFC 5/7] net: Add allocation flag to rtnl_unicast()
From: Eric Dumazet @ 2016-07-08  2:56 UTC (permalink / raw)
  To: Masashi Honma
  Cc: netdev, netfilter-devel, linux-wireless, linux-rdma, linux-audit,
	cluster-devel, davem, johannes, pablo, kaber, kadlec, dledford,
	sean.hefty, hal.rosenstock, paul, eparis, zbr, pshelar, ccaulfie,
	teigland, bsingharora
In-Reply-To: <1467764916-4983-6-git-send-email-masashi.honma@gmail.com>

On Wed, 2016-07-06 at 09:28 +0900, Masashi Honma wrote:
> Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
> ---


> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index a1f6b7b..2b0b994 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -628,7 +628,7 @@ static int inet6_netconf_get_devconf(struct sk_buff *in_skb,
>  		kfree_skb(skb);
>  		goto errout;
>  	}
> -	err = rtnl_unicast(skb, net, NETLINK_CB(in_skb).portid);
> +	err = rtnl_unicast(skb, net, NETLINK_CB(in_skb).portid, GFP_ATOMIC);
>  errout:
>  	return err;
>  }
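Review bot: passing GFP_ATOMIC to rtnl_unicast() in inet6_netconf_get_devconf() is not justified by anything in this hunk: the function runs under RTNL, a mutex held in the control path where a sleeping allocation is allowed, so GFP_KERNEL is the appropriate flag here just as in the next hunk of the same file. If the reason is that the skb this function sends was allocated with GFP_ATOMIC earlier in the function, that earlier allocation is the one to change rather than propagating the atomic flag into the unicast call.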
> @@ -4824,7 +4824,7 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh)
>  		kfree_skb(skb);
>  		goto errout_ifa;
>  	}
> -	err = rtnl_unicast(skb, net, NETLINK_CB(in_skb).portid);
> +	err = rtnl_unicast(skb, net, NETLINK_CB(in_skb).portid, GFP_KERNEL);
>  errout_ifa:
>  	in6_ifa_put(ifa);
>  errout:
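Review bot: this hunk uses GFP_KERNEL while the previous one in the same file uses GFP_ATOMIC for the same rtnl_unicast() call from the same RTNL context; the patch should settle on one flag for these two callers, and the commit message (only a Signed-off-by line is quoted) should state the criterion that selects the flag at each call site so reviewers can check it.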


Managing to mix GFP_ATOMIC and GFP_KERNEL almost randomly as you did in
this patch is definitely not good.

Further more, RTNL is a mutex, held in control path, designed to allow
schedules and waiting for memory under pressure.

We do not want to encourage GFP_ATOMIC usage in control path.

Your patch series gives the wrong signal to developers.

I will send a patch against net/ipv4/devinet.c so that we remove
GFP_ATOMIC usage there.


* Re: Crash when loading the rules
From: Laurent Bigonville @ 2016-07-07  9:35 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <22585411.CZ1HLvxr1I@x2>

On 06/07/16 at 20:13, Steve Grubb wrote:
> Hello,
>
> I received the strace file which made the email too big for the mail list.
> I'm including the important part below.
>
> On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
>> On 06/07/16 at 18:23, Steve Grubb wrote:
>>> So, I'm not sure why you are getting a
>>> core dump. If this is reproducible it might be good to get an strace to see
>>> what is being handed to writev. Or maybe try it from valgrind to see if
>>> that gives additional information.
>> Valgrind is a bit broken in debian unstable due to the compressed debug
>> symbols.
>>
>> I've attached here the output of strace
>
> [pid  1595] write(4</var/log/audit/audit.log>, "type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364
> [pid  1595] fstatfs(4</var/log/audit/audit.log>, {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
>
> This shows that it made it to write_to_log and then called check_log_file_size
>
> [pid  1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x90430527} ---
> [pid  1602] +++ killed by SIGSEGV (core dumped) +++
> +++ killed by SIGSEGV (core dumped) +++
>
> The traceback is not accurate. We are somewhere else in the code. I am going
> to bet that it's crashing on trying to ack because in the netlink path it's not
> getting set to NULL. I updated svn with a 1 line fix. Can you either pull the
> new code from svn and try it or add this patch to your build?
>
> https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c
>
> Let me know if this does it.

Seems to be OK with that patch,

Thanks

Laurent Bigonville


* Re: [PATCH 0/3] Misc build fixes
From: Thomas Petazzoni @ 2016-07-07  7:06 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2008682.VKiKRQpury@x2>

Hello,

On Wed, 06 Jul 2016 18:45:28 -0400, Steve Grubb wrote:
> On Wednesday, July 6, 2016 9:08:16 PM EDT Thomas Petazzoni wrote:
> > The first two patches in this series fix misc build issues of audit
> > with old kernel headers.  
> 
> I applied both. The second patch was not complete. You might want to pull 
> what's in svn and make sure everything works for your target OS.

ACK, thanks!

> > The last patch fixes warnings encountered when running autoreconf on
> > audit's configure.ac.
> > 
> > As a side note, are there any plans to switch the audit development to
> > a Git repository? Having to switch back to Subversion is really
> > painful, which is why the patches in this series are Git-formatted.  
> 
> Eventually. I'm using it for a couple other projects and when I feel 
> comfortable I'll switch this over. This is a much more important project than 
> the other two.

Sure. So I guess there's no need to convince you of all the advantages
of Git :)

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


