Linux-audit Archive on lore.kernel.org
* [PATCH] audit: fix audit_exe_compare using get_mm_exe_file
From: Richard Guy Briggs @ 2016-08-22 15:41 UTC (permalink / raw)
  To: linux-audit, linux-kernel
  Cc: Richard Guy Briggs, mguzik, ebiederm, oleg, skinsbursky, luto,
	sgrubb, pmoore, eparis

Fix original naive attempt to get/lock access to task->mm->exe_file by
using get_mm_exe_file and checking for NULL.

See: https://lkml.org/lkml/2016/7/30/97

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit_watch.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index d6709eb..0b29279 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -19,6 +19,7 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
+#include <linux/file.h>
 #include <linux/kernel.h>
 #include <linux/audit.h>
 #include <linux/kthread.h>
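Review bot: the new `#include <linux/file.h>` is what declares `fput()` for the second hunk; `get_task_mm()` and `mmput()` come from `<linux/sched.h>`, so it is worth confirming that header is already reachable through `<linux/audit.h>` or another existing include rather than relying on it transitively.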
@@ -540,14 +541,20 @@ int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
 
 int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
 {
+	struct mm_struct *mm;
 	struct file *exe_file;
 	unsigned long ino;
 	dev_t dev;
 
-	rcu_read_lock();
-	exe_file = rcu_dereference(tsk->mm->exe_file);
+	mm = get_task_mm(tsk);
+	if (!mm)
+		return 0;
+	exe_file = get_mm_exe_file(mm);
+	mmput(mm);
+	if (!exe_file)
+		return 0;
 	ino = exe_file->f_inode->i_ino;
 	dev = exe_file->f_inode->i_sb->s_dev;
-	rcu_read_unlock();
+	fput(exe_file);
 	return audit_mark_compare(mark, ino, dev);
 }
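Review bot: the reference sequence is correct: `get_task_mm()` pins the mm (returning NULL for exited tasks and kernel threads, which the early `return 0` treats as no match), `get_mm_exe_file()` takes a file reference under that mm, and `exe_file->f_inode` is read only while the file reference is held, which closes both problems raised in the thread (NULL `exe_file` and RCU not protecting `f_inode`). Two suggestions: `mmput(mm)` before the `f_inode` reads is fine because the file reference, not the mm, keeps the inode alive, but a one-line comment would save the next reader the same question; and since this runs from the syscall exit filter, `get_task_mm()` now takes `task_lock()` on every evaluation of an exe rule, so a `tsk == current` fast path (where `current->mm` cannot go away underneath the caller) may be worth adding later if it shows up in profiles.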
-- 
1.7.1


* Re: [PATCH] prctl: remove one-shot limitation for changing exe link
From: Richard Guy Briggs @ 2016-08-22 15:40 UTC (permalink / raw)
  To: Eric W. Biederman
  Cc: Mateusz Guzik, Cyrill Gorcunov, Stanislav Kinsburskiy, peterz,
	mingo, mhocko, keescook, linux-kernel, bsegall, john.stultz, oleg,
	matthltc, akpm, luto, vbabka, xemul, pmoore, linux-audit
In-Reply-To: <87vazlzlxm.fsf@x220.int.ebiederm.org>

On 2016-07-31 13:45, Eric W. Biederman wrote:
> Mateusz Guzik <mguzik@redhat.com> writes:
> 
> > On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote:
> >> So what I am requesting is very simple.  That the checks in
> >> prctl_set_mm_exe_file be tightened up to more closely approach what
> >> execve requires.  Thus preserving the value of the /proc/[pid]/exe for
> >> the applications that want to use the exe link.
> >> 
> >> Once the checks in prctl_set_mm_exe_file are tightened up please feel
> >> free to remove the one shot test.
> >
> > This is more fishy.
> >
> > First of all exe_file is used by the audit subsystem. So someone has to
> > ask audit people what is the significance (if any) of the field.

This was added as part of the ability to audit execution by filename
rather than by inode, the latter of which must exist at the time of the
rule instantiation and can be renamed on disk.  The former allows a rule
to be instantiated before the path exists and to follow the path even if
the original inode of the path is replaced.

> > All exe_file users but one use get_mm_exe_file and handle NULL
> > gracefully.
> >
> > Even with the current limit of changing the field once, the user can
> > cause a transient failure of get_mm_exe_file which can fail to increment
> > the refcount before it drops to 0.
> >
> > This transient failure can be used to get a NULL value stored in
> > ->exe_file during fork (in dup_mmap):
> > RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
> >
> > The one place which is not using get_mm_exe_file to get to the pointer
> > is audit_exe_compare:
> >         rcu_read_lock();
> >         exe_file = rcu_dereference(tsk->mm->exe_file);
> >         ino = exe_file->f_inode->i_ino;
> >         dev = exe_file->f_inode->i_sb->s_dev;
> >         rcu_read_unlock();
> >
> > This is buggy on 2 accounts:
> > 1. exe_file can be NULL

Agreed, this is a bug.

> > 2. rcu does not protect f_inode

Thank you for pointing this out too.

I'll send a patch to fix this.

> > The issue is made worse with allowing arbitrary number changes.
> >
> > Modifying get_mm_exe_file to retry is trivial and in effect never return
> > NULL is trivial. With arbitrary number of changes allowed this may
> > require some cond_resched() or something.

I agree this sounds like a wise idea.

> > For comments I cc'ed Richard Guy Briggs, who is both an audit person and
> > the author of audit_exe_compare.
> 
> That is fair.  Keeping the existing users working is what needs to
> happen.
> 
> At the same time we have an arbitrary number of possible changes with
> exec, but I guess that works differently because the mm is changed as
> well.
> 
> So yes let's bug fix this piece of code and then we can see about
> relaxing constraints.

Ok, please comment on the subsequent patch and I'll get Paul Moore to
push this through the audit tree and also to stable.

> Eric

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: The default file for krb5_key_file is missing from the auditd.conf(5) manual
From: Mateusz Piotrowski @ 2016-08-21 19:49 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <642023E9-D9DD-40AA-B4A0-15301F25FA70@FreeBSD.org>

Hello,

On 21 Aug 2016, at 21:00, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> See this line[1]. It lacks the name of the default file.
> 
> [1]: https://github.com/linux-audit/audit-userspace/blob/master/docs/auditd.conf.5#L291

I was able to fix this man page. Here's the patch:

From e0650ae46d13ea9e588d2552c83513c554cf52dd Mon Sep 17 00:00:00 2001
From: Mateusz Piotrowski <mpp302@gmail.com>
Date: Sun, 21 Aug 2016 21:42:00 +0200
Subject: [PATCH] Fix auditd man page.

Related to this email: [The default file for krb5_key_file is missing
from the auditd.conf(5) manual][1]

[1]: https://www.redhat.com/archives/linux-audit/2016-August/msg00056.html.
---
 docs/auditd.conf.5 | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/docs/auditd.conf.5 b/docs/auditd.conf.5
index 026a58d..1546b34 100644
--- a/docs/auditd.conf.5
+++ b/docs/auditd.conf.5
@@ -29,7 +29,7 @@ The log format describes how the information should be stored on disk. There are
 the audit records will be stored in a format exactly as the kernel sends it. The
 .IR ENRICHED
 option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analized on another system.
-The 
+The
 .I NOLOG
 option is now deprecated. If you were setting this format, now you should set
 the write_logs option to no.
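Review bot: this hunk only strips trailing whitespace from `The ` and has nothing to do with the krb5_key_file default; it would be cleaner as a separate cleanup commit, or at least named in the commit message. While in this paragraph, the context line's `reported/analized` should read `analyzed`.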
@@ -256,7 +256,7 @@ events. In this case you would increase the number only large enough to let it
 in too.
 .TP
 .I use_libwrap
-This setting determines whether or not to use tcp_wrappers to discern connection attempts that are from allowed machines. Legal values are either 
+This setting determines whether or not to use tcp_wrappers to discern connection attempts that are from allowed machines. Legal values are either
 .IR yes ", or " no "
 The default value is yes.
 .TP
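Review bot: this hunk is also trailing-whitespace removal only, unrelated to the subject of the patch; fold such cleanups into their own commit or mention them in the commit message. The context line `.IR yes ", or " no "` also carries an unbalanced trailing quote, so the `no` alternative may render oddly; worth a look while the file is open.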
@@ -288,12 +288,11 @@ server's host, as returned by a DNS lookup of its IP address.
 .I krb5_key_file
 Location of the key for this client's principal.
 Note that the key file must be owned by root and mode 0400.
-The default is
+The default is \fI/etc/audit/audit.key\fP.
 .TP
 .I distribute_network
 If set to "yes", network originating events will be distributed to the audit
 dispatcher for processing. The default is "no".
-.I /etc/audit/audit.key
 
 .SH NOTES
 In a CAPP environment, the audit trail is considered so important that access to system resources must be denied if an audit trail cannot be created. In this environment, it would be suggested that /var/log/audit be on its own partition. This is to ensure that space detection is accurate and that no other process comes along and consumes part of it.
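Review bot: this is the actual fix and it is right: the default path had been orphaned as a stray `.I /etc/audit/audit.key` under `distribute_network`, so the old page rendered `krb5_key_file` with "The default is" and nothing after it, and the hunk both restores the path inline and removes the stray line. Two small points: the commit subject "Fix auditd man page." should say what was fixed (for example "auditd.conf.5: restore default for krb5_key_file"), and the URL in the commit message ends with a "." that will break the link when pasted.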
-- 
2.9.2


* The default file for krb5_key_file is missing from the auditd.conf(5) manual
From: Mateusz Piotrowski @ 2016-08-21 19:00 UTC (permalink / raw)
  To: linux-audit

Hello,

See this line[1]. It lacks the name of the default file.

As I don't know what the default file is I cannot submit a patch.  Hopefully, 
someone else can fix this file.

Cheers!

-Mateusz

[1]: https://github.com/linux-audit/audit-userspace/blob/master/docs/auditd.conf.5#L291


* Re: [PATCH V3 0/3] Add support for session ID user filtering
From: Paul Moore @ 2016-08-19 19:08 UTC (permalink / raw)
  To: Richard Guy Briggs, sgrubb; +Cc: linux-audit, linux-kernel
In-Reply-To: <CAHC9VhR_ZOpdd1PWG9mqe=BmfL-10H8tBBc7FemwVeaj3EgnQw@mail.gmail.com>

On Thu, Aug 18, 2016 at 7:53 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
>> RFE Session ID User Filter
>>
>> https://github.com/linux-audit/audit-kernel/issues/4
>> RFE: add a session ID filter to the kernel's user filter
>>
>> See also the set of userspace support patches:
>>         Add support for sessionid user filters, sessionid_set and loginuid_set
>>         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>>         (userspace update expected to be posted 2016-08-18)
>> and the test case:
>>         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>>
>> This third patch is expected to have a merge conflict with:
>>         "audit: add exclude filter extension to feature bitmap"
>> posted on 2016-08-18.
>>
>> Richard Guy Briggs (3):
>>   audit: add support for session ID user filter
>>   audit: add AUDIT_SESSIONID_SET support
>>   audit: add sessionid filter extension to feature bitmap
>>
>>  include/linux/audit.h      |   10 ++++++++++
>>  include/uapi/linux/audit.h |    6 +++++-
>>  kernel/auditfilter.c       |    5 +++++
>>  kernel/auditsc.c           |    6 ++++++
>>  4 files changed, 26 insertions(+), 1 deletions(-)
>
> These patches look fine to me; the only comment I have is that these
> should probably be combined into a single patch to avoid
> cherry-picking of individual pieces, e.g. skipping the feature bitmap
> or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
> no need to resend unless you really want to ...
>
> However, the bigger issue is coordination with the userspace patches.
> I really don't like merging kernel patches until Steve OK's the
> corresponding userspace patches.

I went ahead and squashed the patches into one and merged it into the
audit#working-session_filter-v3 branch.  Take a look and if anything
looks awry let me know.

I'm also going to start including this patch/branch in my
pcmoore/kernel-secnext Copr builds so it is easier for you/sgrubb to
test the userspace support; once Steve OK's the userspace code I'll
merge this patch(set) into audit#next properly.

* https://github.com/linux-audit/audit-kernel/issues/4
* https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-secnext

-- 
paul moore
www.paul-moore.com


* Re: [PATCH V3 0/3] Add support for session ID user filtering
From: Paul Moore @ 2016-08-19 12:22 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: sgrubb, linux-audit, linux-kernel
In-Reply-To: <20160819043629.GA5983@madcap2.tricolour.ca>

On Fri, Aug 19, 2016 at 12:36 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2016-08-18 19:53, Paul Moore wrote:
>> These patches look fine to me; the only comment I have is that these
>> should probably be combined into a single patch to avoid
>> cherry-picking of individual pieces, e.g. skipping the feature bitmap
>> or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
>> no need to resend unless you really want to ...
>>
>> However, the bigger issue is coordination with the userspace patches.
>> I really don't like merging kernel patches until Steve OK's the
>> corresponding userspace patches.
>
> Well, some thought went into making the two behave properly in the
> absence of an update of the other.  This was the primary reason for the
> re-spin.  That part of the process is working, since it was Steve's
> feedback that provoked the respin.

The issue isn't so much in making the different bits behave under
different circumstances - they need to do that period - the issue is
that I don't want to include new functionality in the kernel that
doesn't have a user (or one on the horizon).

-- 
paul moore
www.paul-moore.com


* Re: [PATCH V3 0/3] Add support for session ID user filtering
From: Richard Guy Briggs @ 2016-08-19  4:36 UTC (permalink / raw)
  To: Paul Moore; +Cc: sgrubb, linux-audit, linux-kernel
In-Reply-To: <CAHC9VhR_ZOpdd1PWG9mqe=BmfL-10H8tBBc7FemwVeaj3EgnQw@mail.gmail.com>

On 2016-08-18 19:53, Paul Moore wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > RFE Session ID User Filter
> >
> > https://github.com/linux-audit/audit-kernel/issues/4
> > RFE: add a session ID filter to the kernel's user filter
> >
> > See also the set of userspace support patches:
> >         Add support for sessionid user filters, sessionid_set and loginuid_set
> >         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
> >         (userspace update expected to be posted 2016-08-18)
> > and the test case:
> >         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
> >
> > This third patch is expected to have a merge conflict with:
> >         "audit: add exclude filter extension to feature bitmap"
> > posted on 2016-08-18.
> >
> > Richard Guy Briggs (3):
> >   audit: add support for session ID user filter
> >   audit: add AUDIT_SESSIONID_SET support
> >   audit: add sessionid filter extension to feature bitmap
> >
> >  include/linux/audit.h      |   10 ++++++++++
> >  include/uapi/linux/audit.h |    6 +++++-
> >  kernel/auditfilter.c       |    5 +++++
> >  kernel/auditsc.c           |    6 ++++++
> >  4 files changed, 26 insertions(+), 1 deletions(-)
> 
> These patches look fine to me; the only comment I have is that these
> should probably be combined into a single patch to avoid
> cherry-picking of individual pieces, e.g. skipping the feature bitmap
> or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
> no need to resend unless you really want to ...
> 
> However, the bigger issue is coordination with the userspace patches.
> I really don't like merging kernel patches until Steve OK's the
> corresponding userspace patches.

Well, some thought went into making the two behave properly in the
absence of an update of the other.  This was the primary reason for the
re-spin.  That part of the process is working, since it was Steve's
feedback that provoked the respin.

> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH V3 0/3] Add support for session ID user filtering
From: Paul Moore @ 2016-08-18 23:53 UTC (permalink / raw)
  To: Richard Guy Briggs, sgrubb; +Cc: linux-audit, linux-kernel
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> RFE Session ID User Filter
>
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
>
> See also the set of userspace support patches:
>         Add support for sessionid user filters, sessionid_set and loginuid_set
>         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>         (userspace update expected to be posted 2016-08-18)
> and the test case:
>         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>
> This third patch is expected to have a merge conflict with:
>         "audit: add exclude filter extension to feature bitmap"
> posted on 2016-08-18.
>
> Richard Guy Briggs (3):
>   audit: add support for session ID user filter
>   audit: add AUDIT_SESSIONID_SET support
>   audit: add sessionid filter extension to feature bitmap
>
>  include/linux/audit.h      |   10 ++++++++++
>  include/uapi/linux/audit.h |    6 +++++-
>  kernel/auditfilter.c       |    5 +++++
>  kernel/auditsc.c           |    6 ++++++
>  4 files changed, 26 insertions(+), 1 deletions(-)

These patches look fine to me; the only comment I have is that these
should probably be combined into a single patch to avoid
cherry-picking of individual pieces, e.g. skipping the feature bitmap
or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
no need to resend unless you really want to ...

However, the bigger issue is coordination with the userspace patches.
I really don't like merging kernel patches until Steve OK's the
corresponding userspace patches.

-- 
paul moore
www.paul-moore.com


* [userspace PATCH v2 3/3] Check sessionID* fields available in kernel
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471546054-4536-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/libaudit.c |    8 ++++++--
 trunk/lib/libaudit.h |    3 +++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 5ffb720..a254a01 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1647,11 +1647,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_SESSIONID_SET:
+			if ((features & AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) == 0)
+				return -30;
+			/* fallthrough */
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
-			/* fallthrough */
-		case AUDIT_SESSIONID_SET:
 			if (flags != AUDIT_FILTER_EXCLUDE &&
 			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
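Review bot: reordering the cases so `AUDIT_SESSIONID_SET` tests `AUDIT_FEATURE_BITMAP_SESSIONID_FILTER` and then falls through into the `AUDIT_LOGINUID_SET` arm is correct but subtle: after the fallthrough the `if(!features) return -30;` check is redundant for sessionid_set (the bit being set already implies a non-zero bitmap), and the shared list and boolean validation below is the part actually wanted. Expanding the `/* fallthrough */` comment to say that sessionid_set reuses loginuid_set's checks would keep a later edit from "fixing" the order back.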
@@ -1666,6 +1668,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 				return -32;
 			break;
 		case AUDIT_SESSIONID:
+			if ((features & AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) == 0)
+				return -30;
 			if (flags != AUDIT_FILTER_EXCLUDE &&
 			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
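Review bot: the `(features & AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) == 0` test is now repeated verbatim for `AUDIT_SESSIONID` and `AUDIT_SESSIONID_SET`; a small static helper would keep the two in sync if the bitmap handling changes. Behaviour-wise this is the right spot, since it runs before the value is parsed and -30 ("Field option not supported by kernel:") is what an admin on an older kernel should see.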
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index f8007c1..14bbf2d 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -281,6 +281,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
 #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
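Review bot: the `#ifndef` fallback hard-codes bit 0x00000010 for kernels whose uapi headers predate the feature; that stays correct only if the kernel side ("audit: add sessionid filter extension to feature bitmap" from the companion series) lands with the same value, and a mismatch would not fail the build, it would silently test the wrong bit. A comment citing the kernel header or commit the value was copied from would make the dependency visible.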
-- 
1.7.1


* [userspace PATCH v2 2/3] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471546054-4536-1-git-send-email-rgb@redhat.com>

Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
enable specifying that sessionID is set or not in user filters.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    1 +
 trunk/lib/libaudit.c |    2 ++
 trunk/lib/libaudit.h |    4 ++++
 3 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 84acc08..eeb951e 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -34,6 +34,7 @@ _S(AUDIT_LOGINUID,     "loginuid"     )
 _S(AUDIT_LOGINUID_SET, "auid_set"     )
 _S(AUDIT_LOGINUID_SET, "loginuid_set" )
 _S(AUDIT_SESSIONID,    "sessionid"    )
+_S(AUDIT_SESSIONID_SET,"sessionid_set")
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
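Review bot: style nit on the added row: `_S(AUDIT_SESSIONID_SET,"sessionid_set")` drops the space after the comma and the column alignment every other `_S()` line in this table keeps; `_S(AUDIT_SESSIONID_SET, "sessionid_set")` matches the surrounding rows.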
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 38776f4..5ffb720 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1650,6 +1650,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
+			/* fallthrough */
+		case AUDIT_SESSIONID_SET:
 			if (flags != AUDIT_FILTER_EXCLUDE &&
 			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
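Review bot: with this fallthrough, `AUDIT_LOGINUID_SET` runs its `if(!features) return -30;` check and then shares the list and boolean validation with `AUDIT_SESSIONID_SET`, but `AUDIT_SESSIONID_SET` itself gets no kernel-support check in this patch, so until 3/3 is applied a sessionid_set rule on an older kernel is handed to the kernel and fails with a less specific error. That is acceptable if the series always merges as a unit, but it argues for squashing 2/3 and 3/3 or saying so in the cover letter.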
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 95b7a78..f8007c1 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -381,6 +381,10 @@ extern "C" {
 #define AUDIT_SESSIONID			25
 #endif
 
+#ifndef AUDIT_SESSIONID_SET
+#define AUDIT_SESSIONID_SET		26
+#endif
+
 /* Architectures */
 #ifndef EM_ARM
 #define EM_ARM  40
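Review bot: `AUDIT_SESSIONID_SET 26` is only a fallback for old headers, yet nothing ties it to the uapi definition the companion kernel series introduces; if the kernel assigns a different number, auditctl would accept the rule and the kernel would reject or misinterpret it. Please record the source of the value in a comment next to the `#ifndef`.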
-- 
1.7.1


* [userspace PATCH v2 1/3] Add userspace support for session ID user filter.
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471546054-4536-1-git-send-email-rgb@redhat.com>

Add support for the session ID user filter by adding the field name
"sessionid" using the kernel defined macro value AUDIT_SESSIONID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    1 +
 trunk/lib/fieldtab.h |    1 +
 trunk/lib/libaudit.c |   11 +++++++++++
 trunk/lib/libaudit.h |    4 ++++
 4 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4a897be..2c6b9fa 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -68,5 +68,6 @@ static const struct msg_tab err_msgtab[] = {
     { -30,    2,    "Field option not supported by kernel:" },
     { -31,    1,    "can only be used with exit, user and exclude filter lists" },
     { -32,    2,    "-F value should be boolean 0 or 1 for" },
+    { -33,    2,    "-F value should be positive number for" },
 };
 #endif
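Review bot: the new -33 text "should be positive number for" wants an article ("should be a positive number for") to read like its neighbours, and it promises slightly more than the parser in the libaudit.c hunk enforces, which is only that the first character is a digit (so 0 is accepted).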
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 107157d..84acc08 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -33,6 +33,7 @@ _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
 _S(AUDIT_LOGINUID_SET, "auid_set"     )
 _S(AUDIT_LOGINUID_SET, "loginuid_set" )
+_S(AUDIT_SESSIONID,    "sessionid"    )
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
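Review bot: adding `sessionid` to the field table also calls for a docs/auditctl.8 update; the user-filter paragraph of that page (visible in the exclude-filter series on this page) still enumerates only uid, auid, gid, pid, subj_* and msgtype as valid fields, so a reader would not learn that sessionid is now accepted.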
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 5ffc38c..38776f4 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1663,6 +1663,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else
 				return -32;
 			break;
+		case AUDIT_SESSIONID:
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
+			    flags != AUDIT_FILTER_EXIT)
+				return -31;
+			if (isdigit((char)*(v)))
+				rule->values[rule->field_count] =
+					strtol(v, NULL, 0);
+			else
+				return -33;
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
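Review bot: the value parsing in the new `AUDIT_SESSIONID` case is looser than the -33 message promises: `isdigit((char)*(v))` inspects only the first character, so `12abc` is accepted and silently truncated to 12 by `strtol(v, NULL, 0)`, and base 0 also admits `0x1f`. Pass an `endptr` to `strtoul` (session IDs are unsigned 32-bit and `values[]` cannot hold a negative) and reject the field unless `*endptr == '\0'`; also cast through `unsigned char` rather than `char` before calling `isdigit()`.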
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index f77691f..95b7a78 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -377,6 +377,10 @@ extern "C" {
 #define AUDIT_LOGINUID_SET		24
 #endif
 
+#ifndef AUDIT_SESSIONID
+#define AUDIT_SESSIONID			25
+#endif
+
 /* Architectures */
 #ifndef EM_ARM
 #define EM_ARM  40
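Review bot: `AUDIT_SESSIONID 25` follows `AUDIT_LOGINUID_SET 24` and, like the other `#ifndef` fallbacks in this series, must track the uapi value the kernel patch assigns; a comment naming the kernel header it mirrors would help whoever bumps these numbers later.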
-- 
1.7.1


* [userspace PATCH v2 0/3] Add support for sessionid user filters, sessionid_set
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add support for sessionid, sessionid_set (first two patches) and
feature bitmap detection of the kernel feature (third patch) in user
filters.  This is to implement issue "ghak4":
	https://github.com/linux-audit/audit-kernel/issues/4
	https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter

This patchset should be added after loginuid_set and exclude filter
extension to avoid merge conflicts.

Richard Guy Briggs (3):
  Add userspace support for session ID user filter.
  Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
  Check sessionID* fields available in kernel

 trunk/lib/errormsg.h |    1 +
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   17 +++++++++++++++++
 trunk/lib/libaudit.h |   11 +++++++++++
 4 files changed, 31 insertions(+), 0 deletions(-)


* [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel
From: Richard Guy Briggs @ 2016-08-18 18:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471545200-3742-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/libaudit.c |   39 ++++++++++++++++++++++-----------------
 trunk/lib/libaudit.h |    3 +++
 3 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 84bfdb3..4a897be 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = {
     { -9,    0,    "msgtype field can only be used with exclude filter list" },
     { -10,    0,    "Failed upgrading rule" },
     { -11,    0,    "String value too long" },
-    { -12,    0,    "Only msgtype field can be used with exclude filter" },
+    { -12,    0,    "Only msgtype, uid, gid, auid*, subj* fields can be used with exclude filter" },
     { -13,    1,    "only takes = or != operators" },
     { -14,    0,    "Permission can only contain  \'rwxa\'" },
     { -15,    2,    "-F unknown errno -"},
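Review bot: the updated -12 text "Only msgtype, uid, gid, auid*, subj* fields can be used with exclude filter" omits pid, which the switch in this patch's libaudit.c hunk explicitly allows (`case AUDIT_PID:`); add it so the error message matches what the code accepts.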
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 798b3c8..5ffc38c 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		return -2;
 
 	/* Exclude filter can be used only with MSGTYPE and cred fields */
-	if (flags == AUDIT_FILTER_EXCLUDE)
-		switch(field) {
-			case AUDIT_PID:
-			case AUDIT_UID:
-			case AUDIT_GID:
-			case AUDIT_LOGINUID:
-			case AUDIT_LOGINUID_SET:
-			case AUDIT_MSGTYPE:
-			case AUDIT_SUBJ_USER:
-			case AUDIT_SUBJ_ROLE:
-			case AUDIT_SUBJ_TYPE:
-			case AUDIT_SUBJ_SEN:
-			case AUDIT_SUBJ_CLR:
-				break;
-			default:
-				return -12;
-		}
+	if (flags == AUDIT_FILTER_EXCLUDE) {
+		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
+			if (field != AUDIT_MSGTYPE)
+				return -30;
+		} else
+			switch(field) {
+				case AUDIT_PID:
+				case AUDIT_UID:
+				case AUDIT_GID:
+				case AUDIT_LOGINUID:
+				case AUDIT_LOGINUID_SET:
+				case AUDIT_MSGTYPE:
+				case AUDIT_SUBJ_USER:
+				case AUDIT_SUBJ_ROLE:
+				case AUDIT_SUBJ_TYPE:
+				case AUDIT_SUBJ_SEN:
+				case AUDIT_SUBJ_CLR:
+					break;
+				default:
+					return -12;
+			}
+	}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
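Review bot: the feature gate is right: without `AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND` anything other than `AUDIT_MSGTYPE` on the exclude list now gets -30 ("Field option not supported by kernel:"), which is exactly the case an old kernel would otherwise have silently ignored. Style: `} else` followed by a brace-less `switch` spanning fifteen lines is hard to scan; braces around the else body would match the `if` branch above it.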
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 0852bcc..f77691f 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -278,6 +278,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
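Review bot: `AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008` is a fallback for headers that predate the kernel change; it sits one bit above `AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004`, which is consistent, but please cite in a comment the kernel commit or header the value was copied from so a later mismatch is easy to spot.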
-- 
1.7.1


* [userspace PATCH v2 1/2] exclude filter: add support for user filter fields
From: Richard Guy Briggs @ 2016-08-18 18:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471545200-3742-1-git-send-email-rgb@redhat.com>

RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Enable the exclude filter to additionally filter on PID, UID, GID, AUID,
LOGINUID_SET, SUBJ_*.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/docs/auditctl.8 |    2 +-
 trunk/lib/errormsg.h  |    2 +-
 trunk/lib/libaudit.c  |   24 ++++++++++++++++++++----
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index ceb6c40..540ff70 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -76,7 +76,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c
 Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
 .TP
 .B exclude
-Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. 
+Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that.  Events can be excluded by process ID, user ID, group ID, login user ID, login user ID set, message type or subject context.
 .RE
 
 The following describes the valid \fIactions\fP for the rule:
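Review bot: while rewriting this line, the pre-existing "you would using this list to record that" should become "you would use this list to record that", and the new sentence is joined with two spaces where the rest of the page uses one. The added list of excludable attributes is useful; consider naming the field keys (pid, uid, gid, auid, auid_set/loginuid_set, msgtype, subj_*) so readers can map the prose to `-F` options.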
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index c678315..84bfdb3 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -66,7 +66,7 @@ static const struct msg_tab err_msgtab[] = {
     { -28,    2,    "Too many fields in rule:" },
     { -29,    1,    "only takes = operator" },
     { -30,    2,    "Field option not supported by kernel:" },
-    { -31,    1,    "can only be used with exit and user filter lists" },
+    { -31,    1,    "can only be used with exit, user and exclude filter lists" },
     { -32,    2,    "-F value should be boolean 0 or 1 for" },
 };
 #endif
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 236f8bc..798b3c8 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,9 +1400,24 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 	if ((field = audit_name_to_field(f)) < 0) 
 		return -2;
 
-	/* Exclude filter can be used only with MSGTYPE field */
-	if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
-		return -12; 
+	/* Exclude filter can be used only with MSGTYPE and cred fields */
+	if (flags == AUDIT_FILTER_EXCLUDE)
+		switch(field) {
+			case AUDIT_PID:
+			case AUDIT_UID:
+			case AUDIT_GID:
+			case AUDIT_LOGINUID:
+			case AUDIT_LOGINUID_SET:
+			case AUDIT_MSGTYPE:
+			case AUDIT_SUBJ_USER:
+			case AUDIT_SUBJ_ROLE:
+			case AUDIT_SUBJ_TYPE:
+			case AUDIT_SUBJ_SEN:
+			case AUDIT_SUBJ_CLR:
+				break;
+			default:
+				return -12;
+		}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
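Review bot: on its own this hunk lets auditctl send pid/uid/gid/auid/subj_* exclude rules to any kernel, including ones without the extension, where they would match nothing; the kernel-support check only arrives in 2/2. Since both patches rewrite the same switch, folding them into one patch avoids an intermediate state with that gap. Also, the `if (flags == AUDIT_FILTER_EXCLUDE)` with a brace-less multi-line `switch` body reads better with braces, and the trailing whitespace on the `if ((field = audit_name_to_field(f)) < 0) ` context line could be dropped while here.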
@@ -1630,7 +1645,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
-			if (flags != AUDIT_FILTER_USER &&
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
 				return -31;
 			if (isdigit((char)*(v))) {
-- 
1.7.1

^ permalink raw reply related

* [userspace PATCH v2 0/2] add support for more fields to the exclude filter
From: Richard Guy Briggs @ 2016-08-18 18:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add userspace support for the exclude filter extension of subject
credentials, including detection of the feature in the kernel.

This set should be added after loginuid_set support and before sessionID
user filter support to avoid merge conflicts.

Richard Guy Briggs (2):
  exclude filter: add support for user filter fields
  Check exclude filter cred extension fields available in kernel

 trunk/docs/auditctl.8 |    2 +-
 trunk/lib/errormsg.h  |    4 ++--
 trunk/lib/libaudit.c  |   29 +++++++++++++++++++++++++----
 trunk/lib/libaudit.h  |    3 +++
 4 files changed, 31 insertions(+), 7 deletions(-)

^ permalink raw reply
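The two userspace series above (exclude-filter extension and loginuid_set) both turn on the same idea: libaudit reads the kernel's feature bitmap once and refuses fields the running kernel cannot filter on, so the user sees a libaudit error rather than an EINVAL from the kernel. The block below is an added example, not libaudit or kernel code. It models that gating for the exclude list across both feature bits, and pairs it with a strict parser for the `*_set` boolean fields. `exclude_field_check()` and `parse_set_flag()` are hypothetical helper names; the `AUDIT_*` values are copied from the uapi hunks on this page and from `include/uapi/linux/audit.h`, and the error codes follow the `err_msgtab` entries shown above.

```c
/*
 * Added example (not libaudit code): gate exclude-filter fields on the
 * kernel feature bitmap, as the userspace series on this page describe.
 * Field numbers and bitmap bits are from include/uapi/linux/audit.h and
 * the patches above; the helper names are invented for this example.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Rule field numbers (24..26 as defined in the patches above) */
#define AUDIT_PID		0
#define AUDIT_UID		1
#define AUDIT_GID		5
#define AUDIT_LOGINUID		9
#define AUDIT_ARCH		11
#define AUDIT_MSGTYPE		12
#define AUDIT_SUBJ_USER		13
#define AUDIT_SUBJ_ROLE		14
#define AUDIT_SUBJ_TYPE		15
#define AUDIT_SUBJ_SEN		16
#define AUDIT_SUBJ_CLR		17
#define AUDIT_LOGINUID_SET	24
#define AUDIT_SESSIONID		25
#define AUDIT_SESSIONID_SET	26

/* Feature bitmap bits; 0x08 and 0x10 are the ones the kernel patches above add */
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010

/* libaudit-style error codes matching the err_msgtab entries above */
#define ERR_EXCLUDE_FIELD	-12	/* field not valid on the exclude list */
#define ERR_KERNEL_UNSUPPORTED	-30	/* "Field option not supported by kernel:" */
#define ERR_NOT_BOOLEAN		-32	/* "-F value should be boolean 0 or 1 for" */

/*
 * May `field` appear in an exclude-list rule on a kernel advertising
 * `features`?  msgtype has always been allowed; the credential fields
 * need EXCLUDE_EXTEND; session IDs need SESSIONID_FILTER.  Rejecting
 * here yields a libaudit message instead of a bare EINVAL from the kernel.
 */
int exclude_field_check(int field, uint32_t features)
{
	switch (field) {
	case AUDIT_MSGTYPE:
		return 0;
	case AUDIT_PID: case AUDIT_UID: case AUDIT_GID:
	case AUDIT_LOGINUID: case AUDIT_LOGINUID_SET:
	case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE:
	case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR:
		return (features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) ?
			0 : ERR_KERNEL_UNSUPPORTED;
	case AUDIT_SESSIONID: case AUDIT_SESSIONID_SET:
		return (features & AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) ?
			0 : ERR_KERNEL_UNSUPPORTED;
	default:
		return ERR_EXCLUDE_FIELD;
	}
}

/*
 * Strict parser for the *_set boolean fields: exactly "0" or "1".
 * Unlike strtol(v, NULL, 0) this rejects trailing garbage ("1x"),
 * base prefixes ("0x1"), signs and leading whitespace.
 */
int parse_set_flag(const char *v, long *out)
{
	char *end;
	long n;

	if (!v || !isdigit((unsigned char)*v))
		return ERR_NOT_BOOLEAN;
	errno = 0;
	n = strtol(v, &end, 10);
	if (errno || *end != '\0' || (n != 0 && n != 1))
		return ERR_NOT_BOOLEAN;
	*out = n;
	return 0;
}

int main(void)
{
	/* constructed bitmaps: a kernel with only exe-path filtering, and one with both extensions */
	uint32_t old_kernel = AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH;
	uint32_t new_kernel = old_kernel | AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND |
			      AUDIT_FEATURE_BITMAP_SESSIONID_FILTER;
	long flag;

	printf("exclude -F auid=      old:%d new:%d\n",
	       exclude_field_check(AUDIT_LOGINUID, old_kernel),
	       exclude_field_check(AUDIT_LOGINUID, new_kernel));
	printf("exclude -F sessionid= old:%d new:%d\n",
	       exclude_field_check(AUDIT_SESSIONID, old_kernel),
	       exclude_field_check(AUDIT_SESSIONID, new_kernel));
	printf("exclude -F arch=      %d\n", exclude_field_check(AUDIT_ARCH, new_kernel));
	printf("auid_set=1x           %d\n", parse_set_flag("1x", &flag));
	return 0;
}
```

The check runs entirely in userspace against whatever bitmap the kernel returned, so a rule that would be refused with EINVAL on an older kernel is refused with a readable message before any netlink traffic; the parser is the end-pointer form that the review of the loginuid_set hunk asks for.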

* [userspace PATCH v2 2/2] Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
From: Richard Guy Briggs @ 2016-08-18 18:18 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471544337-3108-1-git-send-email-rgb@redhat.com>

Add macro if not in headers, check for version or feature bitmap.
Check for user or exit list use, check for boolean.

See upstream kernel commits:
	780a7654cee8d61819512385e778e4827db4bfbc
	041d7b98ffe59c59fdd639931dea7d74f9aa9a59

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 ++
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   15 +++++++++++++++
 trunk/lib/libaudit.h |    6 ++++++
 4 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4602d5..c678315 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -66,5 +66,7 @@ static const struct msg_tab err_msgtab[] = {
     { -28,    2,    "Too many fields in rule:" },
     { -29,    1,    "only takes = operator" },
     { -30,    2,    "Field option not supported by kernel:" },
+    { -31,    1,    "can only be used with exit and user filter lists" },
+    { -32,    2,    "-F value should be boolean 0 or 1 for" },
 };
 #endif
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index bf48c95..107157d 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,8 @@ _S(AUDIT_SGID,         "sgid"         )
 _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
+_S(AUDIT_LOGINUID_SET, "auid_set"     )
+_S(AUDIT_LOGINUID_SET, "loginuid_set" )
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 566b89e..236f8bc 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1627,6 +1627,21 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_LOGINUID_SET:
+			if(!features)
+				return -30;
+			if (flags != AUDIT_FILTER_USER &&
+			    flags != AUDIT_FILTER_EXIT)
+				return -31;
+			if (isdigit((char)*(v))) {
+				rule->values[rule->field_count] =
+					strtol(v, NULL, 0);
+				if (rule->values[rule->field_count] > 1)
+					return -32;
+			}
+			else
+				return -32;
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
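Review bot: `if(!features) return -30;` treats an all-zero bitmap as "kernel lacks loginuid_set", but the commit message promises to "check for version or feature bitmap" and only the bitmap test is visible here: a kernel that has AUDIT_LOGINUID_SET but predates the feature bitmap reports no features and is wrongly rejected, while any kernel that reports any bit at all is assumed to support the field. Either test a specific bit or add the version fallback the message describes. Separately, `strtol(v, NULL, 0)` with no end pointer silently accepts trailing garbage and base prefixes ("1x", "0x1" both parse as 1); pass an end pointer and require it to land on the terminator before the `> 1` test. Style nit: `if(!features)` should be `if (!features)`.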
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 9640f17..0852bcc 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -369,6 +369,12 @@ extern "C" {
 #define AUDIT_COMPARE_SGID_TO_FSGID    25
 #endif
 
+/* Rule fields */
+#ifndef AUDIT_LOGINUID_SET
+#define AUDIT_LOGINUID_SET		24
+#endif
+
+/* Architectures */
 #ifndef EM_ARM
 #define EM_ARM  40
 #endif
-- 
1.7.1

^ permalink raw reply related

* [userspace PATCH v2 1/2] get feature list only once
From: Richard Guy Briggs @ 2016-08-18 18:18 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471544337-3108-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/libaudit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 70b8ea8..566b89e 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1345,6 +1345,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 	int        vlen;
 	int        offset;
 	struct audit_rule_data *rule = *rulep;
+	uint32_t features = audit_get_features();
 
 	if (f == NULL)
 		return -1;
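Review bot: hoisting `audit_get_features()` to the top of audit_rule_fieldpair_data() means it now runs for every field pair of every rule, not only when `-F exe=` is given. If that call talks to the kernel, loading a large ruleset with `auditctl -R` pays one round trip per field, and a failure there yields 0 and turns every feature-gated field into a -30 error. Consider fetching it lazily on first use inside the function, or caching the result across calls, so the later users the cover letter mentions (exclude extension, sessionid) share one lookup.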
@@ -1508,7 +1509,6 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_FILTERKEY:
 		case AUDIT_EXE:
 			if (field == AUDIT_EXE) {
-				uint32_t features = audit_get_features();
 				if ((features & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH) == 0)
 					return -30;
 				if (op != AUDIT_EQUAL)
-- 
1.7.1

^ permalink raw reply related

* [userspace PATCH v2 0/2] Add support for loginuid_set
From: Richard Guy Briggs @ 2016-08-18 18:18 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

loginuid_set support should have been added to userspace when it was
added to the kernel around v3.10.  Add it before we do similar for
sessionID and sessionID_set.

There will be a number of users of features_bitmap within the same
function (exclude filter extension, sessionID filter), so refactor
audit_rule_fieldpair_data() to put audit_get_features earlier in the
function.

Richard Guy Briggs (2):
  get feature list only once
  Add user filter option loginuid_set from uapi macro
    AUDIT_LOGINUID_SET

 trunk/lib/errormsg.h |    2 ++
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   17 ++++++++++++++++-
 trunk/lib/libaudit.h |    6 ++++++
 4 files changed, 26 insertions(+), 1 deletions(-)

^ permalink raw reply

* [PATCH V3 3/3] audit: add sessionid filter extension to feature bitmap
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

Add to the audit feature bitmap to indicate availability of the
extension of the exclude and user filters to include sessionID.

RFE: add a session ID filter to the kernel's user filter
https://github.com/linux-audit/audit-kernel/issues/4

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a4048bc..d4a9589 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -329,9 +329,11 @@ enum {
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
 				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
-				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
+				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
+				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
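Review bot: the new bit is 0x00000010, leaving 0x00000008 unused in this header. The cover letter explains that 0x08 belongs to "audit: add exclude filter extension to feature bitmap", posted separately, but the commit message of this patch should say so; read on its own the hunk shows an unexplained gap that someone will later fill with a conflicting value.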
-- 
1.7.1

^ permalink raw reply related

* [PATCH V3 2/3] audit: add AUDIT_SESSIONID_SET support
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in
filters rather than depending on an in-band signal to indicate it.

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    3 +++
 kernel/auditsc.c           |    7 ++++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2392442 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
+static inline bool sessionid_valid(unsigned int sessionid)
+{
+	return sessionid != (unsigned int) -1;
+}
+
+static inline bool audit_sessionid_set(struct task_struct *tsk)
+{
+	return sessionid_valid(audit_get_sessionid(tsk));
+}
+
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b3140eb..a4048bc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -253,6 +253,7 @@
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
 #define AUDIT_SESSIONID	25	/* Session ID */
+#define AUDIT_SESSIONID_SET	26	/* Session ID set or not */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1c60fcf..47eaaba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_FILTERKEY:
 		break;
 	case AUDIT_LOGINUID_SET:
+	case AUDIT_SESSIONID_SET:
 		if ((f->val != 0) && (f->val != 1))
 			return -EINVAL;
 	/* FALL THROUGH */
@@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 				goto exit_free;
 			break;
 		case AUDIT_SESSIONID:
+			if (!sessionid_valid(f->val))
+				goto exit_free;
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
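Review bot: `case AUDIT_SESSIONID:` now has a body and falls into `case AUDIT_ARCH:` without the `/* FALL THROUGH */` annotation the file uses for intentional fall-through (see the previous hunk). Beyond the annotation, the fall-through keeps `entry->rule.arch_f = f;` executing for a session-ID field, which stores a non-architecture field in the pointer the kernel consults when it needs the rule's architecture. After the `sessionid_valid()` check this case should simply `break`.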
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 52f7a61..4df536b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
-	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
 		case AUDIT_SESSIONID:
-			sessionid = audit_get_sessionid(current);
-			result = audit_comparator(sessionid, f->op, f->val);
+			result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);
 			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
@@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_LOGINUID_SET:
 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 			break;
+		case AUDIT_SESSIONID_SET:
+			result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
-- 
1.7.1

^ permalink raw reply related

* [PATCH V3 1/3] audit: add support for session ID user filter
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    2 ++
 kernel/auditsc.c           |    5 +++++
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..b3140eb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -252,6 +252,7 @@
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
+#define AUDIT_SESSIONID	25	/* Session ID */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac..1c60fcf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_EXIT:
 	case AUDIT_SUCCESS:
 	case AUDIT_INODE:
+	case AUDIT_SESSIONID:
 		/* bit ops are only useful on syscall args */
 		if (f->op == Audit_bitmask || f->op == Audit_bittest)
 			return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			if (!gid_valid(f->gid))
 				goto exit_free;
 			break;
+		case AUDIT_SESSIONID:
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
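Review bot: grouping `case AUDIT_SESSIONID:` with `case AUDIT_ARCH:` sets `entry->rule.arch_f = f;` for a session-ID field. rule.arch_f is the field the kernel consults when it needs the rule's architecture (arch-dependent code such as signal-syscall classification); pointing it at a session ID makes that code interpret the session ID as a machine type, and a rule that carries both `-F arch=` and `-F sessionid=` ends with whichever field came last. Give AUDIT_SESSIONID its own `break` (or group it with the plain-value fields) instead.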
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c65af21..52f7a61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_FSGID:
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
+		case AUDIT_SESSIONID:
+			sessionid = audit_get_sessionid(current);
+			result = audit_comparator(sessionid, f->op, f->val);
+			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
 			break;
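Review bot: `audit_get_sessionid(current)` should be `audit_get_sessionid(tsk)`. audit_filter_rules() is handed the task being evaluated, and the neighbouring cases (`cred->fsgid`, `tsk->personality`) use it; with `current`, any path where tsk != current compares against the caller's session. The new `sessionid` local is then unnecessary: `result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);` matches the surrounding style.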
-- 
1.7.1

^ permalink raw reply related

* [PATCH V3 0/3] Add support for session ID user filtering
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
 
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

See also the set of userspace support patches:
	Add support for sessionid user filters, sessionid_set and loginuid_set
	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
	(userspace update expected to be posted 2016-08-18)
and the test case:
	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter

This third patch is expected to have a merge conflict with:
	"audit: add exclude filter extension to feature bitmap"
posted on 2016-08-18.

Richard Guy Briggs (3):
  audit: add support for session ID user filter
  audit: add AUDIT_SESSIONID_SET support
  audit: add sessionid filter extension to feature bitmap

 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    6 +++++-
 kernel/auditfilter.c       |    5 +++++
 kernel/auditsc.c           |    6 ++++++
 4 files changed, 26 insertions(+), 1 deletions(-)

^ permalink raw reply

* [PATCH] audit: add exclude filter extension to feature bitmap
From: Richard Guy Briggs @ 2016-08-18 16:05 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs

Add to the audit feature bitmap to indicate availability of the
extension of the exclude filter to include PID, UID, AUID, GID, SUBJ_*.

RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..76c5e7e 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,9 +327,11 @@ enum {
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
 				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
-				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
+				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
+				  AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
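Review bot: the commit message says the bit covers "PID, UID, AUID, GID, SUBJ_*", but the matching userspace patch also admits AUDIT_LOGINUID_SET on the exclude list. Since libaudit gates those fields on this one bit, the message (and ideally a comment next to the define) should enumerate the exact set the bit guarantees, including loginuid_set, so the two sides cannot drift apart.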
-- 
1.7.1

^ permalink raw reply related

* Re: [PATCH] security: lsm_audit: print pid and tid
From: Paul Moore @ 2016-08-18 12:55 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Jeff Vander Stoep, selinux, linux-audit
In-Reply-To: <20160818055627.GH1304@madcap2.tricolour.ca>

On Thu, Aug 18, 2016 at 1:56 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2016-08-17 16:58, Paul Moore wrote:
>> However, as far as I can see, the biggest problem with this patch is
>> that it adds a field in the middle of a record which will likely cause
>> the audit userspace tools to explode (or so I've been warned in the
>> past).  Steve, what say you about the userspace?
>
> Adding fields in the middle isn't necessarily a problem if it doesn't
> confuse the existing scanner, which can skip over fields about which it
> does not care.  I've carefully added fields in the middle in the past,
> trying my best to group it logically with the rest of the information as
> has been requested, I think: subject, action, object, result.

I've ranted about this before so I won't do it again here, but
ultimately the problem is that the guidance for userspace
applications/libraries has been that you can expect certain fields in
specific locations.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: [PATCH] security: lsm_audit: print pid and tid
From: Richard Guy Briggs @ 2016-08-18  5:56 UTC (permalink / raw)
  To: Paul Moore; +Cc: Jeff Vander Stoep, selinux, linux-audit
In-Reply-To: <CAHC9VhS=odoi8NFFGP36VAMcL_Gbbin+0pyTj-MNcsPZKit0GQ@mail.gmail.com>

On 2016-08-17 16:58, Paul Moore wrote:
> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> > dump_common_audit_data() currently contains a field for pid, but the
> > value printed is actually the thread ID, tid. Update this value to
> > return the task group ID. Add a new field for tid. With this change
> > the values printed by audit now match the values returned by the
> > getpid() and gettid() syscalls.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> >  security/lsm_audit.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> Hi Jeff,
> 
> Have you tested this against the audit-testsuite[1]?  We don't have an
> explicit PID test yet, but at least two of the tests do test it as a
> side effect.
> 
> Steve, I don't see the thread ID listed in the field dictionary, are
> you okay with using "tid" for this?

There is some naming confusion between userspace and kernel space with
pid vs. tid vs. tgid...

> However, as far as I can see, the biggest problem with this patch is
> that it adds a field in the middle of a record which will likely cause
> the audit userspace tools to explode (or so I've been warned in the
> past).  Steve, what say you about the userspace?

Adding fields in the middle isn't necessarily a problem if it doesn't
confuse the existing scanner, which can skip over fields about which it
does not care.  I've carefully added fields in the middle in the past,
trying my best to group it logically with the rest of the information as
has been requested, I think: subject, action, object, result.

> [1] https://github.com/linux-audit/audit-testsuite
> [2] https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
> 
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..57f26c1 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> >          */
> >         BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
> >
> > -       audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> > +       audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> > +                       task_pid_vnr(tsk));
> >         audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
> >
> >         switch (a->type) {
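Review bot: there is no `tsk` in scope at this point in dump_common_audit_data(): the removed line used `current`, the unchanged line that follows still reads `current->comm`, and the only `tsk` in the function is declared inside the LSM_AUDIT_DATA_TASK case further down. As quoted, this hunk does not compile; it should be `task_tgid_vnr(current), task_pid_vnr(current)`. Also note that task_pid_nr() reported the id in the initial pid namespace while the `_vnr` variants report the id as seen from the caller's namespace, a change in what gets logged that the commit message should state.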
> > @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> >         case LSM_AUDIT_DATA_TASK: {
> >                 struct task_struct *tsk = a->u.tsk;
> >                 if (tsk) {
> > -                       pid_t pid = task_pid_nr(tsk);
> > +                       pid_t pid = task_tgid_vnr(tsk);
> >                         if (pid) {
> >                                 char comm[sizeof(tsk->comm)];
> >                                 audit_log_format(ab, " opid=%d ocomm=", pid);
> > +                               audit_log_format(ab, " opid=%d otid=%d ocomm=",
> > +                                               pid, task_pid_vnr(tsk));
> >                                 audit_log_untrustedstring(ab,
> >                                     memcpy(comm, tsk->comm, sizeof(comm)));
> >                         }
> 
> -- 
> paul moore
> www.paul-moore.com
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

^ permalink raw reply

