linux-fsdevel.vger.kernel.org archive mirror
From: Kees Cook <keescook@chromium.org>
To: Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	Eric Paris <eparis@redhat.com>, Matthew Wilcox <matthew@wil.cx>,
	Doug Ledford <dledford@redhat.com>,
	Joe Korty <joe.korty@ccur.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Ingo Molnar <mingo@elte.hu>, David Howells <dhowells@redhat.com>,
	James Morris <james.l.morris@oracle.com>,
	linux-doc@vger.kernel.org,
	Dan Rosenberg <drosenberg@vsecurity.com>,
	kernel-hardening@lists.openwall.com,
	Kees Cook <keescook@chromium.org>
Subject: [PATCH 2/2] fs: add link restriction audit reporting
Date: Mon,  2 Jul 2012 13:17:14 -0700
Message-ID: <1341260234-32002-3-git-send-email-keescook@chromium.org>
In-Reply-To: <1341260234-32002-1-git-send-email-keescook@chromium.org>

Adds audit messages for unexpected link restriction violations so that
system owners will have some sort of potentially actionable information
about misbehaving processes.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/namei.c            |    2 ++
 include/linux/audit.h |    4 ++++
 kernel/audit.c        |   21 +++++++++++++++++++++
 3 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 8712c14..6167420 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -682,6 +682,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd)
 		return 0;
 
 	path_put(&nd->path);
+	audit_log_link_denied("follow_link", link);
 	return -EACCES;
 }
 
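Review bot: the denial is reported after `path_put(&nd->path)` has dropped the lookup's directory reference, but `link` is the separate path reference the caller still holds, so `audit_log_link_denied("follow_link", link)` dereferences a live path; a one-line comment here would save readers from pausing on the ordering. Separately, every denied follow emits one AUDIT_ANOM_LINK record, so a misbehaving process looping on the same symlink can produce a record per attempt; a ratelimit on this path is worth considering in a follow-up so the log stays useful to the system owner.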
@@ -750,6 +751,7 @@ static int may_linkat(struct path *link)
 	    capable(CAP_FOWNER))
 		return 0;
 
+	audit_log_link_denied("linkat", link);
 	return -EPERM;
 }
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 22f292a..36abf2a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -130,6 +130,7 @@
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
 #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
 #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
+#define AUDIT_ANOM_LINK		    1702 /* Suspicious use of file links */
 #define AUDIT_INTEGRITY_DATA	    1800 /* Data integrity verification */
 #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
 #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
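Review bot: the new `#define AUDIT_ANOM_LINK` line aligns its value with a tab while the neighbouring `AUDIT_ANOM_PROMISCUOUS` and `AUDIT_ANOM_ABEND` lines use spaces; match the surrounding style. The value 1702 sits correctly inside the kernel anomaly range capped by `AUDIT_LAST_KERN_ANOM_MSG 1799`.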
@@ -687,6 +688,8 @@ extern void		    audit_log_d_path(struct audit_buffer *ab,
 					     const struct path *path);
 extern void		    audit_log_key(struct audit_buffer *ab,
 					  char *key);
+extern void		    audit_log_link_denied(const char *operation,
+						  struct path *link);
 extern void		    audit_log_lost(const char *message);
 #ifdef CONFIG_SECURITY
 extern void 		    audit_log_secctx(struct audit_buffer *ab, u32 secid);
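Review bot: the `link` parameter of `audit_log_link_denied()` should be `const struct path *`, matching `audit_log_d_path()` directly above it, which already takes `const struct path *path`; the helper only reads the path, and a const prototype lets callers holding a const path use it without a cast.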
@@ -716,6 +719,7 @@ extern int audit_enabled;
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b, p, d) do { ; } while (0)
 #define audit_log_key(b, k) do { ; } while (0)
+#define audit_log_link_denied(o, l) do { ; } while (0)
 #define audit_log_secctx(b,s) do { ; } while (0)
 #define audit_enabled 0
 #endif
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c7f2c6..fda8bd9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1450,6 +1450,27 @@ void audit_log_key(struct audit_buffer *ab, char *key)
 }
 
 /**
+ * audit_log_link_denied - report a link restriction denial
+ * @operation: specific link opreation
+ * @link: the path that triggered the restriction
+ */
+void audit_log_link_denied(const char *operation, struct path *link)
+{
+	struct audit_buffer *ab;
+
+	ab = audit_log_start(current->audit_context, GFP_KERNEL,
+			     AUDIT_ANOM_LINK);
+	audit_log_format(ab, "op=%s action=denied", operation);
+	audit_log_format(ab, " pid=%d comm=", current->pid);
+	audit_log_untrustedstring(ab, current->comm);
+	audit_log_d_path(ab, " path=", link);
+	audit_log_format(ab, " dev=");
+	audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
+	audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
+	audit_log_end(ab);
+}
+
+/**
  * audit_log_end - end one audit record
  * @ab: the audit_buffer
  *
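Review bot: `audit_log_start()` returns NULL when auditing is disabled or the record type is filtered, and the new function passes `ab` straight into `audit_log_format()` without the explicit `if (!ab) return;` that other helpers in this file use after `audit_log_start()`; the logging calls tolerate a NULL buffer today, but add the check so this function does not depend on that. Also fix the kerneldoc typo `opreation` to `operation`. On the content of the record: pid, comm, path, dev and ino are enough for an analyst to correlate the denial with the syscall record, and `comm` is correctly emitted through `audit_log_untrustedstring()` since it is process-controlled text.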
-- 
1.7.0.4