- 22 Dec, 2014 1 commit
-
-
Paul Moore authored
There is a problem with the audit system when multiple audit records are created for the same path, each with a different path name type. The root cause of the problem is in __audit_inode() when an exact match (both the path name and path name type) is not found for a path name record; the existing code creates a new path name record, but it never sets the path name in this record, leaving it NULL. This patch corrects this problem by assigning the path name to these newly created records. There are many ways to reproduce this problem, but one of the easiest is the following (assuming auditd is running): # mkdir /root/tmp/test # touch /root/tmp/test/567 # auditctl -a always,exit -F dir=/root/tmp/test # touch /root/tmp/test/567 Afterwards, or while the commands above are running, check the audit log and pay special attention to the PATH records. A faulty kernel will display something like the following for the file creation: type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2 success=yes exit=3 ... comm="touch" exe="/usr/bin/touch" type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp" type=PATH msg=audit(1416957442.025:93): item=0 name="test/" inode=401409 ... nametype=PARENT type=PATH msg=audit(1416957442.025:93): item=1 name=(null) inode=393804 ... nametype=NORMAL type=PATH msg=audit(1416957442.025:93): item=2 name=(null) inode=393804 ... nametype=NORMAL While a patched kernel will show the following: type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2 success=yes exit=3 ... comm="touch" exe="/usr/bin/touch" type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp" type=PATH msg=audit(1416955786.566:89): item=0 name="test/" inode=401409 ... nametype=PARENT type=PATH msg=audit(1416955786.566:89): item=1 name="test/567" inode=393804 ... nametype=NORMAL This issue was brought up by a number of people, but special credit should go to hujianyang@huawei.com for reporting the problem along with an explanation of the problem and a patch. While the original patch did have some problems (see the archive link below), it did demonstrate the problem and helped kickstart the fix presented here. * https://lkml.org/lkml/2014/9/5/66Reported-by:hujianyang <hujianyang@huawei.com> Signed-off-by:
Paul Moore <pmoore@redhat.com> Acked-by:
Richard Guy Briggs <rgb@redhat.com>
-
- 19 Dec, 2014 2 commits
-
-
Richard Guy Briggs authored
Eric Paris explains: Since kauditd_send_multicast_skb() gets called in audit_log_end(), which can come from any context (aka even a sleeping context) GFP_KERNEL can't be used. Since the audit_buffer knows what context it should use, pass that down and use that. See: https://lkml.org/lkml/2014/12/16/542 BUG: sleeping function called from invalid context at mm/slab.c:2849 in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin 2 locks held by sulogin/885: #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b #1: (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30 Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014 ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375 ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006 0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38 Call Trace: [<ffffffff916ba529>] dump_stack+0x50/0xa8 [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be [<ffffffff910632a6>] __might_sleep+0x119/0x128 [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9 [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3 [<ffffffff914e2b62>] skb_copy+0x3e/0xa3 [<ffffffff910c263e>] audit_log_end+0x83/0x100 [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103 [<ffffffff91252a73>] common_lsm_audit+0x441/0x450 [<ffffffff9123c163>] slow_avc_audit+0x63/0x67 [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3 [<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65 [<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10 [<ffffffff911515e6>] install_exec_creds+0xe/0x79 [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7 [<ffffffff9115198e>] search_binary_handler+0x81/0x18c [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7 [<ffffffff91153669>] do_execve+0x1f/0x21 [<ffffffff91153967>] SyS_execve+0x25/0x29 [<ffffffff916c61a9>] stub_execve+0x69/0xa0 Cc: stable@vger.kernel.org #v3.16-rc1 Reported-by:
Valdis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by:
-
Paul Moore authored
Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer. # auditctl -D # auditctl -l # autrace /bin/true # auditctl -l This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists. Cc: stable@vger.kernel.org # 3.15 Cc: Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Eric Paris <eparis@redhat.com> Reviewed-by:
-
- 09 Dec, 2014 1 commit
-
-
Paul Moore authored
-
- 17 Nov, 2014 1 commit
-
-
Richard Guy Briggs authored
The version field defined in the audit status structure was found to have limitations in terms of its expressibility of features supported. This is distict from the get/set features call to be able to command those features that are present. Converting this field from a version number to a feature bitmap will allow distributions to selectively backport and support certain features and will allow upstream to be able to deprecate features in the future. It will allow userspace clients to first query the kernel for which features are actually present and supported. Currently, EINVAL is returned rather than EOPNOTSUP, which isn't helpful in determining if there was an error in the command, or if it simply isn't supported yet. Past features are not represented by this bitmap, but their use may be converted to EOPNOTSUP if needed in the future. Since "version" is too generic to convert with a #define, use a union in the struct status, introducing the member "feature_bitmap" unionized with "version". Convert existing AUDIT_VERSION_* macros over to AUDIT_FEATURE_BITMAP* counterparts, leaving the former for backwards compatibility. Signed-off-by:
-
- 11 Nov, 2014 1 commit
-
-
Miklos Szeredi authored
Audit rules disappear when an inode they watch is evicted from the cache. This is likely not what we want. The guilty commit is "fsnotify: allow marks to not pin inodes in core", which didn't take into account that audit_tree adds watches with a zero mask. Adding any mask should fix this. Fixes: 90b1e7a5 ("fsnotify: allow marks to not pin inodes in core") Signed-off-by:
Miklos Szeredi <mszeredi@suse.cz> Cc: stable@vger.kernel.org # 2.6.36+ Signed-off-by:
-
- 30 Oct, 2014 1 commit
-
-
Richard Guy Briggs authored
Add a space between subj= and feature= fields to make them parsable. Signed-off-by:
-
- 20 Oct, 2014 1 commit
-
-
Paul Moore authored
After a long stint maintaining the audit tree, Eric asked me to step in and handle the day-to-day management of the audit tree. We should also update the linux-audit mailing list entry to better reflect current usage. Signed-off-by:
-
- 10 Oct, 2014 4 commits
-
-
Richard Guy Briggs authored
Rename audit_log_remove_rule() to audit_tree_log_remove_rule() to avoid confusion with watch and mark rule removal/changes. Signed-off-by:
-
Richard Guy Briggs authored
Re-factor audit_rule_change() to reduce the amount of code redundancy and simplify the logic. Signed-off-by:
-
Eric Paris authored
Signed-off-by: -
Richard Guy Briggs authored
Use same rule existence check order as audit_make_tree(), audit_to_watch(), update_lsm_rule() for legibility. Signed-off-by:
-
- 26 Sep, 2014 1 commit
-
-
Guenter Roeck authored
openrisc:defconfig fails to build in next-20140926 with the following error. In file included from arch/openrisc/kernel/signal.c:31:0: ./arch/openrisc/include/asm/syscall.h: In function 'syscall_get_arch': ./arch/openrisc/include/asm/syscall.h:77:9: error: 'EM_OPENRISC' undeclared Fix by moving EM_OPENRISC to include/uapi/linux/elf-em.h. Fixes: ce5d1128 ("ARCH: AUDIT: implement syscall_get_arch for all arches") Cc: Eric Paris <eparis@redhat.com> Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
Guenter Roeck <linux@roeck-us.net> Signed-off-by:
-
- 23 Sep, 2014 26 commits
-
-
Richard Guy Briggs authored
When task->comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the output string that would effectively truncate the rest of the report text after the comm= field in the audit, losing fields. Use get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm. Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
-
Richard Guy Briggs authored
open_arg() was added in commit 55669bfa "audit: AUDIT_PERM support" and never used. Remove it. Signed-off-by:
-
Richard Guy Briggs authored
When an AUDIT_GET_FEATURE message is sent from userspace to the kernel, it should reply with a message tagged as an AUDIT_GET_FEATURE type with a struct audit_feature. The current reply is a message tagged as an AUDIT_GET type with a struct audit_feature. This appears to have been a cut-and-paste-eo in commit b0fed402. Reported-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
-
Richard Guy Briggs authored
Report: Looking at your example code in http://people.redhat.com/rbriggs/audit-multicast-listen/audit-multicast-listen.c, it seems that nlmsg_len field in the received messages is supposed to contain the length of the header + payload, but it is always set to the size of the header only, i.e. 16. The example program works, because the printf format specifies the minimum width, not "precision", so it simply prints out the payload until the first zero byte. This isn't too much of a problem, but precludes the use of recvmmsg, iiuc? (gdb) p *(struct nlmsghdr*)nlh $14 = {nlmsg_len = 16, nlmsg_type = 1100, nlmsg_flags = 0, nlmsg_seq = 0, nlmsg_pid = 9910} The only time nlmsg_len would have been updated was at audit_buffer_alloc() inside audit_log_start() and never updated after. It should arguably be done in audit_log_vformat(), but would be more efficient in audit_log_end(). Reported-by:
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> Signed-off-by:
-
Richard Guy Briggs authored
Since only one of val, uid, gid and lsm* are used at any given time, combine them to reduce the size of the struct audit_field. Signed-off-by: -
Burn Alting authored
Various audit events dealing with adding, removing and updating rules result in invalid values set for the op keys which result in embedded spaces in op= values. The invalid values are op="add rule" set in kernel/auditfilter.c op="remove rule" set in kernel/auditfilter.c op="remove rule" set in kernel/audit_tree.c op="updated rules" set in kernel/audit_watch.c op="remove rule" set in kernel/audit_watch.c Replace the space in the above values with an underscore character ('_'). Coded-by:Burn Alting <burn@swtf.dyndns.org> Signed-off-by:
-
Richard Guy Briggs authored
Since there is already a primitive to do this operation in the atomic_t, use it to simplify audit_serial(). Signed-off-by: -
Fabian Frederick authored
Use kernel.h definition. Cc: Eric Paris <eparis@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Fabian Frederick <fabf@skynet.be> Signed-off-by:
-
Richard Guy Briggs authored
audit_log_fcaps() isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: -
Richard Guy Briggs authored
audit_net_id isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: -
Eric Paris authored
The arm64 tree added calls to audit_syscall_entry() and rightly included the syscall number. The interface has since been changed to not need the syscall number. As such, arm64 should no longer pass that value. Signed-off-by: -
AKASHI Takahiro authored
This patch adds auditing functions on entry to or exit from every system call invocation. Acked-by:
AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by:
Catalin Marinas <catalin.marinas@arm.com>
-
Richard Guy Briggs authored
Since the arch is found locally in __audit_syscall_entry(), there is no need to pass it in as a parameter. Delete it from the parameter list. x86* was the only arch to call __audit_syscall_entry() directly and did so from assembly code. Signed-off-by:
-
Eric Paris authored
We are currently embedding the same check from thread_info.h into syscall.h thanks to the way syscall_get_arch() was implemented in the audit tree. Instead create a new function, is_32bit_task() which is similar to that found on the powerpc arch. This simplifies the syscall.h code and makes the build/Kconfig requirements much easier to understand. Signed-off-by: Eric Paris <eparis@redhat.com Acked-by:David S. Miller <davem@davemloft.net> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Cc: sparclinux@vger.kernel.org
-
Stephen Rothwell authored
After merging the audit tree, today's linux-next build (sparc defconfig) failed like this: In file included from include/linux/audit.h:29:0, from mm/mmap.c:33: arch/sparc/include/asm/syscall.h: In function 'syscall_get_arch': arch/sparc/include/asm/syscall.h:131:9: error: 'TIF_32BIT' undeclared (first use in this function) arch/sparc/include/asm/syscall.h:131:9: note: each undeclared identifier is reported only once for each function it appears in And many more ... Caused by commit 374c0c054122 ("ARCH: AUDIT: implement syscall_get_arch for all arches"). This patch wraps the usage of TIF_32BIT in: if defined(__sparc__) && defined(__arch64__) Which solves the build problem. Signed-off-by:Stephen Rothwell <sfr@canb.auug.org.au> Acked-by:
-
Eric Paris authored
Include linux/thread_info.h so we can use is_32_bit_task() cleanly. Then just simplify syscall_get_arch() since is_32_bit_task() works for all configuration options. Suggested-by:
-
Eric Paris authored
avr32 does not have an asm/syscall.h file. We need the syscall_get_arch() definition from that file for all arch's which support CONFIG_AUDITSYSCALL. Obviously avr32 is not one of those arch's. Move the include inside the CONFIG_AUDITSYSCALL such that we only do the include if we need the results. When the syscall_get_arch() call is moved inside __audit_syscall_entry() this include can be dropped entirely. But that is going to require some assembly changes on x86* in a patch that is not ready for the tree... Reported-by:
Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by:
-
Richard Guy Briggs authored
The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 In order to determine what syscall 231 maps to, we need to have the arch= field right before it. To see the event, compile this test.c program: ===== int main(void) { return seccomp_load(seccomp_init(SCMP_ACT_KILL)); } ===== gcc -g test.c -o test -lseccomp After running the program, find the record by: ausearch --start recent -m SECCOMP -i Signed-off-by: -
Richard Guy Briggs authored
Since every arch should have syscall_get_arch() defined, stop using the function argument and just collect this ourselves. We do not drop the argument as fixing some code paths (in assembly) to not pass this first argument is non-trivial. The argument will be dropped when that is fixed. Signed-off-by:
-
Eric Paris authored
We have a function where the arch can be queried, syscall_get_arch(). So rather than have every single piece of arch specific code use and/or duplicate syscall_get_arch(), just have the audit code use the syscall_get_arch() code. Based-on-patch-by:
-
Eric Paris authored
For all arches which support audit implement syscall_get_arch() They are all pretty easy and straight forward, stolen from how the call to audit_syscall_entry() determines the arch. Based-on-patch-by:
-
Eric Paris authored
Since Alpha supports syscall audit it now needs to have a syscall.h which implements syscall_get_arch() rather than hard coding this value into audit_syscall_entry(). Based-on-patch-by:
-
Eric Paris authored
This patch defines syscall_get_arch() for the um platform. It adds a new syscall.h header file to define this. It copies the HOST_AUDIT_ARCH definition from ptrace.h. (that definition will be removed when we switch audit to use this new syscall_get_arch() function) Based-on-patch-by:
-
Eric Paris authored
This patch defines syscall_get_arch() for the superh platform. It does so in both syscall_32.h and syscall_64.h. I'm not certain if the implementation in syscall_64.h couldn't just be used in syscall.h as I can't really track the setting of CONFIG_64BIT... This way is safe, but we might be able to combine these if a superh person were able to review... [v2] fixed indentation stoopidity (Sergei Shtylyov) use AUDIT_ARCH_SH instead of EM_SH Based-on-patch-by:
-
Richard Guy Briggs authored
syscall_get_arch() used to take a task as a argument. It now uses current. Fix the doc text. Signed-off-by:
-
Eric Paris authored
The kernel only uses struct audit_rule_data. We dropped support for struct audit_rule a long time ago. Drop the definition in the header file. Signed-off-by:
-
- 03 Aug, 2014 1 commit
-
-
Linus Torvalds authored
-
