|
|
|
/* auditsc.c -- System-call auditing support
|
|
|
|
* Handles all system-call specific auditing features.
|
|
|
|
*
|
|
|
|
* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
|
|
|
|
* Copyright 2005 Hewlett-Packard Development Company, L.P.
|
|
|
|
* Copyright (C) 2005, 2006 IBM Corporation
|
|
|
|
* All Rights Reserved.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
*
|
|
|
|
* Written by Rickard E. (Rik) Faith <faith@redhat.com>
|
|
|
|
*
|
|
|
|
* Many of the ideas implemented here are from Stephen C. Tweedie,
|
|
|
|
* especially the idea of avoiding a copy by using getname.
|
|
|
|
*
|
|
|
|
* The method for actual interception of syscall entry and exit (not in
|
|
|
|
* this file -- see entry.S) is based on a GPL'd patch written by
|
|
|
|
* okir@suse.de and Copyright 2003 SuSE Linux AG.
|
|
|
|
*
|
|
|
|
* POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
|
|
|
|
* 2006.
|
|
|
|
*
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
20 years ago
|
|
|
* The support of additional filter rules compares (>, <, >=, <=) was
|
|
|
|
* added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
|
|
|
|
*
|
|
|
|
* Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
|
|
|
|
* filesystem information.
|
|
|
|
*
|
|
|
|
* Subject and object context labeling support added by <danjones@us.ibm.com>
|
|
|
|
* and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <asm/types.h>
|
|
|
|
#include <asm/atomic.h>
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/namei.h>
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/mount.h>
|
|
|
|
#include <linux/socket.h>
|
|
|
|
#include <linux/mqueue.h>
|
|
|
|
#include <linux/audit.h>
|
|
|
|
#include <linux/personality.h>
|
|
|
|
#include <linux/time.h>
|
|
|
|
#include <linux/netlink.h>
|
|
|
|
#include <linux/compiler.h>
|
|
|
|
#include <asm/unistd.h>
|
|
|
|
#include <linux/security.h>
|
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/tty.h>
|
|
|
|
#include <linux/binfmts.h>
|
|
|
|
#include <linux/highmem.h>
|
|
|
|
#include <linux/syscalls.h>
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
#include <linux/inotify.h>
|
|
|
|
#include <linux/capability.h>
|
|
|
|
#include <linux/fs_struct.h>
|
|
|
|
|
|
|
|
#include "audit.h"
|
|
|
|
|
|
|
|
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
|
|
|
|
* for saving names from getname(). */
|
|
|
|
#define AUDIT_NAMES 20
|
|
|
|
|
|
|
|
/* Indicates that audit should log the full pathname. */
|
|
|
|
#define AUDIT_NAME_FULL -1
|
|
|
|
|
|
|
|
/* no execve audit message should be longer than this (userspace limits) */
|
|
|
|
#define MAX_EXECVE_AUDIT_LEN 7500
|
|
|
|
|
|
|
|
/* number of audit rules */
|
|
|
|
int audit_n_rules;
|
|
|
|
|
|
|
|
/* determines whether we collect data for signals sent */
|
|
|
|
int audit_signals;
|
|
|
|
|
|
|
|
struct audit_cap_data {
|
|
|
|
kernel_cap_t permitted;
|
|
|
|
kernel_cap_t inheritable;
|
|
|
|
union {
|
|
|
|
unsigned int fE; /* effective bit of a file capability */
|
|
|
|
kernel_cap_t effective; /* effective set of a process */
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
/* When fs/namei.c:getname() is called, we store the pointer in name and
|
|
|
|
* we don't let putname() free it (instead we free all of the saved
|
|
|
|
* pointers at syscall exit time).
|
|
|
|
*
|
|
|
|
* Further, in fs/namei.c:path_lookup() we store the inode and device. */
|
|
|
|
struct audit_names {
|
|
|
|
const char *name;
|
|
|
|
int name_len; /* number of name's characters to log */
|
|
|
|
unsigned name_put; /* call __putname() for this name */
|
|
|
|
unsigned long ino;
|
|
|
|
dev_t dev;
|
|
|
|
umode_t mode;
|
|
|
|
uid_t uid;
|
|
|
|
gid_t gid;
|
|
|
|
dev_t rdev;
|
|
|
|
u32 osid;
|
|
|
|
struct audit_cap_data fcap;
|
|
|
|
unsigned int fcap_ver;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data {
|
|
|
|
struct audit_aux_data *next;
|
|
|
|
int type;
|
|
|
|
};
|
|
|
|
|
|
|
|
#define AUDIT_AUX_IPCPERM 0
|
|
|
|
|
|
|
|
/* Number of target pids per aux struct. */
|
|
|
|
#define AUDIT_AUX_PIDS 16
|
|
|
|
|
|
|
|
struct audit_aux_data_execve {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
int argc;
|
|
|
|
int envc;
|
|
|
|
struct mm_struct *mm;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_pids {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
pid_t target_pid[AUDIT_AUX_PIDS];
|
|
|
|
uid_t target_auid[AUDIT_AUX_PIDS];
|
|
|
|
uid_t target_uid[AUDIT_AUX_PIDS];
|
|
|
|
unsigned int target_sessionid[AUDIT_AUX_PIDS];
|
|
|
|
u32 target_sid[AUDIT_AUX_PIDS];
|
|
|
|
char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
|
|
|
|
int pid_count;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_bprm_fcaps {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
struct audit_cap_data fcap;
|
|
|
|
unsigned int fcap_ver;
|
|
|
|
struct audit_cap_data old_pcap;
|
|
|
|
struct audit_cap_data new_pcap;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct audit_aux_data_capset {
|
|
|
|
struct audit_aux_data d;
|
|
|
|
pid_t pid;
|
|
|
|
struct audit_cap_data cap;
|
|
|
|
};
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
struct audit_tree_refs {
|
|
|
|
struct audit_tree_refs *next;
|
|
|
|
struct audit_chunk *c[31];
|
|
|
|
};
|
|
|
|
|
|
|
|
/* The per-task audit context. */
|
|
|
|
struct audit_context {
|
|
|
|
int dummy; /* must be the first element */
|
|
|
|
int in_syscall; /* 1 if task is in a syscall */
|
|
|
|
enum audit_state state, current_state;
|
|
|
|
unsigned int serial; /* serial number for record */
|
|
|
|
struct timespec ctime; /* time of syscall entry */
|
|
|
|
int major; /* syscall number */
|
|
|
|
unsigned long argv[4]; /* syscall arguments */
|
|
|
|
int return_valid; /* return code is valid */
|
|
|
|
long return_code;/* syscall return code */
|
|
|
|
u64 prio;
|
|
|
|
int name_count;
|
|
|
|
struct audit_names names[AUDIT_NAMES];
|
|
|
|
char * filterkey; /* key for rule that triggered record */
|
|
|
|
struct path pwd;
|
|
|
|
struct audit_context *previous; /* For nested syscalls */
|
|
|
|
struct audit_aux_data *aux;
|
|
|
|
struct audit_aux_data *aux_pids;
|
|
|
|
struct sockaddr_storage *sockaddr;
|
|
|
|
size_t sockaddr_len;
|
|
|
|
/* Save things to print about task_struct */
|
|
|
|
pid_t pid, ppid;
|
|
|
|
uid_t uid, euid, suid, fsuid;
|
|
|
|
gid_t gid, egid, sgid, fsgid;
|
|
|
|
unsigned long personality;
|
|
|
|
int arch;
|
|
|
|
|
|
|
|
pid_t target_pid;
|
|
|
|
uid_t target_auid;
|
|
|
|
uid_t target_uid;
|
|
|
|
unsigned int target_sessionid;
|
|
|
|
u32 target_sid;
|
|
|
|
char target_comm[TASK_COMM_LEN];
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
struct audit_tree_refs *trees, *first_trees;
|
|
|
|
int tree_count;
|
|
|
|
|
|
|
|
int type;
|
|
|
|
union {
|
|
|
|
struct {
|
|
|
|
int nargs;
|
|
|
|
long args[6];
|
|
|
|
} socketcall;
|
|
|
|
struct {
|
|
|
|
uid_t uid;
|
|
|
|
gid_t gid;
|
|
|
|
mode_t mode;
|
|
|
|
u32 osid;
|
|
|
|
int has_perm;
|
|
|
|
uid_t perm_uid;
|
|
|
|
gid_t perm_gid;
|
|
|
|
mode_t perm_mode;
|
|
|
|
unsigned long qbytes;
|
|
|
|
} ipc;
|
|
|
|
struct {
|
|
|
|
mqd_t mqdes;
|
|
|
|
struct mq_attr mqstat;
|
|
|
|
} mq_getsetattr;
|
|
|
|
struct {
|
|
|
|
mqd_t mqdes;
|
|
|
|
int sigev_signo;
|
|
|
|
} mq_notify;
|
|
|
|
struct {
|
|
|
|
mqd_t mqdes;
|
|
|
|
size_t msg_len;
|
|
|
|
unsigned int msg_prio;
|
|
|
|
struct timespec abs_timeout;
|
|
|
|
} mq_sendrecv;
|
|
|
|
struct {
|
|
|
|
int oflag;
|
|
|
|
mode_t mode;
|
|
|
|
struct mq_attr attr;
|
|
|
|
} mq_open;
|
|
|
|
struct {
|
|
|
|
pid_t pid;
|
|
|
|
struct audit_cap_data cap;
|
|
|
|
} capset;
|
|
|
|
};
|
|
|
|
int fds[2];
|
|
|
|
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
int put_count;
|
|
|
|
int ino_count;
|
|
|
|
#endif
|
|
|
|
};
|
|
|
|
|
|
|
|
#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
|
|
|
|
static inline int open_arg(int flags, int mask)
|
|
|
|
{
|
|
|
|
int n = ACC_MODE(flags);
|
|
|
|
if (flags & (O_TRUNC | O_CREAT))
|
|
|
|
n |= AUDIT_PERM_WRITE;
|
|
|
|
return n & mask;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int audit_match_perm(struct audit_context *ctx, int mask)
|
|
|
|
{
|
|
|
|
unsigned n;
|
|
|
|
if (unlikely(!ctx))
|
|
|
|
return 0;
|
|
|
|
n = ctx->major;
|
|
|
|
|
|
|
|
switch (audit_classify_syscall(ctx->arch, n)) {
|
|
|
|
case 0: /* native */
|
|
|
|
if ((mask & AUDIT_PERM_WRITE) &&
|
|
|
|
audit_match_class(AUDIT_CLASS_WRITE, n))
|
|
|
|
return 1;
|
|
|
|
if ((mask & AUDIT_PERM_READ) &&
|
|
|
|
audit_match_class(AUDIT_CLASS_READ, n))
|
|
|
|
return 1;
|
|
|
|
if ((mask & AUDIT_PERM_ATTR) &&
|
|
|
|
audit_match_class(AUDIT_CLASS_CHATTR, n))
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
case 1: /* 32bit on biarch */
|
|
|
|
if ((mask & AUDIT_PERM_WRITE) &&
|
|
|
|
audit_match_class(AUDIT_CLASS_WRITE_32, n))
|
|
|
|
return 1;
|
|
|
|
if ((mask & AUDIT_PERM_READ) &&
|
|
|
|
audit_match_class(AUDIT_CLASS_READ_32, n))
|
|
|
|
return 1;
|
|
|
|
if ((mask & AUDIT_PERM_ATTR) &&
|
|
|
|
audit_match_class(AUDIT_CLASS_CHATTR_32, n))
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
case 2: /* open */
|
|
|
|
return mask & ACC_MODE(ctx->argv[1]);
|
|
|
|
case 3: /* openat */
|
|
|
|
return mask & ACC_MODE(ctx->argv[2]);
|
|
|
|
case 4: /* socketcall */
|
|
|
|
return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
|
|
|
|
case 5: /* execve */
|
|
|
|
return mask & AUDIT_PERM_EXEC;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int audit_match_filetype(struct audit_context *ctx, int which)
|
|
|
|
{
|
|
|
|
unsigned index = which & ~S_IFMT;
|
|
|
|
mode_t mode = which & S_IFMT;
|
|
|
|
|
|
|
|
if (unlikely(!ctx))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (index >= ctx->name_count)
|
|
|
|
return 0;
|
|
|
|
if (ctx->names[index].ino == -1)
|
|
|
|
return 0;
|
|
|
|
if ((ctx->names[index].mode ^ mode) & S_IFMT)
|
|
|
|
return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
/*
|
|
|
|
* We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
|
|
|
|
* ->first_trees points to its beginning, ->trees - to the current end of data.
|
|
|
|
* ->tree_count is the number of free entries in array pointed to by ->trees.
|
|
|
|
* Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
|
|
|
|
* "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
|
|
|
|
* it's going to remain 1-element for almost any setup) until we free context itself.
|
|
|
|
* References in it _are_ dropped - at the same time we free/drop aux stuff.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef CONFIG_AUDIT_TREE
|
|
|
|
static void audit_set_auditable(struct audit_context *ctx)
|
|
|
|
{
|
|
|
|
if (!ctx->prio) {
|
|
|
|
ctx->prio = 1;
|
|
|
|
ctx->current_state = AUDIT_RECORD_CONTEXT;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct audit_tree_refs *p = ctx->trees;
|
|
|
|
int left = ctx->tree_count;
|
|
|
|
if (likely(left)) {
|
|
|
|
p->c[--left] = chunk;
|
|
|
|
ctx->tree_count = left;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
if (!p)
|
|
|
|
return 0;
|
|
|
|
p = p->next;
|
|
|
|
if (p) {
|
|
|
|
p->c[30] = chunk;
|
|
|
|
ctx->trees = p;
|
|
|
|
ctx->tree_count = 30;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int grow_tree_refs(struct audit_context *ctx)
|
|
|
|
{
|
|
|
|
struct audit_tree_refs *p = ctx->trees;
|
|
|
|
ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
|
|
|
|
if (!ctx->trees) {
|
|
|
|
ctx->trees = p;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (p)
|
|
|
|
p->next = ctx->trees;
|
|
|
|
else
|
|
|
|
ctx->first_trees = ctx->trees;
|
|
|
|
ctx->tree_count = 31;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static void unroll_tree_refs(struct audit_context *ctx,
|
|
|
|
struct audit_tree_refs *p, int count)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_AUDIT_TREE
|
|
|
|
struct audit_tree_refs *q;
|
|
|
|
int n;
|
|
|
|
if (!p) {
|
|
|
|
/* we started with empty chain */
|
|
|
|
p = ctx->first_trees;
|
|
|
|
count = 31;
|
|
|
|
/* if the very first allocation has failed, nothing to do */
|
|
|
|
if (!p)
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
n = count;
|
|
|
|
for (q = p; q != ctx->trees; q = q->next, n = 31) {
|
|
|
|
while (n--) {
|
|
|
|
audit_put_chunk(q->c[n]);
|
|
|
|
q->c[n] = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
while (n-- > ctx->tree_count) {
|
|
|
|
audit_put_chunk(q->c[n]);
|
|
|
|
q->c[n] = NULL;
|
|
|
|
}
|
|
|
|
ctx->trees = p;
|
|
|
|
ctx->tree_count = count;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static void free_tree_refs(struct audit_context *ctx)
|
|
|
|
{
|
|
|
|
struct audit_tree_refs *p, *q;
|
|
|
|
for (p = ctx->first_trees; p; p = q) {
|
|
|
|
q = p->next;
|
|
|
|
kfree(p);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_AUDIT_TREE
|
|
|
|
struct audit_tree_refs *p;
|
|
|
|
int n;
|
|
|
|
if (!tree)
|
|
|
|
return 0;
|
|
|
|
/* full ones */
|
|
|
|
for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
|
|
|
|
for (n = 0; n < 31; n++)
|
|
|
|
if (audit_tree_match(p->c[n], tree))
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
/* partial */
|
|
|
|
if (p) {
|
|
|
|
for (n = ctx->tree_count; n < 31; n++)
|
|
|
|
if (audit_tree_match(p->c[n], tree))
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
/* Determine if any context name data matches a rule's watch data */
|
|
|
|
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
|
|
|
|
* otherwise. */
|
|
|
|
static int audit_filter_rules(struct task_struct *tsk,
|
|
|
|
struct audit_krule *rule,
|
|
|
|
struct audit_context *ctx,
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
struct audit_names *name,
|
|
|
|
enum audit_state *state)
|
|
|
|
{
|
|
|
|
const struct cred *cred = get_task_cred(tsk);
|
|
|
|
int i, j, need_sid = 1;
|
|
|
|
u32 sid;
|
|
|
|
|
|
|
|
for (i = 0; i < rule->field_count; i++) {
|
|
|
|
struct audit_field *f = &rule->fields[i];
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
switch (f->type) {
|
|
|
|
case AUDIT_PID:
|
|
|
|
result = audit_comparator(tsk->pid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_PPID:
|
|
|
|
if (ctx) {
|
|
|
|
if (!ctx->ppid)
|
|
|
|
ctx->ppid = sys_getppid();
|
|
|
|
result = audit_comparator(ctx->ppid, f->op, f->val);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_UID:
|
|
|
|
result = audit_comparator(cred->uid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_EUID:
|
|
|
|
result = audit_comparator(cred->euid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_SUID:
|
|
|
|
result = audit_comparator(cred->suid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_FSUID:
|
|
|
|
result = audit_comparator(cred->fsuid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_GID:
|
|
|
|
result = audit_comparator(cred->gid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_EGID:
|
|
|
|
result = audit_comparator(cred->egid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_SGID:
|
|
|
|
result = audit_comparator(cred->sgid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_FSGID:
|
|
|
|
result = audit_comparator(cred->fsgid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_PERS:
|
|
|
|
result = audit_comparator(tsk->personality, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_ARCH:
|
|
|
|
if (ctx)
|
|
|
|
result = audit_comparator(ctx->arch, f->op, f->val);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDIT_EXIT:
|
|
|
|
if (ctx && ctx->return_valid)
|
|
|
|
result = audit_comparator(ctx->return_code, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_SUCCESS:
|
|
|
|
if (ctx && ctx->return_valid) {
|
|
|
|
if (f->val)
|
|
|
|
result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
|
|
|
|
else
|
|
|
|
result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_DEVMAJOR:
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
if (name)
|
|
|
|
result = audit_comparator(MAJOR(name->dev),
|
|
|
|
f->op, f->val);
|
|
|
|
else if (ctx) {
|
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
|
|
|
if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
|
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_DEVMINOR:
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
if (name)
|
|
|
|
result = audit_comparator(MINOR(name->dev),
|
|
|
|
f->op, f->val);
|
|
|
|
else if (ctx) {
|
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
|
|
|
if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
|
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_INODE:
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
if (name)
|
|
|
|
result = (name->ino == f->val);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
else if (ctx) {
|
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
|
|
|
if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
|
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
case AUDIT_WATCH:
|
|
|
|
if (name && rule->watch->ino != (unsigned long)-1)
|
|
|
|
result = (name->dev == rule->watch->dev &&
|
|
|
|
name->ino == rule->watch->ino);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
break;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
case AUDIT_DIR:
|
|
|
|
if (ctx)
|
|
|
|
result = match_tree_refs(ctx, rule->tree);
|
|
|
|
break;
|
|
|
|
case AUDIT_LOGINUID:
|
|
|
|
result = 0;
|
|
|
|
if (ctx)
|
|
|
|
result = audit_comparator(tsk->loginuid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
|
|
|
/* NOTE: this may return negative values indicating
|
|
|
|
a temporary error. We simply treat this as a
|
|
|
|
match for now to avoid losing information that
|
|
|
|
may be wanted. An error message will also be
|
|
|
|
logged upon error */
|
|
|
|
if (f->lsm_rule) {
|
|
|
|
if (need_sid) {
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(tsk, &sid);
|
|
|
|
need_sid = 0;
|
|
|
|
}
|
|
|
|
result = security_audit_rule_match(sid, f->type,
|
|
|
|
f->op,
|
|
|
|
f->lsm_rule,
|
|
|
|
ctx);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
|
|
|
/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
|
|
|
|
also applies here */
|
|
|
|
if (f->lsm_rule) {
|
|
|
|
/* Find files that match */
|
|
|
|
if (name) {
|
|
|
|
result = security_audit_rule_match(
|
|
|
|
name->osid, f->type, f->op,
|
|
|
|
f->lsm_rule, ctx);
|
|
|
|
} else if (ctx) {
|
|
|
|
for (j = 0; j < ctx->name_count; j++) {
|
|
|
|
if (security_audit_rule_match(
|
|
|
|
ctx->names[j].osid,
|
|
|
|
f->type, f->op,
|
|
|
|
f->lsm_rule, ctx)) {
|
|
|
|
++result;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* Find ipc objects that match */
|
|
|
|
if (!ctx || ctx->type != AUDIT_IPC)
|
|
|
|
break;
|
|
|
|
if (security_audit_rule_match(ctx->ipc.osid,
|
|
|
|
f->type, f->op,
|
|
|
|
f->lsm_rule, ctx))
|
|
|
|
++result;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case AUDIT_ARG0:
|
|
|
|
case AUDIT_ARG1:
|
|
|
|
case AUDIT_ARG2:
|
|
|
|
case AUDIT_ARG3:
|
|
|
|
if (ctx)
|
|
|
|
result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
/* ignore this field for filtering */
|
|
|
|
result = 1;
|
|
|
|
break;
|
|
|
|
case AUDIT_PERM:
|
|
|
|
result = audit_match_perm(ctx, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_FILETYPE:
|
|
|
|
result = audit_match_filetype(ctx, f->val);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!result) {
|
|
|
|
put_cred(cred);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctx) {
|
|
|
|
if (rule->prio <= ctx->prio)
|
|
|
|
return 0;
|
|
|
|
if (rule->filterkey) {
|
|
|
|
kfree(ctx->filterkey);
|
|
|
|
ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
|
|
|
|
}
|
|
|
|
ctx->prio = rule->prio;
|
|
|
|
}
|
|
|
|
switch (rule->action) {
|
|
|
|
case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
|
|
|
|
case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
|
|
|
|
}
|
|
|
|
put_cred(cred);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* At process creation time, we can determine if system-call auditing is
|
|
|
|
* completely disabled for this task. Since we only have the task
|
|
|
|
* structure at this point, we can only check uid and gid.
|
|
|
|
*/
|
|
|
|
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
|
|
|
|
{
|
|
|
|
struct audit_entry *e;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
|
|
|
|
if (state == AUDIT_RECORD_CONTEXT)
|
|
|
|
*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
|
|
|
|
rcu_read_unlock();
|
|
|
|
return state;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
return AUDIT_BUILD_CONTEXT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* At syscall entry and exit time, this filter is called if the
|
|
|
|
* audit_state is not low enough that auditing cannot take place, but is
|
|
|
|
* also not high enough that we already know we have to write an audit
|
|
|
|
* record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
|
|
|
|
*/
|
|
|
|
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
|
|
|
|
struct audit_context *ctx,
|
|
|
|
struct list_head *list)
|
|
|
|
{
|
|
|
|
struct audit_entry *e;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
if (audit_pid && tsk->tgid == audit_pid)
|
|
|
|
return AUDIT_DISABLED;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
if (!list_empty(list)) {
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
20 years ago
|
|
|
int word = AUDIT_WORD(ctx->major);
|
|
|
|
int bit = AUDIT_BIT(ctx->major);
|
|
|
|
|
|
|
|
list_for_each_entry_rcu(e, list, list) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
if ((e->rule.mask[word] & bit) == bit &&
|
|
|
|
audit_filter_rules(tsk, &e->rule, ctx, NULL,
|
|
|
|
&state)) {
|
|
|
|
rcu_read_unlock();
|
|
|
|
ctx->current_state = state;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
return state;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
return AUDIT_BUILD_CONTEXT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* At syscall exit time, this filter is called if any audit_names[] have been
|
|
|
|
* collected during syscall processing. We only check rules in sublists at hash
|
|
|
|
* buckets applicable to the inode numbers in audit_names[].
|
|
|
|
* Regarding audit_state, same rules apply as for audit_filter_syscall().
|
|
|
|
*/
|
|
|
|
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
{
|
|
|
|
int i;
|
|
|
|
struct audit_entry *e;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
if (audit_pid && tsk->tgid == audit_pid)
|
|
|
|
return;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
for (i = 0; i < ctx->name_count; i++) {
|
|
|
|
int word = AUDIT_WORD(ctx->major);
|
|
|
|
int bit = AUDIT_BIT(ctx->major);
|
|
|
|
struct audit_names *n = &ctx->names[i];
|
|
|
|
int h = audit_hash_ino((u32)n->ino);
|
|
|
|
struct list_head *list = &audit_inode_hash[h];
|
|
|
|
|
|
|
|
if (list_empty(list))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
list_for_each_entry_rcu(e, list, list) {
|
|
|
|
if ((e->rule.mask[word] & bit) == bit &&
|
|
|
|
audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
20 years ago
|
|
|
rcu_read_unlock();
|
|
|
|
ctx->current_state = state;
|
|
|
|
return;
|
[PATCH] Filter rule comparators
Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.
This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".
This turned out to be a pretty clean, and simply process. I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.
The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
20 years ago
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
|
|
|
|
int return_valid,
|
|
|
|
long return_code)
|
|
|
|
{
|
|
|
|
struct audit_context *context = tsk->audit_context;
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return NULL;
|
|
|
|
context->return_valid = return_valid;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* we need to fix up the return code in the audit logs if the actual
|
|
|
|
* return codes are later going to be fixed up by the arch specific
|
|
|
|
* signal handlers
|
|
|
|
*
|
|
|
|
* This is actually a test for:
|
|
|
|
* (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
|
|
|
|
* (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
|
|
|
|
*
|
|
|
|
* but is faster than a bunch of ||
|
|
|
|
*/
|
|
|
|
if (unlikely(return_code <= -ERESTARTSYS) &&
|
|
|
|
(return_code >= -ERESTART_RESTARTBLOCK) &&
|
|
|
|
(return_code != -ENOIOCTLCMD))
|
|
|
|
context->return_code = -EINTR;
|
|
|
|
else
|
|
|
|
context->return_code = return_code;
|
|
|
|
|
|
|
|
if (context->in_syscall && !context->dummy) {
|
|
|
|
audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
|
|
|
|
audit_filter_inodes(tsk, context);
|
|
|
|
}
|
|
|
|
|
|
|
|
tsk->audit_context = NULL;
|
|
|
|
return context;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_free_names(struct audit_context *context)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
#if AUDIT_DEBUG == 2
|
|
|
|
if (context->put_count + context->ino_count != context->name_count) {
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
|
|
|
|
" name_count=%d put_count=%d"
|
|
|
|
" ino_count=%d [NOT freeing]\n",
|
|
|
|
__FILE__, __LINE__,
|
|
|
|
context->serial, context->major, context->in_syscall,
|
|
|
|
context->name_count, context->put_count,
|
|
|
|
context->ino_count);
|
|
|
|
for (i = 0; i < context->name_count; i++) {
|
|
|
|
printk(KERN_ERR "names[%d] = %p = %s\n", i,
|
|
|
|
context->names[i].name,
|
|
|
|
context->names[i].name ?: "(null)");
|
|
|
|
}
|
|
|
|
dump_stack();
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
context->put_count = 0;
|
|
|
|
context->ino_count = 0;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
for (i = 0; i < context->name_count; i++) {
|
|
|
|
if (context->names[i].name && context->names[i].name_put)
|
|
|
|
__putname(context->names[i].name);
|
|
|
|
}
|
|
|
|
context->name_count = 0;
|
|
|
|
path_put(&context->pwd);
|
|
|
|
context->pwd.dentry = NULL;
|
|
|
|
context->pwd.mnt = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_free_aux(struct audit_context *context)
|
|
|
|
{
|
|
|
|
struct audit_aux_data *aux;
|
|
|
|
|
|
|
|
while ((aux = context->aux)) {
|
|
|
|
context->aux = aux->next;
|
|
|
|
kfree(aux);
|
|
|
|
}
|
|
|
|
while ((aux = context->aux_pids)) {
|
|
|
|
context->aux_pids = aux->next;
|
|
|
|
kfree(aux);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_zero_context(struct audit_context *context,
|
|
|
|
enum audit_state state)
|
|
|
|
{
|
|
|
|
memset(context, 0, sizeof(*context));
|
|
|
|
context->state = state;
|
|
|
|
context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline struct audit_context *audit_alloc_context(enum audit_state state)
|
|
|
|
{
|
|
|
|
struct audit_context *context;
|
|
|
|
|
|
|
|
if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
|
|
|
|
return NULL;
|
|
|
|
audit_zero_context(context, state);
|
|
|
|
return context;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_alloc - allocate an audit context block for a task
|
|
|
|
* @tsk: task
|
|
|
|
*
|
|
|
|
* Filter on the task information and allocate a per-task audit context
|
|
|
|
* if necessary. Doing so turns on system call auditing for the
|
|
|
|
* specified task. This is called from copy_process, so no lock is
|
|
|
|
* needed.
|
|
|
|
*/
|
|
|
|
int audit_alloc(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
struct audit_context *context;
|
|
|
|
enum audit_state state;
|
|
|
|
char *key = NULL;
|
|
|
|
|
|
|
|
if (likely(!audit_ever_enabled))
|
|
|
|
return 0; /* Return if not auditing. */
|
|
|
|
|
|
|
|
state = audit_filter_task(tsk, &key);
|
|
|
|
if (likely(state == AUDIT_DISABLED))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!(context = audit_alloc_context(state))) {
|
|
|
|
kfree(key);
|
|
|
|
audit_log_lost("out of memory in audit_alloc");
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
context->filterkey = key;
|
|
|
|
|
|
|
|
tsk->audit_context = context;
|
|
|
|
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void audit_free_context(struct audit_context *context)
|
|
|
|
{
|
|
|
|
struct audit_context *previous;
|
|
|
|
int count = 0;
|
|
|
|
|
|
|
|
do {
|
|
|
|
previous = context->previous;
|
|
|
|
if (previous || (count && count < 10)) {
|
|
|
|
++count;
|
|
|
|
printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
|
|
|
|
" freeing multiple contexts (%d)\n",
|
|
|
|
context->serial, context->major,
|
|
|
|
context->name_count, count);
|
|
|
|
}
|
|
|
|
audit_free_names(context);
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
unroll_tree_refs(context, NULL, 0);
|
|
|
|
free_tree_refs(context);
|
|
|
|
audit_free_aux(context);
|
|
|
|
kfree(context->filterkey);
|
|
|
|
kfree(context->sockaddr);
|
|
|
|
kfree(context);
|
|
|
|
context = previous;
|
|
|
|
} while (context);
|
|
|
|
if (count >= 10)
|
|
|
|
printk(KERN_ERR "audit: freed %d contexts\n", count);
|
|
|
|
}
|
|
|
|
|
|
|
|
void audit_log_task_context(struct audit_buffer *ab)
|
|
|
|
{
|
|
|
|
char *ctx = NULL;
|
|
|
|
unsigned len;
|
|
|
|
int error;
|
|
|
|
u32 sid;
|
|
|
|
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(current, &sid);
|
|
|
|
if (!sid)
|
|
|
|
return;
|
|
|
|
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
error = security_secid_to_secctx(sid, &ctx, &len);
|
|
|
|
if (error) {
|
|
|
|
if (error != -EINVAL)
|
|
|
|
goto error_path;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
audit_log_format(ab, " subj=%s", ctx);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_release_secctx(ctx, len);
|
|
|
|
return;
|
|
|
|
|
|
|
|
error_path:
|
|
|
|
audit_panic("error in audit_log_task_context");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(audit_log_task_context);
|
|
|
|
|
|
|
|
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
char name[sizeof(tsk->comm)];
|
|
|
|
struct mm_struct *mm = tsk->mm;
|
|
|
|
struct vm_area_struct *vma;
|
|
|
|
|
|
|
|
/* tsk == current */
|
|
|
|
|
|
|
|
get_task_comm(name, tsk);
|
|
|
|
audit_log_format(ab, " comm=");
|
|
|
|
audit_log_untrustedstring(ab, name);
|
|
|
|
|
|
|
|
if (mm) {
|
|
|
|
down_read(&mm->mmap_sem);
|
|
|
|
vma = mm->mmap;
|
|
|
|
while (vma) {
|
|
|
|
if ((vma->vm_flags & VM_EXECUTABLE) &&
|
|
|
|
vma->vm_file) {
|
|
|
|
audit_log_d_path(ab, "exe=",
|
|
|
|
&vma->vm_file->f_path);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
vma = vma->vm_next;
|
|
|
|
}
|
|
|
|
up_read(&mm->mmap_sem);
|
|
|
|
}
|
|
|
|
audit_log_task_context(ab);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
|
|
|
|
uid_t auid, uid_t uid, unsigned int sessionid,
|
|
|
|
u32 sid, char *comm)
|
|
|
|
{
|
|
|
|
struct audit_buffer *ab;
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
char *ctx = NULL;
|
|
|
|
u32 len;
|
|
|
|
int rc = 0;
|
|
|
|
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
|
|
|
|
if (!ab)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
|
|
|
|
uid, sessionid);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
if (security_secid_to_secctx(sid, &ctx, &len)) {
|
|
|
|
audit_log_format(ab, " obj=(none)");
|
|
|
|
rc = 1;
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
} else {
|
|
|
|
audit_log_format(ab, " obj=%s", ctx);
|
|
|
|
security_release_secctx(ctx, len);
|
|
|
|
}
|
|
|
|
audit_log_format(ab, " ocomm=");
|
|
|
|
audit_log_untrustedstring(ab, comm);
|
|
|
|
audit_log_end(ab);
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* to_send and len_sent accounting are very loose estimates. We aren't
|
|
|
|
* really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
|
|
|
|
* within about 500 bytes (next page boundry)
|
|
|
|
*
|
|
|
|
* why snprintf? an int is up to 12 digits long. if we just assumed when
|
|
|
|
* logging that a[%d]= was going to be 16 characters long we would be wasting
|
|
|
|
* space in every audit message. In one 7500 byte message we can log up to
|
|
|
|
* about 1000 min size arguments. That comes down to about 50% waste of space
|
|
|
|
* if we didn't do the snprintf to find out how long arg_num_len was.
|
|
|
|
*/
|
|
|
|
static int audit_log_single_execve_arg(struct audit_context *context,
|
|
|
|
struct audit_buffer **ab,
|
|
|
|
int arg_num,
|
|
|
|
size_t *len_sent,
|
|
|
|
const char __user *p,
|
|
|
|
char *buf)
|
|
|
|
{
|
|
|
|
char arg_num_len_buf[12];
|
|
|
|
const char __user *tmp_p = p;
|
|
|
|
/* how many digits are in arg_num? 3 is the length of " a=" */
|
|
|
|
size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
|
|
|
|
size_t len, len_left, to_send;
|
|
|
|
size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
|
|
|
|
unsigned int i, has_cntl = 0, too_long = 0;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* strnlen_user includes the null we don't want to send */
|
|
|
|
len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We just created this mm, if we can't find the strings
|
|
|
|
* we just copied into it something is _very_ wrong. Similar
|
|
|
|
* for strings that are too long, we should not have created
|
|
|
|
* any.
|
|
|
|
*/
|
|
|
|
if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
|
|
|
|
WARN_ON(1);
|
|
|
|
send_sig(SIGKILL, current, 0);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* walk the whole argument looking for non-ascii chars */
|
|
|
|
do {
|
|
|
|
if (len_left > MAX_EXECVE_AUDIT_LEN)
|
|
|
|
to_send = MAX_EXECVE_AUDIT_LEN;
|
|
|
|
else
|
|
|
|
to_send = len_left;
|
|
|
|
ret = copy_from_user(buf, tmp_p, to_send);
|
|
|
|
/*
|
|
|
|
* There is no reason for this copy to be short. We just
|
|
|
|
* copied them here, and the mm hasn't been exposed to user-
|
|
|
|
* space yet.
|
|
|
|
*/
|
|
|
|
if (ret) {
|
|
|
|
WARN_ON(1);
|
|
|
|
send_sig(SIGKILL, current, 0);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
buf[to_send] = '\0';
|
|
|
|
has_cntl = audit_string_contains_control(buf, to_send);
|
|
|
|
if (has_cntl) {
|
|
|
|
/*
|
|
|
|
* hex messages get logged as 2 bytes, so we can only
|
|
|
|
* send half as much in each message
|
|
|
|
*/
|
|
|
|
max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
len_left -= to_send;
|
|
|
|
tmp_p += to_send;
|
|
|
|
} while (len_left > 0);
|
|
|
|
|
|
|
|
len_left = len;
|
|
|
|
|
|
|
|
if (len > max_execve_audit_len)
|
|
|
|
too_long = 1;
|
|
|
|
|
|
|
|
/* rewalk the argument actually logging the message */
|
|
|
|
for (i = 0; len_left > 0; i++) {
|
|
|
|
int room_left;
|
|
|
|
|
|
|
|
if (len_left > max_execve_audit_len)
|
|
|
|
to_send = max_execve_audit_len;
|
|
|
|
else
|
|
|
|
to_send = len_left;
|
|
|
|
|
|
|
|
/* do we have space left to send this argument in this ab? */
|
|
|
|
room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
|
|
|
|
if (has_cntl)
|
|
|
|
room_left -= (to_send * 2);
|
|
|
|
else
|
|
|
|
room_left -= to_send;
|
|
|
|
if (room_left < 0) {
|
|
|
|
*len_sent = 0;
|
|
|
|
audit_log_end(*ab);
|
|
|
|
*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
|
|
|
|
if (!*ab)
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* first record needs to say how long the original string was
|
|
|
|
* so we can be sure nothing was lost.
|
|
|
|
*/
|
|
|
|
if ((i == 0) && (too_long))
|
|
|
|
audit_log_format(*ab, " a%d_len=%zu", arg_num,
|
|
|
|
has_cntl ? 2*len : len);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* normally arguments are small enough to fit and we already
|
|
|
|
* filled buf above when we checked for control characters
|
|
|
|
* so don't bother with another copy_from_user
|
|
|
|
*/
|
|
|
|
if (len >= max_execve_audit_len)
|
|
|
|
ret = copy_from_user(buf, p, to_send);
|
|
|
|
else
|
|
|
|
ret = 0;
|
|
|
|
if (ret) {
|
|
|
|
WARN_ON(1);
|
|
|
|
send_sig(SIGKILL, current, 0);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
buf[to_send] = '\0';
|
|
|
|
|
|
|
|
/* actually log it */
|
|
|
|
audit_log_format(*ab, " a%d", arg_num);
|
|
|
|
if (too_long)
|
|
|
|
audit_log_format(*ab, "[%d]", i);
|
|
|
|
audit_log_format(*ab, "=");
|
|
|
|
if (has_cntl)
|
|
|
|
audit_log_n_hex(*ab, buf, to_send);
|
|
|
|
else
|
|
|
|
audit_log_format(*ab, "\"%s\"", buf);
|
|
|
|
|
|
|
|
p += to_send;
|
|
|
|
len_left -= to_send;
|
|
|
|
*len_sent += arg_num_len;
|
|
|
|
if (has_cntl)
|
|
|
|
*len_sent += to_send * 2;
|
|
|
|
else
|
|
|
|
*len_sent += to_send;
|
|
|
|
}
|
|
|
|
/* include the null we didn't log */
|
|
|
|
return len + 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void audit_log_execve_info(struct audit_context *context,
|
|
|
|
struct audit_buffer **ab,
|
|
|
|
struct audit_aux_data_execve *axi)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
size_t len, len_sent = 0;
|
|
|
|
const char __user *p;
|
|
|
|
char *buf;
|
|
|
|
|
|
|
|
if (axi->mm != current->mm)
|
|
|
|
return; /* execve failed, no additional info */
|
|
|
|
|
|
|
|
p = (const char __user *)axi->mm->arg_start;
|
|
|
|
|
|
|
|
audit_log_format(*ab, "argc=%d", axi->argc);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* we need some kernel buffer to hold the userspace args. Just
|
|
|
|
* allocate one big one rather than allocating one of the right size
|
|
|
|
* for every single argument inside audit_log_single_execve_arg()
|
|
|
|
* should be <8k allocation so should be pretty safe.
|
|
|
|
*/
|
|
|
|
buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
|
|
|
|
if (!buf) {
|
|
|
|
audit_panic("out of memory for argv string\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < axi->argc; i++) {
|
|
|
|
len = audit_log_single_execve_arg(context, ab, i,
|
|
|
|
&len_sent, p, buf);
|
|
|
|
if (len <= 0)
|
|
|
|
break;
|
|
|
|
p += len;
|
|
|
|
}
|
|
|
|
kfree(buf);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
audit_log_format(ab, " %s=", prefix);
|
|
|
|
CAP_FOR_EACH_U32(i) {
|
|
|
|
audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
|
|
|
|
{
|
|
|
|
kernel_cap_t *perm = &name->fcap.permitted;
|
|
|
|
kernel_cap_t *inh = &name->fcap.inheritable;
|
|
|
|
int log = 0;
|
|
|
|
|
|
|
|
if (!cap_isclear(*perm)) {
|
|
|
|
audit_log_cap(ab, "cap_fp", perm);
|
|
|
|
log = 1;
|
|
|
|
}
|
|
|
|
if (!cap_isclear(*inh)) {
|
|
|
|
audit_log_cap(ab, "cap_fi", inh);
|
|
|
|
log = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (log)
|
|
|
|
audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void show_special(struct audit_context *context, int *call_panic)
|
|
|
|
{
|
|
|
|
struct audit_buffer *ab;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, context->type);
|
|
|
|
if (!ab)
|
|
|
|
return;
|
|
|
|
|
|
|
|
switch (context->type) {
|
|
|
|
case AUDIT_SOCKETCALL: {
|
|
|
|
int nargs = context->socketcall.nargs;
|
|
|
|
audit_log_format(ab, "nargs=%d", nargs);
|
|
|
|
for (i = 0; i < nargs; i++)
|
|
|
|
audit_log_format(ab, " a%d=%lx", i,
|
|
|
|
context->socketcall.args[i]);
|
|
|
|
break; }
|
|
|
|
case AUDIT_IPC: {
|
|
|
|
u32 osid = context->ipc.osid;
|
|
|
|
|
|
|
|
audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
|
|
|
|
context->ipc.uid, context->ipc.gid, context->ipc.mode);
|
|
|
|
if (osid) {
|
|
|
|
char *ctx = NULL;
|
|
|
|
u32 len;
|
|
|
|
if (security_secid_to_secctx(osid, &ctx, &len)) {
|
|
|
|
audit_log_format(ab, " osid=%u", osid);
|
|
|
|
*call_panic = 1;
|
|
|
|
} else {
|
|
|
|
audit_log_format(ab, " obj=%s", ctx);
|
|
|
|
security_release_secctx(ctx, len);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (context->ipc.has_perm) {
|
|
|
|
audit_log_end(ab);
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL,
|
|
|
|
AUDIT_IPC_SET_PERM);
|
|
|
|
audit_log_format(ab,
|
|
|
|
"qbytes=%lx ouid=%u ogid=%u mode=%#o",
|
|
|
|
context->ipc.qbytes,
|
|
|
|
context->ipc.perm_uid,
|
|
|
|
context->ipc.perm_gid,
|
|
|
|
context->ipc.perm_mode);
|
|
|
|
if (!ab)
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
break; }
|
|
|
|
case AUDIT_MQ_OPEN: {
|
|
|
|
audit_log_format(ab,
|
|
|
|
"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
|
|
|
|
"mq_msgsize=%ld mq_curmsgs=%ld",
|
|
|
|
context->mq_open.oflag, context->mq_open.mode,
|
|
|
|
context->mq_open.attr.mq_flags,
|
|
|
|
context->mq_open.attr.mq_maxmsg,
|
|
|
|
context->mq_open.attr.mq_msgsize,
|
|
|
|
context->mq_open.attr.mq_curmsgs);
|
|
|
|
break; }
|
|
|
|
case AUDIT_MQ_SENDRECV: {
|
|
|
|
audit_log_format(ab,
|
|
|
|
"mqdes=%d msg_len=%zd msg_prio=%u "
|
|
|
|
"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
|
|
|
|
context->mq_sendrecv.mqdes,
|
|
|
|
context->mq_sendrecv.msg_len,
|
|
|
|
context->mq_sendrecv.msg_prio,
|
|
|
|
context->mq_sendrecv.abs_timeout.tv_sec,
|
|
|
|
context->mq_sendrecv.abs_timeout.tv_nsec);
|
|
|
|
break; }
|
|
|
|
case AUDIT_MQ_NOTIFY: {
|
|
|
|
audit_log_format(ab, "mqdes=%d sigev_signo=%d",
|
|
|
|
context->mq_notify.mqdes,
|
|
|
|
context->mq_notify.sigev_signo);
|
|
|
|
break; }
|
|
|
|
case AUDIT_MQ_GETSETATTR: {
|
|
|
|
struct mq_attr *attr = &context->mq_getsetattr.mqstat;
|
|
|
|
audit_log_format(ab,
|
|
|
|
"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
|
|
|
|
"mq_curmsgs=%ld ",
|
|
|
|
context->mq_getsetattr.mqdes,
|
|
|
|
attr->mq_flags, attr->mq_maxmsg,
|
|
|
|
attr->mq_msgsize, attr->mq_curmsgs);
|
|
|
|
break; }
|
|
|
|
case AUDIT_CAPSET: {
|
|
|
|
audit_log_format(ab, "pid=%d", context->capset.pid);
|
|
|
|
audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
|
|
|
|
audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
|
|
|
|
audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
|
|
|
|
break; }
|
|
|
|
}
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
const struct cred *cred;
|
|
|
|
int i, call_panic = 0;
|
|
|
|
struct audit_buffer *ab;
|
|
|
|
struct audit_aux_data *aux;
|
|
|
|
const char *tty;
|
|
|
|
|
|
|
|
/* tsk == current */
|
|
|
|
context->pid = tsk->pid;
|
|
|
|
if (!context->ppid)
|
|
|
|
context->ppid = sys_getppid();
|
|
|
|
cred = current_cred();
|
|
|
|
context->uid = cred->uid;
|
|
|
|
context->gid = cred->gid;
|
|
|
|
context->euid = cred->euid;
|
|
|
|
context->suid = cred->suid;
|
|
|
|
context->fsuid = cred->fsuid;
|
|
|
|
context->egid = cred->egid;
|
|
|
|
context->sgid = cred->sgid;
|
|
|
|
context->fsgid = cred->fsgid;
|
|
|
|
context->personality = tsk->personality;
|
|
|
|
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
|
|
|
|
if (!ab)
|
|
|
|
return; /* audit_panic has been called */
|
|
|
|
audit_log_format(ab, "arch=%x syscall=%d",
|
|
|
|
context->arch, context->major);
|
|
|
|
if (context->personality != PER_LINUX)
|
|
|
|
audit_log_format(ab, " per=%lx", context->personality);
|
|
|
|
if (context->return_valid)
|
|
|
|
audit_log_format(ab, " success=%s exit=%ld",
|
|
|
|
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
|
|
|
|
context->return_code);
|
|
|
|
|
|
|
|
spin_lock_irq(&tsk->sighand->siglock);
|
|
|
|
if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
|
|
|
|
tty = tsk->signal->tty->name;
|
|
|
|
else
|
|
|
|
tty = "(none)";
|
|
|
|
spin_unlock_irq(&tsk->sighand->siglock);
|
|
|
|
|
|
|
|
audit_log_format(ab,
|
|
|
|
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
|
|
|
|
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
|
|
|
|
" euid=%u suid=%u fsuid=%u"
|
|
|
|
" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
|
|
|
|
context->argv[0],
|
|
|
|
context->argv[1],
|
|
|
|
context->argv[2],
|
|
|
|
context->argv[3],
|
|
|
|
context->name_count,
|
|
|
|
context->ppid,
|
|
|
|
context->pid,
|
|
|
|
tsk->loginuid,
|
|
|
|
context->uid,
|
|
|
|
context->gid,
|
|
|
|
context->euid, context->suid, context->fsuid,
|
|
|
|
context->egid, context->sgid, context->fsgid, tty,
|
|
|
|
tsk->sessionid);
|
|
|
|
|
|
|
|
|
|
|
|
audit_log_task_info(ab, tsk);
|
|
|
|
if (context->filterkey) {
|
|
|
|
audit_log_format(ab, " key=");
|
|
|
|
audit_log_untrustedstring(ab, context->filterkey);
|
|
|
|
} else
|
|
|
|
audit_log_format(ab, " key=(null)");
|
|
|
|
audit_log_end(ab);
|
|
|
|
|
|
|
|
for (aux = context->aux; aux; aux = aux->next) {
|
|
|
|
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, aux->type);
|
|
|
|
if (!ab)
|
|
|
|
continue; /* audit_panic has been called */
|
|
|
|
|
|
|
|
switch (aux->type) {
|
|
|
|
|
|
|
|
case AUDIT_EXECVE: {
|
|
|
|
struct audit_aux_data_execve *axi = (void *)aux;
|
|
|
|
audit_log_execve_info(context, &ab, axi);
|
|
|
|
break; }
|
|
|
|
|
|
|
|
case AUDIT_BPRM_FCAPS: {
|
|
|
|
struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
|
|
|
|
audit_log_format(ab, "fver=%x", axs->fcap_ver);
|
|
|
|
audit_log_cap(ab, "fp", &axs->fcap.permitted);
|
|
|
|
audit_log_cap(ab, "fi", &axs->fcap.inheritable);
|
|
|
|
audit_log_format(ab, " fe=%d", axs->fcap.fE);
|
|
|
|
audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
|
|
|
|
audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
|
|
|
|
audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
|
|
|
|
audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
|
|
|
|
audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
|
|
|
|
audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
|
|
|
|
break; }
|
|
|
|
|
|
|
|
}
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (context->type)
|
|
|
|
show_special(context, &call_panic);
|
|
|
|
|
|
|
|
if (context->fds[0] >= 0) {
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
|
|
|
|
if (ab) {
|
|
|
|
audit_log_format(ab, "fd0=%d fd1=%d",
|
|
|
|
context->fds[0], context->fds[1]);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (context->sockaddr_len) {
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
|
|
|
|
if (ab) {
|
|
|
|
audit_log_format(ab, "saddr=");
|
|
|
|
audit_log_n_hex(ab, (void *)context->sockaddr,
|
|
|
|
context->sockaddr_len);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for (aux = context->aux_pids; aux; aux = aux->next) {
|
|
|
|
struct audit_aux_data_pids *axs = (void *)aux;
|
|
|
|
|
|
|
|
for (i = 0; i < axs->pid_count; i++)
|
|
|
|
if (audit_log_pid_context(context, axs->target_pid[i],
|
|
|
|
axs->target_auid[i],
|
|
|
|
axs->target_uid[i],
|
|
|
|
axs->target_sessionid[i],
|
|
|
|
axs->target_sid[i],
|
|
|
|
axs->target_comm[i]))
|
|
|
|
call_panic = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (context->target_pid &&
|
|
|
|
audit_log_pid_context(context, context->target_pid,
|
|
|
|
context->target_auid, context->target_uid,
|
|
|
|
context->target_sessionid,
|
|
|
|
context->target_sid, context->target_comm))
|
|
|
|
call_panic = 1;
|
|
|
|
|
|
|
|
if (context->pwd.dentry && context->pwd.mnt) {
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
|
|
|
|
if (ab) {
|
|
|
|
audit_log_d_path(ab, "cwd=", &context->pwd);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for (i = 0; i < context->name_count; i++) {
|
|
|
|
struct audit_names *n = &context->names[i];
|
|
|
|
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
|
|
|
|
if (!ab)
|
|
|
|
continue; /* audit_panic has been called */
|
|
|
|
|
|
|
|
audit_log_format(ab, "item=%d", i);
|
|
|
|
|
|
|
|
if (n->name) {
|
|
|
|
switch(n->name_len) {
|
|
|
|
case AUDIT_NAME_FULL:
|
|
|
|
/* log the full path */
|
|
|
|
audit_log_format(ab, " name=");
|
|
|
|
audit_log_untrustedstring(ab, n->name);
|
|
|
|
break;
|
|
|
|
case 0:
|
|
|
|
/* name was specified as a relative path and the
|
|
|
|
* directory component is the cwd */
|
|
|
|
audit_log_d_path(ab, "name=", &context->pwd);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
/* log the name's directory component */
|
|
|
|
audit_log_format(ab, " name=");
|
|
|
|
audit_log_n_untrustedstring(ab, n->name,
|
|
|
|
n->name_len);
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
audit_log_format(ab, " name=(null)");
|
|
|
|
|
|
|
|
if (n->ino != (unsigned long)-1) {
|
|
|
|
audit_log_format(ab, " inode=%lu"
|
|
|
|
" dev=%02x:%02x mode=%#o"
|
|
|
|
" ouid=%u ogid=%u rdev=%02x:%02x",
|
|
|
|
n->ino,
|
|
|
|
MAJOR(n->dev),
|
|
|
|
MINOR(n->dev),
|
|
|
|
n->mode,
|
|
|
|
n->uid,
|
|
|
|
n->gid,
|
|
|
|
MAJOR(n->rdev),
|
|
|
|
MINOR(n->rdev));
|
|
|
|
}
|
|
|
|
if (n->osid != 0) {
|
|
|
|
char *ctx = NULL;
|
|
|
|
u32 len;
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
if (security_secid_to_secctx(
|
|
|
|
n->osid, &ctx, &len)) {
|
|
|
|
audit_log_format(ab, " osid=%u", n->osid);
|
|
|
|
call_panic = 2;
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
} else {
|
|
|
|
audit_log_format(ab, " obj=%s", ctx);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_release_secctx(ctx, len);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
audit_log_fcaps(ab, n);
|
|
|
|
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Send end of event record to help user space know we are finished */
|
|
|
|
ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
|
|
|
|
if (ab)
|
|
|
|
audit_log_end(ab);
|
|
|
|
if (call_panic)
|
|
|
|
audit_panic("error converting sid to string");
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_free - free a per-task audit context
|
|
|
|
* @tsk: task whose audit context block to free
|
|
|
|
*
|
|
|
|
* Called from copy_process and do_exit
|
|
|
|
*/
|
|
|
|
void audit_free(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
struct audit_context *context;
|
|
|
|
|
|
|
|
context = audit_get_context(tsk, 0, 0);
|
|
|
|
if (likely(!context))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* Check for system calls that do not go through the exit
|
|
|
|
* function (e.g., exit_group), then free context block.
|
|
|
|
* We use GFP_ATOMIC here because we might be doing this
|
|
|
|
* in the context of the idle thread */
|
|
|
|
/* that can happen only if we are called from do_exit() */
|
|
|
|
if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
|
|
|
|
audit_log_exit(context, tsk);
|
|
|
|
|
|
|
|
audit_free_context(context);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_syscall_entry - fill in an audit record at syscall entry
|
|
|
|
* @arch: architecture type
|
|
|
|
* @major: major syscall type (function)
|
|
|
|
* @a1: additional syscall register 1
|
|
|
|
* @a2: additional syscall register 2
|
|
|
|
* @a3: additional syscall register 3
|
|
|
|
* @a4: additional syscall register 4
|
|
|
|
*
|
|
|
|
* Fill in audit context at syscall entry. This only happens if the
|
|
|
|
* audit context was created when the task was created and the state or
|
|
|
|
* filters demand the audit context be built. If the state from the
|
|
|
|
* per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
|
|
|
|
* then the record will be written at syscall exit time (otherwise, it
|
|
|
|
* will only be written if another part of the kernel requests that it
|
|
|
|
* be written).
|
|
|
|
*/
|
|
|
|
void audit_syscall_entry(int arch, int major,
|
|
|
|
unsigned long a1, unsigned long a2,
|
|
|
|
unsigned long a3, unsigned long a4)
|
|
|
|
{
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
struct audit_context *context = tsk->audit_context;
|
|
|
|
enum audit_state state;
|
|
|
|
|
|
|
|
if (unlikely(!context))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This happens only on certain architectures that make system
|
|
|
|
* calls in kernel_thread via the entry.S interface, instead of
|
|
|
|
* with direct calls. (If you are porting to a new
|
|
|
|
* architecture, hitting this condition can indicate that you
|
|
|
|
* got the _exit/_leave calls backward in entry.S.)
|
|
|
|
*
|
|
|
|
* i386 no
|
|
|
|
* x86_64 no
|
|
|
|
* ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
|
|
|
|
*
|
|
|
|
* This also happens with vm86 emulation in a non-nested manner
|
|
|
|
* (entries without exits), so this case must be caught.
|
|
|
|
*/
|
|
|
|
if (context->in_syscall) {
|
|
|
|
struct audit_context *newctx;
|
|
|
|
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
printk(KERN_ERR
|
|
|
|
"audit(:%d) pid=%d in syscall=%d;"
|
|
|
|
" entering syscall=%d\n",
|
|
|
|
context->serial, tsk->pid, context->major, major);
|
|
|
|
#endif
|
|
|
|
newctx = audit_alloc_context(context->state);
|
|
|
|
if (newctx) {
|
|
|
|
newctx->previous = context;
|
|
|
|
context = newctx;
|
|
|
|
tsk->audit_context = newctx;
|
|
|
|
} else {
|
|
|
|
/* If we can't alloc a new context, the best we
|
|
|
|
* can do is to leak memory (any pending putname
|
|
|
|
* will be lost). The only other alternative is
|
|
|
|
* to abandon auditing. */
|
|
|
|
audit_zero_context(context, context->state);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
BUG_ON(context->in_syscall || context->name_count);
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return;
|
|
|
|
|
|
|
|
context->arch = arch;
|
|
|
|
context->major = major;
|
|
|
|
context->argv[0] = a1;
|
|
|
|
context->argv[1] = a2;
|
|
|
|
context->argv[2] = a3;
|
|
|
|
context->argv[3] = a4;
|
|
|
|
|
|
|
|
state = context->state;
|
|
|
|
context->dummy = !audit_n_rules;
|
|
|
|
if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
|
|
|
|
context->prio = 0;
|
|
|
|
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
|
|
|
|
}
|
|
|
|
if (likely(state == AUDIT_DISABLED))
|
|
|
|
return;
|
|
|
|
|
|
|
|
context->serial = 0;
|
|
|
|
context->ctime = CURRENT_TIME;
|
|
|
|
context->in_syscall = 1;
|
|
|
|
context->current_state = state;
|
|
|
|
context->ppid = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
void audit_finish_fork(struct task_struct *child)
|
|
|
|
{
|
|
|
|
struct audit_context *ctx = current->audit_context;
|
|
|
|
struct audit_context *p = child->audit_context;
|
|
|
|
if (!p || !ctx)
|
|
|
|
return;
|
|
|
|
if (!ctx->in_syscall || ctx->current_state != AUDIT_RECORD_CONTEXT)
|
|
|
|
return;
|
|
|
|
p->arch = ctx->arch;
|
|
|
|
p->major = ctx->major;
|
|
|
|
memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
|
|
|
|
p->ctime = ctx->ctime;
|
|
|
|
p->dummy = ctx->dummy;
|
|
|
|
p->in_syscall = ctx->in_syscall;
|
|
|
|
p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
|
|
|
|
p->ppid = current->pid;
|
|
|
|
p->prio = ctx->prio;
|
|
|
|
p->current_state = ctx->current_state;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_syscall_exit - deallocate audit context after a system call
|
|
|
|
* @valid: success/failure flag
|
|
|
|
* @return_code: syscall return value
|
|
|
|
*
|
|
|
|
* Tear down after system call. If the audit context has been marked as
|
|
|
|
* auditable (either because of the AUDIT_RECORD_CONTEXT state from
|
|
|
|
* filtering, or because some other part of the kernel write an audit
|
|
|
|
* message), then write out the syscall information. In call cases,
|
|
|
|
* free the names stored from getname().
|
|
|
|
*/
|
|
|
|
void audit_syscall_exit(int valid, long return_code)
|
|
|
|
{
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
struct audit_context *context;
|
|
|
|
|
|
|
|
context = audit_get_context(tsk, valid, return_code);
|
|
|
|
|
|
|
|
if (likely(!context))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
|
|
|
|
audit_log_exit(context, tsk);
|
|
|
|
|
|
|
|
context->in_syscall = 0;
|
|
|
|
context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
|
|
|
|
|
|
|
|
if (context->previous) {
|
|
|
|
struct audit_context *new_context = context->previous;
|
|
|
|
context->previous = NULL;
|
|
|
|
audit_free_context(context);
|
|
|
|
tsk->audit_context = new_context;
|
|
|
|
} else {
|
|
|
|
audit_free_names(context);
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
unroll_tree_refs(context, NULL, 0);
|
|
|
|
audit_free_aux(context);
|
|
|
|
context->aux = NULL;
|
|
|
|
context->aux_pids = NULL;
|
|
|
|
context->target_pid = 0;
|
|
|
|
context->target_sid = 0;
|
|
|
|
context->sockaddr_len = 0;
|
|
|
|
context->type = 0;
|
|
|
|
context->fds[0] = -1;
|
|
|
|
if (context->state != AUDIT_RECORD_CONTEXT) {
|
|
|
|
kfree(context->filterkey);
|
|
|
|
context->filterkey = NULL;
|
|
|
|
}
|
|
|
|
tsk->audit_context = context;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
static inline void handle_one(const struct inode *inode)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_AUDIT_TREE
|
|
|
|
struct audit_context *context;
|
|
|
|
struct audit_tree_refs *p;
|
|
|
|
struct audit_chunk *chunk;
|
|
|
|
int count;
|
|
|
|
if (likely(list_empty(&inode->inotify_watches)))
|
|
|
|
return;
|
|
|
|
context = current->audit_context;
|
|
|
|
p = context->trees;
|
|
|
|
count = context->tree_count;
|
|
|
|
rcu_read_lock();
|
|
|
|
chunk = audit_tree_lookup(inode);
|
|
|
|
rcu_read_unlock();
|
|
|
|
if (!chunk)
|
|
|
|
return;
|
|
|
|
if (likely(put_tree_ref(context, chunk)))
|
|
|
|
return;
|
|
|
|
if (unlikely(!grow_tree_refs(context))) {
|
|
|
|
printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
audit_set_auditable(context);
|
|
|
|
audit_put_chunk(chunk);
|
|
|
|
unroll_tree_refs(context, p, count);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
put_tree_ref(context, chunk);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static void handle_path(const struct dentry *dentry)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_AUDIT_TREE
|
|
|
|
struct audit_context *context;
|
|
|
|
struct audit_tree_refs *p;
|
|
|
|
const struct dentry *d, *parent;
|
|
|
|
struct audit_chunk *drop;
|
|
|
|
unsigned long seq;
|
|
|
|
int count;
|
|
|
|
|
|
|
|
context = current->audit_context;
|
|
|
|
p = context->trees;
|
|
|
|
count = context->tree_count;
|
|
|
|
retry:
|
|
|
|
drop = NULL;
|
|
|
|
d = dentry;
|
|
|
|
rcu_read_lock();
|
|
|
|
seq = read_seqbegin(&rename_lock);
|
|
|
|
for(;;) {
|
|
|
|
struct inode *inode = d->d_inode;
|
|
|
|
if (inode && unlikely(!list_empty(&inode->inotify_watches))) {
|
|
|
|
struct audit_chunk *chunk;
|
|
|
|
chunk = audit_tree_lookup(inode);
|
|
|
|
if (chunk) {
|
|
|
|
if (unlikely(!put_tree_ref(context, chunk))) {
|
|
|
|
drop = chunk;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
parent = d->d_parent;
|
|
|
|
if (parent == d)
|
|
|
|
break;
|
|
|
|
d = parent;
|
|
|
|
}
|
|
|
|
if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
|
|
|
|
rcu_read_unlock();
|
|
|
|
if (!drop) {
|
|
|
|
/* just a race with rename */
|
|
|
|
unroll_tree_refs(context, p, count);
|
|
|
|
goto retry;
|
|
|
|
}
|
|
|
|
audit_put_chunk(drop);
|
|
|
|
if (grow_tree_refs(context)) {
|
|
|
|
/* OK, got more space */
|
|
|
|
unroll_tree_refs(context, p, count);
|
|
|
|
goto retry;
|
|
|
|
}
|
|
|
|
/* too bad */
|
|
|
|
printk(KERN_WARNING
|
|
|
|
"out of memory, audit has lost a tree reference\n");
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
unroll_tree_refs(context, p, count);
|
|
|
|
audit_set_auditable(context);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_getname - add a name to the list
|
|
|
|
* @name: name to add
|
|
|
|
*
|
|
|
|
* Add a name to the list of audit names for this context.
|
|
|
|
* Called from fs/namei.c:getname().
|
|
|
|
*/
|
|
|
|
void __audit_getname(const char *name)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (IS_ERR(name) || !name)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (!context->in_syscall) {
|
|
|
|
#if AUDIT_DEBUG == 2
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
|
|
|
|
__FILE__, __LINE__, context->serial, name);
|
|
|
|
dump_stack();
|
|
|
|
#endif
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
BUG_ON(context->name_count >= AUDIT_NAMES);
|
|
|
|
context->names[context->name_count].name = name;
|
|
|
|
context->names[context->name_count].name_len = AUDIT_NAME_FULL;
|
|
|
|
context->names[context->name_count].name_put = 1;
|
|
|
|
context->names[context->name_count].ino = (unsigned long)-1;
|
|
|
|
context->names[context->name_count].osid = 0;
|
|
|
|
++context->name_count;
|
|
|
|
if (!context->pwd.dentry) {
|
|
|
|
read_lock(¤t->fs->lock);
|
|
|
|
context->pwd = current->fs->pwd;
|
|
|
|
path_get(¤t->fs->pwd);
|
|
|
|
read_unlock(¤t->fs->lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/* audit_putname - intercept a putname request
|
|
|
|
* @name: name to intercept and delay for putname
|
|
|
|
*
|
|
|
|
* If we have stored the name from getname in the audit context,
|
|
|
|
* then we delay the putname until syscall exit.
|
|
|
|
* Called from include/linux/fs.h:putname().
|
|
|
|
*/
|
|
|
|
void audit_putname(const char *name)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
BUG_ON(!context);
|
|
|
|
if (!context->in_syscall) {
|
|
|
|
#if AUDIT_DEBUG == 2
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
|
|
|
|
__FILE__, __LINE__, context->serial, name);
|
|
|
|
if (context->name_count) {
|
|
|
|
int i;
|
|
|
|
for (i = 0; i < context->name_count; i++)
|
|
|
|
printk(KERN_ERR "name[%d] = %p = %s\n", i,
|
|
|
|
context->names[i].name,
|
|
|
|
context->names[i].name ?: "(null)");
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
__putname(name);
|
|
|
|
}
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
else {
|
|
|
|
++context->put_count;
|
|
|
|
if (context->put_count > context->name_count) {
|
|
|
|
printk(KERN_ERR "%s:%d(:%d): major=%d"
|
|
|
|
" in_syscall=%d putname(%p) name_count=%d"
|
|
|
|
" put_count=%d\n",
|
|
|
|
__FILE__, __LINE__,
|
|
|
|
context->serial, context->major,
|
|
|
|
context->in_syscall, name, context->name_count,
|
|
|
|
context->put_count);
|
|
|
|
dump_stack();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static int audit_inc_name_count(struct audit_context *context,
|
|
|
|
const struct inode *inode)
|
|
|
|
{
|
|
|
|
if (context->name_count >= AUDIT_NAMES) {
|
|
|
|
if (inode)
|
|
|
|
printk(KERN_DEBUG "name_count maxed, losing inode data: "
|
|
|
|
"dev=%02x:%02x, inode=%lu\n",
|
|
|
|
MAJOR(inode->i_sb->s_dev),
|
|
|
|
MINOR(inode->i_sb->s_dev),
|
|
|
|
inode->i_ino);
|
|
|
|
|
|
|
|
else
|
|
|
|
printk(KERN_DEBUG "name_count maxed, losing inode data\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
context->name_count++;
|
|
|
|
#if AUDIT_DEBUG
|
|
|
|
context->ino_count++;
|
|
|
|
#endif
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct cpu_vfs_cap_data caps;
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
|
|
|
|
memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
|
|
|
|
name->fcap.fE = 0;
|
|
|
|
name->fcap_ver = 0;
|
|
|
|
|
|
|
|
if (!dentry)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
rc = get_vfs_caps_from_disk(dentry, &caps);
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
name->fcap.permitted = caps.permitted;
|
|
|
|
name->fcap.inheritable = caps.inheritable;
|
|
|
|
name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
|
|
|
|
name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Copy inode data into an audit_names. */
|
|
|
|
static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
|
|
|
|
const struct inode *inode)
|
|
|
|
{
|
|
|
|
name->ino = inode->i_ino;
|
|
|
|
name->dev = inode->i_sb->s_dev;
|
|
|
|
name->mode = inode->i_mode;
|
|
|
|
name->uid = inode->i_uid;
|
|
|
|
name->gid = inode->i_gid;
|
|
|
|
name->rdev = inode->i_rdev;
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_inode_getsecid(inode, &name->osid);
|
|
|
|
audit_copy_fcaps(name, dentry);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_inode - store the inode and device from a lookup
|
|
|
|
* @name: name being audited
|
|
|
|
* @dentry: dentry being audited
|
|
|
|
*
|
|
|
|
* Called from fs/namei.c:path_lookup().
|
|
|
|
*/
|
|
|
|
void __audit_inode(const char *name, const struct dentry *dentry)
|
|
|
|
{
|
|
|
|
int idx;
|
|
|
|
struct audit_context *context = current->audit_context;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
const struct inode *inode = dentry->d_inode;
|
|
|
|
|
|
|
|
if (!context->in_syscall)
|
|
|
|
return;
|
|
|
|
if (context->name_count
|
|
|
|
&& context->names[context->name_count-1].name
|
|
|
|
&& context->names[context->name_count-1].name == name)
|
|
|
|
idx = context->name_count - 1;
|
|
|
|
else if (context->name_count > 1
|
|
|
|
&& context->names[context->name_count-2].name
|
|
|
|
&& context->names[context->name_count-2].name == name)
|
|
|
|
idx = context->name_count - 2;
|
|
|
|
else {
|
|
|
|
/* FIXME: how much do we care about inodes that have no
|
|
|
|
* associated name? */
|
|
|
|
if (audit_inc_name_count(context, inode))
|
|
|
|
return;
|
|
|
|
idx = context->name_count - 1;
|
|
|
|
context->names[idx].name = NULL;
|
|
|
|
}
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
handle_path(dentry);
|
|
|
|
audit_copy_inode(&context->names[idx], dentry, inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_inode_child - collect inode info for created/removed objects
|
|
|
|
* @dname: inode's dentry name
|
|
|
|
* @dentry: dentry being audited
|
|
|
|
* @parent: inode of dentry parent
|
|
|
|
*
|
|
|
|
* For syscalls that create or remove filesystem objects, audit_inode
|
|
|
|
* can only collect information for the filesystem object's parent.
|
|
|
|
* This call updates the audit context with the child's information.
|
|
|
|
* Syscalls that create a new filesystem object must be hooked after
|
|
|
|
* the object is created. Syscalls that remove a filesystem object
|
|
|
|
* must be hooked prior, in order to capture the target inode during
|
|
|
|
* unsuccessful attempts.
|
|
|
|
*/
|
|
|
|
void __audit_inode_child(const char *dname, const struct dentry *dentry,
|
|
|
|
const struct inode *parent)
|
|
|
|
{
|
|
|
|
int idx;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
const char *found_parent = NULL, *found_child = NULL;
|
|
|
|
const struct inode *inode = dentry->d_inode;
|
|
|
|
int dirlen = 0;
|
|
|
|
|
|
|
|
if (!context->in_syscall)
|
|
|
|
return;
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
18 years ago
|
|
|
if (inode)
|
|
|
|
handle_one(inode);
|
|
|
|
/* determine matching parent */
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
if (!dname)
|
|
|
|
goto add_names;
|
|
|
|
|
|
|
|
/* parent is more likely, look for it first */
|
|
|
|
for (idx = 0; idx < context->name_count; idx++) {
|
|
|
|
struct audit_names *n = &context->names[idx];
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
|
|
|
|
if (!n->name)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (n->ino == parent->i_ino &&
|
|
|
|
!audit_compare_dname_path(dname, n->name, &dirlen)) {
|
|
|
|
n->name_len = dirlen; /* update parent data in place */
|
|
|
|
found_parent = n->name;
|
|
|
|
goto add_names;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
19 years ago
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* no matching parent, look for matching child */
|
|
|
|
for (idx = 0; idx < context->name_count; idx++) {
|
|
|
|
struct audit_names *n = &context->names[idx];
|
|
|
|
|
|
|
|
if (!n->name)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/* strcmp() is the more likely scenario */
|
|
|
|
if (!strcmp(dname, n->name) ||
|
|
|
|
!audit_compare_dname_path(dname, n->name, &dirlen)) {
|
|
|
|
if (inode)
|
|
|
|
audit_copy_inode(n, NULL, inode);
|
|
|
|
else
|
|
|
|
n->ino = (unsigned long)-1;
|
|
|
|
found_child = n->name;
|
|
|
|
goto add_names;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
add_names:
|
|
|
|
if (!found_parent) {
|
|
|
|
if (audit_inc_name_count(context, parent))
|
|
|
|
return;
|
|
|
|
idx = context->name_count - 1;
|
|
|
|
context->names[idx].name = NULL;
|
|
|
|
audit_copy_inode(&context->names[idx], NULL, parent);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!found_child) {
|
|
|
|
if (audit_inc_name_count(context, inode))
|
|
|
|
return;
|
|
|
|
idx = context->name_count - 1;
|
|
|
|
|
|
|
|
/* Re-use the name belonging to the slot for a matching parent
|
|
|
|
* directory. All names for this context are relinquished in
|
|
|
|
* audit_free_names() */
|
|
|
|
if (found_parent) {
|
|
|
|
context->names[idx].name = found_parent;
|
|
|
|
context->names[idx].name_len = AUDIT_NAME_FULL;
|
|
|
|
/* don't call __putname() */
|
|
|
|
context->names[idx].name_put = 0;
|
|
|
|
} else {
|
|
|
|
context->names[idx].name = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (inode)
|
|
|
|
audit_copy_inode(&context->names[idx], NULL, inode);
|
|
|
|
else
|
|
|
|
context->names[idx].ino = (unsigned long)-1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(__audit_inode_child);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* auditsc_get_stamp - get local copies of audit_context values
|
|
|
|
* @ctx: audit_context for the task
|
|
|
|
* @t: timespec to store time recorded in the audit_context
|
|
|
|
* @serial: serial value that is recorded in the audit_context
|
|
|
|
*
|
|
|
|
* Also sets the context as auditable.
|
|
|
|
*/
|
|
|
|
int auditsc_get_stamp(struct audit_context *ctx,
|
|
|
|
struct timespec *t, unsigned int *serial)
|
|
|
|
{
|
|
|
|
if (!ctx->in_syscall)
|
|
|
|
return 0;
|
|
|
|
if (!ctx->serial)
|
|
|
|
ctx->serial = audit_serial();
|
|
|
|
t->tv_sec = ctx->ctime.tv_sec;
|
|
|
|
t->tv_nsec = ctx->ctime.tv_nsec;
|
|
|
|
*serial = ctx->serial;
|
|
|
|
if (!ctx->prio) {
|
|
|
|
ctx->prio = 1;
|
|
|
|
ctx->current_state = AUDIT_RECORD_CONTEXT;
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* global counter which is incremented every time something logs in */
|
|
|
|
static atomic_t session_id = ATOMIC_INIT(0);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_set_loginuid - set a task's audit_context loginuid
|
|
|
|
* @task: task whose audit context is being modified
|
|
|
|
* @loginuid: loginuid value
|
|
|
|
*
|
|
|
|
* Returns 0.
|
|
|
|
*
|
|
|
|
* Called (set) from fs/proc/base.c::proc_loginuid_write().
|
|
|
|
*/
|
|
|
|
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
|
|
|
|
{
|
|
|
|
unsigned int sessionid = atomic_inc_return(&session_id);
|
|
|
|
struct audit_context *context = task->audit_context;
|
|
|
|
|
|
|
|
if (context && context->in_syscall) {
|
|
|
|
struct audit_buffer *ab;
|
|
|
|
|
|
|
|
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
|
|
|
|
if (ab) {
|
|
|
|
audit_log_format(ab, "login pid=%d uid=%u "
|
|
|
|
"old auid=%u new auid=%u"
|
|
|
|
" old ses=%u new ses=%u",
|
|
|
|
task->pid, task_uid(task),
|
|
|
|
task->loginuid, loginuid,
|
|
|
|
task->sessionid, sessionid);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
task->sessionid = sessionid;
|
|
|
|
task->loginuid = loginuid;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_open - record audit data for a POSIX MQ open
|
|
|
|
* @oflag: open flag
|
|
|
|
* @mode: mode bits
|
|
|
|
* @attr: queue attributes
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (attr)
|
|
|
|
memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
|
|
|
|
else
|
|
|
|
memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
|
|
|
|
|
|
|
|
context->mq_open.oflag = oflag;
|
|
|
|
context->mq_open.mode = mode;
|
|
|
|
|
|
|
|
context->type = AUDIT_MQ_OPEN;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @msg_len: Message length
|
|
|
|
* @msg_prio: Message priority
|
|
|
|
* @abs_timeout: Message timeout in absolute time
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
|
|
|
|
const struct timespec *abs_timeout)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
struct timespec *p = &context->mq_sendrecv.abs_timeout;
|
|
|
|
|
|
|
|
if (abs_timeout)
|
|
|
|
memcpy(p, abs_timeout, sizeof(struct timespec));
|
|
|
|
else
|
|
|
|
memset(p, 0, sizeof(struct timespec));
|
|
|
|
|
|
|
|
context->mq_sendrecv.mqdes = mqdes;
|
|
|
|
context->mq_sendrecv.msg_len = msg_len;
|
|
|
|
context->mq_sendrecv.msg_prio = msg_prio;
|
|
|
|
|
|
|
|
context->type = AUDIT_MQ_SENDRECV;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_notify - record audit data for a POSIX MQ notify
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @notification: Notification event
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (notification)
|
|
|
|
context->mq_notify.sigev_signo = notification->sigev_signo;
|
|
|
|
else
|
|
|
|
context->mq_notify.sigev_signo = 0;
|
|
|
|
|
|
|
|
context->mq_notify.mqdes = mqdes;
|
|
|
|
context->type = AUDIT_MQ_NOTIFY;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
|
|
|
|
* @mqdes: MQ descriptor
|
|
|
|
* @mqstat: MQ flags
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
context->mq_getsetattr.mqdes = mqdes;
|
|
|
|
context->mq_getsetattr.mqstat = *mqstat;
|
|
|
|
context->type = AUDIT_MQ_GETSETATTR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_ipc_obj - record audit data for ipc object
|
|
|
|
* @ipcp: ipc permissions
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
context->ipc.uid = ipcp->uid;
|
|
|
|
context->ipc.gid = ipcp->gid;
|
|
|
|
context->ipc.mode = ipcp->mode;
|
|
|
|
context->ipc.has_perm = 0;
|
|
|
|
security_ipc_getsecid(ipcp, &context->ipc.osid);
|
|
|
|
context->type = AUDIT_IPC;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_ipc_set_perm - record audit data for new ipc permissions
|
|
|
|
* @qbytes: msgq bytes
|
|
|
|
* @uid: msgq user id
|
|
|
|
* @gid: msgq group id
|
|
|
|
* @mode: msgq mode (permissions)
|
|
|
|
*
|
|
|
|
* Called only after audit_ipc_obj().
|
|
|
|
*/
|
|
|
|
void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
context->ipc.qbytes = qbytes;
|
|
|
|
context->ipc.perm_uid = uid;
|
|
|
|
context->ipc.perm_gid = gid;
|
|
|
|
context->ipc.perm_mode = mode;
|
|
|
|
context->ipc.has_perm = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int audit_bprm(struct linux_binprm *bprm)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_execve *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (likely(!audit_enabled || !context || context->dummy))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_KERNEL);
|
|
|
|
if (!ax)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->argc = bprm->argc;
|
|
|
|
ax->envc = bprm->envc;
|
|
|
|
ax->mm = bprm->mm;
|
|
|
|
ax->d.type = AUDIT_EXECVE;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_socketcall - record audit data for sys_socketcall
|
|
|
|
* @nargs: number of args
|
|
|
|
* @args: args array
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void audit_socketcall(int nargs, unsigned long *args)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (likely(!context || context->dummy))
|
|
|
|
return;
|
|
|
|
|
|
|
|
context->type = AUDIT_SOCKETCALL;
|
|
|
|
context->socketcall.nargs = nargs;
|
|
|
|
memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_fd_pair - record audit data for pipe and socketpair
|
|
|
|
* @fd1: the first file descriptor
|
|
|
|
* @fd2: the second file descriptor
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void __audit_fd_pair(int fd1, int fd2)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
context->fds[0] = fd1;
|
|
|
|
context->fds[1] = fd2;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
|
|
|
|
* @len: data length in user space
|
|
|
|
* @a: data address in kernel space
|
|
|
|
*
|
|
|
|
* Returns 0 for success or NULL context or < 0 on error.
|
|
|
|
*/
|
|
|
|
int audit_sockaddr(int len, void *a)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
if (likely(!context || context->dummy))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!context->sockaddr) {
|
|
|
|
void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
|
|
|
|
if (!p)
|
|
|
|
return -ENOMEM;
|
|
|
|
context->sockaddr = p;
|
|
|
|
}
|
|
|
|
|
|
|
|
context->sockaddr_len = len;
|
|
|
|
memcpy(context->sockaddr, a, len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __audit_ptrace(struct task_struct *t)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
|
|
|
|
context->target_pid = t->pid;
|
|
|
|
context->target_auid = audit_get_loginuid(t);
|
|
|
|
context->target_uid = task_uid(t);
|
|
|
|
context->target_sessionid = audit_get_sessionid(t);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(t, &context->target_sid);
|
|
|
|
memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_signal_info - record signal info for shutting down audit subsystem
|
|
|
|
* @sig: signal value
|
|
|
|
* @t: task being signaled
|
|
|
|
*
|
|
|
|
* If the audit subsystem is being terminated, record the task (pid)
|
|
|
|
* and uid that is doing that.
|
|
|
|
*/
|
|
|
|
int __audit_signal_info(int sig, struct task_struct *t)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_pids *axp;
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
struct audit_context *ctx = tsk->audit_context;
|
|
|
|
uid_t uid = current_uid(), t_uid = task_uid(t);
|
|
|
|
|
|
|
|
if (audit_pid && t->tgid == audit_pid) {
|
|
|
|
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
|
|
|
|
audit_sig_pid = tsk->pid;
|
|
|
|
if (tsk->loginuid != -1)
|
|
|
|
audit_sig_uid = tsk->loginuid;
|
|
|
|
else
|
|
|
|
audit_sig_uid = uid;
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(tsk, &audit_sig_sid);
|
|
|
|
}
|
|
|
|
if (!audit_signals || audit_dummy_context())
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* optimize the common case by putting first signal recipient directly
|
|
|
|
* in audit_context */
|
|
|
|
if (!ctx->target_pid) {
|
|
|
|
ctx->target_pid = t->tgid;
|
|
|
|
ctx->target_auid = audit_get_loginuid(t);
|
|
|
|
ctx->target_uid = t_uid;
|
|
|
|
ctx->target_sessionid = audit_get_sessionid(t);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(t, &ctx->target_sid);
|
|
|
|
memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
axp = (void *)ctx->aux_pids;
|
|
|
|
if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
|
|
|
|
axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
|
|
|
|
if (!axp)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
axp->d.type = AUDIT_OBJ_PID;
|
|
|
|
axp->d.next = ctx->aux_pids;
|
|
|
|
ctx->aux_pids = (void *)axp;
|
|
|
|
}
|
|
|
|
BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
|
|
|
|
|
|
|
|
axp->target_pid[axp->pid_count] = t->tgid;
|
|
|
|
axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
|
|
|
|
axp->target_uid[axp->pid_count] = t_uid;
|
|
|
|
axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
|
|
|
|
memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
|
|
|
|
axp->pid_count++;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
* @bprm: pointer to the bprm being processed
|
|
|
|
* @new: the proposed new credentials
|
|
|
|
* @old: the old credentials
|
|
|
|
*
|
|
|
|
* Simply check if the proc already has the caps given by the file and if not
|
|
|
|
* store the priv escalation info for later auditing at the end of the syscall
|
|
|
|
*
|
|
|
|
* -Eric
|
|
|
|
*/
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
|
|
|
|
const struct cred *new, const struct cred *old)
|
|
|
|
{
|
|
|
|
struct audit_aux_data_bprm_fcaps *ax;
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
struct cpu_vfs_cap_data vcaps;
|
|
|
|
struct dentry *dentry;
|
|
|
|
|
|
|
|
ax = kmalloc(sizeof(*ax), GFP_KERNEL);
|
|
|
|
if (!ax)
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ax->d.type = AUDIT_BPRM_FCAPS;
|
|
|
|
ax->d.next = context->aux;
|
|
|
|
context->aux = (void *)ax;
|
|
|
|
|
|
|
|
dentry = dget(bprm->file->f_dentry);
|
|
|
|
get_vfs_caps_from_disk(dentry, &vcaps);
|
|
|
|
dput(dentry);
|
|
|
|
|
|
|
|
ax->fcap.permitted = vcaps.permitted;
|
|
|
|
ax->fcap.inheritable = vcaps.inheritable;
|
|
|
|
ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
|
|
|
|
ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
|
|
|
|
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
ax->old_pcap.permitted = old->cap_permitted;
|
|
|
|
ax->old_pcap.inheritable = old->cap_inheritable;
|
|
|
|
ax->old_pcap.effective = old->cap_effective;
|
|
|
|
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
ax->new_pcap.permitted = new->cap_permitted;
|
|
|
|
ax->new_pcap.inheritable = new->cap_inheritable;
|
|
|
|
ax->new_pcap.effective = new->cap_effective;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __audit_log_capset - store information about the arguments to the capset syscall
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
* @pid: target pid of the capset call
|
|
|
|
* @new: the new credentials
|
|
|
|
* @old: the old (current) credentials
|
|
|
|
*
|
|
|
|
* Record the aguments userspace sent to sys_capset for later printing by the
|
|
|
|
* audit system if applicable
|
|
|
|
*/
|
|
|
|
void __audit_log_capset(pid_t pid,
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
16 years ago
|
|
|
const struct cred *new, const struct cred *old)
|
|
|
|
{
|
|
|
|
struct audit_context *context = current->audit_context;
|
|
|
|
context->capset.pid = pid;
|
|
|
|
context->capset.cap.effective = new->cap_effective;
|
|
|
|
context->capset.cap.inheritable = new->cap_effective;
|
|
|
|
context->capset.cap.permitted = new->cap_permitted;
|
|
|
|
context->type = AUDIT_CAPSET;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* audit_core_dumps - record information about processes that end abnormally
|
|
|
|
* @signr: signal value
|
|
|
|
*
|
|
|
|
* If a process ends with a core dump, something fishy is going on and we
|
|
|
|
* should record the event for investigation.
|
|
|
|
*/
|
|
|
|
void audit_core_dumps(long signr)
|
|
|
|
{
|
|
|
|
struct audit_buffer *ab;
|
|
|
|
u32 sid;
|
|
|
|
uid_t auid = audit_get_loginuid(current), uid;
|
|
|
|
gid_t gid;
|
|
|
|
unsigned int sessionid = audit_get_sessionid(current);
|
|
|
|
|
|
|
|
if (!audit_enabled)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (signr == SIGQUIT) /* don't care for those */
|
|
|
|
return;
|
|
|
|
|
|
|
|
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
|
|
|
|
current_uid_gid(&uid, &gid);
|
|
|
|
audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
|
|
|
|
auid, uid, gid, sessionid);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_task_getsecid(current, &sid);
|
|
|
|
if (sid) {
|
|
|
|
char *ctx = NULL;
|
|
|
|
u32 len;
|
|
|
|
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
if (security_secid_to_secctx(sid, &ctx, &len))
|
|
|
|
audit_log_format(ab, " ssid=%u", sid);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
else {
|
|
|
|
audit_log_format(ab, " subj=%s", ctx);
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
17 years ago
|
|
|
security_release_secctx(ctx, len);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
audit_log_format(ab, " pid=%d comm=", current->pid);
|
|
|
|
audit_log_untrustedstring(ab, current->comm);
|
|
|
|
audit_log_format(ab, " sig=%ld", signr);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|