1. 02 Aug, 2008 2 commits
  2. 25 Jun, 2008 2 commits
  3. 17 May, 2008 1 commit
  4. 28 Apr, 2008 6 commits
    • [patch 2/2] Use find_task_by_vpid in audit code · 4a761b8c
      Pavel Emelyanov committed
      The pid to look up a task by is passed inside audit code via netlink message.
      
      Thanks to Denis Lunev, netlink packets are now (since 2.6.24) _always_
      processed in the context of the sending task.  So it is correct to look up
      the task with find_task_by_vpid() here.
      Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH 2/2] audit: fix sparse shadowed variable warnings · 7719e437
      Harvey Harrison committed
      Use msglen as the identifier.
      kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
      kernel/audit.c:575:8: originally declared here
      
      Don't use ino_f to check the inode field at the end of the functions.
      kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:420:21: originally declared here
      kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:529:21: originally declared here
      
      i is always used as a counter for a for loop and initialized to zero before
      use.  Eliminate the inner i variables.
      kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: standardize string audit interfaces · b556f8ad
      Eric Paris committed
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistency
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: stop deadlock from signals under load · f09ac9db
      Eric Paris committed
      A deadlock is possible between kauditd and auditd under load if auditd
      receives a signal.  When auditd receives a signal it sends a netlink
      message to the kernel asking for information about the sender of the
      signal.  In that same context the audit system will attempt to send a
      netlink message back to the userspace auditd.  If kauditd has already
      filled the socket buffer (see netlink_attachskb()) auditd will now put
      itself to sleep waiting for room to send the message.  Since auditd is
      responsible for draining that socket we have a deadlock.  The fix, since
      the response from the kernel does not need to be synchronous, is to send
      the signal information back to auditd in a separate thread.  And thus
      auditd can continue to drain the audit queue normally.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: save audit_backlog_limit audit messages in case auditd comes back · f3d357b0
      Eric Paris committed
      This patch causes the kernel audit subsystem to store up to
      audit_backlog_limit messages for use by auditd if it ever appears
      sometime in the future in userspace.  This is useful to collect audit
      messages during bootup and even when auditd is stopped.  This is NOT a
      reliable mechanism, it does not ever call audit_panic, nor should it.
      audit_log_lost()/audit_panic() are called during the normal delivery
      mechanism.  The messages are still sent to printk/syslog as usual and if
      too many messages appear to be queued they will be silently discarded.
      
      I liked doing it by default, but this patch only uses the queue in
      question if it was booted with audit=1 or if the kernel was built
      enabling audit by default.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: collect sessionid in netlink messages · 2532386f
      Eric Paris committed
      Previously I added sessionid output to all audit messages where it was
      available but we still didn't know the sessionid of the sender of
      netlink messages.  This patch adds that information to netlink messages
      so we can audit who sent netlink messages.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  5. 19 Apr, 2008 2 commits
  6. 29 Mar, 2008 1 commit
  7. 21 Mar, 2008 1 commit
    • audit: netlink socket can be auto-bound to pid other than current->pid (v2) · 75c0371a
      Pavel Emelyanov committed
      From: Pavel Emelyanov <xemul@openvz.org>
      
      This patch is based on the one from Thomas.
      
      The kauditd_thread() calls the netlink_unicast() and passes
      the audit_pid to it. The audit_pid, in turn, is received from
      the user space and the tool (I've checked the audit v1.6.9)
      uses getpid() to pass one in the kernel. Besides, this tool
      doesn't bind the netlink socket to this id, but simply creates
      it allowing the kernel to auto-bind one.
      
      That's the preamble.
      
      The problem is that netlink_autobind() _does_not_ guarantee
      that the socket will be auto-bound to the current pid. Instead
      it uses the current pid as a hint to start looking for a free
      id. So, in case of conflict, the audit messages can be sent
      to a wrong socket. This can happen (it's unlikely, but can be)
      in case some task opens more than one netlink socket and then
      the audit one starts - in this case the audit's pid can be busy
      and its socket will be bound to another id.
      
      The proposal is to introduce an audit_nlk_pid in audit subsys,
      that will point to the netlink socket to send packets to. It
      will most often be equal to audit_pid. The socket id can be
      got from the skb's netlink CB right in the audit_receive_msg.
      The audit_nlk_pid reset to 0 is not required, since all the
      decisions are taken based on audit_pid value only.
      
      Later, if the audit tools will bind the socket themselves, the
      kernel will have to provide a way to set up the audit_nlk_pid
      as well.
      
      A good side effect of this patch is that audit_pid can later
      be converted to struct pid, as it is no longer safe to use
      pid_t-s in the presence of pid namespaces. But audit code still
      uses the tgid from task_struct in the audit_signal_info and in
      the audit_filter_syscall.
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
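
Added example (not part of the commit or of the kernel source): the auto-bind behaviour that commit 75c0371a describes, observed from user space. It binds two netlink sockets with nl_pid = 0 and reads back the id the kernel chose with getsockname(); using NETLINK_ROUTE is an assumption that stands in for the audit protocol, since auto-binding is shared netlink code and this protocol needs no privileges.

```c
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a netlink socket, let the kernel auto-bind it (nl_pid = 0) and
 * report the port id that was actually assigned. Returns the fd or -1. */
static int open_autobound(int protocol, unsigned int *portid)
{
    struct sockaddr_nl addr;
    socklen_t len = sizeof(addr);
    int fd = socket(AF_NETLINK, SOCK_RAW, protocol);

    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK;        /* nl_pid stays 0: kernel picks the id */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &len) < 0) {
        close(fd);
        return -1;
    }
    *portid = addr.nl_pid;
    return fd;
}

/* Returns 1 if two auto-bound sockets of one process got different ids,
 * 0 if they got the same id, -1 if netlink is unavailable here. */
int autobind_ids_differ(unsigned int *first, unsigned int *second)
{
    int a, b, differ;

    a = open_autobound(NETLINK_ROUTE, first);
    if (a < 0)
        return -1;
    b = open_autobound(NETLINK_ROUTE, second);  /* the pid hint is now taken */
    if (b < 0) {
        close(a);
        return -1;
    }
    differ = (*first != *second);
    close(a);
    close(b);
    return differ;
}

int main(void)
{
    unsigned int p1 = 0, p2 = 0;
    int r = autobind_ids_differ(&p1, &p2);

    if (r < 0) {
        perror("netlink");
        return 1;
    }
    /* A daemon that reports getpid() as its address is only right for the
     * socket whose id matches; getsockname() is the reliable source. */
    printf("getpid()=%d first nl_pid=%u second nl_pid=%u\n",
           (int)getpid(), p1, p2);
    return r == 1 ? 0 : 1;
}
```
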
  8. 01 Mar, 2008 2 commits
    • [PATCH] drop EOE records from printk · 8d07a67c
      Steve Grubb committed
      Hi,
      
      While we are looking at the printk issue, I see that it's printk'ing the EOE
      (end of event) records which is really not something that we need in syslog.
      It's really intended for the realtime audit event stream handled by the audit
      daemon. So, let's avoid printk'ing that record type.
      Signed-off-by: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [RFC] AUDIT: do not panic when printk loses messages · b29ee87e
      Eric Paris committed
      On the latest kernels if one was to load about 15 rules, set the failure
      state to panic, and then run service auditd stop the kernel will panic.
      This is because auditd stops, then the script deletes all of the rules.
      These deletions are sent as audit messages out of the printk kernel
      interface which is already known to be lossy.  These will overrun the
      default kernel rate limiting (10 really fast messages) and will call
      audit_panic().  The same effect can happen if a slew of avc's come
      through while auditd is stopped.
      
      This can be fixed a number of ways but this patch fixes the problem by
      just not panicking if auditd is not running.  We know printk is lossy and
      if the user chooses to set the failure mode to panic and tries to use
      printk we can't make any promises no matter how hard we try, so why try?
      At least in this way we continue to get lost message accounting and will
      eventually know that things went bad.
      
      The other change is to add a new call to audit_log_lost() if auditd
      disappears.  We already pulled the skb off the queue and couldn't send
      it so that message is lost.  At least this way we will account for the
      last message and panic if the machine is configured to panic.  This code
      path should only be run if auditd dies for unforeseen reasons.  If
      auditd closes correctly audit_pid will get set to 0 and we won't walk
      this code path.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  9. 15 Feb, 2008 2 commits
  10. 02 Feb, 2008 8 commits
  11. 01 Feb, 2008 1 commit
  12. 21 Oct, 2007 1 commit
    • [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro committed
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
        * if you have hardlink from outside of tree, you'd better watch
          it too (or just watch the object itself, obviously)
        * if you mount something under a watched tree, tell audit
          that new chunk should be added to watched subtrees
        * if you umount something in a watched tree and it's still mounted
          elsewhere, you will get matches on events happening there.  New command
          tells audit to recalculate the trees, trimming such sources of false
          positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  13. 19 Oct, 2007 1 commit
  14. 11 Oct, 2007 2 commits
    • [NET]: make netlink user -> kernel interface synchronious · cd40b7d3
      Denis V. Lunev committed
      This patch makes processing of netlink user -> kernel messages synchronous.
      This change was inspired by the talk with Alexey Kuznetsov about current
      netlink messages processing. He says that he was badly wrong when he introduced
      asynchronous user -> kernel communication.
      
      The call netlink_unicast is the only path to send message to the kernel
      netlink socket. But, unfortunately, it is also used to send data to the
      user.
      
      Before this change the user message has been attached to the socket queue
      and sk->sk_data_ready was called. The process has been blocked until all
      pending messages were processed. The bad thing is that this processing
      may occur in an arbitrary process context.
      
      This patch changes nlk->data_ready callback to get 1 skb and force packet
      processing right in the netlink_unicast.
      
      Kernel -> user path in netlink_unicast remains untouched.
      
      EINTR processing in netlink_run_queue was changed. It forces rtnl_lock
      drop, but the process remains in the cycle until the message will be fully
      processed. So, there is no need to use these kludges now.
      Signed-off-by: Denis V. Lunev <den@openvz.org>
      Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [NET]: Support multiple network namespaces with netlink · b4b51029
      Eric W. Biederman committed
      Each netlink socket will live in exactly one network namespace,
      this includes the controlling kernel sockets.
      
      This patch updates all of the existing netlink protocols
      to only support the initial network namespace.  Requests
      by clients in other namespaces will get -ECONREFUSED.
      As they would if the kernel did not have the support for
      that netlink protocol compiled in.
      
      As each netlink protocol is updated to be multiple network
      namespace safe it can register multiple kernel sockets
      to acquire a presence in the rest of the network namespaces.
      
      The implementation in af_netlink is a simple filter implementation
      at hash table insertion and hash table look up time.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  15. 18 Jul, 2007 1 commit
    • Freezer: make kernel threads nonfreezable by default · 83144186
      Rafael J. Wysocki committed
      Currently, the freezer treats all tasks as freezable, except for the kernel
      threads that explicitly set the PF_NOFREEZE flag for themselves.  This
      approach is problematic, since it requires every kernel thread to either
      set PF_NOFREEZE explicitly, or call try_to_freeze(), even if it doesn't
      care for the freezing of tasks at all.
      
      It seems better to only require the kernel threads that want to or need to
      be frozen to use some freezer-related code and to remove any
      freezer-related code from the other (nonfreezable) kernel threads, which is
      done in this patch.
      
      The patch causes all kernel threads to be nonfreezable by default (ie.  to
      have PF_NOFREEZE set by default) and introduces the set_freezable()
      function that should be called by the freezable kernel threads in order to
      unset PF_NOFREEZE.  It also makes all of the currently freezable kernel
      threads call set_freezable(), so it shouldn't cause any (intentional)
      change of behaviour to appear.  Additionally, it updates documentation to
      describe the freezing of tasks more accurately.
      
      [akpm@linux-foundation.org: build fixes]
      Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
      Acked-by: Nigel Cunningham <nigel@nigel.suspend2.net>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: Gautham R Shenoy <ego@in.ibm.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  16. 17 Jul, 2007 1 commit
    • Audit: add TTY input auditing · 522ed776
      Miloslav Trmac committed
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to a user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork (), it would be set
      e.g.  for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g.  after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: Miloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  17. 09 May, 2007 1 commit
  18. 26 Apr, 2007 3 commits
  19. 18 Feb, 2007 1 commit
    • [PATCH] audit config lockdown · 6a01b07f
      Steve Grubb committed
      The following patch adds a new mode to the audit system. It uses the
      audit_enabled config option to introduce the idea of audit enabled, but
      configuration is immutable. Any attempt to change the configuration
      while in this mode is audited. To change the audit rules, you'd need to
      reboot the machine.
      
      To use this option, you'd need a modified version of auditctl and use "-e 2".
      This is intended to go at the end of the audit.rules file for people that
      want an immutable configuration.
      
      This patch also adds "res=" to a number of configuration commands that did not
      have it before.
      Signed-off-by: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  20. 08 Dec, 2006 1 commit