1. 18 1月, 2012 7 次提交
    • E
      audit: drop some potentially inadvisable likely notations · 56179a6e
      Eric Paris 提交于
      The audit code makes heavy use of likely() and unlikely() macros, but they
      don't always make sense.  Drop any that seem questionable and let the
      computer do it's thing.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      56179a6e
    • E
      audit: inline audit_syscall_entry to reduce burden on archs · b05d8447
      Eric Paris 提交于
      Every arch calls:
      
      if (unlikely(current->audit_context))
      	audit_syscall_entry()
      
      which requires knowledge about audit (the existance of audit_context) in
      the arch code.  Just do it all in static inline in audit.h so that arch's
      can remain blissfully ignorant.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      b05d8447
    • E
      Audit: push audit success and retcode into arch ptrace.h · d7e7528b
      Eric Paris 提交于
      The audit system previously expected arches calling to audit_syscall_exit to
      supply as arguments if the syscall was a success and what the return code was.
      Audit also provides a helper AUDITSC_RESULT which was supposed to simplify things
      by converting from negative retcodes to an audit internal magic value stating
      success or failure.  This helper was wrong and could indicate that a valid
      pointer returned to userspace was a failed syscall.  The fix is to fix the
      layering foolishness.  We now pass audit_syscall_exit a struct pt_reg and it
      in turns calls back into arch code to collect the return value and to
      determine if the syscall was a success or failure.  We also define a generic
      is_syscall_success() macro which determines success/failure based on if the
      value is < -MAX_ERRNO.  This works for arches like x86 which do not use a
      separate mechanism to indicate syscall failure.
      
      We make both the is_syscall_success() and regs_return_value() static inlines
      instead of macros.  The reason is because the audit function must take a void*
      for the regs.  (uml calls theirs struct uml_pt_regs instead of just struct
      pt_regs so audit_syscall_exit can't take a struct pt_regs).  Since the audit
      function takes a void* we need to use static inlines to cast it back to the
      arch correct structure to dereference it.
      
      The other major change is that on some arches, like ia64, MIPS and ppc, we
      change regs_return_value() to give us the negative value on syscall failure.
      THE only other user of this macro, kretprobe_example.c, won't notice and it
      makes the value signed consistently for the audit functions across all archs.
      
      In arch/sh/kernel/ptrace_64.c I see that we were using regs[9] in the old
      audit code as the return value.  But the ptrace_64.h code defined the macro
      regs_return_value() as regs[3].  I have no idea which one is correct, but this
      patch now uses the regs_return_value() function, so it now uses regs[3].
      
      For powerpc we previously used regs->result but now use the
      regs_return_value() function which uses regs->gprs[3].  regs->gprs[3] is
      always positive so the regs_return_value(), much like ia64 makes it negative
      before calling the audit code when appropriate.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: H. Peter Anvin <hpa@zytor.com> [for x86 portion]
      Acked-by: Tony Luck <tony.luck@intel.com> [for ia64]
      Acked-by: Richard Weinberger <richard@nod.at> [for uml]
      Acked-by: David S. Miller <davem@davemloft.net> [for sparc]
      Acked-by: Ralf Baechle <ralf@linux-mips.org> [for mips]
      Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> [for ppc]
      d7e7528b
    • E
      seccomp: audit abnormal end to a process due to seccomp · 85e7bac3
      Eric Paris 提交于
      The audit system likes to collect information about processes that end
      abnormally (SIGSEGV) as this may me useful intrusion detection information.
      This patch adds audit support to collect information when seccomp forces a
      task to exit because of misbehavior in a similar way.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      85e7bac3
    • E
      audit: check current inode and containing object when filtering on major and minor · 16c174bd
      Eric Paris 提交于
      The audit system has the ability to filter on the major and minor number of
      the device containing the inode being operated upon.  Lets say that
      /dev/sda1 has major,minor 8,1 and that we mount /dev/sda1 on /boot.  Now lets
      say we add a watch with a filter on 8,1.  If we proceed to open an inode
      inside /boot, such as /vboot/vmlinuz, we will match the major,minor filter.
      
      Lets instead assume that one were to use a tool like debugfs and were to
      open /dev/sda1 directly and to modify it's contents.  We might hope that
      this would also be logged, but it isn't.  The rules will check the
      major,minor of the device containing /dev/sda1.  In other words the rule
      would match on the major/minor of the tmpfs mounted at /dev.
      
      I believe these rules should trigger on either device.  The man page is
      devoid of useful information about the intended semantics.  It only seems
      logical that if you want to know everything that happened on a major,minor
      that would include things that happened to the device itself...
      Signed-off-by: NEric Paris <eparis@redhat.com>
      16c174bd
    • E
      audit: dynamically allocate audit_names when not enough space is in the names array · 5195d8e2
      Eric Paris 提交于
      This patch does 2 things.  First it reduces the number of audit_names
      allocated in every audit context from 20 to 5.  5 should be enough for all
      'normal' syscalls (rename being the worst).  Some syscalls can still touch
      more the 5 inodes such as mount.  When rpc filesystem is mounted it will
      create inodes and those can exceed 5.  To handle that problem this patch will
      dynamically allocate audit_names if it needs more than 5.  This should
      decrease the typicall memory usage while still supporting all the possible
      kernel operations.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      5195d8e2
    • E
      audit: make filetype matching consistent with other filters · 5ef30ee5
      Eric Paris 提交于
      Every other filter that matches part of the inodes list collected by audit
      will match against any of the inodes on that list.  The filetype matching
      however had a strange way of doing things.  It allowed userspace to
      indicated if it should match on the first of the second name collected by
      the kernel.  Name collection ordering seems like a kernel internal and
      making userspace rules get that right just seems like a bad idea.  As it
      turns out the userspace audit writers had no idea it was doing this and
      thus never overloaded the value field.  The kernel always checked the first
      name collected which for the tested rules was always correct.
      
      This patch just makes the filetype matching like the major, minor, inode,
      and LSM rules in that it will match against any of the names collected.  It
      also changes the rule validation to reject the old unused rule types.
      
      Noone knew it was there.  Noone used it.  Why keep around the extra code?
      Signed-off-by: NEric Paris <eparis@redhat.com>
      5ef30ee5
  2. 04 1月, 2012 3 次提交
  3. 31 10月, 2011 1 次提交
  4. 27 7月, 2011 1 次提交
  5. 27 4月, 2011 1 次提交
    • T
      audit: acquire creds selectively to reduce atomic op overhead · f5629883
      Tony Jones 提交于
      Commit c69e8d9c ("CRED: Use RCU to access another task's creds and to
      release a task's own creds") added calls to get_task_cred and put_cred in
      audit_filter_rules.  Profiling with a large number of audit rules active
      on the exit chain shows that we are spending upto 48% in this routine for
      syscall intensive tests, most of which is in the atomic ops.
      
      1. The code should be accessing tsk->cred rather than tsk->real_cred.
      2. Since tsk is current (or tsk is being created by copy_process) access to
      tsk->cred without rcu read lock is possible.  At the request of the audit
      maintainer, a new flag has been added to audit_filter_rules in order to make
      this explicit and guide future code.
      Signed-off-by: NTony Jones <tonyj@suse.de>
      Acked-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      f5629883
  6. 31 3月, 2011 1 次提交
  7. 30 10月, 2010 1 次提交
    • A
      audit mmap · 120a795d
      Al Viro 提交于
      Normal syscall audit doesn't catch 5th argument of syscall.  It also
      doesn't catch the contents of userland structures pointed to be
      syscall argument, so for both old and new mmap(2) ABI it doesn't
      record the descriptor we are mapping.  For old one it also misses
      flags.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      120a795d
  8. 11 8月, 2010 1 次提交
  9. 28 7月, 2010 4 次提交
  10. 06 4月, 2010 1 次提交
    • E
      audit: preface audit printk with audit · 449cedf0
      Eric Paris 提交于
      There have been a number of reports of people seeing the message:
      "name_count maxed, losing inode data: dev=00:05, inode=3185"
      in dmesg.  These usually lead to people reporting problems to the filesystem
      group who are in turn clueless what they mean.
      
      Eventually someone finds me and I explain what is going on and that
      these come from the audit system.  The basics of the problem is that the
      audit subsystem never expects a single syscall to 'interact' (for some
      wish washy meaning of interact) with more than 20 inodes.  But in fact
      some operations like loading kernel modules can cause changes to lots of
      inodes in debugfs.
      
      There are a couple real fixes being bandied about including removing the
      fixed compile time limit of 20 or not auditing changes in debugfs (or
      both) but neither are small and obvious so I am not sending them for
      immediate inclusion (I hope Al forwards a real solution next devel
      window).
      
      In the meantime this patch simply adds 'audit' to the beginning of the
      crap message so if a user sees it, they come blame me first and we can
      talk about what it means and make sure we understand all of the reasons
      it can happen and make sure this gets solved correctly in the long run.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      449cedf0
  11. 30 3月, 2010 1 次提交
    • T
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo 提交于
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Guess-its-ok-by: NChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  12. 09 2月, 2010 1 次提交
  13. 23 12月, 2009 1 次提交
  14. 24 9月, 2009 1 次提交
  15. 24 6月, 2009 4 次提交
    • A
      Fix rule eviction order for AUDIT_DIR · 916d7576
      Al Viro 提交于
      If syscall removes the root of subtree being watched, we
      definitely do not want the rules refering that subtree
      to be destroyed without the syscall in question having
      a chance to match them.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      916d7576
    • E
      Audit: clean up all op= output to include string quoting · 9d960985
      Eric Paris 提交于
      A number of places in the audit system we send an op= followed by a string
      that includes spaces.  Somehow this works but it's just wrong.  This patch
      moves all of those that I could find to be quoted.
      
      Example:
      
      Change From: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
      subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op=remove rule
      key="number2" list=4 res=0
      
      Change To: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
      subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule"
      key="number2" list=4 res=0
      Signed-off-by: NEric Paris <eparis@redhat.com>
      9d960985
    • E
      audit: seperate audit inode watches into a subfile · cfcad62c
      Eric Paris 提交于
      In preparation for converting audit to use fsnotify instead of inotify we
      seperate the inode watching code into it's own file.  This is similar to
      how the audit tree watching code is already seperated into audit_tree.c
      Signed-off-by: NEric Paris <eparis@redhat.com>
      cfcad62c
    • E
      Audit: better estimation of execve record length · b87ce6e4
      Eric Paris 提交于
      The audit execve record splitting code estimates the length of the message
      generated.  But it forgot to include the "" that wrap each string in its
      estimation.  This means that execve messages with lots of tiny (1-2 byte)
      arguments could still cause records greater than 8k to be emitted.  Simply
      fix the estimate.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      b87ce6e4
  16. 06 4月, 2009 5 次提交
    • E
      Audit: remove spaces from audit_log_d_path · def57543
      Eric Paris 提交于
      audit_log_d_path had spaces in the strings which would be emitted on the
      error paths.  This patch simply replaces those spaces with an _ or removes
      the needless spaces entirely.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      def57543
    • E
      audit: audit_set_auditable defined but not used · 679173b7
      Eric Paris 提交于
      after 0590b933 audit_set_auditable() is now only
      used by the audit tree code.  If CONFIG_AUDIT_TREE is unset it will be defined
      but unused.  This patch simply moves the function inside a CONFIG_AUDIT_TREE
      block.
      
      cc1: warnings being treated as errors
      /home/acme_unencrypted/git/linux-2.6-tip/kernel/auditsc.c:745: error: ‘audit_set_auditable’ defined but not used
      make[2]: *** [kernel/auditsc.o] Error 1
      make[1]: *** [kernel] Error 2
      make[1]: *** Waiting for unfinished jobs....
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      679173b7
    • P
      audit: Fix possible return value truncation in audit_get_context() · 6d208da8
      Paul Moore 提交于
      The audit subsystem treats syscall return codes as type long, unfortunately
      the audit_get_context() function mistakenly converts the return code to an
      int type in the parameters which could cause problems on systems where the
      sizeof(int) != sizeof(long).
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      6d208da8
    • R
      auditsc: fix kernel-doc notation · 6b962559
      Randy Dunlap 提交于
      Fix auditsc kernel-doc notation:
      
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): No description found for parameter 'attr'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): Excess function parameter 'u_attr' description in '__audit_mq_open'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): No description found for parameter 'notification'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): Excess function parameter 'u_notification' description in '__audit_mq_notify'
      Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
      cc:	Al Viro <viro@zeniv.linux.org.uk>
      cc:	Eric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      6b962559
    • J
      audit: EXECVE record - removed bogus newline · ca96a895
      Jiri Pirko 提交于
      (updated)
      Added hunk that changes the comment, the rest is the same.
      
      EXECVE records contain a newline after every argument. auditd converts
      "\n" to " " so you cannot see newlines even in raw logs, but they're
      there nevertheless. If you're not using auditd, you need to work round
      them. These '\n' chars are can be easily replaced by spaces when
      creating record in kernel. Note there is no need for trailing '\n' in
      an audit record.
      
      record before this patch:
      "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\"\na1=\"a\"\na2=\"b\"\na3=\"c\"\n"
      
      record after this patch:
      "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\" a1=\"a\" a2=\"b\" a3=\"c\""
      Signed-off-by: NJiri Pirko <jpirko@redhat.com>
      Acked-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      ca96a895
  17. 01 4月, 2009 1 次提交
  18. 05 1月, 2009 5 次提交