This patch extends existing audit records with subject/object context
information. Audit records associated with filesystem inodes, ipc, and
tasks now contain SELinux label information in the field "subj" if the
item is performing the action, or in "obj" if the item is the receiver
of an action.

These labels are collected via hooks in SELinux and appended to the
appropriate record in the audit code.

This additional information is required for Common Criteria Labeled
Security Protection Profile (LSPP).

[AV: fixed kmalloc flags use]
[folded leak fixes]
[folded cleanup from akpm (kfree(NULL)]
[folded audit_inode_context() leak fix]
[folded akpm's fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]
Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

    - Add a new, 5th filter called "exclude".
    - And add a new field AUDIT_MSGTYPE.
    - Define a new function audit_filter_exclude() that takes a message type
      as input and examines all rules in the filter.  It returns '1' if the
      message is to be excluded, and '0' otherwise.
    - Call the audit_filter_exclude() function near the top of
      audit_log_start() just after asserting audit_initialized.  If the
      message type is not to be audited, return NULL very early, before
      doing a lot of work.
[combined with followup fix for bug in original patch, Nov 4, same author]
[combined with later renaming AUDIT_FILTER_EXCLUDE->AUDIT_FILTER_TYPE
and audit_filter_exclude() -> audit_filter_type()]
Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

This patch augments the collection of inode info during syscall
processing. It represents part of the functionality that was provided
by the auditfs patch included in RHEL4.

Specifically, it:

- Collects information for target inodes created or removed during
  syscalls.  Previous code only collects information for the target
  inode's parent.

- Adds the audit_inode() hook to syscalls that operate on a file
  descriptor (e.g. fchown), enabling audit to do inode filtering for
  these calls.

- Modifies filtering code to check audit context for either an inode #
  or a parent inode # matching a given rule.

- Modifies logging to provide inode # for both parent and child.

- Protect debug info from NULL audit_names.name.

[AV: folded a later typo fix from the same author]
Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

The audit hooks (to be added shortly) will want to see dentry->d_inode
too, not just the name.
Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.

This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".

This turned out to be a pretty clean, and simply process.  I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.

The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was.  This
value is returned.
Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

- add kerneldoc for non-static functions;
- don't init static data to 0;
- limit lines to < 80 columns;
- fix long-format style;
- delete whitespace at end of some lines;

(chrisw: resend and update to current audit-2.6 tree)
Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net>
Signed-off-by: NChris Wright <chrisw@osdl.org>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

hi,

The motivation behind the patch below was to address messages in
/var/log/messages such as:

Jan 31 10:54:15 mets kernel: audit(:0): major=252 name_count=0: freeing
multiple contexts (1)
Jan 31 10:54:15 mets kernel: audit(:0): major=113 name_count=0: freeing
multiple contexts (2)

I can reproduce by running 'get-edid' from:
http://john.fremlin.de/programs/linux/read-edid/.

These messages come about in the log b/c the vm86 calls do not exit via
the normal system call exit paths and thus do not call
'audit_syscall_exit'. The next system call will then free the context for
itself and for the vm86 context, thus generating the above messages. This
patch addresses the issue by simply adding a call to 'audit_syscall_exit'
from the vm86 code.

Besides fixing the above error messages the patch also now allows vm86
system calls to become auditable. This is useful since strace does not
appear to properly record the return values from sys_vm86.

I think this patch is also a step in the right direction in terms of
cleaning up some core auditing code. If we can correct any other paths
that do not properly call the audit exit and entries points, then we can
also eliminate the notion of context chaining.

I've tested this patch by verifying that the log messages no longer
appear, and that the audit records for sys_vm86 appear to be correct.
Also, 'read_edid' produces itentical output.

thanks,

-Jason
Signed-off-by: NJason Baron <jbaron@redhat.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

audit_log_exit() is called from atomic contexts and gets explicit
gfp_mask argument; it should use it for all allocations rather
than doing some with gfp_mask and some with GFP_KERNEL.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

EDAC requires a way to scrub memory if an ECC error is found and the chipset
does not do the work automatically.  That means rewriting memory locations
atomically with respect to all CPUs _and_ bus masters.  That means we can't
use atomic_add(foo, 0) as it gets optimised for non-SMP

This adds a function to include/asm-foo/atomic.h for the platforms currently
supported which implements a scrub of a mapped block.

It also adjusts a few other files include order where atomic.h is included
before types.h as this now causes an error as atomic_scrub uses u32.
Signed-off-by: NAlan Cox <alan@redhat.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

The following patch against audit.81 prevents duplicate syscall rules in
a given filter list by walking the list on each rule add.

I also removed the unused struct audit_entry in audit.c and made the
static inlines in auditsc.c consistent.
Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

It was showing up fairly high on profiles even when no rules were set.
Make sure the common path stays as fast as possible.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

... by generating serial numbers only if an audit context is actually
_used_, rather than doing so at syscall entry even when the context
isn't necessarily marked auditable.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

We didn't rename it to audit_tgid after all. Except once... Doh.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

When we flush a pending syscall audit record due to audit_free(), we
might be doing that in the context of the idle thread. So use GFP_ATOMIC
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

and not just the one thread.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

The pid in the audit context isn't always set up. Use tsk->pid when 
checking whether it's auditd in audit_filter_syscall(), instead of 
ctx->pid. Remove a band-aid which did the same elsewhere.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Don't look up the task by its pid and then use the syscall filtering
helper. Just implement our own filter helper which operates solely on
the information in the netlink_skb_parms. 
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

When the task refcounting was added to audit_filter_rules() it became
more of a problem that this function was violating the 'only one 
return from each function' rule. In fixing it to use a variable to store 
'ret' I stupidly neglected to actually change the 'return 1;' at the 
end. This makes it not work very well.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Add a gfp_mask to audit_log_start() and audit_log(), to reduce the
amount of GFP_ATOMIC allocation -- most of it doesn't need to be 
GFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to
60 seconds for the auditd backlog to clear instead of immediately 
abandoning the message. 

The timeout should probably be made configurable, but for now it'll 
suffice that it only happens if auditd is actually running.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Also exempt USER_AVC message from being discarded to preserve 
existing behaviour for SE Linux.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

If we have enough rules to fill the netlink buffer space, it'll 
deadlock because auditctl isn't ever actually going to read from the 
socket until we return, and we aren't going to return until it 
reads... so we spawn a kernel thread to spew out the list and then
exit.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

When LOOKUP_PARENT is used, the inode which results is not the inode
found at the pathname. Report the flags so that this doesn't generate
misleading audit records.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

We were only avoiding it on syscall exit before; now stop _everything_.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Turn the field from a bitmask to an enumeration and add a list to allow 
filtering of messages generated by userspace. We also define a list for 
file system watches in anticipation of that feature.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

While they were all just simple blobs it made sense to just free them
as we walked through and logged them. Now that there are pointers to
other objects which need refcounting, we might as well revert to
_only_ logging them in audit_log_exit(), and put the code to free them
properly in only one place -- in audit_free_aux().
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
----------------------------------------------------------

It comes from the user; it needs to be escaped.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

These changes make processing of audit logs easier. Based on a patch
from Steve Grubb <sgrubb@redhat.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Move audit_serial() into audit.c and use it to generate serial numbers 
on messages even when there is no audit context from syscall auditing.  
This allows us to disambiguate audit records when more than one is 
generated in the same millisecond.

Based on a patch by Steve Grubb after he observed the problem.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

The attached patch changes all occurrences of loginuid to auid. It also 
changes everything to %u that is an unsigned type.
Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

This patch changes the SELinux AVC to defer logging of paths to the audit
framework upon syscall exit, by saving a reference to the (dentry,vfsmount)
pair in an auxiliary audit item on the current audit context for processing
by audit_log_exit.
Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Nobody does. Really, it gets very silly if auditd is recording its
own actions.
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

I'm going through the kernel code and have a patch that corrects 
several spelling errors in comments.

From: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

This patch adds more messages types to the audit subsystem so that audit 
analysis is quicker, intuitive, and more useful.
Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
---
I forgot one type in the big patch. I need to add one for user space 
originating SE Linux avc messages. This is used by dbus and nscd.

-Steve
---
Updated to 2.6.12-rc4-mm1.
-dwmw2
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>

Add audit_log_type to allow callers to specify type and pid when logging.
Convert audit_log to wrapper around audit_log_type.  Could have
converted all audit_log callers directly, but common case is default
of type AUDIT_KERNEL and pid 0.  Update audit_log_start to take type
and pid values when creating a new audit_buffer.  Move sequences that
did audit_log_start, audit_log_format, audit_set_type, audit_log_end,
to simply call audit_log_type directly.  This obsoletes audit_set_type
and audit_set_pid, so remove them.
Signed-off-by: NChris Wright <chrisw@osdl.org>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>