提交 a51d9eaa 编写于 作者: K Kees Cook 提交者: Al Viro

fs: add link restriction audit reporting

Adds audit messages for unexpected link restriction violations so that
system owners will have some sort of potentially actionable information
about misbehaving processes.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
上级 800179c9
...@@ -692,6 +692,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd) ...@@ -692,6 +692,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd)
path_put_conditional(link, nd); path_put_conditional(link, nd);
path_put(&nd->path); path_put(&nd->path);
audit_log_link_denied("follow_link", link);
return -EACCES; return -EACCES;
} }
...@@ -760,6 +761,7 @@ static int may_linkat(struct path *link) ...@@ -760,6 +761,7 @@ static int may_linkat(struct path *link)
capable(CAP_FOWNER)) capable(CAP_FOWNER))
return 0; return 0;
audit_log_link_denied("linkat", link);
return -EPERM; return -EPERM;
} }
......
...@@ -130,6 +130,7 @@ ...@@ -130,6 +130,7 @@
#define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */ #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
...@@ -687,6 +688,8 @@ extern void audit_log_d_path(struct audit_buffer *ab, ...@@ -687,6 +688,8 @@ extern void audit_log_d_path(struct audit_buffer *ab,
const struct path *path); const struct path *path);
extern void audit_log_key(struct audit_buffer *ab, extern void audit_log_key(struct audit_buffer *ab,
char *key); char *key);
extern void audit_log_link_denied(const char *operation,
struct path *link);
extern void audit_log_lost(const char *message); extern void audit_log_lost(const char *message);
#ifdef CONFIG_SECURITY #ifdef CONFIG_SECURITY
extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
...@@ -716,6 +719,7 @@ extern int audit_enabled; ...@@ -716,6 +719,7 @@ extern int audit_enabled;
#define audit_log_untrustedstring(a,s) do { ; } while (0) #define audit_log_untrustedstring(a,s) do { ; } while (0)
#define audit_log_d_path(b, p, d) do { ; } while (0) #define audit_log_d_path(b, p, d) do { ; } while (0)
#define audit_log_key(b, k) do { ; } while (0) #define audit_log_key(b, k) do { ; } while (0)
#define audit_log_link_denied(o, l) do { ; } while (0)
#define audit_log_secctx(b,s) do { ; } while (0) #define audit_log_secctx(b,s) do { ; } while (0)
#define audit_enabled 0 #define audit_enabled 0
#endif #endif
......
...@@ -1449,6 +1449,27 @@ void audit_log_key(struct audit_buffer *ab, char *key) ...@@ -1449,6 +1449,27 @@ void audit_log_key(struct audit_buffer *ab, char *key)
audit_log_format(ab, "(null)"); audit_log_format(ab, "(null)");
} }
/**
* audit_log_link_denied - report a link restriction denial
* @operation: specific link opreation
* @link: the path that triggered the restriction
*/
void audit_log_link_denied(const char *operation, struct path *link)
{
struct audit_buffer *ab;
ab = audit_log_start(current->audit_context, GFP_KERNEL,
AUDIT_ANOM_LINK);
audit_log_format(ab, "op=%s action=denied", operation);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
audit_log_d_path(ab, " path=", link);
audit_log_format(ab, " dev=");
audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
audit_log_end(ab);
}
/** /**
* audit_log_end - end one audit record * audit_log_end - end one audit record
* @ab: the audit_buffer * @ab: the audit_buffer
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册