1. 21 Oct 2007, 1 commit
    • [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro committed
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
        * if you have hardlink from outside of tree, you'd better watch
          it too (or just watch the object itself, obviously)
        * if you mount something under a watched tree, tell audit
          that new chunk should be added to watched subtrees
        * if you umount something in a watched tree and it's still mounted
          elsewhere, you will get matches on events happening there.  New command
          tells audit to recalculate the trees, trimming such sources of false
          positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. 19 Oct 2007, 1 commit
  3. 22 Jul 2007, 2 commits
  4. 18 Jul 2007, 1 commit
    • kernel/auditfilter: kill bogus uninit'd-var compiler warning · 6f686d3d
      Jeff Garzik committed
      Kill this warning...
      
      kernel/auditfilter.c: In function ‘audit_receive_filter’:
      kernel/auditfilter.c:1213: warning: ‘ndw’ may be used uninitialized in this function
      kernel/auditfilter.c:1213: warning: ‘ndp’ may be used uninitialized in this function
      
      ...with a simplification of the code.  audit_put_nd() can accept NULL
      arguments, just like kfree().  It is cleaner to init two existing vars
      to NULL, remove the redundant test variable 'putnd_needed' branches, and call
      audit_put_nd() directly.
      
      As a desired side effect, the warning goes away.
      Signed-off-by: Jeff Garzik <jeff@garzik.org>
  5. 24 Jun 2007, 1 commit
  6. 16 May 2007, 1 commit
  7. 11 May 2007, 1 commit
    • [PATCH] audit signal recipients · e54dc243
      Amy Griffis committed
      When auditing syscalls that send signals, log the pid and security
      context for each target process. Optimize the data collection by
      adding a counter for signal-related rules, and avoiding allocating an
      aux struct unless we have more than one target process. For process
      groups, collect pid/context data in blocks of 16. Move the
      audit_signal_info() hook up in check_kill_permission() so we audit
      attempts where permission is denied.
      Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  8. 18 Feb 2007, 1 commit
  9. 12 Feb 2007, 1 commit
  10. 23 Dec 2006, 1 commit
  11. 08 Dec 2006, 1 commit
  12. 04 Oct 2006, 1 commit
    • [PATCH] arch filter lists with < or > should not be accepted · 4b8a311b
      Eric Paris committed
      Currently the kernel audit system represents arch's as numbers and will
      gladly accept comparisons between archs using >, <, >=, <= when the only
      thing that makes sense is = or !=.  I'm told that the next revision of
      auditctl will do this checking but this will provide enforcement in the
      kernel even for old userspace.  A simple command to show the issue would
      be to run
      
      auditctl -d entry,always -F arch>i686 -S chmod
      
      with this patch the kernel will reject this with -EINVAL
      
      Please comment/ack/nak as soon as possible.
      
      -Eric
      
       kernel/auditfilter.c |    9 ++++++++-
       1 file changed, 8 insertions(+), 1 deletion(-)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  13. 26 Sep 2006, 1 commit
  14. 12 Sep 2006, 3 commits
  15. 03 Aug 2006, 2 commits
  16. 01 Jul 2006, 4 commits
    • [PATCH] audit syscall classes · b915543b
      Al Viro committed
      Allow to tie upper bits of syscall bitmap in audit rules to kernel-defined
      sets of syscalls.  Infrastructure, a couple of classes (with 32bit counterparts
      for biarch targets) and actual tie-in on i386, amd64 and ia64.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] audit: support for object context filters · 6e5a2d1d
      Darrel Goeddel committed
      This patch introduces object audit filters based on the elements
      of the SELinux context.
      Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      
       kernel/auditfilter.c           |   25 +++++++++++++++++++++++++
       kernel/auditsc.c               |   40 ++++++++++++++++++++++++++++++++++++++++
       security/selinux/ss/services.c |   18 +++++++++++++++++-
       3 files changed, 82 insertions(+), 1 deletion(-)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] audit: rename AUDIT_SE_* constants · 3a6b9f85
      Darrel Goeddel committed
      This patch renames some audit constant definitions and adds
      additional definitions used by the following patch.  The renaming
      avoids ambiguity with respect to the new definitions.
      Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
      
       include/linux/audit.h          |   15 ++++++++----
       kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
       kernel/auditsc.c               |   10 ++++----
       security/selinux/ss/services.c |   32 +++++++++++++-------------
       4 files changed, 56 insertions(+), 51 deletions(-)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis committed
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
  17. 20 Jun 2006, 7 commits
    • [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis committed
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
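As an added example (this is not code from the commit, the kernel, or audit userspace), here is a small C consumer of records like the ones shown above. It checks that an event carries as many PATH records as its SYSCALL record announces in items=, and it rebuilds the full path of the changed directory entry from the parent record (item=0) together with the entry record (item=1), falling back to cwd= when the parent name is relative. The field-extraction helper, the abridged copies of the two sample events, and the wrapper functions are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the value of "key=" from one audit record into buf (surrounding
 * quotes stripped).  Only a key at the start of the record or after a
 * space counts, so "item" does not match "items".  Returns 1 if found. */
static int audit_field(const char *rec, const char *key, char *buf, size_t n)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            char stop = ' ';
            size_t i = 0;

            if (*v == '"') {
                stop = '"';
                v++;
            }
            while (v[i] != '\0' && v[i] != stop && i < n - 1) {
                buf[i] = v[i];
                i++;
            }
            buf[i] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* 1 if the event's PATH record count equals items= in its SYSCALL record.
 * A mismatch means the event is truncated, so path reconstruction from it
 * should not be trusted. */
int audit_event_complete(const char *const *recs, int n)
{
    char type[16], items[8];
    int expected = -1, paths = 0;

    for (int i = 0; i < n; i++) {
        if (!audit_field(recs[i], "type", type, sizeof type))
            continue;
        if (strcmp(type, "SYSCALL") == 0 &&
            audit_field(recs[i], "items", items, sizeof items))
            expected = atoi(items);
        else if (strcmp(type, "PATH") == 0)
            paths++;
    }
    return expected >= 0 && expected == paths;
}

/* Rebuild the full path of the changed entry from the parent record
 * (item=0) plus the entry record (item=1), prefixing cwd= when the parent
 * name is relative.  Returns 0 when the parent record is absent, as in
 * the pre-patch output. */
int audit_dirent_path(const char *const *recs, int n, char *out, size_t outlen)
{
    char type[16], item[4], cwd[256] = "", parent[256] = "", name[256] = "";
    int have_parent = 0, have_name = 0;

    for (int i = 0; i < n; i++) {
        if (!audit_field(recs[i], "type", type, sizeof type))
            continue;
        if (strcmp(type, "CWD") == 0) {
            audit_field(recs[i], "cwd", cwd, sizeof cwd);
        } else if (strcmp(type, "PATH") == 0 &&
                   audit_field(recs[i], "item", item, sizeof item)) {
            if (strcmp(item, "0") == 0)
                have_parent = audit_field(recs[i], "name", parent, sizeof parent);
            else if (strcmp(item, "1") == 0)
                have_name = audit_field(recs[i], "name", name, sizeof name);
        }
    }
    if (!have_parent || !have_name)
        return 0;
    if (parent[0] == '/')
        snprintf(out, outlen, "%s/%s", parent, name);
    else
        snprintf(out, outlen, "%s/%s/%s", cwd, parent, name);
    return 1;
}

/* Sample events copied (abridged) from the commit message above. */
static const char *const before_patch[] = {
    "type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 items=1 pid=800 comm=\"mkdir\" exe=\"/bin/mkdir\"",
    "type=CWD msg=audit(1149821605.320:26):  cwd=\"/root\"",
    "type=PATH msg=audit(1149821605.320:26): item=0 name=\"foo\" parent=164068 inode=164010 dev=03:00 mode=040755",
};
static const char *const after_patch[] = {
    "type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 items=2 pid=777 comm=\"mkdir\" exe=\"/bin/mkdir\"",
    "type=CWD msg=audit(1149822032.332:24):  cwd=\"/root\"",
    "type=PATH msg=audit(1149822032.332:24): item=0 name=\"/root\" inode=164068 dev=03:00 mode=040750",
    "type=PATH msg=audit(1149822032.332:24): item=1 name=\"foo\" inode=164010 dev=03:00 mode=040755",
};

/* Wrappers so the two sample events can be checked without a buffer. */
int sample_after_path_is(const char *expected)
{
    char out[512];
    return audit_dirent_path(after_patch, 4, out, sizeof out) &&
           strcmp(out, expected) == 0;
}

int sample_before_resolvable(void)
{
    char out[512];
    return audit_dirent_path(before_patch, 3, out, sizeof out);
}
```

The post-patch event resolves to /root/foo because item=0 now names the directory itself; the pre-patch event only carries the parent's inode number, so the same routine reports that it cannot reconstruct the path.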
    • [PATCH] fix AUDIT_FILTER_PREPEND handling · 6a2bceec
      Amy Griffis committed
      Clear AUDIT_FILTER_PREPEND flag after adding rule to list.  This
      fixes three problems when a rule is added with the -A syntax:
      
          - auditctl displays filter list as "(null)"
          - the rule cannot be removed using -d
          - a duplicate rule can be added with -a
      Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] validate rule fields' types · 0a73dccc
      Al Viro committed
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] audit: path-based rules · f368c07d
      Amy Griffis committed
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
                             the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145
      Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] deprecate AUDIT_POSSBILE · 014149cc
      Al Viro committed
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] fix audit_krule_to_{rule,data} return values · 0a3b483e
      Amy Griffis committed
      Don't return -ENOMEM when callers of these functions are checking for
      a NULL return.  Bug noticed by Serge Hallyn.
      Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES · 9044e6bc
      Al Viro committed
      We should not send a pile of replies while holding audit_netlink_mutex
      since we hold the same mutex when we receive commands.  As the result,
      we can get blocked while sending and sit there holding the mutex while
      auditctl is unable to send the next command and get around to receiving
      what we'd sent.
      
      Solution: create skb and put them into a queue instead of sending;
      once we are done, send what we've got on the list.  The former can
      be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
      we are holding audit_netlink_mutex at that point.  The latter is done
      asynchronously and without messing with audit_netlink_mutex.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  18. 01 May 2006, 2 commits
  19. 21 Mar 2006, 6 commits
    • [PATCH] sem2mutex: audit_netlink_sem · 5a0bbce5
      Ingo Molnar committed
      Semaphore to mutex conversion.
      
      The conversion was generated via scripts, and the result was validated
      automatically via a script as well.
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] Fix audit operators · d9d9ec6e
      Dustin Kirkland committed
      Darrel Goeddel initiated a discussion on IRC regarding the possibility
      of audit_comparator() returning -EINVAL signaling an invalid operator.
      
      It is possible when creating the rule to assure that the operator is one
      of the 6 sane values.  Here's a snip from include/linux/audit.h  Note
      that 0 (nonsense) and 7 (all operators) are not valid values for an
      operator.
      
      ...
      
      /* These are the supported operators.
       *      4  2  1
       *      =  >  <
       *      -------
       *      0  0  0         0       nonsense
       *      0  0  1         1       <
       *      0  1  0         2       >
       *      0  1  1         3       !=
       *      1  0  0         4       =
       *      1  0  1         5       <=
       *      1  1  0         6       >=
       *      1  1  1         7       all operators
       */
      ...
      
      Furthermore, prior to adding these extended operators, flagging the
      AUDIT_NEGATE bit implied !=, and otherwise == was assumed.
      
      The following code forces the operator to be != if the AUDIT_NEGATE bit
      was flipped on.  And if no operator was specified, == is assumed.  The
      only invalid condition is if the AUDIT_NEGATE bit is off and all of the
      AUDIT_EQUAL, AUDIT_LESS_THAN, and AUDIT_GREATER_THAN bits are
      on--clearly a nonsensical operator.
      
      Now that this is handled at rule insertion time, the default -EINVAL
      return of audit_comparator() is eliminated such that the function can
      only return 1 or 0.
      
      If this is acceptable, let's get this applied to the current tree.
      
      :-Dustin
      
      --
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      (cherry picked from 9bf0a8e137040f87d1b563336d4194e38fb2ba1a commit)
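The operator normalisation described in this commit, together with the arch-field restriction from the "arch filter lists with < or > should not be accepted" commit (4b8a311b) further up the page, as an added C example. This is illustrative code written for this page, not the kernel's auditfilter.c: the operator bits follow the 4/2/1 table quoted above, but the exact bit positions and the AUDIT_ARCH field id are assumptions meant to match include/linux/audit.h of that era, and the two `audit_field_*` wrappers are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Operator bits follow the 4/2/1 table in the commit message; bit
 * positions and the AUDIT_ARCH id are assumed, not taken from this page. */
#define AUDIT_NEGATE                0x80000000u
#define AUDIT_LESS_THAN             0x10000000u
#define AUDIT_GREATER_THAN          0x20000000u
#define AUDIT_EQUAL                 0x40000000u
#define AUDIT_NOT_EQUAL             (AUDIT_LESS_THAN | AUDIT_GREATER_THAN)
#define AUDIT_LESS_THAN_OR_EQUAL    (AUDIT_LESS_THAN | AUDIT_EQUAL)
#define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN | AUDIT_EQUAL)
#define AUDIT_OPERATORS             (AUDIT_EQUAL | AUDIT_GREATER_THAN | AUDIT_LESS_THAN)
#define AUDIT_ARCH                  11u  /* assumed field id of the arch field */

/* Split one raw rule field word into field id and operator and normalise
 * the operator at rule-insertion time: AUDIT_NEGATE forces !=, no operator
 * means ==, and value 7 ("all operators") is rejected.  The arch field
 * additionally accepts only = and !=, because an arch number identifies an
 * architecture and has no ordering.  Returns 0 on success, -EINVAL otherwise. */
int audit_parse_field(uint32_t raw, uint32_t *field, uint32_t *op)
{
    uint32_t o = raw & (AUDIT_NEGATE | AUDIT_OPERATORS);
    uint32_t f = raw & ~(AUDIT_NEGATE | AUDIT_OPERATORS);

    if (o & AUDIT_NEGATE)
        o = AUDIT_NOT_EQUAL;      /* legacy negate bit always means != */
    else if (o == 0)
        o = AUDIT_EQUAL;          /* no operator given: == is assumed */
    else if (o == AUDIT_OPERATORS)
        return -EINVAL;           /* 1 1 1: the nonsensical "all operators" */

    if (f == AUDIT_ARCH && o != AUDIT_EQUAL && o != AUDIT_NOT_EQUAL)
        return -EINVAL;           /* e.g. "-F arch>i686" is rejected */

    *field = f;
    *op = o;
    return 0;
}

/* Once every stored rule has passed audit_parse_field(), the comparator
 * only ever sees one of the six sane operators and returns 1 or 0. */
int audit_comparator(uint32_t left, uint32_t op, uint32_t right)
{
    switch (op) {
    case AUDIT_EQUAL:                 return left == right;
    case AUDIT_NOT_EQUAL:             return left != right;
    case AUDIT_LESS_THAN:             return left < right;
    case AUDIT_LESS_THAN_OR_EQUAL:    return left <= right;
    case AUDIT_GREATER_THAN:          return left > right;
    case AUDIT_GREATER_THAN_OR_EQUAL: return left >= right;
    }
    return 0;                     /* unreachable for validated rules */
}

/* Convenience wrappers: does `raw` normalise to the expected (field, op)
 * pair, or is it rejected outright? */
int audit_field_parses_to(uint32_t raw, uint32_t want_field, uint32_t want_op)
{
    uint32_t f, o;
    return audit_parse_field(raw, &f, &o) == 0 && f == want_field && o == want_op;
}

int audit_field_rejected(uint32_t raw)
{
    uint32_t f, o;
    return audit_parse_field(raw, &f, &o) == -EINVAL;
}

int main(void)
{
    /* the command line from the arch-filter commit: -F arch>i686 */
    printf("arch > x rejected: %d\n", audit_field_rejected(AUDIT_ARCH | AUDIT_GREATER_THAN));
    /* legacy AUDIT_NEGATE on field id 1 becomes != */
    printf("negate -> !=:      %d\n", audit_field_parses_to(1u | AUDIT_NEGATE, 1u, AUDIT_NOT_EQUAL));
    printf("5 <= 5:            %d\n", audit_comparator(5, AUDIT_LESS_THAN_OR_EQUAL, 5));
    return 0;
}
```

Doing the rejection once at insertion time is what lets the hot-path comparator shrink to a pure match/no-match function: every rule that reaches it is already known to carry a meaningful operator.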
    • [PATCH] add/remove rule update · 5d330108
      Steve Grubb committed
      Hi,
      
      The following patch adds a little more information to the add/remove rule message emitted
      by the kernel.
      Signed-off-by: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] audit string fields interface + consumer · 93315ed6
      Amy Griffis committed
      Updated patch to dynamically allocate audit rule fields in kernel's
      internal representation.  Added unlikely() calls for testing memory
      allocation result.
      
      Amy Griffis wrote:     [Wed Jan 11 2006, 02:02:31PM EST]
      > Modify audit's kernel-userspace interface to allow the specification
      > of string fields in audit rules.
      >
      > Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      (cherry picked from 5ffc4a863f92351b720fe3e9c5cd647accff9e03 commit)
    • [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL · fe7752ba
      David Woodhouse committed
      This fixes the per-user and per-message-type filtering when syscall
      auditing isn't enabled.
      
      [AV: folded followup fix from the same author]
      Signed-off-by: David Woodhouse <dwmw2@infradead.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>