- 20 Jun, 2006 5 commits
-
-
Linda Knippers authored
The following patch addresses most of the issues with the IPC_SET_PERM records as described in: https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html and addresses the comments I received on the record field names. To summarize, I made the following changes: 1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM record is emitted in the failure case as well as the success case. This matches the behavior in sys_shmctl(). I could simplify the code in sys_msgctl() and semctl_down() slightly but it would mean that in some error cases we could get an IPC_SET_PERM record without an IPC record and that seemed odd. 2. No change to the IPC record type, given no feedback on the backward compatibility question. 3. Removed the qbytes field from the IPC record. It wasn't being set and when audit_ipc_obj() is called from ipcperms(), the information isn't available. If we want the information in the IPC record, more extensive changes will be necessary. Since it only applies to message queues and it isn't really permission related, it doesn't seem worth it. 4. Removed the obj field from the IPC_SET_PERM record. This means that the kern_ipc_perm argument is no longer needed. 5. Removed the spaces and renamed the IPC_SET_PERM field names. Replaced iuid and igid fields with ouid and ogid in the IPC record. I tested this with the lspp.22 kernel on an x86_64 box. I believe it applies cleanly on the latest kernel. -- ljk Signed-off-by:
Linda Knippers <linda.knippers@hp.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
... no need to provide a stub; note that extern is already gone from include/linux/audit.h Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
- 01 May, 2006 4 commits
-
-
Steve Grubb authored
1) The audit_ipc_perms() function has been split into two different functions: - audit_ipc_obj() - audit_ipc_set_perm() There's a key shift here... The audit_ipc_obj() collects the uid, gid, mode, and SElinux context label of the current ipc object. This audit_ipc_obj() hook is now found in several places. Most notably, it is hooked in ipcperms(), which is called in various places around the ipc code permforming a MAC check. Additionally there are several places where *checkid() is used to validate that an operation is being performed on a valid object while not necessarily having a nearby ipcperms() call. In these locations, audit_ipc_obj() is called to ensure that the information is captured by the audit system. The audit_set_new_perm() function is called any time the permissions on the ipc object changes. In this case, the NEW permissions are recorded (and note that an audit_ipc_obj() call exists just a few lines before each instance). 2) Support ...
-
Steve Grubb authored
Hi, The patch below builds upon the patch sent earlier and adds subject label to all audit events generated via the netlink interface. It also cleans up a few other minor things. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Darrel Goeddel authored
The following patch provides selinux interfaces that will allow the audit system to perform filtering based on the process context (user, role, type, sensitivity, and clearance). These interfaces will allow the selinux module to perform efficient matches based on lower level selinux constructs, rather than relying on context retrievals and string comparisons within the audit module. It also allows for dominance checks on the mls portion of the contexts that are impossible with only string comparisons. Signed-off-by:
Darrel Goeddel <dgoeddel@trustedcs.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
... it's always current, and that's a good thing - allows simpler locking. Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
- 20 Mar, 2006 10 commits
-
-
Steve Grubb authored
Hi, When a network interface goes into promiscuous mode, its an important security issue. The attached patch is intended to capture that action and send an event to the audit system. The patch carves out a new block of numbers for kernel detected anomalies. These are events that may indicate suspicious activity. Other examples of potential kernel anomalies would be: exceeding disk quota, rlimit violations, changes to syscall entry table. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Steve Grubb authored
Hi, The following patch adds a little more information to the add/remove rule message emitted by the kernel. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
Updated patch to dynamically allocate audit rule fields in kernel's internal representation. Added unlikely() calls for testing memory allocation result. Amy Griffis wrote: [Wed Jan 11 2006, 02:02:31PM EST] > Modify audit's kernel-userspace interface to allow the specification > of string fields in audit rules. > > Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> (cherry picked from 5ffc4a863f92351b720fe3e9c5cd647accff9e03 commit)
-
Steve Grubb authored
Attached is a patch that hardwires important SE Linux events to the audit system. Please Apply. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Acked-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
David Woodhouse authored
This fixes the per-user and per-message-type filtering when syscall auditing isn't enabled. [AV: folded followup fix from the same author] Signed-off-by:
David Woodhouse <dwmw2@infradead.org> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Dustin Kirkland authored
This patch extends existing audit records with subject/object context information. Audit records associated with filesystem inodes, ipc, and tasks now contain SELinux label information in the field "subj" if the item is performing the action, or in "obj" if the item is the receiver of an action. These labels are collected via hooks in SELinux and appended to the appropriate record in the audit code. This additional information is required for Common Criteria Labeled Security Protection Profile (LSPP). [AV: fixed kmalloc flags use] [folded leak fixes] [folded cleanup from akpm (kfree(NULL)] [folded audit_inode_context() leak fix] [folded akpm's fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT] Signed-off-by:
Dustin Kirkland <dustin.kirkland@us.ibm.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Dustin Kirkland authored
- Add a new, 5th filter called "exclude". - And add a new field AUDIT_MSGTYPE. - Define a new function audit_filter_exclude() that takes a message type as input and examines all rules in the filter. It returns '1' if the message is to be excluded, and '0' otherwise. - Call the audit_filter_exclude() function near the top of audit_log_start() just after asserting audit_initialized. If the message type is not to be audited, return NULL very early, before doing a lot of work. [combined with followup fix for bug in original patch, Nov 4, same author] [combined with later renaming AUDIT_FILTER_EXCLUDE->AUDIT_FILTER_TYPE and audit_filter_exclude() -> audit_filter_type()] Signed-off-by:
Dustin Kirkland <dustin.kirkland@us.ibm.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
This patch augments the collection of inode info during syscall processing. It represents part of the functionality that was provided by the auditfs patch included in RHEL4. Specifically, it: - Collects information for target inodes created or removed during syscalls. Previous code only collects information for the target inode's parent. - Adds the audit_inode() hook to syscalls that operate on a file descriptor (e.g. fchown), enabling audit to do inode filtering for these calls. - Modifies filtering code to check audit context for either an inode # or a parent inode # matching a given rule. - Modifies logging to provide inode # for both parent and child. - Protect debug info from NULL audit_names.name. [AV: folded a later typo fix from the same author] Signed-off-by:
Amy Griffis <amy.griffis@hp.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Steve Grubb authored
The attached patch updates various items for the new user space messages. Please apply. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
Dustin Kirkland authored
Currently, audit only supports the "=" and "!=" operators in the -F filter rules. This patch reworks the support for "=" and "!=", and adds support for ">", ">=", "<", and "<=". This turned out to be a pretty clean, and simply process. I ended up using the high order bits of the "field", as suggested by Steve and Amy. This allowed for no changes whatsoever to the netlink communications. See the documentation within the patch in the include/linux/audit.h area, where there is a table that explains the reasoning of the bitmask assignments clearly. The patch adds a new function, audit_comparator(left, op, right). This function will perform the specified comparison (op, which defaults to "==" for backward compatibility) between two values (left and right). If the negate bit is on, it will negate whatever that result was. This value is returned. Signed-off-by:
Dustin Kirkland <dustin.kirkland@us.ibm.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 28 Oct, 2005 1 commit
-
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
Linus Torvalds <torvalds@osdl.org>
-
- 10 Jul, 2005 1 commit
-
-
David S. Miller authored
Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 02 Jul, 2005 2 commits
-
-
David Woodhouse authored
audit_log() also takes an extra argument, although it's a vararg function so the compiler didn't really notice. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
Badari Pulavarty authored
audit_log_start() seems to take 3 arguments, but its defined to take only 2 when AUDIT is turned off. security/selinux/avc.c:553:75: macro "audit_log_start" passed 3 arguments, but takes just 2 Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 24 Jun, 2005 1 commit
-
-
David Woodhouse authored
Don't look up the task by its pid and then use the syscall filtering helper. Just implement our own filter helper which operates solely on the information in the netlink_skb_parms. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 22 Jun, 2005 2 commits
-
-
David Woodhouse authored
Add a gfp_mask to audit_log_start() and audit_log(), to reduce the amount of GFP_ATOMIC allocation -- most of it doesn't need to be GFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to 60 seconds for the auditd backlog to clear instead of immediately abandoning the message. The timeout should probably be made configurable, but for now it'll suffice that it only happens if auditd is actually running. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
David Woodhouse authored
Also exempt USER_AVC message from being discarded to preserve existing behaviour for SE Linux. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 21 Jun, 2005 1 commit
-
-
David Woodhouse authored
If we have enough rules to fill the netlink buffer space, it'll deadlock because auditctl isn't ever actually going to read from the socket until we return, and we aren't going to return until it reads... so we spawn a kernel thread to spew out the list and then exit. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 20 Jun, 2005 1 commit
-
-
David Woodhouse authored
When LOOKUP_PARENT is used, the inode which results is not the inode found at the pathname. Report the flags so that this doesn't generate misleading audit records. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 19 Jun, 2005 1 commit
-
-
David Woodhouse authored
Turn the field from a bitmask to an enumeration and add a list to allow filtering of messages generated by userspace. We also define a list for file system watches in anticipation of that feature. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 27 May, 2005 1 commit
-
-
David Woodhouse authored
Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 21 May, 2005 1 commit
-
-
David Woodhouse authored
Move audit_serial() into audit.c and use it to generate serial numbers on messages even when there is no audit context from syscall auditing. This allows us to disambiguate audit records when more than one is generated in the same millisecond. Based on a patch by Steve Grubb after he observed the problem. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 20 May, 2005 1 commit
-
-
Stephen Smalley authored
This patch changes the SELinux AVC to defer logging of paths to the audit framework upon syscall exit, by saving a reference to the (dentry,vfsmount) pair in an auxiliary audit item on the current audit context for processing by audit_log_exit. Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 18 May, 2005 1 commit
-
-
David Woodhouse authored
It's silly to have to add explicit entries for new userspace messages as we invent them. Just treat all messages in the user range the same. Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 17 May, 2005 1 commit
-
-
David Woodhouse authored
Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 13 May, 2005 2 commits
-
-
Steve Grubb authored
I'm going through the kernel code and have a patch that corrects several spelling errors in comments. From: Steve Grubb <sgrubb@redhat.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
Steve Grubb authored
This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 11 May, 2005 2 commits
-
-
Chris Wright authored
Add audit_log_type to allow callers to specify type and pid when logging. Convert audit_log to wrapper around audit_log_type. Could have converted all audit_log callers directly, but common case is default of type AUDIT_KERNEL and pid 0. Update audit_log_start to take type and pid values when creating a new audit_buffer. Move sequences that did audit_log_start, audit_log_format, audit_set_type, audit_log_end, to simply call audit_log_type directly. This obsoletes audit_set_type and audit_set_pid, so remove them. Signed-off-by:
Chris Wright <chrisw@osdl.org> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
Chris Wright authored
Remove code conditionally dependent on CONFIG_AUDITSYSCALL from audit.c. Move these dependencies to audit.h with the rest. Signed-off-by:
Chris Wright <chrisw@osdl.org> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 06 May, 2005 1 commit
-
-
Steve Grubb authored
shutdown credential information. It creates a new message type AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the shutdown. It requires the placement of a hook function that gathers the information. The hook is after the DAC & MAC checks and before the function returns. Racing threads could overwrite the uid & pid - but they would have to be root and have policy that allows signalling the audit daemon. That should be a manageable risk. The userspace component will be released later in audit 0.7.2. When it receives the TERM signal, it queries the kernel for shutdown information. When it receives it, it writes the message and exits. The message looks like this: type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 uid=525, auditd pid=1685 Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-
- 29 Apr, 2005 1 commit
-
-
Steve Grubb authored
Attached is a new patch that solves the issue of getting valid credentials into the LOGIN message. The current code was assuming that the audit context had already been copied. This is not always the case for LOGIN messages. To solve the problem, the patch passes the task struct to the function that emits the message where it can get valid credentials. Signed-off-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org>
-