From 5b9a4262232d632c28990fcdf4f36d0e0ade5f18 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Tue, 29 May 2007 10:38:18 -0400 Subject: [PATCH] Make IPC mode consistent The mode fields for IPC records are not consistent. Some are hex, others are octal. This patch makes them all octal. Signed-off-by: Steve Grubb Signed-off-by: Al Viro diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 145cbb7..f5e917e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -995,7 +995,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts case AUDIT_IPC: { struct audit_aux_data_ipcctl *axi = (void *)aux; audit_log_format(ab, - "ouid=%u ogid=%u mode=%x", + "ouid=%u ogid=%u mode=%#o", axi->uid, axi->gid, axi->mode); if (axi->osid != 0) { char *ctx = NULL; @@ -1014,7 +1014,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts case AUDIT_IPC_SET_PERM: { struct audit_aux_data_ipcctl *axi = (void *)aux; audit_log_format(ab, - "qbytes=%lx ouid=%u ogid=%u mode=%x", + "qbytes=%lx ouid=%u ogid=%u mode=%#o", axi->qbytes, axi->uid, axi->gid, axi->mode); break; } -- cgit v0.10.2 From c926e4f432af0f61ac2b9b637fb51a4871a3fc91 Mon Sep 17 00:00:00 2001 From: Klaus Weidner Date: Wed, 16 May 2007 17:45:42 -0500 Subject: [PATCH] audit: fix broken class-based syscall audit The sanity check in audit_match_class() is wrong. We are able to audit 2048 syscalls but in audit_match_class() we were accidentally using sizeof(_u32) instead of number of bits in _u32 when deciding how many syscalls were valid. On ia64 in particular we were hitting syscall numbers over the (wrong) limit of 256. Fixing the audit_match_class check takes care of the problem. Signed-off-by: Klaus Weidner Signed-off-by: Al Viro diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 1bf093d..0ea96ba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -304,7 +304,7 @@ int __init audit_register_class(int class, unsigned *list) int audit_match_class(int class, unsigned syscall) { - if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) + if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) return 0; if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) return 0; -- cgit v0.10.2 From 74f2345b6be1410f824cb7dd638d2c10a9709379 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 4 Jun 2007 17:00:14 -0400 Subject: [PATCH] allow audit filtering on bit & operations Right now the audit filter can match on = != > < >= blah blah blah. This allow the filter to also look at bitwise AND operations, & Signed-off-by: Eric Paris Signed-off-by: Al Viro diff --git a/include/linux/audit.h b/include/linux/audit.h index 8ca7ca0..a35859a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -161,7 +161,7 @@ * are currently used in an audit field constant understood by the kernel. * If you are adding a new #define AUDIT_, please ensure that * AUDIT_UNUSED_BITS is updated if need be. */ -#define AUDIT_UNUSED_BITS 0x0FFFFC00 +#define AUDIT_UNUSED_BITS 0x07FFFC00 /* Rule fields */ @@ -213,25 +213,29 @@ #define AUDIT_NEGATE 0x80000000 /* These are the supported operators. - * 4 2 1 - * = > < - * ------- - * 0 0 0 0 nonsense - * 0 0 1 1 < - * 0 1 0 2 > - * 0 1 1 3 != - * 1 0 0 4 = - * 1 0 1 5 <= - * 1 1 0 6 >= - * 1 1 1 7 all operators + * 4 2 1 8 + * = > < ? + * ---------- + * 0 0 0 0 00 nonsense + * 0 0 0 1 08 & bit mask + * 0 0 1 0 10 < + * 0 1 0 0 20 > + * 0 1 1 0 30 != + * 1 0 0 0 40 = + * 1 0 0 1 48 &= bit test + * 1 0 1 0 50 <= + * 1 1 0 0 60 >= + * 1 1 1 1 78 all operators */ +#define AUDIT_BIT_MASK 0x08000000 #define AUDIT_LESS_THAN 0x10000000 #define AUDIT_GREATER_THAN 0x20000000 #define AUDIT_NOT_EQUAL 0x30000000 #define AUDIT_EQUAL 0x40000000 +#define AUDIT_BIT_TEST (AUDIT_BIT_MASK|AUDIT_EQUAL) #define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL) #define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL) -#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL) +#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK) /* Status symbols */ /* Mask values */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 0ea96ba..359645c 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -456,6 +456,13 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) case AUDIT_DEVMINOR: case AUDIT_EXIT: case AUDIT_SUCCESS: + /* bit ops are only useful on syscall args */ + if (f->op == AUDIT_BIT_MASK || + f->op == AUDIT_BIT_TEST) { + err = -EINVAL; + goto exit_free; + } + break; case AUDIT_ARG0: case AUDIT_ARG1: case AUDIT_ARG2: @@ -1566,6 +1573,10 @@ int audit_comparator(const u32 left, const u32 op, const u32 right) return (left > right); case AUDIT_GREATER_THAN_OR_EQUAL: return (left >= right); + case AUDIT_BIT_MASK: + return (left & right); + case AUDIT_BIT_TEST: + return ((left & right) == right); } BUG(); return 0; -- cgit v0.10.2 From 4259fa01a2d2aa3e589b34ba7624080232d9c1ff Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 7 Jun 2007 11:13:31 -0400 Subject: [PATCH] get rid of AVC_PATH postponed treatment Selinux folks had been complaining about the lack of AVC_PATH records when audit is disabled. I must admit my stupidity - I assumed that avc_audit() really couldn't use audit_log_d_path() because of deadlocks (== could be called with dcache_lock or vfsmount_lock held). Shouldn't have made that assumption - it never gets called that way. It _is_ called under spinlocks, but not those. Since audit_log_d_path() uses ab->gfp_mask for allocations, kmalloc() in there is not a problem. IOW, the simple fix is sufficient: let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main record. It's trivial to do. Signed-off-by: Al Viro Acked-by: James Morris diff --git a/include/linux/audit.h b/include/linux/audit.h index a35859a..4bbd860 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -411,7 +411,6 @@ extern int audit_bprm(struct linux_binprm *bprm); extern int audit_socketcall(int nargs, unsigned long *args); extern int audit_sockaddr(int len, void *addr); extern int __audit_fd_pair(int fd1, int fd2); -extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); extern int audit_set_macxattr(const char *name); extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr); extern int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout); @@ -491,7 +490,6 @@ extern int audit_signals; #define audit_socketcall(n,a) ({ 0; }) #define audit_fd_pair(n,a) ({ 0; }) #define audit_sockaddr(len, addr) ({ 0; }) -#define audit_avc_path(dentry, mnt) ({ 0; }) #define audit_set_macxattr(n) do { ; } while (0) #define audit_mq_open(o,m,a) ({ 0; }) #define audit_mq_timedsend(d,l,p,t) ({ 0; }) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index f5e917e..bde1124 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -173,12 +173,6 @@ struct audit_aux_data_fd_pair { int fd[2]; }; -struct audit_aux_data_path { - struct audit_aux_data d; - struct dentry *dentry; - struct vfsmount *mnt; -}; - struct audit_aux_data_pids { struct audit_aux_data d; pid_t target_pid[AUDIT_AUX_PIDS]; @@ -654,12 +648,6 @@ static inline void audit_free_aux(struct audit_context *context) struct audit_aux_data *aux; while ((aux = context->aux)) { - if (aux->type == AUDIT_AVC_PATH) { - struct audit_aux_data_path *axi = (void *)aux; - dput(axi->dentry); - mntput(axi->mnt); - } - context->aux = aux->next; kfree(aux); } @@ -1038,11 +1026,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_hex(ab, axs->a, axs->len); break; } - case AUDIT_AVC_PATH: { - struct audit_aux_data_path *axi = (void *)aux; - audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); - break; } - case AUDIT_FD_PAIR: { struct audit_aux_data_fd_pair *axs = (void *)aux; audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); @@ -1991,36 +1974,6 @@ void __audit_ptrace(struct task_struct *t) } /** - * audit_avc_path - record the granting or denial of permissions - * @dentry: dentry to record - * @mnt: mnt to record - * - * Returns 0 for success or NULL context or < 0 on error. - * - * Called from security/selinux/avc.c::avc_audit() - */ -int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) -{ - struct audit_aux_data_path *ax; - struct audit_context *context = current->audit_context; - - if (likely(!context)) - return 0; - - ax = kmalloc(sizeof(*ax), GFP_ATOMIC); - if (!ax) - return -ENOMEM; - - ax->dentry = dget(dentry); - ax->mnt = mntget(mnt); - - ax->d.type = AUDIT_AVC_PATH; - ax->d.next = context->aux; - context->aux = (void *)ax; - return 0; -} - -/** * audit_signal_info - record signal info for shutting down audit subsystem * @sig: signal value * @t: task being signaled diff --git a/security/selinux/avc.c b/security/selinux/avc.c index ecd0673..0e69adf 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -570,10 +570,12 @@ void avc_audit(u32 ssid, u32 tsid, case AVC_AUDIT_DATA_FS: if (a->u.fs.dentry) { struct dentry *dentry = a->u.fs.dentry; - if (a->u.fs.mnt) - audit_avc_path(dentry, a->u.fs.mnt); - audit_log_format(ab, " name="); - audit_log_untrustedstring(ab, dentry->d_name.name); + if (a->u.fs.mnt) { + audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt); + } else { + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, dentry->d_name.name); + } inode = dentry->d_inode; } else if (a->u.fs.inode) { struct dentry *dentry; @@ -624,9 +626,8 @@ void avc_audit(u32 ssid, u32 tsid, case AF_UNIX: u = unix_sk(sk); if (u->dentry) { - audit_avc_path(u->dentry, u->mnt); - audit_log_format(ab, " name="); - audit_log_untrustedstring(ab, u->dentry->d_name.name); + audit_log_d_path(ab, "path=", + u->dentry, u->mnt); break; } if (!u->addr) -- cgit v0.10.2