From b50eba7e2d534762a19a7207dda012f09302a8d2 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Mon, 16 Sep 2013 18:20:42 -0400 Subject: audit: format user messages to size of MAX_AUDIT_MESSAGE_LENGTH Messages of type AUDIT_USER_TTY were being formatted to 1024 octets, truncating messages approaching MAX_AUDIT_MESSAGE_LENGTH (8970 octets). Set the formatting to 8560 characters, given maximum estimates for prefix and suffix budgets. See the problem discussion: https://www.redhat.com/archives/linux-audit/2009-January/msg00030.html And the new size rationale: https://www.redhat.com/archives/linux-audit/2013-September/msg00016.html Test ~8k messages with: auditctl -m "$(for i in $(seq -w 001 820);do echo -n "${i}0______";done)" Reported-by: LC Bruzenak Reported-by: Justin Stephenson Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 75cef3f..5dfcd85 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -358,6 +358,12 @@ enum { #define AUDIT_PERM_READ 4 #define AUDIT_PERM_ATTR 8 +/* MAX_AUDIT_MESSAGE_LENGTH is set in audit:lib/libaudit.h as: + * 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1 + * max header+body+tailer: 44 + 29 + 32 + 262 + 7 + pad + */ +#define AUDIT_MESSAGE_TEXT_MAX 8560 + struct audit_status { __u32 mask; /* Bit mask for valid entries */ __u32 enabled; /* 1 = enabled, 0 = disabled */ diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..dd63d2f 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -715,7 +715,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } audit_log_common_recv_msg(&ab, msg_type); if (msg_type != AUDIT_USER_TTY) - audit_log_format(ab, " msg='%.1024s'", + audit_log_format(ab, " msg='%.*s'", + AUDIT_MESSAGE_TEXT_MAX, (char *)data); else { int size; -- cgit v0.10.2 From 47145705e3e2894b6c73846b67734726c5d7173c Mon Sep 17 00:00:00 2001 From: "Ilya V. Matveychikov" Date: Sun, 29 Sep 2013 15:53:40 +0400 Subject: audit: remove duplicate inclusion of the netlink header Signed-off-by: Ilya V. Matveychikov Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index dd63d2f..97c1ab9 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -60,7 +60,6 @@ #ifdef CONFIG_SECURITY #include #endif -#include #include #include #include -- cgit v0.10.2 From b8f89caafeb55fba75b74bea25adc4e4cd91be67 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Wed, 18 Sep 2013 11:17:43 -0400 Subject: audit: remove newline accidentally added during session id helper refactor A newline was accidentally added during session ID helper refactorization in commit 4d3fb709. This needlessly uses up buffer space, messes up syslog formatting and makes userspace processing less efficient. Remove it. Signed-off-by: Richard Guy Briggs Acked-by: Eric Paris Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index 97c1ab9..9069965 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1388,7 +1388,7 @@ void audit_log_session_info(struct audit_buffer *ab) u32 sessionid = audit_get_sessionid(current); uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); - audit_log_format(ab, " auid=%u ses=%u\n", auid, sessionid); + audit_log_format(ab, " auid=%u ses=%u", auid, sessionid); } void audit_log_key(struct audit_buffer *ab, char *key) -- cgit v0.10.2 From af0e493d304262162dcc0e0b39ee47b12461d003 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Mon, 23 Sep 2013 15:55:44 +0800 Subject: Audit: remove duplicate comments Remove it. Signed-off-by: Gao feng Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index 9069965..02b1b78 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1067,13 +1067,6 @@ static void wait_for_auditd(unsigned long sleep_time) remove_wait_queue(&audit_backlog_wait, &wait); } -/* Obtain an audit buffer. This routine does locking to obtain the - * audit buffer, but then no locking is required for calls to - * audit_log_*format. If the tsk is a task that is currently in a - * syscall, then the syscall is marked as auditable and an audit record - * will be written at syscall exit. If there is no associated task, tsk - * should be NULL. */ - /** * audit_log_start - obtain an audit buffer * @ctx: audit_context (may be NULL) -- cgit v0.10.2 From d48d805122e39c066898df2e460875d3aaf60508 Mon Sep 17 00:00:00 2001 From: Oleg Nesterov Date: Sun, 15 Sep 2013 19:11:09 +0200 Subject: audit_alloc: clear TIF_SYSCALL_AUDIT if !audit_context If audit_filter_task() nacks the new thread it makes sense to clear TIF_SYSCALL_AUDIT which can be copied from parent by dup_task_struct(). A wrong TIF_SYSCALL_AUDIT is not really bad but it triggers the "slow" audit paths in entry.S to ensure the task can not miss audit_syscall_*() calls, this is pointless if the task has no ->audit_context. Signed-off-by: Oleg Nesterov Acked-by: Steve Grubb Acked-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..95293ab 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -943,8 +943,10 @@ int audit_alloc(struct task_struct *tsk) return 0; /* Return if not auditing. */ state = audit_filter_task(tsk, &key); - if (state == AUDIT_DISABLED) + if (state == AUDIT_DISABLED) { + clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); return 0; + } if (!(context = audit_alloc_context(state))) { kfree(key); -- cgit v0.10.2 From 0868a5e150bc4c47e7a003367cd755811eb41e0b Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Thu, 25 Jul 2013 18:02:55 -0700 Subject: audit: printk USER_AVC messages when audit isn't enabled When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the audit-disabled case for discarding user messages"). When audit_enabled is 0, audit_receive_msg() discards all user messages except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to special case AUDIT_USER_AVC messages in both functions. It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") introduced this bug. Cc: # v2.6.25+ Signed-off-by: Tyler Hicks Cc: Al Viro Cc: Eric Paris Cc: linux-audit@redhat.com Acked-by: Kees Cook Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index 02b1b78..74550ff 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -612,7 +612,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) int rc = 0; uid_t uid = from_kuid(&init_user_ns, current_uid()); - if (!audit_enabled) { + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { *ab = NULL; return rc; } -- cgit v0.10.2 From 42f74461a5b60cf6b42887e6d2ff5b7be4abf1ca Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Mon, 20 May 2013 15:08:18 -0400 Subject: audit: change decimal constant to macro for invalid uid SFR reported this 2013-05-15: > After merging the final tree, today's linux-next build (i386 defconfig) > produced this warning: > > kernel/auditfilter.c: In function 'audit_data_to_entry': > kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only > in ISO C90 [enabled by default] > > Introduced by commit 780a7654cee8 ("audit: Make testing for a valid > loginuid explicit") from Linus' tree. Replace this decimal constant in the code with a macro to make it more readable (add to the unsigned cast to quiet the warning). Cc: Stephen Rothwell Cc: "Eric W. Biederman" Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 5dfcd85..c1f0fce 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -380,6 +380,8 @@ struct audit_tty_status { __u32 log_passwd; /* 1 = enabled, 0 = disabled */ }; +#define AUDIT_UID_UNSET (unsigned int)-1 + /* audit_rule_data supports filter rules with both integer and string * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and * AUDIT_LIST_RULES requests. diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f7aee8b..8a344ce 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -423,7 +423,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, f->lsm_rule = NULL; /* Support legacy tests for a valid loginuid */ - if ((f->type == AUDIT_LOGINUID) && (f->val == ~0U)) { + if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { f->type = AUDIT_LOGINUID_SET; f->val = 0; } -- cgit v0.10.2 From b0fed40214ce79ef70d97584ebdf13f89786da0e Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 22 May 2013 12:54:49 -0400 Subject: audit: implement generic feature setting and retrieving The audit_status structure was not designed with extensibility in mind. Define a new AUDIT_SET_FEATURE message type which takes a new structure of bits where things can be enabled/disabled/locked one at a time. This structure should be able to grow in the future while maintaining forward and backward compatibility (based loosly on the ideas from capabilities and prctl) This does not actually add any features, but is just infrastructure to allow new on/off types of audit system features. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/include/linux/audit.h b/include/linux/audit.h index 729a4d1..7b31bec 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -73,6 +73,8 @@ struct audit_field { void *lsm_rule; }; +extern int is_audit_feature_set(int which); + extern int __init audit_register_class(int class, unsigned *list); extern int audit_classify_syscall(int abi, unsigned syscall); extern int audit_classify_arch(int arch); diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index c1f0fce..9eddf2c 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -68,6 +68,9 @@ #define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */ #define AUDIT_TTY_GET 1016 /* Get TTY auditing status */ #define AUDIT_TTY_SET 1017 /* Set TTY auditing status */ +#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */ +#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */ +#define AUDIT_FEATURE_CHANGE 1020 /* audit log listing feature changes */ #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ #define AUDIT_USER_AVC 1107 /* We filter this differently */ @@ -375,6 +378,19 @@ struct audit_status { __u32 backlog; /* messages waiting in queue */ }; +struct audit_features { +#define AUDIT_FEATURE_VERSION 1 + __u32 vers; + __u32 mask; /* which bits we are dealing with */ + __u32 features; /* which feature to enable/disable */ + __u32 lock; /* which features to lock */ +}; + +#define AUDIT_LAST_FEATURE -1 + +#define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE) +#define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */ + struct audit_tty_status { __u32 enabled; /* 1 = enabled, 0 = disabled */ __u32 log_passwd; /* 1 = enabled, 0 = disabled */ diff --git a/kernel/audit.c b/kernel/audit.c index 74550ff..29ee6a4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -139,6 +139,15 @@ static struct task_struct *kauditd_task; static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait); static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait); +static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, + .mask = -1, + .features = 0, + .lock = 0,}; + +static char *audit_feature_names[0] = { +}; + + /* Serialize requests from userspace. */ DEFINE_MUTEX(audit_cmd_mutex); @@ -583,6 +592,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) return -EOPNOTSUPP; case AUDIT_GET: case AUDIT_SET: + case AUDIT_GET_FEATURE: + case AUDIT_SET_FEATURE: case AUDIT_LIST_RULES: case AUDIT_ADD_RULE: case AUDIT_DEL_RULE: @@ -627,6 +638,94 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) return rc; } +int is_audit_feature_set(int i) +{ + return af.features & AUDIT_FEATURE_TO_MASK(i); +} + + +static int audit_get_feature(struct sk_buff *skb) +{ + u32 seq; + + seq = nlmsg_hdr(skb)->nlmsg_seq; + + audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, + &af, sizeof(af)); + + return 0; +} + +static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature, + u32 old_lock, u32 new_lock, int res) +{ + struct audit_buffer *ab; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); + audit_log_format(ab, "feature=%s new=%d old=%d old_lock=%d new_lock=%d res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, + !!old_lock, !!new_lock, res); + audit_log_end(ab); +} + +static int audit_set_feature(struct sk_buff *skb) +{ + struct audit_features *uaf; + int i; + + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0])); + uaf = nlmsg_data(nlmsg_hdr(skb)); + + /* if there is ever a version 2 we should handle that here */ + + for (i = 0; i <= AUDIT_LAST_FEATURE; i++) { + u32 feature = AUDIT_FEATURE_TO_MASK(i); + u32 old_feature, new_feature, old_lock, new_lock; + + /* if we are not changing this feature, move along */ + if (!(feature & uaf->mask)) + continue; + + old_feature = af.features & feature; + new_feature = uaf->features & feature; + new_lock = (uaf->lock | af.lock) & feature; + old_lock = af.lock & feature; + + /* are we changing a locked feature? */ + if ((af.lock & feature) && (new_feature != old_feature)) { + audit_log_feature_change(i, old_feature, new_feature, + old_lock, new_lock, 0); + return -EPERM; + } + } + /* nothing invalid, do the changes */ + for (i = 0; i <= AUDIT_LAST_FEATURE; i++) { + u32 feature = AUDIT_FEATURE_TO_MASK(i); + u32 old_feature, new_feature, old_lock, new_lock; + + /* if we are not changing this feature, move along */ + if (!(feature & uaf->mask)) + continue; + + old_feature = af.features & feature; + new_feature = uaf->features & feature; + old_lock = af.lock & feature; + new_lock = (uaf->lock | af.lock) & feature; + + if (new_feature != old_feature) + audit_log_feature_change(i, old_feature, new_feature, + old_lock, new_lock, 1); + + if (new_feature) + af.features |= feature; + else + af.features &= ~feature; + af.lock |= new_lock; + } + + return 0; +} + static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { u32 seq; @@ -698,6 +797,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) err = audit_set_backlog_limit(status_get->backlog_limit); break; + case AUDIT_GET_FEATURE: + err = audit_get_feature(skb); + if (err) + return err; + break; + case AUDIT_SET_FEATURE: + err = audit_set_feature(skb); + if (err) + return err; + break; case AUDIT_USER: case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: -- cgit v0.10.2 From b805b198dc74b73aabb6969a3db734c71c05c88c Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 24 May 2013 12:09:50 -0400 Subject: selinux: apply selinux checks on new audit message types We use the read check to get the feature set (like AUDIT_GET) and the write check to set the features (like AUDIT_SET). Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 855e464..332ac8a 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -116,6 +116,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] = { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, + { AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ }, + { AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, }; -- cgit v0.10.2 From da0a610497ce193782c8df4a33fee7fce030cb99 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 24 May 2013 08:58:31 -0400 Subject: audit: loginuid functions coding style This is just a code rework. It makes things more readable. It does not make any functional changes. It does change the log messages to include both the old session id as well the new and it includes a new res field, which means we get messages even when the user did not have permission to change the loginuid. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 95293ab..7268467 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1966,6 +1966,39 @@ int auditsc_get_stamp(struct audit_context *ctx, /* global counter which is incremented every time something logs in */ static atomic_t session_id = ATOMIC_INIT(0); +static int audit_set_loginuid_perm(kuid_t loginuid) +{ +#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE + /* if we are unset, we don't need privs */ + if (!audit_loginuid_set(current)) + return 0; +#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ + if (capable(CAP_AUDIT_CONTROL)) + return 0; +#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ + return -EPERM; +} + +static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, + unsigned int oldsessionid, unsigned int sessionid, + int rc) +{ + struct audit_buffer *ab; + uid_t uid, ologinuid, nloginuid; + + uid = from_kuid(&init_user_ns, task_uid(current)); + ologinuid = from_kuid(&init_user_ns, koldloginuid); + nloginuid = from_kuid(&init_user_ns, kloginuid), + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); + if (!ab) + return; + audit_log_format(ab, "pid=%d uid=%u old auid=%u new auid=%u old " + "ses=%u new ses=%u res=%d", current->pid, uid, ologinuid, + nloginuid, oldsessionid, sessionid, !rc); + audit_log_end(ab); +} + /** * audit_set_loginuid - set current task's audit_context loginuid * @loginuid: loginuid value @@ -1977,37 +2010,24 @@ static atomic_t session_id = ATOMIC_INIT(0); int audit_set_loginuid(kuid_t loginuid) { struct task_struct *task = current; - struct audit_context *context = task->audit_context; - unsigned int sessionid; + unsigned int sessionid = -1; + kuid_t oldloginuid, oldsessionid; + int rc; -#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE - if (audit_loginuid_set(task)) - return -EPERM; -#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ - if (!capable(CAP_AUDIT_CONTROL)) - return -EPERM; -#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ + oldloginuid = audit_get_loginuid(current); + oldsessionid = audit_get_sessionid(current); + + rc = audit_set_loginuid_perm(loginuid); + if (rc) + goto out; sessionid = atomic_inc_return(&session_id); - if (context && context->in_syscall) { - struct audit_buffer *ab; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); - if (ab) { - audit_log_format(ab, "login pid=%d uid=%u " - "old auid=%u new auid=%u" - " old ses=%u new ses=%u", - task->pid, - from_kuid(&init_user_ns, task_uid(task)), - from_kuid(&init_user_ns, task->loginuid), - from_kuid(&init_user_ns, loginuid), - task->sessionid, sessionid); - audit_log_end(ab); - } - } task->sessionid = sessionid; task->loginuid = loginuid; - return 0; +out: + audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc); + return rc; } /** -- cgit v0.10.2 From 83fa6bbe4c4541ae748b550b4ec391f8a0acfe94 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 24 May 2013 09:39:29 -0400 Subject: audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE After trying to use this feature in Fedora we found the hard coding policy like this into the kernel was a bad idea. Surprise surprise. We ran into these problems because it was impossible to launch a container as a logged in user and run a login daemon inside that container. This reverts back to the old behavior before this option was added. The option will be re-added in a userspace selectable manor such that userspace can choose when it is and when it is not appropriate. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/init/Kconfig b/init/Kconfig index fed81b5..18a98c8 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -301,20 +301,6 @@ config AUDIT_TREE depends on AUDITSYSCALL select FSNOTIFY -config AUDIT_LOGINUID_IMMUTABLE - bool "Make audit loginuid immutable" - depends on AUDIT - help - The config option toggles if a task setting its loginuid requires - CAP_SYS_AUDITCONTROL or if that task should require no special permissions - but should instead only allow setting its loginuid if it was never - previously set. On systems which use systemd or a similar central - process to restart login services this should be set to true. On older - systems in which an admin would typically have to directly stop and - start processes this should be set to false. Setting this to true allows - one to drop potentially dangerous capabilites from the login tasks, - but may not be backwards compatible with older init systems. - source "kernel/irq/Kconfig" source "kernel/time/Kconfig" diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 7268467..b55788b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1968,15 +1968,13 @@ static atomic_t session_id = ATOMIC_INIT(0); static int audit_set_loginuid_perm(kuid_t loginuid) { -#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE /* if we are unset, we don't need privs */ if (!audit_loginuid_set(current)) return 0; -#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ - if (capable(CAP_AUDIT_CONTROL)) - return 0; -#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ - return -EPERM; + /* it is set, you need permission */ + if (!capable(CAP_AUDIT_CONTROL)) + return -EPERM; + return 0; } static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, -- cgit v0.10.2 From 81407c84ace88368ff23abb81caaeacf050c8450 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 24 May 2013 09:49:14 -0400 Subject: audit: allow unsetting the loginuid (with priv) If a task has CAP_AUDIT_CONTROL allow that task to unset their loginuid. This would allow a child of that task to set their loginuid without CAP_AUDIT_CONTROL. Thus when launching a new login daemon, a priviledged helper would be able to unset the loginuid and then the daemon, which may be malicious user facing, do not need priv to function correctly. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/fs/proc/base.c b/fs/proc/base.c index 1485e38..03c8d74 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -1151,10 +1151,16 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, goto out_free_page; } - kloginuid = make_kuid(file->f_cred->user_ns, loginuid); - if (!uid_valid(kloginuid)) { - length = -EINVAL; - goto out_free_page; + + /* is userspace tring to explicitly UNSET the loginuid? */ + if (loginuid == AUDIT_UID_UNSET) { + kloginuid = INVALID_UID; + } else { + kloginuid = make_kuid(file->f_cred->user_ns, loginuid); + if (!uid_valid(kloginuid)) { + length = -EINVAL; + goto out_free_page; + } } length = audit_set_loginuid(kloginuid); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b55788b..c75d781 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2019,7 +2019,9 @@ int audit_set_loginuid(kuid_t loginuid) if (rc) goto out; - sessionid = atomic_inc_return(&session_id); + /* are we setting or clearing? */ + if (uid_valid(loginuid)) + sessionid = atomic_inc_return(&session_id); task->sessionid = sessionid; task->loginuid = loginuid; -- cgit v0.10.2 From d040e5af380554c23ffe0a034ae5f3e53da93a1d Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 24 May 2013 09:18:04 -0400 Subject: audit: audit feature to only allow unsetting the loginuid This is a new audit feature which only grants processes with CAP_AUDIT_CONTROL the ability to unset their loginuid. They cannot directly set it from a valid uid to another valid uid. The ability to unset the loginuid is nice because a priviledged task, like that of container creation, can unset the loginuid and then priv is not needed inside the container when a login daemon needs to set the loginuid. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 9eddf2c..05e5e8f 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -386,7 +386,8 @@ struct audit_features { __u32 lock; /* which features to lock */ }; -#define AUDIT_LAST_FEATURE -1 +#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0 +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_ONLY_UNSET_LOGINUID #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE) #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */ diff --git a/kernel/audit.c b/kernel/audit.c index 29ee6a4..fbfa3a7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -144,7 +144,8 @@ static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, .features = 0, .lock = 0,}; -static char *audit_feature_names[0] = { +static char *audit_feature_names[1] = { + "only_unset_loginuid", }; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c75d781..924c0bf 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1974,6 +1974,9 @@ static int audit_set_loginuid_perm(kuid_t loginuid) /* it is set, you need permission */ if (!capable(CAP_AUDIT_CONTROL)) return -EPERM; + /* reject if this is not an unset and we don't allow that */ + if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid)) + return -EPERM; return 0; } -- cgit v0.10.2 From 21b85c31d23f2047d47e1f74bfa5caa8b75c1c77 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 23 May 2013 14:26:00 -0400 Subject: audit: audit feature to set loginuid immutable This adds a new 'audit_feature' bit which allows userspace to set it such that the loginuid is absolutely immutable, even if you have CAP_AUDIT_CONTROL. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 05e5e8f..e2f0d99 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -387,7 +387,8 @@ struct audit_features { }; #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0 -#define AUDIT_LAST_FEATURE AUDIT_FEATURE_ONLY_UNSET_LOGINUID +#define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1 +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE) #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */ diff --git a/kernel/audit.c b/kernel/audit.c index fbfa3a7..f3f36f5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -144,8 +144,9 @@ static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, .features = 0, .lock = 0,}; -static char *audit_feature_names[1] = { +static char *audit_feature_names[2] = { "only_unset_loginuid", + "loginuid_immutable", }; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 924c0bf..63223d6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1971,6 +1971,9 @@ static int audit_set_loginuid_perm(kuid_t loginuid) /* if we are unset, we don't need privs */ if (!audit_loginuid_set(current)) return 0; + /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/ + if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE)) + return -EPERM; /* it is set, you need permission */ if (!capable(CAP_AUDIT_CONTROL)) return -EPERM; -- cgit v0.10.2 From db510fc5cd9b9db214d7ec1828662942fac19c8c Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Thu, 4 Jul 2013 12:56:11 -0400 Subject: audit: update AUDIT_INODE filter rule to comparator function It appears this one comparison function got missed in f368c07d (and 9c937dcc). Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 63223d6..065c7a1 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -566,7 +566,7 @@ static int audit_filter_rules(struct task_struct *tsk, break; case AUDIT_INODE: if (name) - result = (name->ino == f->val); + result = audit_comparator(name->ino, f->op, f->val); else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { if (audit_comparator(n->ino, f->op, f->val)) { -- cgit v0.10.2 From 64fbff9ae0a0a843365d922e0057fc785f23f0e3 Mon Sep 17 00:00:00 2001 From: Mathias Krause Date: Mon, 30 Sep 2013 22:04:24 +0200 Subject: audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index f3f36f5..e0f7767 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -759,6 +759,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) switch (msg_type) { case AUDIT_GET: + status_set.mask = 0; status_set.enabled = audit_enabled; status_set.failure = audit_failure; status_set.pid = audit_pid; -- cgit v0.10.2 From e13f91e3c57986a609c10ddf94af0546a2a97dce Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 5 Nov 2013 10:48:02 -0500 Subject: audit: use memset instead of trying to initialize field by field We currently are setting fields to 0 to initialize the structure declared on the stack. This is a bad idea as if the structure has holes or unpacked space these will not be initialized. Just use memset. This is not a performance critical section of code. Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index e0f7767..3ce60e0 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -759,7 +759,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) switch (msg_type) { case AUDIT_GET: - status_set.mask = 0; + memset(&status_set, 0, sizeof(status_set)); status_set.enabled = audit_enabled; status_set.failure = audit_failure; status_set.pid = audit_pid; -- cgit v0.10.2 From 4d8fe7376a12bf4524783dd95cbc00f1fece6232 Mon Sep 17 00:00:00 2001 From: Mathias Krause Date: Mon, 30 Sep 2013 22:04:25 +0200 Subject: audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd Signed-off-by: Mathias Krause Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index 3ce60e0..3ad14e6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -771,7 +771,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) &status_set, sizeof(status_set)); break; case AUDIT_SET: - if (nlh->nlmsg_len < sizeof(struct audit_status)) + if (nlmsg_len(nlh) < sizeof(struct audit_status)) return -EINVAL; status_get = (struct audit_status *)data; if (status_get->mask & AUDIT_STATUS_ENABLED) { @@ -944,7 +944,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len)); + memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); if ((s.enabled != 0 && s.enabled != 1) || (s.log_passwd != 0 && s.log_passwd != 1)) return -EINVAL; -- cgit v0.10.2 From b95d77fe341b9c9641addb326cf43c30d1ba23b8 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Fri, 3 May 2013 14:03:49 -0400 Subject: audit: use given values in tty_audit enable api In send/GET, we don't want the kernel to lie about what value is set. Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index 3ad14e6..6161640 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -930,7 +930,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct task_struct *tsk = current; spin_lock(&tsk->sighand->siglock); - s.enabled = tsk->signal->audit_tty != 0; + s.enabled = tsk->signal->audit_tty; s.log_passwd = tsk->signal->audit_tty_log_passwd; spin_unlock(&tsk->sighand->siglock); -- cgit v0.10.2 From 14e972b4517128ac8e30e3de2ee4fbd995084223 Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Wed, 8 May 2013 10:25:58 -0400 Subject: audit: add child record before the create to handle case where create fails Historically, when a syscall that creates a dentry fails, you get an audit record that looks something like this (when trying to create a file named "new" in "/tmp/tmp.SxiLnCcv63"): type=PATH msg=audit(1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 This record makes no sense since it's associating the inode information for "/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent patch I posted to fix the audit_inode call in do_last fixes this, by making it look more like this: type=PATH msg=audit(1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 While this is more correct, if the creation of the file fails, then we have no record of the filename that the user tried to create. This patch adds a call to audit_inode_child to may_create. This creates an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the create succeeds. When and if the create does succeed, then this record will be updated with the correct inode info from the create. This fixes what was broken in commit bfcec708. Commit 79f6530c should also be backported to stable v3.7+. Signed-off-by: Jeff Layton Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/fs/namei.c b/fs/namei.c index 7720fbd..df9946e 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2262,6 +2262,7 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir) */ static inline int may_create(struct inode *dir, struct dentry *child) { + audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE); if (child->d_inode) return -EEXIST; if (IS_DEADDIR(dir)) -- cgit v0.10.2 From d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Wed, 8 May 2013 10:32:23 -0400 Subject: audit: log the audit_names record type ...to make it clear what the intent behind each record's operation was. In many cases you can infer this, based on the context of the syscall and the result. In other cases it's not so obvious. For instance, in the case where you have a file being renamed over another, you'll have two different records with the same filename but different inode info. By logging this information we can clearly tell which one was created and which was deleted. This fixes what was broken in commit bfcec708. Commit 79f6530c should also be backported to stable v3.7+. Signed-off-by: Jeff Layton Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/audit.c b/kernel/audit.c index 6161640..b8831ac 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1640,6 +1640,26 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, } } + /* log the audit_names record type */ + audit_log_format(ab, " nametype="); + switch(n->type) { + case AUDIT_TYPE_NORMAL: + audit_log_format(ab, "NORMAL"); + break; + case AUDIT_TYPE_PARENT: + audit_log_format(ab, "PARENT"); + break; + case AUDIT_TYPE_CHILD_DELETE: + audit_log_format(ab, "DELETE"); + break; + case AUDIT_TYPE_CHILD_CREATE: + audit_log_format(ab, "CREATE"); + break; + default: + audit_log_format(ab, "UNKNOWN"); + break; + } + audit_log_fcaps(ab, n); audit_log_end(ab); } -- cgit v0.10.2 From a20b62bdf7a1ed1a334eff3c4cafa97f5826006b Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Tue, 1 Oct 2013 21:14:54 -0400 Subject: audit: suppress stock memalloc failure warnings since already managed Supress the stock memory allocation failure warnings for audit buffers since audit alreay takes care of memory allocation failure warnings, including rate-limiting, in audit_log_start(). Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 8d8d97d..b0f249d 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -396,7 +396,8 @@ void common_lsm_audit(struct common_audit_data *a, if (a == NULL) return; /* we use GFP_ATOMIC so we won't sleep */ - ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC); + ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN, + AUDIT_AVC); if (ab == NULL) return; -- cgit v0.10.2 From 78122037b7e8febbd3116ab0da3ee6c34756bde9 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 4 Sep 2013 15:01:43 -0400 Subject: audit: do not reject all AUDIT_INODE filter types commit ab61d38ed8cf670946d12dc46b9198b521c790ea tried to merge the invalid filter checking into a single function. However AUDIT_INODE filters were not verified in the new generic checker. Thus such rules were being denied even though they were perfectly valid. Ex: $ auditctl -a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1 Error sending add rule data request (Invalid argument) Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 8a344ce..51f3fd4 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -343,6 +343,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_DEVMINOR: case AUDIT_EXIT: case AUDIT_SUCCESS: + case AUDIT_INODE: /* bit ops are only useful on syscall args */ if (f->op == Audit_bitmask || f->op == Audit_bittest) return -EINVAL; -- cgit v0.10.2 From bd131fb1aa5e4cd879f89aef30f4f7cde6d4b409 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Tue, 19 Mar 2013 00:09:40 -0700 Subject: audit: Kill the unused struct audit_aux_data_capset Signed-off-by: "Eric W. Biederman" (cherry picked from ebiederman commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7) Signed-off-by: Eric Paris diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 065c7a1..c7b97aa 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -121,12 +121,6 @@ struct audit_aux_data_bprm_fcaps { struct audit_cap_data new_pcap; }; -struct audit_aux_data_capset { - struct audit_aux_data d; - pid_t pid; - struct audit_cap_data cap; -}; - struct audit_tree_refs { struct audit_tree_refs *next; struct audit_chunk *c[31]; -- cgit v0.10.2 From 9462dc59817580419ef1f2504e32f861c290f251 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Wed, 23 Oct 2013 16:55:38 -0400 Subject: audit: remove unused envc member of audit_aux_data_execve Get rid of write-only audit_aux_data_exeve structure member envc. Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c7b97aa..11078f3 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -98,7 +98,6 @@ struct audit_aux_data { struct audit_aux_data_execve { struct audit_aux_data d; int argc; - int envc; struct mm_struct *mm; }; @@ -2158,7 +2157,6 @@ int __audit_bprm(struct linux_binprm *bprm) return -ENOMEM; ax->argc = bprm->argc; - ax->envc = bprm->envc; ax->mm = bprm->mm; ax->d.type = AUDIT_EXECVE; ax->d.next = context->aux; -- cgit v0.10.2 From d9cfea91e97d5d19f9d69beaa844f5fe56a6adc6 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Wed, 30 Oct 2013 17:56:13 -0400 Subject: audit: move audit_aux_data_execve contents into audit_context union audit_bprm() was being called to add an AUDIT_EXECVE record to the audit context every time search_binary_handler() was recursively called. Only one reference is necessary, so just update it. Move the the contents of audit_aux_data_execve into the union in audit_context, removing dependence on a kmalloc along the way. Reported-by: Oleg Nesterov Cc: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris diff --git a/include/linux/audit.h b/include/linux/audit.h index 7b31bec..08b38bf 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -209,7 +209,7 @@ static inline int audit_get_sessionid(struct task_struct *tsk) extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); -extern int __audit_bprm(struct linux_binprm *bprm); +extern void __audit_bprm(struct linux_binprm *bprm); extern int __audit_socketcall(int nargs, unsigned long *args); extern int __audit_sockaddr(int len, void *addr); extern void __audit_fd_pair(int fd1, int fd2); @@ -241,7 +241,7 @@ static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid static inline int audit_bprm(struct linux_binprm *bprm) { if (unlikely(!audit_dummy_context())) - return __audit_bprm(bprm); + __audit_bprm(bprm); return 0; } static inline int audit_socketcall(int nargs, unsigned long *args) diff --git a/kernel/audit.h b/kernel/audit.h index 123c9b7..e7b94ab 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -197,6 +197,10 @@ struct audit_context { int fd; int flags; } mmap; + struct { + int argc; + struct mm_struct *mm; + } execve; }; int fds[2]; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 11078f3..425a893 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -95,12 +95,6 @@ struct audit_aux_data { /* Number of target pids per aux struct. */ #define AUDIT_AUX_PIDS 16 -struct audit_aux_data_execve { - struct audit_aux_data d; - int argc; - struct mm_struct *mm; -}; - struct audit_aux_data_pids { struct audit_aux_data d; pid_t target_pid[AUDIT_AUX_PIDS]; @@ -1144,20 +1138,19 @@ static int audit_log_single_execve_arg(struct audit_context *context, } static void audit_log_execve_info(struct audit_context *context, - struct audit_buffer **ab, - struct audit_aux_data_execve *axi) + struct audit_buffer **ab) { int i, len; size_t len_sent = 0; const char __user *p; char *buf; - if (axi->mm != current->mm) + if (context->execve.mm != current->mm) return; /* execve failed, no additional info */ - p = (const char __user *)axi->mm->arg_start; + p = (const char __user *)current->mm->arg_start; - audit_log_format(*ab, "argc=%d", axi->argc); + audit_log_format(*ab, "argc=%d", context->execve.argc); /* * we need some kernel buffer to hold the userspace args. Just @@ -1171,7 +1164,7 @@ static void audit_log_execve_info(struct audit_context *context, return; } - for (i = 0; i < axi->argc; i++) { + for (i = 0; i < context->execve.argc; i++) { len = audit_log_single_execve_arg(context, ab, i, &len_sent, p, buf); if (len <= 0) @@ -1274,6 +1267,9 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, context->mmap.flags); break; } + case AUDIT_EXECVE: { + audit_log_execve_info(context, &ab); + break; } } audit_log_end(ab); } @@ -1320,11 +1316,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts switch (aux->type) { - case AUDIT_EXECVE: { - struct audit_aux_data_execve *axi = (void *)aux; - audit_log_execve_info(context, &ab, axi); - break; } - case AUDIT_BPRM_FCAPS: { struct audit_aux_data_bprm_fcaps *axs = (void *)aux; audit_log_format(ab, "fver=%x", axs->fcap_ver); @@ -2147,21 +2138,13 @@ void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mo context->ipc.has_perm = 1; } -int __audit_bprm(struct linux_binprm *bprm) +void __audit_bprm(struct linux_binprm *bprm) { - struct audit_aux_data_execve *ax; struct audit_context *context = current->audit_context; - ax = kmalloc(sizeof(*ax), GFP_KERNEL); - if (!ax) - return -ENOMEM; - - ax->argc = bprm->argc; - ax->mm = bprm->mm; - ax->d.type = AUDIT_EXECVE; - ax->d.next = context->aux; - context->aux = (void *)ax; - return 0; + context->type = AUDIT_EXECVE; + context->execve.argc = bprm->argc; + context->execve.mm = bprm->mm; } -- cgit v0.10.2 From 9410d228a4cf434305306746bb799fb7acdd8648 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Wed, 30 Oct 2013 18:05:24 -0400 Subject: audit: call audit_bprm() only once to add AUDIT_EXECVE information Move the audit_bprm() call from search_binary_handler() to exec_binprm(). This allows us to get rid of the mm member of struct audit_aux_data_execve since bprm->mm will equal current->mm. This also mitigates the issue that ->argc could be modified by the load_binary() call in search_binary_handler(). audit_bprm() was being called to add an AUDIT_EXECVE record to the audit context every time search_binary_handler() was recursively called. Only one reference is necessary. Reported-by: Oleg Nesterov Cc: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris --- This patch is against 3.11, but was developed on Oleg's post-3.11 patches that introduce exec_binprm(). diff --git a/fs/exec.c b/fs/exec.c index fd774c7..c5c24f2 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1383,10 +1383,6 @@ int search_binary_handler(struct linux_binprm *bprm) if (retval) return retval; - retval = audit_bprm(bprm); - if (retval) - return retval; - /* Need to fetch pid before load_binary changes it */ old_pid = current->pid; rcu_read_lock(); @@ -1408,6 +1404,7 @@ int search_binary_handler(struct linux_binprm *bprm) bprm->recursion_depth = depth; if (retval >= 0) { if (depth == 0) { + audit_bprm(bprm); trace_sched_process_exec(current, old_pid, bprm); ptrace_event(PTRACE_EVENT_EXEC, old_vpid); } diff --git a/include/linux/audit.h b/include/linux/audit.h index 08b38bf..a406419 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -238,11 +238,10 @@ static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid if (unlikely(!audit_dummy_context())) __audit_ipc_set_perm(qbytes, uid, gid, mode); } -static inline int audit_bprm(struct linux_binprm *bprm) +static inline void audit_bprm(struct linux_binprm *bprm) { if (unlikely(!audit_dummy_context())) __audit_bprm(bprm); - return 0; } static inline int audit_socketcall(int nargs, unsigned long *args) { @@ -369,10 +368,8 @@ static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) { } -static inline int audit_bprm(struct linux_binprm *bprm) -{ - return 0; -} +static inline void audit_bprm(struct linux_binprm *bprm) +{ } static inline int audit_socketcall(int nargs, unsigned long *args) { return 0; diff --git a/kernel/audit.h b/kernel/audit.h index e7b94ab..b779642 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -199,7 +199,6 @@ struct audit_context { } mmap; struct { int argc; - struct mm_struct *mm; } execve; }; int fds[2]; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 425a893..dfc5d67 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1145,9 +1145,6 @@ static void audit_log_execve_info(struct audit_context *context, const char __user *p; char *buf; - if (context->execve.mm != current->mm) - return; /* execve failed, no additional info */ - p = (const char __user *)current->mm->arg_start; audit_log_format(*ab, "argc=%d", context->execve.argc); @@ -2144,7 +2141,6 @@ void __audit_bprm(struct linux_binprm *bprm) context->type = AUDIT_EXECVE; context->execve.argc = bprm->argc; - context->execve.mm = bprm->mm; } -- cgit v0.10.2 From 9175c9d2aed528800175ef81c90569d00d23f9be Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 6 Nov 2013 10:47:17 -0500 Subject: audit: fix type of sessionid in audit_set_loginuid() sfr pointed out that with CONFIG_UIDGID_STRICT_TYPE_CHECKS set the audit tree would not build. This is because the oldsessionid in audit_set_loginuid() was accidentally being declared as a kuid_t. This patch fixes that declaration mistake. Example of problem: kernel/auditsc.c: In function 'audit_set_loginuid': kernel/auditsc.c:2003:15: error: incompatible types when assigning to type 'kuid_t' from type 'int' oldsessionid = audit_get_sessionid(current); Reported-by: Stephen Rothwell Signed-off-by: Eric Paris diff --git a/kernel/auditsc.c b/kernel/auditsc.c index dfc5d67..90594c9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1995,8 +1995,8 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, int audit_set_loginuid(kuid_t loginuid) { struct task_struct *task = current; - unsigned int sessionid = -1; - kuid_t oldloginuid, oldsessionid; + unsigned int oldsessionid, sessionid = (unsigned int)-1; + kuid_t oldloginuid; int rc; oldloginuid = audit_get_loginuid(current); -- cgit v0.10.2