1. 11 Nov, 2008 2 commits
    • Eric Paris's avatar
      Any time fcaps or a setuid app under SECURE_NOROOT is used to result in a · 3fc689e9
      Eric Paris authored
      
      non-zero pE we will crate a new audit record which contains the entire set
      of known information about the executable in question, fP, fI, fE, fversion
      and includes the process's pE, pI, pP.  Before and after the bprm capability
      are applied.  This record type will only be emitted from execve syscalls.
      
      an example of making ping use fcaps instead of setuid:
      
      setcap "cat_net_raw+pe" /bin/ping
      
      type=SYSCALL msg=audit(1225742021.015:236): arch=c000003e syscall=59 success=yes exit=0 a0=1457f30 a1=14606b0 a2=1463940 a3=321b770a70 items=2 ppid=2929 pid=2963 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=UNKNOWN[1321] msg=audit(1225742021.015:236): fver=2 fp=0000000000002000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000000000002000 new_pi=0000000000000000 new_pe=0000000000002000
      type=EXECVE msg=audit(1225742021.015:236): argc=2 a0="ping" a1="127.0.0.1"
      type=CWD msg=audit(1225742021.015:236):  cwd="/home/test"
      type=PATH msg=audit(1225742021.015:236): item=0 name="/bin/ping" inode=49256 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fp=0000000000002000 cap_fe=1 cap_fver=2
      type=PATH msg=audit(1225742021.015:236): item=1 name=(null) inode=507915 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      3fc689e9
    • Eric Paris's avatar
      This patch will print cap_permitted and cap_inheritable data in the PATH · 851f7ff5
      Eric Paris authored
      
      records of any file that has file capabilities set.  Files which do not
      have fcaps set will not have different PATH records.
      
      An example audit record if you run:
      setcap "cap_net_admin+pie" /bin/bash
      /bin/bash
      
      type=SYSCALL msg=audit(1225741937.363:230): arch=c000003e syscall=59 success=yes exit=0 a0=2119230 a1=210da30 a2=20ee290 a3=8 items=2 ppid=2149 pid=2923 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=EXECVE msg=audit(1225741937.363:230): argc=2 a0="ping" a1="www.google.com"
      type=CWD msg=audit(1225741937.363:230):  cwd="/root"
      type=PATH msg=audit(1225741937.363:230): item=0 name="/bin/ping" inode=49256 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fp=0000000000002000 cap_fi=0000000000002000 cap_fe=1 cap_fver=2
      type=PATH msg=audit(1225741937.363:230): item=1 name=(null) inode=507915 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      851f7ff5
  2. 13 Oct, 2008 1 commit
  3. 02 Sep, 2008 1 commit
  4. 04 Aug, 2008 1 commit
  5. 01 Aug, 2008 2 commits
  6. 24 Jul, 2008 1 commit
    • Roland McGrath's avatar
      x86_64 syscall audit fast-path · 86a1c34a
      Roland McGrath authored
      
      
      This adds a fast path for 64-bit syscall entry and exit when
      TIF_SYSCALL_AUDIT is set, but no other kind of syscall tracing.
      This path does not need to save and restore all registers as
      the general case of tracing does.  Avoiding the iret return path
      when syscall audit is enabled helps performance a lot.
      Signed-off-by: default avatarRoland McGrath <roland@redhat.com>
      86a1c34a
  7. 28 Apr, 2008 5 commits
    • Al Viro's avatar
      [PATCH] new predicate - AUDIT_FILETYPE · 8b67dca9
      Al Viro authored
      
      
      Argument is S_IF... | <index>, where index is normally 0 or 1.
      Triggers if chosen element of ctx->names[] is present and the
      mode of object in question matches the upper bits of argument.
      I.e. for things like "is the argument of that chmod a directory",
      etc.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8b67dca9
    • Harvey Harrison's avatar
      [PATCH 2/2] audit: fix sparse shadowed variable warnings · 7719e437
      Harvey Harrison authored
      
      
      Use msglen as the identifier.
      kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
      kernel/audit.c:575:8: originally declared here
      
      Don't use ino_f to check the inode field at the end of the functions.
      kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:420:21: originally declared here
      kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:529:21: originally declared here
      
      i always used as a counter for a for loop and initialized to zero before
      use.  Eliminate the inner i variables.
      kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      7719e437
    • Harvey Harrison's avatar
      [PATCH 1/2] audit: move extern declarations to audit.h · c782f242
      Harvey Harrison authored
      
      
      Leave audit_sig_{uid|pid|sid} protected by #ifdef CONFIG_AUDITSYSCALL.
      
      Noticed by sparse:
      kernel/audit.c:73:6: warning: symbol 'audit_ever_enabled' was not declared. Should it be static?
      kernel/audit.c:100:8: warning: symbol 'audit_sig_uid' was not declared. Should it be static?
      kernel/audit.c:101:8: warning: symbol 'audit_sig_pid' was not declared. Should it be static?
      kernel/audit.c:102:6: warning: symbol 'audit_sig_sid' was not declared. Should it be static?
      kernel/audit.c:117:23: warning: symbol 'audit_ih' was not declared. Should it be static?
      kernel/auditfilter.c:78:18: warning: symbol 'audit_filter_list' was not declared. Should it be static?
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c782f242
    • Eric Paris's avatar
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris authored
      
      
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
    • Eric Paris's avatar
      Audit: end printk with newline · 436c405c
      Eric Paris authored
      
      
      A couple of audit printk statements did not have a newline.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      436c405c
  8. 18 Apr, 2008 3 commits
  9. 01 Mar, 2008 1 commit
  10. 19 Feb, 2008 1 commit
  11. 15 Feb, 2008 2 commits
  12. 01 Feb, 2008 9 commits
  13. 23 Oct, 2007 1 commit
  14. 21 Oct, 2007 2 commits
    • Al Viro's avatar
      [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro authored
      
      
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
      	* if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
      	* if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
      	* if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there.  New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      74c3cbe3
    • Al Viro's avatar
      [PATCH] pass dentry to audit_inode()/audit_inode_child() · 5a190ae6
      Al Viro authored
      
      
      makes caller simpler *and* allows to scan ancestors
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5a190ae6
  15. 18 Oct, 2007 1 commit
  16. 17 Oct, 2007 1 commit
  17. 09 Oct, 2007 1 commit
  18. 23 Aug, 2007 1 commit
  19. 08 Aug, 2007 1 commit
  20. 29 Jul, 2007 1 commit
  21. 22 Jul, 2007 2 commits
    • Al Viro's avatar
      [PATCH] get rid of AVC_PATH postponed treatment · 4259fa01
      Al Viro authored
      
      
              Selinux folks had been complaining about the lack of AVC_PATH
      records when audit is disabled.  I must admit my stupidity - I assumed
      that avc_audit() really couldn't use audit_log_d_path() because of
      deadlocks (== could be called with dcache_lock or vfsmount_lock held).
      Shouldn't have made that assumption - it never gets called that way.
      It _is_ called under spinlocks, but not those.
      
              Since audit_log_d_path() uses ab->gfp_mask for allocations,
      kmalloc() in there is not a problem.  IOW, the simple fix is sufficient:
      let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main
      record.  It's trivial to do.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      4259fa01
    • Steve Grubb's avatar
      [PATCH] Make IPC mode consistent · 5b9a4262
      Steve Grubb authored
      
      
      The mode fields for IPC records are not consistent. Some are hex, others are
      octal. This patch makes them all octal.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5b9a4262