audit rule additions containing "-F auid!=4294967295" were failing
with EINVAL because of a regression caused by e1760bd.
Apparently some userland audit rule sets want to know if loginuid uid
has been set and are using a test for auid != 4294967295 to determine
that.
In practice that is a horrible way to ask if a value has been set,
because it relies on subtle implementation details and will break
every time the uid implementation in the kernel changes.
So add a clean way to test if the audit loginuid has been set, and
silently convert the old idiom to the cleaner and more comprehensible
new idiom.
Cc: <stable@vger.kernel.org> # 3.7
Reported-By: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Tested-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
The userspace audit tools didn't like the existing formatting of the
AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
event as well, so this implements the change. The bulk of the patch is
moving code out of auditsc.c into audit.c and audit.h for general use.
It expands audit_log_name to include an optional "struct path" argument
for the simple case of just needing to report a pathname. This also
makes
audit_log_task_info available when syscall auditing is not enabled,
since
it is needed in either case for process details.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Steve Grubb <sgrubb@redhat.com>
This function is called when we receive a netlink message from
userspace. We don't need to worry about it coming from irq context or
irqs making it re-entrant.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were doing spin_lock_irq and spin_unlock_irq. This is STOOPID.
If we were in interupt context we were already screwed and called
panic() in do_exit(). So the irq stuff is useless. Also, these values
can only be changed by receiving a netlink message from current. Since
we are in do_exit() clearly we aren't in the syscall sending the netlink
message to change these values. Thus, just read them and go with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
current->signal->audit_* can only change from a netlink message from
current. Obviously in this case we cannot be handling a netlink message
from current. So there is no change these can change under us. No need
to take a lock to read them.
Signed-off-by: Eric Paris <eparis@redhat.com>
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode to do this while shutting off echo. This pair of features
(icanon and !echo) can be used to avoid logging passwords by audit while still
logging the rest of the command.
Adding a member (log_passwd) to the struct audit_tty_status passed in by
pam_tty_audit allows control of canonical mode without echo per task.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Some of the callers of the audit tty function use spin_lock_irqsave/restore.
We were using the forced always enable version, which seems really bad.
Since I don't know every one of these code paths well enough, it makes
sense to just switch everything to the safe version. Maybe it's a
little overzealous, but it's a lot better than an unlucky deadlock when
we return to a caller with irq enabled and they expect it to be
disabled.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have a number of places we were reimplementing the same code to write
out lsm labels. Just do it one darn place.
Signed-off-by: Eric Paris <eparis@redhat.com>
Since we are always current, we can push a lot of this stuff to the
bottom and get rid of useless interfaces and arguments.
Signed-off-by: Eric Paris <eparis@redhat.com>
We always use current. Stop pulling this when the skb comes in and
pushing it around as arguments. Just get it at the end when you need
it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We used to have an inflexible mechanism to add audit rules to the
kernel. It hasn't been used in a long time. Get rid of that stuff.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have 2 interfaces to send audit rules. Rather than check validity of
things in 2 places make a helper function.
Signed-off-by: Eric Paris <eparis@redhat.com>
When userspace sends messages to the audit system it includes a type.
We want to be able to filter messages based on that type without have to
do the all or nothing option currently available on the
AUDIT_FILTER_TYPE filter list. Instead we should be able to use the
AUDIT_FILTER_USER filter list and just use the message type as one part
of the matching decision.
Signed-off-by: Eric Paris <eparis@redhat.com>
Looks like this one has been around since 5195d8e21:
kernel/auditsc.c: In function ‘audit_free_names’:
kernel/auditsc.c:998: error: ‘i’ undeclared (first use in this function)
...and this warning:
kernel/auditsc.c: In function ‘audit_putname’:
kernel/auditsc.c:2045: warning: ‘i’ may be used uninitialized in this function
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
audit_enabled has already been exported in
include/linux/audit.h. and kernel/audit.h
includes include/linux/audit.h, no need to
export aduit_enabled again in kernel/audit.h
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
RHBZ: 785936
If the audit system collects a record about one process sending a signal
to another process it includes in that collection the 'secid' or 'an int
used to represet an LSM label.' If there is no LSM enabled it will
collect a 0. The problem is that when we attempt to print that record
we ask the LSM to convert the secid back to a string. Since there is no
LSM it returns EOPNOTSUPP.
Most code in the audit system checks if the secid is 0 and does not
print LSM info in that case. The signal information code however forgot
that check. Thus users will see a message in syslog indicating that
converting the sid to string failed. Add the right check.
Signed-off-by: Eric Paris <eparis@redhat.com>
Userspace parsing libraries assume that msg= is only for userspace audit
records, not for user tty records. Make this consistent with the other
tty records.
Reported-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
> In function audit_alloc_context(), use kzalloc, instead of kmalloc+memset. Patch also renames audit_zero_context() to
> audit_set_context(), to represent it's inner workings properly.
Fair enough. I'd go futher...
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Rakib Mullick <rakib.mullick@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
In function audit_alloc_context(), use kzalloc, instead of kmalloc+memset. Patch also renames audit_zero_context() to
audit_set_context(), to represent it's inner workings properly.
Signed-off-by: Rakib Mullick <rakib.mullick@gmail.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
__audit_socketcall is an extern function.
better to check its parameters by itself.
also can return error code, when fail (find invalid parameters).
also use macro instead of real hard code number
also give related comments for it.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
[eparis: fix the return value when !CONFIG_AUDIT]
Signed-off-by: Eric Paris <eparis@redhat.com>
filename should be destroyed via final_putname() instead of __putname()
Otherwise this result in following BUGON() in case of long names:
kernel BUG at mm/slab.c:3006!
Call Trace:
kmem_cache_free+0x1c1/0x850
audit_putname+0x88/0x90
putname+0x73/0x80
sys_symlinkat+0x120/0x150
sys_symlink+0x16/0x20
system_call_fastpath+0x16/0x1b
Introduced-in: 7950e3852
Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Some distros enable auditing by default which forces us through the
syscall trace path. Remove the static branch prediction in our 64bit
syscall handler and let the hardware do the prediction.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Commit b05d8447e7 (audit: inline audit_syscall_entry to reduce
burden on archs) changed audit_syscall_entry to check for a dummy
context before calling __audit_syscall_entry. Unfortunately the dummy
context state is maintained in __audit_syscall_entry so once set it
never gets cleared, even if the audit rules change.
As a result, if there are no auditing rules when a process starts
then it will never be subject to any rules added later. x86 doesn't
see this because it has an assembly fast path that calls directly into
__audit_syscall_entry.
I noticed this issue when working on audit performance optimisations.
I wrote a set of simple test cases available at:
http://ozlabs.org/~anton/junkcode/audit_tests.tar.gz
02_new_rule.py fails without the patch and passes with it. The
test case clears all rules, starts a process, adds a rule then
verifies the process produces a syscall audit record.
Signed-off-by: Anton Blanchard <anton@samba.org>
Cc: <stable@kernel.org> # 3.3+
Signed-off-by: Eric Paris <eparis@redhat.com>
The kauditd_thread() task was started only after the auditd userspace daemon
registers itself with kaudit. This was fine when only auditd consumed messages
from the kaudit netlink unicast socket. With the addition of a multicast group
to that socket it is more convenient to have the thread start on init of the
kaudit kernel subsystem.
Signed-off-by: Richard Guy Briggs <rbriggs@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Eric W. Biederman
Eric Paris
Richard Guy Briggs
Eric Paris
Gao feng
Andrew Morton
Rakib Mullick
Chen Gang
Dmitry Monakhov
Anton Blanchard