2019-05-27 06:55:05 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-12-15 18:33:52 +00:00
|
|
|
/* auditfilter.c -- filtering of audit events
|
|
|
|
*
|
|
|
|
* Copyright 2003-2004 Red Hat, Inc.
|
|
|
|
* Copyright 2005 Hewlett-Packard Development Company, L.P.
|
|
|
|
* Copyright 2005 IBM Corporation
|
|
|
|
*/
|
|
|
|
|
2014-01-27 22:38:42 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
2005-12-15 18:33:52 +00:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/audit.h>
|
|
|
|
#include <linux/kthread.h>
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
#include <linux/mutex.h>
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/namei.h>
|
2005-12-15 18:33:52 +00:00
|
|
|
#include <linux/netlink.h>
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
#include <linux/sched.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
2008-03-01 19:54:38 +00:00
|
|
|
#include <linux/security.h>
|
2014-02-04 01:25:33 +00:00
|
|
|
#include <net/net_namespace.h>
|
2014-03-01 03:44:55 +00:00
|
|
|
#include <net/sock.h>
|
2005-12-15 18:33:52 +00:00
|
|
|
#include "audit.h"
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/*
|
|
|
|
* Locking model:
|
|
|
|
*
|
|
|
|
* audit_filter_mutex:
|
2015-11-04 13:23:51 +00:00
|
|
|
* Synchronizes writes and blocking reads of audit's filterlist
|
|
|
|
* data. Rcu is used to traverse the filterlist and access
|
|
|
|
* contents of structs audit_entry, audit_watch and opaque
|
|
|
|
* LSM rules during filtering. If modified, these structures
|
|
|
|
* must be copied and replace their counterparts in the filterlist.
|
|
|
|
* An audit_parent struct is not accessed during filtering, so may
|
|
|
|
* be written directly provided audit_filter_mutex is held.
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* Audit filter lists, defined in <linux/audit.h> */
|
2005-12-15 18:33:52 +00:00
|
|
|
struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
|
|
|
|
LIST_HEAD_INIT(audit_filter_list[0]),
|
|
|
|
LIST_HEAD_INIT(audit_filter_list[1]),
|
|
|
|
LIST_HEAD_INIT(audit_filter_list[2]),
|
|
|
|
LIST_HEAD_INIT(audit_filter_list[3]),
|
|
|
|
LIST_HEAD_INIT(audit_filter_list[4]),
|
|
|
|
LIST_HEAD_INIT(audit_filter_list[5]),
|
2017-08-23 11:03:39 +00:00
|
|
|
LIST_HEAD_INIT(audit_filter_list[6]),
|
|
|
|
#if AUDIT_NR_FILTERS != 7
|
2005-12-15 18:33:52 +00:00
|
|
|
#error Fix audit_filter_list initialiser
|
|
|
|
#endif
|
|
|
|
};
|
2008-12-15 06:17:50 +00:00
|
|
|
static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
|
|
|
|
LIST_HEAD_INIT(audit_rules_list[0]),
|
|
|
|
LIST_HEAD_INIT(audit_rules_list[1]),
|
|
|
|
LIST_HEAD_INIT(audit_rules_list[2]),
|
|
|
|
LIST_HEAD_INIT(audit_rules_list[3]),
|
|
|
|
LIST_HEAD_INIT(audit_rules_list[4]),
|
|
|
|
LIST_HEAD_INIT(audit_rules_list[5]),
|
2017-08-23 11:03:39 +00:00
|
|
|
LIST_HEAD_INIT(audit_rules_list[6]),
|
2008-12-15 06:17:50 +00:00
|
|
|
};
|
2005-12-15 18:33:52 +00:00
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
DEFINE_MUTEX(audit_filter_mutex);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
|
2014-03-26 11:26:47 +00:00
|
|
|
static void audit_free_lsm_field(struct audit_field *f)
|
|
|
|
{
|
|
|
|
switch (f->type) {
|
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
|
|
|
kfree(f->lsm_str);
|
|
|
|
security_audit_rule_free(f->lsm_rule);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
static inline void audit_free_rule(struct audit_entry *e)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
2006-03-11 00:14:06 +00:00
|
|
|
int i;
|
2009-03-12 14:16:12 +00:00
|
|
|
struct audit_krule *erule = &e->rule;
|
2009-12-18 01:12:04 +00:00
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* some rules don't have associated watches */
|
2009-03-12 14:16:12 +00:00
|
|
|
if (erule->watch)
|
|
|
|
audit_put_watch(erule->watch);
|
|
|
|
if (erule->fields)
|
2014-03-26 11:26:47 +00:00
|
|
|
for (i = 0; i < erule->field_count; i++)
|
|
|
|
audit_free_lsm_field(&erule->fields[i]);
|
2009-03-12 14:16:12 +00:00
|
|
|
kfree(erule->fields);
|
|
|
|
kfree(erule->filterkey);
|
2006-02-07 17:05:27 +00:00
|
|
|
kfree(e);
|
|
|
|
}
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
void audit_free_rule_rcu(struct rcu_head *head)
|
2006-02-07 17:05:27 +00:00
|
|
|
{
|
|
|
|
struct audit_entry *e = container_of(head, struct audit_entry, rcu);
|
|
|
|
audit_free_rule(e);
|
|
|
|
}
|
|
|
|
|
2006-03-11 00:14:06 +00:00
|
|
|
/* Initialize an audit filterlist entry. */
|
|
|
|
static inline struct audit_entry *audit_init_entry(u32 field_count)
|
|
|
|
{
|
|
|
|
struct audit_entry *entry;
|
|
|
|
struct audit_field *fields;
|
|
|
|
|
|
|
|
entry = kzalloc(sizeof(*entry), GFP_KERNEL);
|
|
|
|
if (unlikely(!entry))
|
|
|
|
return NULL;
|
|
|
|
|
2014-08-06 23:03:22 +00:00
|
|
|
fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
|
2006-03-11 00:14:06 +00:00
|
|
|
if (unlikely(!fields)) {
|
|
|
|
kfree(entry);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
entry->rule.fields = fields;
|
|
|
|
|
|
|
|
return entry;
|
|
|
|
}
|
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
/* Unpack a filter field's string representation from user-space
|
|
|
|
* buffer. */
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
|
2006-02-07 17:05:27 +00:00
|
|
|
{
|
|
|
|
char *str;
|
|
|
|
|
|
|
|
if (!*bufp || (len == 0) || (len > *remain))
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
/* Of the currently implemented string fields, PATH_MAX
|
|
|
|
* defines the longest valid length.
|
|
|
|
*/
|
|
|
|
if (len > PATH_MAX)
|
|
|
|
return ERR_PTR(-ENAMETOOLONG);
|
|
|
|
|
|
|
|
str = kmalloc(len + 1, GFP_KERNEL);
|
|
|
|
if (unlikely(!str))
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
memcpy(str, *bufp, len);
|
|
|
|
str[len] = 0;
|
|
|
|
*bufp += len;
|
|
|
|
*remain -= len;
|
|
|
|
|
|
|
|
return str;
|
|
|
|
}
|
|
|
|
|
2016-02-06 07:39:47 +00:00
|
|
|
/* Translate an inode field to kernel representation. */
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
static inline int audit_to_inode(struct audit_krule *krule,
|
|
|
|
struct audit_field *f)
|
|
|
|
{
|
|
|
|
if (krule->listnr != AUDIT_FILTER_EXIT ||
|
2014-10-03 02:05:18 +00:00
|
|
|
krule->inode_f || krule->watch || krule->tree ||
|
2008-12-16 10:59:26 +00:00
|
|
|
(f->op != Audit_equal && f->op != Audit_not_equal))
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
krule->inode_f = f;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-07-01 07:56:16 +00:00
|
|
|
static __u32 *classes[AUDIT_SYSCALL_CLASSES];
|
|
|
|
|
|
|
|
int __init audit_register_class(int class, unsigned *list)
|
|
|
|
{
|
2014-08-06 23:03:22 +00:00
|
|
|
__u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
|
2006-07-01 07:56:16 +00:00
|
|
|
if (!p)
|
|
|
|
return -ENOMEM;
|
|
|
|
while (*list != ~0U) {
|
|
|
|
unsigned n = *list++;
|
|
|
|
if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
|
|
|
|
kfree(p);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
|
|
|
|
}
|
|
|
|
if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
|
|
|
|
kfree(p);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
classes[class] = p;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-08-31 23:26:40 +00:00
|
|
|
int audit_match_class(int class, unsigned syscall)
|
|
|
|
{
|
2007-05-16 22:45:42 +00:00
|
|
|
if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
|
2006-08-31 23:26:40 +00:00
|
|
|
return 0;
|
|
|
|
if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
|
|
|
|
return 0;
|
|
|
|
return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
|
|
|
|
}
|
|
|
|
|
2007-05-15 19:37:10 +00:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
2007-03-29 22:01:04 +00:00
|
|
|
static inline int audit_match_class_bits(int class, u32 *mask)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (classes[class]) {
|
|
|
|
for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
|
|
|
|
if (mask[i] & classes[class][i])
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int audit_match_signal(struct audit_entry *entry)
|
|
|
|
{
|
|
|
|
struct audit_field *arch = entry->rule.arch_f;
|
|
|
|
|
|
|
|
if (!arch) {
|
|
|
|
/* When arch is unspecified, we must check both masks on biarch
|
|
|
|
* as syscall number alone is ambiguous. */
|
|
|
|
return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
|
|
|
|
entry->rule.mask) &&
|
|
|
|
audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
|
|
|
|
entry->rule.mask));
|
|
|
|
}
|
|
|
|
|
|
|
|
switch(audit_classify_arch(arch->val)) {
|
|
|
|
case 0: /* native */
|
|
|
|
return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
|
|
|
|
entry->rule.mask));
|
|
|
|
case 1: /* 32bit on biarch */
|
|
|
|
return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
|
|
|
|
entry->rule.mask));
|
|
|
|
default:
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
2007-05-15 19:37:10 +00:00
|
|
|
#endif
|
2007-03-29 22:01:04 +00:00
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
/* Common user-space to kernel rule translation. */
|
2014-04-02 19:46:42 +00:00
|
|
|
static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
|
2006-02-07 17:05:27 +00:00
|
|
|
{
|
|
|
|
unsigned listnr;
|
|
|
|
struct audit_entry *entry;
|
|
|
|
int i, err;
|
|
|
|
|
|
|
|
err = -EINVAL;
|
|
|
|
listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
|
|
|
|
switch(listnr) {
|
|
|
|
default:
|
|
|
|
goto exit_err;
|
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
|
|
|
case AUDIT_FILTER_ENTRY:
|
2018-02-15 02:47:43 +00:00
|
|
|
pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
|
|
|
|
goto exit_err;
|
2006-02-07 17:05:27 +00:00
|
|
|
case AUDIT_FILTER_EXIT:
|
|
|
|
case AUDIT_FILTER_TASK:
|
|
|
|
#endif
|
2012-01-03 19:23:07 +00:00
|
|
|
case AUDIT_FILTER_USER:
|
2018-06-05 15:45:07 +00:00
|
|
|
case AUDIT_FILTER_EXCLUDE:
|
2017-08-23 11:03:39 +00:00
|
|
|
case AUDIT_FILTER_FS:
|
2006-02-07 17:05:27 +00:00
|
|
|
;
|
|
|
|
}
|
2006-05-23 05:36:13 +00:00
|
|
|
if (unlikely(rule->action == AUDIT_POSSIBLE)) {
|
2014-01-27 22:38:42 +00:00
|
|
|
pr_err("AUDIT_POSSIBLE is deprecated\n");
|
2006-05-23 05:36:13 +00:00
|
|
|
goto exit_err;
|
|
|
|
}
|
|
|
|
if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
|
2006-02-07 17:05:27 +00:00
|
|
|
goto exit_err;
|
|
|
|
if (rule->field_count > AUDIT_MAX_FIELDS)
|
|
|
|
goto exit_err;
|
|
|
|
|
|
|
|
err = -ENOMEM;
|
2006-03-11 00:14:06 +00:00
|
|
|
entry = audit_init_entry(rule->field_count);
|
|
|
|
if (!entry)
|
2006-02-07 17:05:27 +00:00
|
|
|
goto exit_err;
|
|
|
|
|
|
|
|
entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
|
|
|
|
entry->rule.listnr = listnr;
|
|
|
|
entry->rule.action = rule->action;
|
|
|
|
entry->rule.field_count = rule->field_count;
|
|
|
|
|
|
|
|
for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
|
|
|
|
entry->rule.mask[i] = rule->mask[i];
|
|
|
|
|
2006-07-01 07:56:16 +00:00
|
|
|
for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
|
|
|
|
int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
|
|
|
|
__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
|
|
|
|
__u32 *class;
|
|
|
|
|
|
|
|
if (!(*p & AUDIT_BIT(bit)))
|
|
|
|
continue;
|
|
|
|
*p &= ~AUDIT_BIT(bit);
|
|
|
|
class = classes[i];
|
|
|
|
if (class) {
|
|
|
|
int j;
|
|
|
|
for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
|
|
|
|
entry->rule.mask[j] |= class[j];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
return entry;
|
|
|
|
|
|
|
|
exit_err:
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
|
2008-12-16 10:59:26 +00:00
|
|
|
static u32 audit_ops[] =
|
|
|
|
{
|
|
|
|
[Audit_equal] = AUDIT_EQUAL,
|
|
|
|
[Audit_not_equal] = AUDIT_NOT_EQUAL,
|
|
|
|
[Audit_bitmask] = AUDIT_BIT_MASK,
|
|
|
|
[Audit_bittest] = AUDIT_BIT_TEST,
|
|
|
|
[Audit_lt] = AUDIT_LESS_THAN,
|
|
|
|
[Audit_gt] = AUDIT_GREATER_THAN,
|
|
|
|
[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
|
|
|
|
[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
|
|
|
|
};
|
|
|
|
|
|
|
|
static u32 audit_to_op(u32 op)
|
|
|
|
{
|
|
|
|
u32 n;
|
|
|
|
for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
|
|
|
|
;
|
|
|
|
return n;
|
|
|
|
}
|
|
|
|
|
2013-04-16 21:26:51 +00:00
|
|
|
/* check if an audit field is valid */
|
2013-04-16 17:08:43 +00:00
|
|
|
static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
|
2006-02-07 17:05:27 +00:00
|
|
|
{
|
2019-05-22 21:51:09 +00:00
|
|
|
switch (f->type) {
|
2013-04-16 17:08:43 +00:00
|
|
|
case AUDIT_MSGTYPE:
|
2018-06-05 15:45:07 +00:00
|
|
|
if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
|
2013-04-16 17:08:43 +00:00
|
|
|
entry->rule.listnr != AUDIT_FILTER_USER)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
2017-08-23 11:03:39 +00:00
|
|
|
case AUDIT_FSTYPE:
|
|
|
|
if (entry->rule.listnr != AUDIT_FILTER_FS)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2019-05-22 21:51:09 +00:00
|
|
|
switch (entry->rule.listnr) {
|
2017-08-23 11:03:39 +00:00
|
|
|
case AUDIT_FILTER_FS:
|
|
|
|
switch(f->type) {
|
|
|
|
case AUDIT_FSTYPE:
|
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2017-05-02 14:16:03 +00:00
|
|
|
}
|
2006-02-07 17:05:27 +00:00
|
|
|
|
2019-05-22 21:51:09 +00:00
|
|
|
/* Check for valid field type and op */
|
|
|
|
switch (f->type) {
|
|
|
|
case AUDIT_ARG0:
|
|
|
|
case AUDIT_ARG1:
|
|
|
|
case AUDIT_ARG2:
|
|
|
|
case AUDIT_ARG3:
|
|
|
|
case AUDIT_PERS: /* <uapi/linux/personality.h> */
|
|
|
|
case AUDIT_DEVMINOR:
|
|
|
|
/* all ops are valid */
|
|
|
|
break;
|
2013-04-16 21:26:51 +00:00
|
|
|
case AUDIT_UID:
|
|
|
|
case AUDIT_EUID:
|
|
|
|
case AUDIT_SUID:
|
|
|
|
case AUDIT_FSUID:
|
|
|
|
case AUDIT_LOGINUID:
|
|
|
|
case AUDIT_OBJ_UID:
|
|
|
|
case AUDIT_GID:
|
|
|
|
case AUDIT_EGID:
|
|
|
|
case AUDIT_SGID:
|
|
|
|
case AUDIT_FSGID:
|
|
|
|
case AUDIT_OBJ_GID:
|
|
|
|
case AUDIT_PID:
|
|
|
|
case AUDIT_MSGTYPE:
|
|
|
|
case AUDIT_PPID:
|
|
|
|
case AUDIT_DEVMAJOR:
|
|
|
|
case AUDIT_EXIT:
|
|
|
|
case AUDIT_SUCCESS:
|
2013-09-04 19:01:43 +00:00
|
|
|
case AUDIT_INODE:
|
2016-11-20 21:47:55 +00:00
|
|
|
case AUDIT_SESSIONID:
|
2019-05-22 21:51:09 +00:00
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
2019-05-10 00:01:36 +00:00
|
|
|
case AUDIT_SADDR_FAM:
|
2013-04-16 21:26:51 +00:00
|
|
|
/* bit ops are only useful on syscall args */
|
|
|
|
if (f->op == Audit_bitmask || f->op == Audit_bittest)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_WATCH:
|
|
|
|
case AUDIT_DIR:
|
|
|
|
case AUDIT_FILTERKEY:
|
2013-04-09 09:22:10 +00:00
|
|
|
case AUDIT_LOGINUID_SET:
|
2013-04-16 21:26:51 +00:00
|
|
|
case AUDIT_ARCH:
|
2017-08-23 11:03:39 +00:00
|
|
|
case AUDIT_FSTYPE:
|
2019-05-22 21:51:09 +00:00
|
|
|
case AUDIT_PERM:
|
|
|
|
case AUDIT_FILETYPE:
|
|
|
|
case AUDIT_FIELD_COMPARE:
|
|
|
|
case AUDIT_EXE:
|
|
|
|
/* only equal and not equal valid ops */
|
2013-04-16 21:26:51 +00:00
|
|
|
if (f->op != Audit_not_equal && f->op != Audit_equal)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
2019-05-22 21:51:09 +00:00
|
|
|
default:
|
|
|
|
/* field not recognized */
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check for select valid field values */
|
|
|
|
switch (f->type) {
|
|
|
|
case AUDIT_LOGINUID_SET:
|
|
|
|
if ((f->val != 0) && (f->val != 1))
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
2013-04-16 21:26:51 +00:00
|
|
|
case AUDIT_PERM:
|
|
|
|
if (f->val & ~15)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
case AUDIT_FILETYPE:
|
|
|
|
if (f->val & ~S_IFMT)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
case AUDIT_FIELD_COMPARE:
|
|
|
|
if (f->val > AUDIT_MAX_FIELD_COMPARE)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
2019-05-10 00:01:36 +00:00
|
|
|
case AUDIT_SADDR_FAM:
|
|
|
|
if (f->val >= AF_MAX)
|
2015-08-05 20:29:37 +00:00
|
|
|
return -EINVAL;
|
|
|
|
break;
|
2019-05-22 21:51:09 +00:00
|
|
|
default:
|
2015-08-05 20:29:37 +00:00
|
|
|
break;
|
2017-05-02 14:16:03 +00:00
|
|
|
}
|
2019-05-22 21:51:09 +00:00
|
|
|
|
2013-04-16 17:08:43 +00:00
|
|
|
return 0;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
|
2016-02-06 07:39:47 +00:00
|
|
|
/* Translate struct audit_rule_data to kernel's rule representation. */
|
2006-02-07 17:05:27 +00:00
|
|
|
static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
|
|
|
|
size_t datasz)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
2006-02-07 17:05:27 +00:00
|
|
|
int err = 0;
|
|
|
|
struct audit_entry *entry;
|
|
|
|
void *bufp;
|
2006-03-11 00:14:06 +00:00
|
|
|
size_t remain = datasz - sizeof(struct audit_rule_data);
|
2005-12-15 18:33:52 +00:00
|
|
|
int i;
|
2006-03-11 00:14:06 +00:00
|
|
|
char *str;
|
2015-08-05 20:29:37 +00:00
|
|
|
struct audit_fsnotify_mark *audit_mark;
|
2005-12-15 18:33:52 +00:00
|
|
|
|
2014-04-02 19:46:42 +00:00
|
|
|
entry = audit_to_entry_common(data);
|
2006-02-07 17:05:27 +00:00
|
|
|
if (IS_ERR(entry))
|
|
|
|
goto exit_nofree;
|
2005-12-15 18:33:52 +00:00
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
bufp = data->buf;
|
|
|
|
for (i = 0; i < data->field_count; i++) {
|
|
|
|
struct audit_field *f = &entry->rule.fields[i];
|
|
|
|
|
|
|
|
err = -EINVAL;
|
2008-12-16 10:59:26 +00:00
|
|
|
|
|
|
|
f->op = audit_to_op(data->fieldflags[i]);
|
|
|
|
if (f->op == Audit_bad)
|
2006-02-07 17:05:27 +00:00
|
|
|
goto exit_free;
|
|
|
|
|
|
|
|
f->type = data->fields[i];
|
2006-03-11 00:14:06 +00:00
|
|
|
f->val = data->values[i];
|
2013-04-16 17:08:43 +00:00
|
|
|
|
2013-04-09 09:22:10 +00:00
|
|
|
/* Support legacy tests for a valid loginuid */
|
2013-05-20 19:08:18 +00:00
|
|
|
if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
|
2013-04-09 09:22:10 +00:00
|
|
|
f->type = AUDIT_LOGINUID_SET;
|
|
|
|
f->val = 0;
|
2014-12-23 18:02:04 +00:00
|
|
|
entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
|
2013-12-11 18:52:26 +00:00
|
|
|
}
|
|
|
|
|
2013-04-16 17:08:43 +00:00
|
|
|
err = audit_field_valid(entry, f);
|
|
|
|
if (err)
|
|
|
|
goto exit_free;
|
|
|
|
|
|
|
|
err = -EINVAL;
|
2013-04-16 21:26:51 +00:00
|
|
|
switch (f->type) {
|
2013-04-09 09:22:10 +00:00
|
|
|
case AUDIT_LOGINUID:
|
2006-06-05 12:15:59 +00:00
|
|
|
case AUDIT_UID:
|
|
|
|
case AUDIT_EUID:
|
|
|
|
case AUDIT_SUID:
|
|
|
|
case AUDIT_FSUID:
|
2012-09-11 09:18:08 +00:00
|
|
|
case AUDIT_OBJ_UID:
|
|
|
|
f->uid = make_kuid(current_user_ns(), f->val);
|
|
|
|
if (!uid_valid(f->uid))
|
|
|
|
goto exit_free;
|
|
|
|
break;
|
2006-06-05 12:15:59 +00:00
|
|
|
case AUDIT_GID:
|
|
|
|
case AUDIT_EGID:
|
|
|
|
case AUDIT_SGID:
|
|
|
|
case AUDIT_FSGID:
|
2012-09-11 09:18:08 +00:00
|
|
|
case AUDIT_OBJ_GID:
|
|
|
|
f->gid = make_kgid(current_user_ns(), f->val);
|
|
|
|
if (!gid_valid(f->gid))
|
|
|
|
goto exit_free;
|
|
|
|
break;
|
2007-03-29 22:01:04 +00:00
|
|
|
case AUDIT_ARCH:
|
|
|
|
entry->rule.arch_f = f;
|
|
|
|
break;
|
2006-06-29 21:56:39 +00:00
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
2006-06-29 21:57:08 +00:00
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
2006-03-11 00:14:06 +00:00
|
|
|
str = audit_unpack_string(&bufp, &remain, f->val);
|
|
|
|
if (IS_ERR(str))
|
|
|
|
goto exit_free;
|
|
|
|
entry->rule.buflen += f->val;
|
|
|
|
|
2008-03-01 20:01:11 +00:00
|
|
|
err = security_audit_rule_init(f->type, f->op, str,
|
2008-04-18 23:59:43 +00:00
|
|
|
(void **)&f->lsm_rule);
|
2006-03-11 00:14:06 +00:00
|
|
|
/* Keep currently invalid fields around in case they
|
|
|
|
* become valid after a policy reload. */
|
|
|
|
if (err == -EINVAL) {
|
2014-01-27 22:38:42 +00:00
|
|
|
pr_warn("audit rule for LSM \'%s\' is invalid\n",
|
|
|
|
str);
|
2006-03-11 00:14:06 +00:00
|
|
|
err = 0;
|
|
|
|
}
|
|
|
|
if (err) {
|
|
|
|
kfree(str);
|
|
|
|
goto exit_free;
|
|
|
|
} else
|
2008-04-18 23:59:43 +00:00
|
|
|
f->lsm_str = str;
|
2006-03-11 00:14:06 +00:00
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
case AUDIT_WATCH:
|
|
|
|
str = audit_unpack_string(&bufp, &remain, f->val);
|
|
|
|
if (IS_ERR(str))
|
|
|
|
goto exit_free;
|
|
|
|
entry->rule.buflen += f->val;
|
|
|
|
|
|
|
|
err = audit_to_watch(&entry->rule, str, f->val, f->op);
|
|
|
|
if (err) {
|
|
|
|
kfree(str);
|
|
|
|
goto exit_free;
|
|
|
|
}
|
|
|
|
break;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
case AUDIT_DIR:
|
|
|
|
str = audit_unpack_string(&bufp, &remain, f->val);
|
|
|
|
if (IS_ERR(str))
|
|
|
|
goto exit_free;
|
|
|
|
entry->rule.buflen += f->val;
|
|
|
|
|
|
|
|
err = audit_make_tree(&entry->rule, str, f->op);
|
|
|
|
kfree(str);
|
|
|
|
if (err)
|
|
|
|
goto exit_free;
|
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
case AUDIT_INODE:
|
|
|
|
err = audit_to_inode(&entry->rule, f);
|
|
|
|
if (err)
|
|
|
|
goto exit_free;
|
|
|
|
break;
|
2006-06-14 22:45:21 +00:00
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
|
|
|
|
goto exit_free;
|
|
|
|
str = audit_unpack_string(&bufp, &remain, f->val);
|
|
|
|
if (IS_ERR(str))
|
|
|
|
goto exit_free;
|
|
|
|
entry->rule.buflen += f->val;
|
|
|
|
entry->rule.filterkey = str;
|
|
|
|
break;
|
2015-08-05 20:29:37 +00:00
|
|
|
case AUDIT_EXE:
|
|
|
|
if (entry->rule.exe || f->val > PATH_MAX)
|
|
|
|
goto exit_free;
|
|
|
|
str = audit_unpack_string(&bufp, &remain, f->val);
|
|
|
|
if (IS_ERR(str)) {
|
|
|
|
err = PTR_ERR(str);
|
|
|
|
goto exit_free;
|
|
|
|
}
|
|
|
|
entry->rule.buflen += f->val;
|
|
|
|
|
|
|
|
audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
|
|
|
|
if (IS_ERR(audit_mark)) {
|
|
|
|
kfree(str);
|
|
|
|
err = PTR_ERR(audit_mark);
|
|
|
|
goto exit_free;
|
|
|
|
}
|
|
|
|
entry->rule.exe = audit_mark;
|
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-12-16 10:59:26 +00:00
|
|
|
if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
|
|
|
|
entry->rule.inode_f = NULL;
|
2006-02-07 17:05:27 +00:00
|
|
|
|
|
|
|
exit_nofree:
|
|
|
|
return entry;
|
|
|
|
|
|
|
|
exit_free:
|
2013-04-29 22:05:18 +00:00
|
|
|
if (entry->rule.tree)
|
|
|
|
audit_put_tree(entry->rule.tree); /* that's the temporary one */
|
2015-08-05 20:29:37 +00:00
|
|
|
if (entry->rule.exe)
|
|
|
|
audit_remove_mark(entry->rule.exe); /* that's the template one */
|
2006-02-07 17:05:27 +00:00
|
|
|
audit_free_rule(entry);
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Pack a filter field's string representation into data block. */
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
static inline size_t audit_pack_string(void **bufp, const char *str)
|
2006-02-07 17:05:27 +00:00
|
|
|
{
|
|
|
|
size_t len = strlen(str);
|
|
|
|
|
|
|
|
memcpy(*bufp, str, len);
|
|
|
|
*bufp += len;
|
|
|
|
|
|
|
|
return len;
|
|
|
|
}
|
|
|
|
|
2016-02-06 07:39:47 +00:00
|
|
|
/* Translate kernel rule representation to struct audit_rule_data. */
|
2006-02-07 17:05:27 +00:00
|
|
|
static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
|
|
|
|
{
|
|
|
|
struct audit_rule_data *data;
|
|
|
|
void *bufp;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
|
|
|
|
if (unlikely(!data))
|
2006-05-02 19:06:01 +00:00
|
|
|
return NULL;
|
2006-02-07 17:05:27 +00:00
|
|
|
memset(data, 0, sizeof(*data));
|
|
|
|
|
|
|
|
data->flags = krule->flags | krule->listnr;
|
|
|
|
data->action = krule->action;
|
|
|
|
data->field_count = krule->field_count;
|
|
|
|
bufp = data->buf;
|
|
|
|
for (i = 0; i < data->field_count; i++) {
|
|
|
|
struct audit_field *f = &krule->fields[i];
|
|
|
|
|
|
|
|
data->fields[i] = f->type;
|
2008-12-16 10:59:26 +00:00
|
|
|
data->fieldflags[i] = audit_ops[f->op];
|
2006-02-07 17:05:27 +00:00
|
|
|
switch(f->type) {
|
2006-06-29 21:56:39 +00:00
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
2006-06-29 21:57:08 +00:00
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
2006-03-11 00:14:06 +00:00
|
|
|
data->buflen += data->values[i] =
|
2008-04-18 23:59:43 +00:00
|
|
|
audit_pack_string(&bufp, f->lsm_str);
|
2006-03-11 00:14:06 +00:00
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
case AUDIT_WATCH:
|
|
|
|
data->buflen += data->values[i] =
|
2009-06-11 18:31:36 +00:00
|
|
|
audit_pack_string(&bufp,
|
|
|
|
audit_watch_path(krule->watch));
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
break;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
case AUDIT_DIR:
|
|
|
|
data->buflen += data->values[i] =
|
|
|
|
audit_pack_string(&bufp,
|
|
|
|
audit_tree_path(krule->tree));
|
|
|
|
break;
|
2006-06-14 22:45:21 +00:00
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
data->buflen += data->values[i] =
|
|
|
|
audit_pack_string(&bufp, krule->filterkey);
|
|
|
|
break;
|
2015-08-05 20:29:37 +00:00
|
|
|
case AUDIT_EXE:
|
|
|
|
data->buflen += data->values[i] =
|
|
|
|
audit_pack_string(&bufp, audit_mark_path(krule->exe));
|
|
|
|
break;
|
2014-12-23 18:02:04 +00:00
|
|
|
case AUDIT_LOGINUID_SET:
|
|
|
|
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
|
|
|
|
data->fields[i] = AUDIT_LOGINUID;
|
|
|
|
data->values[i] = AUDIT_UID_UNSET;
|
|
|
|
break;
|
|
|
|
}
|
2019-02-12 20:46:00 +00:00
|
|
|
/* fall through - if set */
|
2006-02-07 17:05:27 +00:00
|
|
|
default:
|
|
|
|
data->values[i] = f->val;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
|
|
|
|
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Compare two rules in kernel format. Considered success if rules
|
|
|
|
* don't match. */
|
|
|
|
static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (a->flags != b->flags ||
|
2014-12-23 18:02:04 +00:00
|
|
|
a->pflags != b->pflags ||
|
2006-02-07 17:05:27 +00:00
|
|
|
a->listnr != b->listnr ||
|
|
|
|
a->action != b->action ||
|
|
|
|
a->field_count != b->field_count)
|
2005-12-15 18:33:52 +00:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
for (i = 0; i < a->field_count; i++) {
|
2006-02-07 17:05:27 +00:00
|
|
|
if (a->fields[i].type != b->fields[i].type ||
|
|
|
|
a->fields[i].op != b->fields[i].op)
|
2005-12-15 18:33:52 +00:00
|
|
|
return 1;
|
2006-02-07 17:05:27 +00:00
|
|
|
|
|
|
|
switch(a->fields[i].type) {
|
2006-06-29 21:56:39 +00:00
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
2006-06-29 21:57:08 +00:00
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
2008-04-18 23:59:43 +00:00
|
|
|
if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
|
2006-03-11 00:14:06 +00:00
|
|
|
return 1;
|
|
|
|
break;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
case AUDIT_WATCH:
|
2009-06-11 18:31:36 +00:00
|
|
|
if (strcmp(audit_watch_path(a->watch),
|
|
|
|
audit_watch_path(b->watch)))
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
return 1;
|
|
|
|
break;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
case AUDIT_DIR:
|
|
|
|
if (strcmp(audit_tree_path(a->tree),
|
|
|
|
audit_tree_path(b->tree)))
|
|
|
|
return 1;
|
|
|
|
break;
|
2006-06-14 22:45:21 +00:00
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
/* both filterkeys exist based on above type compare */
|
|
|
|
if (strcmp(a->filterkey, b->filterkey))
|
|
|
|
return 1;
|
|
|
|
break;
|
2015-08-05 20:29:37 +00:00
|
|
|
case AUDIT_EXE:
|
|
|
|
/* both paths exist based on above type compare */
|
|
|
|
if (strcmp(audit_mark_path(a->exe),
|
|
|
|
audit_mark_path(b->exe)))
|
|
|
|
return 1;
|
|
|
|
break;
|
2012-09-11 09:18:08 +00:00
|
|
|
case AUDIT_UID:
|
|
|
|
case AUDIT_EUID:
|
|
|
|
case AUDIT_SUID:
|
|
|
|
case AUDIT_FSUID:
|
|
|
|
case AUDIT_LOGINUID:
|
|
|
|
case AUDIT_OBJ_UID:
|
|
|
|
if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
|
|
|
|
return 1;
|
|
|
|
break;
|
|
|
|
case AUDIT_GID:
|
|
|
|
case AUDIT_EGID:
|
|
|
|
case AUDIT_SGID:
|
|
|
|
case AUDIT_FSGID:
|
|
|
|
case AUDIT_OBJ_GID:
|
|
|
|
if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
|
|
|
|
return 1;
|
|
|
|
break;
|
2006-02-07 17:05:27 +00:00
|
|
|
default:
|
|
|
|
if (a->fields[i].val != b->fields[i].val)
|
|
|
|
return 1;
|
|
|
|
}
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
|
|
|
|
if (a->mask[i] != b->mask[i])
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-04-18 23:59:43 +00:00
|
|
|
/* Duplicate LSM field information. The lsm_rule is opaque, so must be
|
2006-03-11 00:14:06 +00:00
|
|
|
* re-initialized. */
|
2008-03-01 20:01:11 +00:00
|
|
|
static inline int audit_dupe_lsm_field(struct audit_field *df,
|
2006-03-11 00:14:06 +00:00
|
|
|
struct audit_field *sf)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
2008-04-18 23:59:43 +00:00
|
|
|
char *lsm_str;
|
2006-03-11 00:14:06 +00:00
|
|
|
|
2008-04-18 23:59:43 +00:00
|
|
|
/* our own copy of lsm_str */
|
|
|
|
lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
|
|
|
|
if (unlikely(!lsm_str))
|
2006-12-22 09:10:02 +00:00
|
|
|
return -ENOMEM;
|
2008-04-18 23:59:43 +00:00
|
|
|
df->lsm_str = lsm_str;
|
2006-03-11 00:14:06 +00:00
|
|
|
|
2008-04-18 23:59:43 +00:00
|
|
|
/* our own (refreshed) copy of lsm_rule */
|
|
|
|
ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
|
|
|
|
(void **)&df->lsm_rule);
|
2006-03-11 00:14:06 +00:00
|
|
|
/* Keep currently invalid fields around in case they
|
|
|
|
* become valid after a policy reload. */
|
|
|
|
if (ret == -EINVAL) {
|
2014-01-27 22:38:42 +00:00
|
|
|
pr_warn("audit rule for LSM \'%s\' is invalid\n",
|
|
|
|
df->lsm_str);
|
2006-03-11 00:14:06 +00:00
|
|
|
ret = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Duplicate an audit rule. This will be a deep copy with the exception
|
2008-03-01 20:01:11 +00:00
|
|
|
* of the watch - that pointer is carried over. The LSM specific fields
|
2006-03-11 00:14:06 +00:00
|
|
|
* will be updated in the copy. The point is to be able to replace the old
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
* rule with the new rule in the filterlist, then free the old rule.
|
|
|
|
* The rlist element is undefined; list manipulations are handled apart from
|
|
|
|
* the initial copy. */
|
2009-12-18 01:12:04 +00:00
|
|
|
struct audit_entry *audit_dupe_rule(struct audit_krule *old)
|
2006-03-11 00:14:06 +00:00
|
|
|
{
|
|
|
|
u32 fcount = old->field_count;
|
|
|
|
struct audit_entry *entry;
|
|
|
|
struct audit_krule *new;
|
2006-06-14 22:45:21 +00:00
|
|
|
char *fk;
|
2006-03-11 00:14:06 +00:00
|
|
|
int i, err = 0;
|
|
|
|
|
|
|
|
entry = audit_init_entry(fcount);
|
|
|
|
if (unlikely(!entry))
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
new = &entry->rule;
|
|
|
|
new->flags = old->flags;
|
2014-12-23 18:02:04 +00:00
|
|
|
new->pflags = old->pflags;
|
2006-03-11 00:14:06 +00:00
|
|
|
new->listnr = old->listnr;
|
|
|
|
new->action = old->action;
|
|
|
|
for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
|
|
|
|
new->mask[i] = old->mask[i];
|
2008-12-15 04:45:27 +00:00
|
|
|
new->prio = old->prio;
|
2006-03-11 00:14:06 +00:00
|
|
|
new->buflen = old->buflen;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
new->inode_f = old->inode_f;
|
2006-03-11 00:14:06 +00:00
|
|
|
new->field_count = old->field_count;
|
2009-12-18 01:12:04 +00:00
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
/*
|
|
|
|
* note that we are OK with not refcounting here; audit_match_tree()
|
|
|
|
* never dereferences tree and we can't get false positives there
|
|
|
|
* since we'd have to have rule gone from the list *and* removed
|
|
|
|
* before the chunks found by lookup had been allocated, i.e. before
|
|
|
|
* the beginning of list scan.
|
|
|
|
*/
|
|
|
|
new->tree = old->tree;
|
2006-03-11 00:14:06 +00:00
|
|
|
memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
|
|
|
|
|
2008-04-18 23:59:43 +00:00
|
|
|
/* deep copy this information, updating the lsm_rule fields, because
|
2006-03-11 00:14:06 +00:00
|
|
|
* the originals will all be freed when the old rule is freed. */
|
|
|
|
for (i = 0; i < fcount; i++) {
|
|
|
|
switch (new->fields[i].type) {
|
2006-06-29 21:56:39 +00:00
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
2006-06-29 21:57:08 +00:00
|
|
|
case AUDIT_OBJ_USER:
|
|
|
|
case AUDIT_OBJ_ROLE:
|
|
|
|
case AUDIT_OBJ_TYPE:
|
|
|
|
case AUDIT_OBJ_LEV_LOW:
|
|
|
|
case AUDIT_OBJ_LEV_HIGH:
|
2008-03-01 20:01:11 +00:00
|
|
|
err = audit_dupe_lsm_field(&new->fields[i],
|
2006-03-11 00:14:06 +00:00
|
|
|
&old->fields[i]);
|
2006-06-14 22:45:21 +00:00
|
|
|
break;
|
|
|
|
case AUDIT_FILTERKEY:
|
|
|
|
fk = kstrdup(old->filterkey, GFP_KERNEL);
|
|
|
|
if (unlikely(!fk))
|
|
|
|
err = -ENOMEM;
|
|
|
|
else
|
|
|
|
new->filterkey = fk;
|
2015-08-05 20:29:37 +00:00
|
|
|
break;
|
|
|
|
case AUDIT_EXE:
|
|
|
|
err = audit_dupe_exe(new, old);
|
|
|
|
break;
|
2006-03-11 00:14:06 +00:00
|
|
|
}
|
|
|
|
if (err) {
|
2015-08-05 20:29:37 +00:00
|
|
|
if (new->exe)
|
|
|
|
audit_remove_mark(new->exe);
|
2006-03-11 00:14:06 +00:00
|
|
|
audit_free_rule(entry);
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-12-18 01:12:04 +00:00
|
|
|
if (old->watch) {
|
|
|
|
audit_get_watch(old->watch);
|
|
|
|
new->watch = old->watch;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
}
|
|
|
|
|
2006-03-11 00:14:06 +00:00
|
|
|
return entry;
|
|
|
|
}
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* Find an existing audit rule.
|
|
|
|
* Caller must hold audit_filter_mutex to prevent stale rule data. */
|
|
|
|
static struct audit_entry *audit_find_rule(struct audit_entry *entry,
|
2008-12-15 06:50:28 +00:00
|
|
|
struct list_head **p)
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
{
|
|
|
|
struct audit_entry *e, *found = NULL;
|
2008-12-15 06:50:28 +00:00
|
|
|
struct list_head *list;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
int h;
|
|
|
|
|
2008-12-15 06:50:28 +00:00
|
|
|
if (entry->rule.inode_f) {
|
|
|
|
h = audit_hash_ino(entry->rule.inode_f->val);
|
|
|
|
*p = list = &audit_inode_hash[h];
|
|
|
|
} else if (entry->rule.watch) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* we don't know the inode number, so must walk entire hash */
|
|
|
|
for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
|
|
|
|
list = &audit_inode_hash[h];
|
|
|
|
list_for_each_entry(e, list, list)
|
|
|
|
if (!audit_compare_rule(&entry->rule, &e->rule)) {
|
|
|
|
found = e;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
goto out;
|
2008-12-15 06:50:28 +00:00
|
|
|
} else {
|
|
|
|
*p = list = &audit_filter_list[entry->rule.listnr];
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
list_for_each_entry(e, list, list)
|
|
|
|
if (!audit_compare_rule(&entry->rule, &e->rule)) {
|
|
|
|
found = e;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
return found;
|
|
|
|
}
|
|
|
|
|
2008-12-15 04:45:27 +00:00
|
|
|
static u64 prio_low = ~0ULL/2;
|
|
|
|
static u64 prio_high = ~0ULL/2 - 1;
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* Add rule to given filterlist if not a duplicate. */
|
2008-12-15 06:50:28 +00:00
|
|
|
static inline int audit_add_rule(struct audit_entry *entry)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
2006-02-07 17:05:27 +00:00
|
|
|
struct audit_entry *e;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
struct audit_watch *watch = entry->rule.watch;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
struct audit_tree *tree = entry->rule.tree;
|
2008-12-15 06:50:28 +00:00
|
|
|
struct list_head *list;
|
2015-08-05 15:19:45 +00:00
|
|
|
int err = 0;
|
2006-07-10 12:29:24 +00:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
|
|
|
int dont_count = 0;
|
|
|
|
|
2017-08-23 11:03:39 +00:00
|
|
|
/* If any of these, don't count towards total */
|
|
|
|
switch(entry->rule.listnr) {
|
|
|
|
case AUDIT_FILTER_USER:
|
2018-06-05 15:45:07 +00:00
|
|
|
case AUDIT_FILTER_EXCLUDE:
|
2017-08-23 11:03:39 +00:00
|
|
|
case AUDIT_FILTER_FS:
|
2006-07-10 12:29:24 +00:00
|
|
|
dont_count = 1;
|
2017-08-23 11:03:39 +00:00
|
|
|
}
|
2006-07-10 12:29:24 +00:00
|
|
|
#endif
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
|
|
|
|
mutex_lock(&audit_filter_mutex);
|
2008-12-15 06:50:28 +00:00
|
|
|
e = audit_find_rule(entry, &list);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
if (e) {
|
2009-06-11 18:31:36 +00:00
|
|
|
mutex_unlock(&audit_filter_mutex);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
err = -EEXIST;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
/* normally audit_add_tree_rule() will free it on failure */
|
|
|
|
if (tree)
|
|
|
|
audit_put_tree(tree);
|
2015-08-01 19:41:12 +00:00
|
|
|
return err;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
}
|
2005-12-15 18:33:52 +00:00
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
if (watch) {
|
|
|
|
/* audit_filter_mutex is dropped and re-taken during this call */
|
2009-12-18 01:12:04 +00:00
|
|
|
err = audit_add_watch(&entry->rule, &list);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
if (err) {
|
|
|
|
mutex_unlock(&audit_filter_mutex);
|
2013-07-08 22:59:38 +00:00
|
|
|
/*
|
|
|
|
* normally audit_add_tree_rule() will free it
|
|
|
|
* on failure
|
|
|
|
*/
|
|
|
|
if (tree)
|
|
|
|
audit_put_tree(tree);
|
2015-08-01 19:41:12 +00:00
|
|
|
return err;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
}
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
if (tree) {
|
|
|
|
err = audit_add_tree_rule(&entry->rule);
|
|
|
|
if (err) {
|
|
|
|
mutex_unlock(&audit_filter_mutex);
|
2015-08-01 19:41:12 +00:00
|
|
|
return err;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
}
|
|
|
|
}
|
2005-12-15 18:33:52 +00:00
|
|
|
|
2008-12-15 04:45:27 +00:00
|
|
|
entry->rule.prio = ~0ULL;
|
|
|
|
if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
|
|
|
|
if (entry->rule.flags & AUDIT_FILTER_PREPEND)
|
|
|
|
entry->rule.prio = ++prio_high;
|
|
|
|
else
|
|
|
|
entry->rule.prio = --prio_low;
|
|
|
|
}
|
|
|
|
|
2005-12-15 18:33:52 +00:00
|
|
|
if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
|
2008-12-15 06:17:50 +00:00
|
|
|
list_add(&entry->rule.list,
|
|
|
|
&audit_rules_list[entry->rule.listnr]);
|
2005-12-15 18:33:52 +00:00
|
|
|
list_add_rcu(&entry->list, list);
|
2006-06-02 17:16:01 +00:00
|
|
|
entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
|
2005-12-15 18:33:52 +00:00
|
|
|
} else {
|
2008-12-15 06:17:50 +00:00
|
|
|
list_add_tail(&entry->rule.list,
|
|
|
|
&audit_rules_list[entry->rule.listnr]);
|
2005-12-15 18:33:52 +00:00
|
|
|
list_add_tail_rcu(&entry->list, list);
|
|
|
|
}
|
2006-07-10 12:29:24 +00:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
|
|
|
if (!dont_count)
|
|
|
|
audit_n_rules++;
|
2007-03-29 22:01:04 +00:00
|
|
|
|
|
|
|
if (!audit_match_signal(entry))
|
|
|
|
audit_signals++;
|
2006-07-10 12:29:24 +00:00
|
|
|
#endif
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
mutex_unlock(&audit_filter_mutex);
|
2005-12-15 18:33:52 +00:00
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
return err;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* Remove an existing rule from filterlist. */
|
2015-08-05 20:29:36 +00:00
|
|
|
int audit_del_rule(struct audit_entry *entry)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
|
|
|
struct audit_entry *e;
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
struct audit_tree *tree = entry->rule.tree;
|
2008-12-15 06:50:28 +00:00
|
|
|
struct list_head *list;
|
|
|
|
int ret = 0;
|
2006-07-10 12:29:24 +00:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
|
|
|
int dont_count = 0;
|
|
|
|
|
2017-08-23 11:03:39 +00:00
|
|
|
/* If any of these, don't count towards total */
|
|
|
|
switch(entry->rule.listnr) {
|
|
|
|
case AUDIT_FILTER_USER:
|
2018-06-05 15:45:07 +00:00
|
|
|
case AUDIT_FILTER_EXCLUDE:
|
2017-08-23 11:03:39 +00:00
|
|
|
case AUDIT_FILTER_FS:
|
2006-07-10 12:29:24 +00:00
|
|
|
dont_count = 1;
|
2017-08-23 11:03:39 +00:00
|
|
|
}
|
2006-07-10 12:29:24 +00:00
|
|
|
#endif
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
|
|
|
|
mutex_lock(&audit_filter_mutex);
|
2008-12-15 06:50:28 +00:00
|
|
|
e = audit_find_rule(entry, &list);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
if (!e) {
|
|
|
|
ret = -ENOENT;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2009-06-11 18:31:36 +00:00
|
|
|
if (e->rule.watch)
|
2009-12-18 01:12:05 +00:00
|
|
|
audit_remove_watch_rule(&e->rule);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
if (e->rule.tree)
|
|
|
|
audit_remove_tree_rule(&e->rule);
|
|
|
|
|
2015-08-05 20:29:37 +00:00
|
|
|
if (e->rule.exe)
|
|
|
|
audit_remove_mark_rule(&e->rule);
|
|
|
|
|
2006-07-10 12:29:24 +00:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
|
|
|
if (!dont_count)
|
|
|
|
audit_n_rules--;
|
2007-03-29 22:01:04 +00:00
|
|
|
|
|
|
|
if (!audit_match_signal(entry))
|
|
|
|
audit_signals--;
|
2006-07-10 12:29:24 +00:00
|
|
|
#endif
|
2015-08-05 19:23:09 +00:00
|
|
|
|
|
|
|
list_del_rcu(&e->list);
|
|
|
|
list_del(&e->rule.list);
|
|
|
|
call_rcu(&e->rcu, audit_free_rule_rcu);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
|
|
|
|
out:
|
2015-08-05 19:23:09 +00:00
|
|
|
mutex_unlock(&audit_filter_mutex);
|
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 12:04:18 +00:00
|
|
|
if (tree)
|
|
|
|
audit_put_tree(tree); /* that's the temporary one */
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
|
|
|
|
return ret;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
/* List rules using struct audit_rule_data. */
|
2017-05-02 14:16:05 +00:00
|
|
|
static void audit_list_rules(int seq, struct sk_buff_head *q)
|
2006-02-07 17:05:27 +00:00
|
|
|
{
|
2006-05-22 05:09:24 +00:00
|
|
|
struct sk_buff *skb;
|
2008-12-15 06:17:50 +00:00
|
|
|
struct audit_krule *r;
|
2006-02-07 17:05:27 +00:00
|
|
|
int i;
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* This is a blocking read, so use audit_filter_mutex instead of rcu
|
|
|
|
* iterator to sync with list writers. */
|
2006-02-07 17:05:27 +00:00
|
|
|
for (i=0; i<AUDIT_NR_FILTERS; i++) {
|
2008-12-15 06:17:50 +00:00
|
|
|
list_for_each_entry(r, &audit_rules_list[i], list) {
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
struct audit_rule_data *data;
|
|
|
|
|
2008-12-15 06:17:50 +00:00
|
|
|
data = audit_krule_to_data(r);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
if (unlikely(!data))
|
|
|
|
break;
|
2017-05-02 14:16:05 +00:00
|
|
|
skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
|
|
|
|
data,
|
2013-08-14 15:32:45 +00:00
|
|
|
sizeof(*data) + data->buflen);
|
2006-05-22 05:09:24 +00:00
|
|
|
if (skb)
|
|
|
|
skb_queue_tail(q, skb);
|
2006-02-07 17:05:27 +00:00
|
|
|
kfree(data);
|
|
|
|
}
|
|
|
|
}
|
2017-05-02 14:16:05 +00:00
|
|
|
skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
|
2006-05-22 05:09:24 +00:00
|
|
|
if (skb)
|
|
|
|
skb_queue_tail(q, skb);
|
2006-02-07 17:05:27 +00:00
|
|
|
}
|
|
|
|
|
2006-06-14 22:45:21 +00:00
|
|
|
/* Log rule additions and removals */
|
2013-04-19 17:23:09 +00:00
|
|
|
static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
|
2006-06-14 22:45:21 +00:00
|
|
|
{
|
|
|
|
struct audit_buffer *ab;
|
|
|
|
|
2008-01-07 22:09:31 +00:00
|
|
|
if (!audit_enabled)
|
|
|
|
return;
|
|
|
|
|
2019-01-18 22:42:48 +00:00
|
|
|
ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
|
2006-06-14 22:45:21 +00:00
|
|
|
if (!ab)
|
|
|
|
return;
|
2018-05-18 02:01:48 +00:00
|
|
|
audit_log_session_info(ab);
|
2013-04-19 19:00:33 +00:00
|
|
|
audit_log_task_context(ab);
|
2016-11-16 21:14:33 +00:00
|
|
|
audit_log_format(ab, " op=%s", action);
|
2009-06-11 18:31:37 +00:00
|
|
|
audit_log_key(ab, rule->filterkey);
|
2006-06-14 22:45:21 +00:00
|
|
|
audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
|
|
|
|
audit_log_end(ab);
|
|
|
|
}
|
|
|
|
|
2005-12-15 18:33:52 +00:00
|
|
|
/**
|
2013-11-20 19:01:53 +00:00
|
|
|
* audit_rule_change - apply all rules to the specified message type
|
2005-12-15 18:33:52 +00:00
|
|
|
* @type: audit message type
|
|
|
|
* @seq: netlink audit message sequence (serial) number
|
|
|
|
* @data: payload data
|
2006-02-07 17:05:27 +00:00
|
|
|
* @datasz: size of payload data
|
2005-12-15 18:33:52 +00:00
|
|
|
*/
|
2017-05-02 14:16:05 +00:00
|
|
|
int audit_rule_change(int type, int seq, void *data, size_t datasz)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
2006-02-07 17:05:27 +00:00
|
|
|
int err = 0;
|
|
|
|
struct audit_entry *entry;
|
2005-12-15 18:33:52 +00:00
|
|
|
|
|
|
|
switch (type) {
|
2006-02-07 17:05:27 +00:00
|
|
|
case AUDIT_ADD_RULE:
|
audit: fix a memory leak bug
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
or AUDIT_DEL_RULE.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-04-20 01:49:29 +00:00
|
|
|
entry = audit_data_to_entry(data, datasz);
|
|
|
|
if (IS_ERR(entry))
|
|
|
|
return PTR_ERR(entry);
|
2008-12-15 06:50:28 +00:00
|
|
|
err = audit_add_rule(entry);
|
2014-04-04 05:00:38 +00:00
|
|
|
audit_log_rule_change("add_rule", &entry->rule, !err);
|
2005-12-15 18:33:52 +00:00
|
|
|
break;
|
2006-02-07 17:05:27 +00:00
|
|
|
case AUDIT_DEL_RULE:
|
audit: fix a memory leak bug
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
or AUDIT_DEL_RULE.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-04-20 01:49:29 +00:00
|
|
|
entry = audit_data_to_entry(data, datasz);
|
|
|
|
if (IS_ERR(entry))
|
|
|
|
return PTR_ERR(entry);
|
2008-12-15 06:50:28 +00:00
|
|
|
err = audit_del_rule(entry);
|
2014-04-04 05:00:38 +00:00
|
|
|
audit_log_rule_change("remove_rule", &entry->rule, !err);
|
2005-12-15 18:33:52 +00:00
|
|
|
break;
|
|
|
|
default:
|
2014-10-10 19:05:21 +00:00
|
|
|
WARN_ON(1);
|
audit: fix a memory leak bug
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
or AUDIT_DEL_RULE.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-04-20 01:49:29 +00:00
|
|
|
return -EINVAL;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
|
2015-08-05 20:29:37 +00:00
|
|
|
if (err || type == AUDIT_DEL_RULE) {
|
|
|
|
if (entry->rule.exe)
|
|
|
|
audit_remove_mark(entry->rule.exe);
|
2014-10-03 02:05:19 +00:00
|
|
|
audit_free_rule(entry);
|
2015-08-05 20:29:37 +00:00
|
|
|
}
|
2014-10-03 02:05:19 +00:00
|
|
|
|
2005-12-15 18:33:52 +00:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2013-11-20 19:01:53 +00:00
|
|
|
/**
|
|
|
|
* audit_list_rules_send - list the audit rules
|
2014-03-08 23:31:54 +00:00
|
|
|
* @request_skb: skb of request we are replying to (used to target the reply)
|
2013-11-20 19:01:53 +00:00
|
|
|
* @seq: netlink audit message sequence (serial) number
|
|
|
|
*/
|
2014-03-01 03:44:55 +00:00
|
|
|
int audit_list_rules_send(struct sk_buff *request_skb, int seq)
|
2013-11-20 19:01:53 +00:00
|
|
|
{
|
2014-03-01 03:44:55 +00:00
|
|
|
u32 portid = NETLINK_CB(request_skb).portid;
|
|
|
|
struct net *net = sock_net(NETLINK_CB(request_skb).sk);
|
2013-11-20 19:01:53 +00:00
|
|
|
struct task_struct *tsk;
|
|
|
|
struct audit_netlink_list *dest;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
/* We can't just spew out the rules here because we might fill
|
|
|
|
* the available socket buffer space and deadlock waiting for
|
|
|
|
* auditctl to read from it... which isn't ever going to
|
|
|
|
* happen if we're actually running in the context of auditctl
|
|
|
|
* trying to _send_ the stuff */
|
|
|
|
|
|
|
|
dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
|
|
|
|
if (!dest)
|
|
|
|
return -ENOMEM;
|
2014-03-01 03:44:55 +00:00
|
|
|
dest->net = get_net(net);
|
2013-11-20 19:01:53 +00:00
|
|
|
dest->portid = portid;
|
|
|
|
skb_queue_head_init(&dest->q);
|
|
|
|
|
|
|
|
mutex_lock(&audit_filter_mutex);
|
2017-05-02 14:16:05 +00:00
|
|
|
audit_list_rules(seq, &dest->q);
|
2013-11-20 19:01:53 +00:00
|
|
|
mutex_unlock(&audit_filter_mutex);
|
|
|
|
|
|
|
|
tsk = kthread_run(audit_send_list, dest, "audit_send_list");
|
|
|
|
if (IS_ERR(tsk)) {
|
|
|
|
skb_queue_purge(&dest->q);
|
|
|
|
kfree(dest);
|
|
|
|
err = PTR_ERR(tsk);
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2008-12-16 10:59:26 +00:00
|
|
|
int audit_comparator(u32 left, u32 op, u32 right)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
|
|
|
switch (op) {
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_equal:
|
2005-12-15 18:33:52 +00:00
|
|
|
return (left == right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_not_equal:
|
2005-12-15 18:33:52 +00:00
|
|
|
return (left != right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_lt:
|
2005-12-15 18:33:52 +00:00
|
|
|
return (left < right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_le:
|
2005-12-15 18:33:52 +00:00
|
|
|
return (left <= right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_gt:
|
2005-12-15 18:33:52 +00:00
|
|
|
return (left > right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_ge:
|
2005-12-15 18:33:52 +00:00
|
|
|
return (left >= right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_bitmask:
|
2007-06-04 21:00:14 +00:00
|
|
|
return (left & right);
|
2008-12-16 10:59:26 +00:00
|
|
|
case Audit_bittest:
|
2007-06-04 21:00:14 +00:00
|
|
|
return ((left & right) == right);
|
2008-12-16 10:59:26 +00:00
|
|
|
default:
|
|
|
|
return 0;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-09-11 09:18:08 +00:00
|
|
|
int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
|
|
|
|
{
|
|
|
|
switch (op) {
|
|
|
|
case Audit_equal:
|
|
|
|
return uid_eq(left, right);
|
|
|
|
case Audit_not_equal:
|
|
|
|
return !uid_eq(left, right);
|
|
|
|
case Audit_lt:
|
|
|
|
return uid_lt(left, right);
|
|
|
|
case Audit_le:
|
|
|
|
return uid_lte(left, right);
|
|
|
|
case Audit_gt:
|
|
|
|
return uid_gt(left, right);
|
|
|
|
case Audit_ge:
|
|
|
|
return uid_gte(left, right);
|
|
|
|
case Audit_bitmask:
|
|
|
|
case Audit_bittest:
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
|
|
|
|
{
|
|
|
|
switch (op) {
|
|
|
|
case Audit_equal:
|
|
|
|
return gid_eq(left, right);
|
|
|
|
case Audit_not_equal:
|
|
|
|
return !gid_eq(left, right);
|
|
|
|
case Audit_lt:
|
|
|
|
return gid_lt(left, right);
|
|
|
|
case Audit_le:
|
|
|
|
return gid_lte(left, right);
|
|
|
|
case Audit_gt:
|
|
|
|
return gid_gt(left, right);
|
|
|
|
case Audit_ge:
|
|
|
|
return gid_gte(left, right);
|
|
|
|
case Audit_bitmask:
|
|
|
|
case Audit_bittest:
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-10-10 19:25:23 +00:00
|
|
|
/**
|
|
|
|
* parent_len - find the length of the parent portion of a pathname
|
|
|
|
* @path: pathname of which to determine length
|
|
|
|
*/
|
|
|
|
int parent_len(const char *path)
|
|
|
|
{
|
|
|
|
int plen;
|
|
|
|
const char *p;
|
|
|
|
|
|
|
|
plen = strlen(path);
|
|
|
|
|
|
|
|
if (plen == 0)
|
|
|
|
return plen;
|
|
|
|
|
|
|
|
/* disregard trailing slashes */
|
|
|
|
p = path + plen - 1;
|
|
|
|
while ((*p == '/') && (p > path))
|
|
|
|
p--;
|
|
|
|
|
|
|
|
/* walk backward until we find the next slash or hit beginning */
|
|
|
|
while ((*p != '/') && (p > path))
|
|
|
|
p--;
|
|
|
|
|
|
|
|
/* did we find a slash? Then increment to include it in path */
|
|
|
|
if (*p == '/')
|
|
|
|
p++;
|
|
|
|
|
|
|
|
return p - path;
|
|
|
|
}
|
|
|
|
|
2012-10-10 19:25:25 +00:00
|
|
|
/**
|
|
|
|
* audit_compare_dname_path - compare given dentry name with last component in
|
|
|
|
* given path. Return of 0 indicates a match.
|
|
|
|
* @dname: dentry name that we're comparing
|
|
|
|
* @path: full pathname that we're comparing
|
|
|
|
* @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL
|
|
|
|
* here indicates that we must compute this value.
|
|
|
|
*/
|
2019-04-26 18:11:05 +00:00
|
|
|
int audit_compare_dname_path(const struct qstr *dname, const char *path, int parentlen)
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
{
|
2012-10-10 19:25:25 +00:00
|
|
|
int dlen, pathlen;
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
const char *p;
|
|
|
|
|
2019-04-26 18:11:05 +00:00
|
|
|
dlen = dname->len;
|
2012-10-10 19:25:24 +00:00
|
|
|
pathlen = strlen(path);
|
|
|
|
if (pathlen < dlen)
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
return 1;
|
|
|
|
|
2012-10-10 19:25:25 +00:00
|
|
|
parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
|
2012-10-10 19:25:24 +00:00
|
|
|
if (pathlen - parentlen != dlen)
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
return 1;
|
2012-10-10 19:25:24 +00:00
|
|
|
|
|
|
|
p = path + parentlen;
|
2005-12-15 18:33:52 +00:00
|
|
|
|
2019-04-26 18:11:05 +00:00
|
|
|
return strncmp(p, dname->name, dlen);
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
}
|
2005-12-15 18:33:52 +00:00
|
|
|
|
2016-06-24 20:35:46 +00:00
|
|
|
int audit_filter(int msgtype, unsigned int listtype)
|
2005-12-15 18:33:52 +00:00
|
|
|
{
|
|
|
|
struct audit_entry *e;
|
2016-06-24 20:35:46 +00:00
|
|
|
int ret = 1; /* Audit by default */
|
2007-10-18 10:06:06 +00:00
|
|
|
|
2005-12-15 18:33:52 +00:00
|
|
|
rcu_read_lock();
|
2016-06-24 20:35:46 +00:00
|
|
|
list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
|
|
|
|
int i, result = 0;
|
2005-12-15 18:33:52 +00:00
|
|
|
|
2006-02-07 17:05:27 +00:00
|
|
|
for (i = 0; i < e->rule.field_count; i++) {
|
|
|
|
struct audit_field *f = &e->rule.fields[i];
|
2016-06-24 20:35:46 +00:00
|
|
|
pid_t pid;
|
|
|
|
u32 sid;
|
|
|
|
|
|
|
|
switch (f->type) {
|
|
|
|
case AUDIT_PID:
|
|
|
|
pid = task_pid_nr(current);
|
|
|
|
result = audit_comparator(pid, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_UID:
|
|
|
|
result = audit_uid_comparator(current_uid(), f->op, f->uid);
|
|
|
|
break;
|
|
|
|
case AUDIT_GID:
|
|
|
|
result = audit_gid_comparator(current_gid(), f->op, f->gid);
|
|
|
|
break;
|
|
|
|
case AUDIT_LOGINUID:
|
|
|
|
result = audit_uid_comparator(audit_get_loginuid(current),
|
|
|
|
f->op, f->uid);
|
|
|
|
break;
|
|
|
|
case AUDIT_LOGINUID_SET:
|
|
|
|
result = audit_comparator(audit_loginuid_set(current),
|
|
|
|
f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_MSGTYPE:
|
|
|
|
result = audit_comparator(msgtype, f->op, f->val);
|
|
|
|
break;
|
|
|
|
case AUDIT_SUBJ_USER:
|
|
|
|
case AUDIT_SUBJ_ROLE:
|
|
|
|
case AUDIT_SUBJ_TYPE:
|
|
|
|
case AUDIT_SUBJ_SEN:
|
|
|
|
case AUDIT_SUBJ_CLR:
|
|
|
|
if (f->lsm_rule) {
|
|
|
|
security_task_getsecid(current, &sid);
|
|
|
|
result = security_audit_rule_match(sid,
|
2019-01-31 16:52:11 +00:00
|
|
|
f->type, f->op, f->lsm_rule);
|
2016-06-24 20:35:46 +00:00
|
|
|
}
|
|
|
|
break;
|
2018-05-30 08:45:24 +00:00
|
|
|
case AUDIT_EXE:
|
|
|
|
result = audit_exe_compare(current, e->rule.exe);
|
|
|
|
if (f->op == Audit_not_equal)
|
|
|
|
result = !result;
|
|
|
|
break;
|
2016-06-24 20:35:46 +00:00
|
|
|
default:
|
|
|
|
goto unlock_and_return;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
2016-06-24 20:35:46 +00:00
|
|
|
if (result < 0) /* error */
|
|
|
|
goto unlock_and_return;
|
|
|
|
if (!result)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (result > 0) {
|
2018-06-05 15:45:07 +00:00
|
|
|
if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE)
|
2016-06-24 20:35:46 +00:00
|
|
|
ret = 0;
|
|
|
|
break;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
unlock_and_return:
|
|
|
|
rcu_read_unlock();
|
2016-06-24 20:35:46 +00:00
|
|
|
return ret;
|
2005-12-15 18:33:52 +00:00
|
|
|
}
|
2006-03-11 00:14:06 +00:00
|
|
|
|
2008-12-15 06:17:50 +00:00
|
|
|
static int update_lsm_rule(struct audit_krule *r)
|
2008-12-14 17:04:02 +00:00
|
|
|
{
|
2008-12-15 06:17:50 +00:00
|
|
|
struct audit_entry *entry = container_of(r, struct audit_entry, rule);
|
2008-12-14 17:04:02 +00:00
|
|
|
struct audit_entry *nentry;
|
|
|
|
int err = 0;
|
|
|
|
|
2008-12-15 06:17:50 +00:00
|
|
|
if (!security_audit_rule_known(r))
|
2008-12-14 17:04:02 +00:00
|
|
|
return 0;
|
|
|
|
|
2009-12-18 01:12:04 +00:00
|
|
|
nentry = audit_dupe_rule(r);
|
2015-08-05 20:29:37 +00:00
|
|
|
if (entry->rule.exe)
|
|
|
|
audit_remove_mark(entry->rule.exe);
|
2008-12-14 17:04:02 +00:00
|
|
|
if (IS_ERR(nentry)) {
|
|
|
|
/* save the first error encountered for the
|
|
|
|
* return value */
|
|
|
|
err = PTR_ERR(nentry);
|
|
|
|
audit_panic("error updating LSM filters");
|
2009-12-18 01:12:04 +00:00
|
|
|
if (r->watch)
|
2008-12-15 06:17:50 +00:00
|
|
|
list_del(&r->rlist);
|
2008-12-14 17:04:02 +00:00
|
|
|
list_del_rcu(&entry->list);
|
2008-12-15 06:17:50 +00:00
|
|
|
list_del(&r->list);
|
2008-12-14 17:04:02 +00:00
|
|
|
} else {
|
2009-12-18 01:12:04 +00:00
|
|
|
if (r->watch || r->tree)
|
2008-12-15 06:17:50 +00:00
|
|
|
list_replace_init(&r->rlist, &nentry->rule.rlist);
|
2008-12-14 17:04:02 +00:00
|
|
|
list_replace_rcu(&entry->list, &nentry->list);
|
2008-12-15 06:17:50 +00:00
|
|
|
list_replace(&r->list, &nentry->rule.list);
|
2008-12-14 17:04:02 +00:00
|
|
|
}
|
|
|
|
call_rcu(&entry->rcu, audit_free_rule_rcu);
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2008-04-18 23:59:43 +00:00
|
|
|
/* This function will re-initialize the lsm_rule field of all applicable rules.
|
2008-03-01 20:01:11 +00:00
|
|
|
* It will traverse the filter lists serarching for rules that contain LSM
|
2006-03-11 00:14:06 +00:00
|
|
|
* specific filter fields. When such a rule is found, it is copied, the
|
2008-03-01 20:01:11 +00:00
|
|
|
* LSM field is re-initialized, and the old rule is replaced with the
|
2006-03-11 00:14:06 +00:00
|
|
|
* updated rule. */
|
2008-03-01 20:01:11 +00:00
|
|
|
int audit_update_lsm_rules(void)
|
2006-03-11 00:14:06 +00:00
|
|
|
{
|
2008-12-15 06:17:50 +00:00
|
|
|
struct audit_krule *r, *n;
|
2006-03-11 00:14:06 +00:00
|
|
|
int i, err = 0;
|
|
|
|
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
/* audit_filter_mutex synchronizes the writers */
|
|
|
|
mutex_lock(&audit_filter_mutex);
|
2006-03-11 00:14:06 +00:00
|
|
|
|
|
|
|
for (i = 0; i < AUDIT_NR_FILTERS; i++) {
|
2008-12-15 06:17:50 +00:00
|
|
|
list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
|
|
|
|
int res = update_lsm_rule(r);
|
2008-12-14 17:04:02 +00:00
|
|
|
if (!err)
|
|
|
|
err = res;
|
2006-03-11 00:14:06 +00:00
|
|
|
}
|
|
|
|
}
|
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-07 20:55:56 +00:00
|
|
|
mutex_unlock(&audit_filter_mutex);
|
2006-03-11 00:14:06 +00:00
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|