From 510f4006e7a82b37b53c17bbe64ec20f3a59302b Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Tue, 13 Feb 2007 14:14:41 -0500 Subject: [PATCH] audit inode for all xattr syscalls Collect inode info for the remaining xattr syscalls that operate on a file descriptor. These don't call a path_lookup variant, so they aren't covered by the general audit hook. Signed-off-by: Amy Griffis Signed-off-by: Al Viro --- fs/xattr.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'fs') diff --git a/fs/xattr.c b/fs/xattr.c index 9f4568b55b0f..4523aca79659 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -350,6 +350,7 @@ sys_fgetxattr(int fd, char __user *name, void __user *value, size_t size) f = fget(fd); if (!f) return error; + audit_inode(NULL, f->f_path.dentry->d_inode); error = getxattr(f->f_path.dentry, name, value, size); fput(f); return error; @@ -422,6 +423,7 @@ sys_flistxattr(int fd, char __user *list, size_t size) f = fget(fd); if (!f) return error; + audit_inode(NULL, f->f_path.dentry->d_inode); error = listxattr(f->f_path.dentry, list, size); fput(f); return error; -- cgit v1.2.3 From 4fc03b9beb2314f3adb9e72b7935a80c577954d1 Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Tue, 13 Feb 2007 14:15:01 -0500 Subject: [PATCH] complete message queue auditing Handle the edge cases for POSIX message queue auditing. Collect inode info when opening an existing mq, and for send/receive operations. Remove audit_inode_update() as it has really evolved into the equivalent of audit_inode(). Signed-off-by: Amy Griffis Signed-off-by: Al Viro --- fs/namei.c | 2 +- include/linux/audit.h | 7 ------- ipc/mqueue.c | 4 ++++ kernel/auditsc.c | 27 --------------------------- 4 files changed, 5 insertions(+), 35 deletions(-) (limited to 'fs') diff --git a/fs/namei.c b/fs/namei.c index b3780e3fc88e..5e2d98d10c5d 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1719,7 +1719,7 @@ do_last: * It already exists. */ mutex_unlock(&dir->d_inode->i_mutex); - audit_inode_update(path.dentry->d_inode); + audit_inode(pathname, path.dentry->d_inode); error = -EEXIST; if (flag & O_EXCL) diff --git a/include/linux/audit.h b/include/linux/audit.h index fde0f1420cd2..22976ddbd264 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -355,7 +355,6 @@ extern void audit_putname(const char *name); extern void __audit_inode(const char *name, const struct inode *inode); extern void __audit_inode_child(const char *dname, const struct inode *inode, const struct inode *parent); -extern void __audit_inode_update(const struct inode *inode); extern void __audit_ptrace(struct task_struct *t); static inline int audit_dummy_context(void) @@ -378,10 +377,6 @@ static inline void audit_inode_child(const char *dname, if (unlikely(!audit_dummy_context())) __audit_inode_child(dname, inode, parent); } -static inline void audit_inode_update(const struct inode *inode) { - if (unlikely(!audit_dummy_context())) - __audit_inode_update(inode); -} static inline void audit_ptrace(struct task_struct *t) { @@ -470,10 +465,8 @@ extern int audit_signals; #define audit_putname(n) do { ; } while (0) #define __audit_inode(n,i) do { ; } while (0) #define __audit_inode_child(d,i,p) do { ; } while (0) -#define __audit_inode_update(i) do { ; } while (0) #define audit_inode(n,i) do { ; } while (0) #define audit_inode_child(d,i,p) do { ; } while (0) -#define audit_inode_update(i) do { ; } while (0) #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_log_task_context(b) do { ; } while (0) diff --git a/ipc/mqueue.c b/ipc/mqueue.c index d17821d3f483..fab5707cb5f7 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -681,6 +681,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode, if (oflag & O_CREAT) { if (dentry->d_inode) { /* entry already exists */ + audit_inode(name, dentry->d_inode); error = -EEXIST; if (oflag & O_EXCL) goto out; @@ -693,6 +694,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode, error = -ENOENT; if (!dentry->d_inode) goto out; + audit_inode(name, dentry->d_inode); filp = do_open(dentry, oflag); } @@ -840,6 +842,7 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr, if (unlikely(filp->f_op != &mqueue_file_operations)) goto out_fput; info = MQUEUE_I(inode); + audit_inode(NULL, inode); if (unlikely(!(filp->f_mode & FMODE_WRITE))) goto out_fput; @@ -923,6 +926,7 @@ asmlinkage ssize_t sys_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr, if (unlikely(filp->f_op != &mqueue_file_operations)) goto out_fput; info = MQUEUE_I(inode); + audit_inode(NULL, inode); if (unlikely(!(filp->f_mode & FMODE_READ))) goto out_fput; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 41d129a78793..25d890e997f2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1475,33 +1475,6 @@ update_context: } } -/** - * audit_inode_update - update inode info for last collected name - * @inode: inode being audited - * - * When open() is called on an existing object with the O_CREAT flag, the inode - * data audit initially collects is incorrect. This additional hook ensures - * audit has the inode data for the actual object to be opened. - */ -void __audit_inode_update(const struct inode *inode) -{ - struct audit_context *context = current->audit_context; - int idx; - - if (!context->in_syscall || !inode) - return; - - if (context->name_count == 0) { - context->name_count++; -#if AUDIT_DEBUG - context->ino_count++; -#endif - } - idx = context->name_count - 1; - - audit_copy_inode(&context->names[idx], inode); -} - /** * auditsc_get_stamp - get local copies of audit_context values * @ctx: audit_context for the task -- cgit v1.2.3 From 0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Thu, 19 Apr 2007 10:28:21 -0400 Subject: [PATCH] Abnormal End of Processes Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system. Signed-off-by: Steve Grubb Signed-off-by: Al Viro --- fs/exec.c | 2 ++ include/linux/audit.h | 3 +++ kernel/auditsc.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 44 insertions(+) (limited to 'fs') diff --git a/fs/exec.c b/fs/exec.c index 1ba85c7fc6af..7cf078ec758e 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1488,6 +1488,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) int flag = 0; int ispipe = 0; + audit_core_dumps(signr); + binfmt = current->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; diff --git a/include/linux/audit.h b/include/linux/audit.h index 22976ddbd264..fccc6e50298a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -112,6 +112,7 @@ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ +#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ @@ -377,6 +378,7 @@ static inline void audit_inode_child(const char *dname, if (unlikely(!audit_dummy_context())) __audit_inode_child(dname, inode, parent); } +void audit_core_dumps(long signr); static inline void audit_ptrace(struct task_struct *t) { @@ -467,6 +469,7 @@ extern int audit_signals; #define __audit_inode_child(d,i,p) do { ; } while (0) #define audit_inode(n,i) do { ; } while (0) #define audit_inode_child(d,i,p) do { ; } while (0) +#define audit_core_dumps(i) do { ; } while (0) #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_log_task_context(b) do { ; } while (0) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 5276b7ef05f1..e36481ed61b4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2037,3 +2037,42 @@ int __audit_signal_info(int sig, struct task_struct *t) return 0; } + +/** + * audit_core_dumps - record information about processes that end abnormally + * @sig: signal value + * + * If a process ends with a core dump, something fishy is going on and we + * should record the event for investigation. + */ +void audit_core_dumps(long signr) +{ + struct audit_buffer *ab; + u32 sid; + + if (!audit_enabled) + return; + + if (signr == SIGQUIT) /* don't care for those */ + return; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); + audit_log_format(ab, "auid=%u uid=%u gid=%u", + audit_get_loginuid(current->audit_context), + current->uid, current->gid); + selinux_get_task_sid(current, &sid); + if (sid) { + char *ctx = NULL; + u32 len; + + if (selinux_sid_to_string(sid, &ctx, &len)) + audit_log_format(ab, " ssid=%u", sid); + else + audit_log_format(ab, " subj=%s", ctx); + kfree(ctx); + } + audit_log_format(ab, " pid=%d comm=", current->pid); + audit_log_untrustedstring(ab, current->comm); + audit_log_format(ab, " sig=%ld", signr); + audit_log_end(ab); +} -- cgit v1.2.3