Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:
"This pull request is a bit early, but with some vacation time coming
up I wanted to send this out now just in case the remote Internet Gods
decide not to smile on me once the merge window opens. The patchset
for v5.3 is pretty minor this time, the highlights include:

- When the audit daemon is sent a signal, ensure we deliver
information about the sender even when syscall auditing is not
enabled/supported.

- Add the ability to filter audit records based on network address
family.

- Tighten the audit field filtering restrictions on string based
fields.

- Cleanup the audit field filtering verification code.

- Remove a few BUG() calls from the audit code"

* tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: remove the BUG() calls in the audit rule comparison functions
audit: enforce op for string fields
audit: add saddr_fam filter field
audit: re-structure audit field valid checks
audit: deliver signal_info regarless of syscall

+105 -46
+9
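--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,6 +182,9 @@
 }
 
 extern u32 audit_enabled;
+
+extern int audit_signal_info(int sig, struct task_struct *t);
+
 #else /* CONFIG_AUDIT */
 static inline __printf(4, 5)
 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
@@ -238,6 +235,12 @@
 }
 
 #define audit_enabled AUDIT_OFF
+
+static inline int audit_signal_info(int sig, struct task_struct *t)
+{
+return 0;
+}
+
 #endif /* CONFIG_AUDIT */
 
 #ifdef CONFIG_AUDIT_COMPAT_GENERIC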
+1
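--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -281,7 +281,8 @@
 #define AUDIT_OBJ_GID 110
 #define AUDIT_FIELD_COMPARE 111
 #define AUDIT_EXE 112
+#define AUDIT_SADDR_FAM 113
 
 #define AUDIT_ARG0 200
 #define AUDIT_ARG1 (AUDIT_ARG0+1)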
+27
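--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2261,6 +2261,33 @@
 }
 
 /**
+* audit_signal_info - record signal info for shutting down audit subsystem
+* @sig: signal value
+* @t: task being signaled
+*
+* If the audit subsystem is being terminated, record the task (pid)
+* and uid that is doing that.
+*/
+int audit_signal_info(int sig, struct task_struct *t)
+{
+kuid_t uid = current_uid(), auid;
+
+if (auditd_test_task(t) &&
+(sig == SIGTERM || sig == SIGHUP ||
+sig == SIGUSR1 || sig == SIGUSR2)) {
+audit_sig_pid = task_tgid_nr(current);
+auid = audit_get_loginuid(current);
+if (uid_valid(auid))
+audit_sig_uid = auid;
+else
+audit_sig_uid = uid;
+security_task_getsecid(current, &audit_sig_sid);
+}
+
+return audit_signal_info_syscall(t);
+}
+
+/**
 * audit_log_end - end one audit record
 * @ab: the audit_buffer
 *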
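Review bot: The kernel-doc on the new audit_signal_info() describes @sig only as "signal value" and has no Return: line, although the function unconditionally ends in `return audit_signal_info_syscall(t);` and only the auditd_test_task() branch records anything. I would extend the header with `@sig: signal value; only SIGTERM, SIGHUP, SIGUSR1 and SIGUSR2 sent to the audit daemon are recorded` and `Return: the result of audit_signal_info_syscall()`. As a point of style, `kuid_t uid = current_uid(), auid;` fetches the current uid on every call, presumably every signal delivery now that kernel/signal.c includes linux/audit.h, even though uid is only read inside that branch; declaring both locals inside the branch keeps the common path free of the lookup and makes auid's scope obvious.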
+6 -2
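--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -286,7 +286,7 @@
 extern void audit_put_tree(struct audit_tree *tree);
 extern void audit_kill_trees(struct audit_context *context);
 
-extern int audit_signal_info(int sig, struct task_struct *t);
+extern int audit_signal_info_syscall(struct task_struct *t);
 extern void audit_filter_inodes(struct task_struct *tsk,
 struct audit_context *ctx);
 extern struct list_head *audit_killed_trees(void);
@@ -317,7 +317,11 @@
 #define audit_tree_path(rule) "" /* never called */
 #define audit_kill_trees(context) BUG()
 
-#define audit_signal_info(s, t) AUDIT_DISABLED
+static inline int audit_signal_info_syscall(struct task_struct *t)
+{
+return 0;
+}
+
 #define audit_filter_inodes(t, c) AUDIT_DISABLED
 #endif /* CONFIG_AUDITSYSCALL */
 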
+38 -24
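--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -322,7 +322,7 @@
 /* check if an audit field is valid */
 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 {
-switch(f->type) {
+switch (f->type) {
 case AUDIT_MSGTYPE:
 if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
 entry->rule.listnr != AUDIT_FILTER_USER)
@@ -334,7 +334,7 @@
 break;
 }
 
-switch(entry->rule.listnr) {
+switch (entry->rule.listnr) {
 case AUDIT_FILTER_FS:
 switch(f->type) {
 case AUDIT_FSTYPE:
@@ -345,9 +345,16 @@
 }
 }
 
-switch(f->type) {
-default:
-return -EINVAL;
+/* Check for valid field type and op */
+switch (f->type) {
+case AUDIT_ARG0:
+case AUDIT_ARG1:
+case AUDIT_ARG2:
+case AUDIT_ARG3:
+case AUDIT_PERS: /* <uapi/linux/personality.h> */
+case AUDIT_DEVMINOR:
+/* all ops are valid */
+break;
 case AUDIT_UID:
 case AUDIT_EUID:
 case AUDIT_SUID:
@@ -367,44 +360,51 @@
 case AUDIT_FSGID:
 case AUDIT_OBJ_GID:
 case AUDIT_PID:
-case AUDIT_PERS:
 case AUDIT_MSGTYPE:
 case AUDIT_PPID:
 case AUDIT_DEVMAJOR:
-case AUDIT_DEVMINOR:
 case AUDIT_EXIT:
 case AUDIT_SUCCESS:
 case AUDIT_INODE:
 case AUDIT_SESSIONID:
+case AUDIT_SUBJ_SEN:
+case AUDIT_SUBJ_CLR:
+case AUDIT_OBJ_LEV_LOW:
+case AUDIT_OBJ_LEV_HIGH:
+case AUDIT_SADDR_FAM:
 /* bit ops are only useful on syscall args */
 if (f->op == Audit_bitmask || f->op == Audit_bittest)
 return -EINVAL;
 break;
-case AUDIT_ARG0:
-case AUDIT_ARG1:
-case AUDIT_ARG2:
-case AUDIT_ARG3:
 case AUDIT_SUBJ_USER:
 case AUDIT_SUBJ_ROLE:
 case AUDIT_SUBJ_TYPE:
-case AUDIT_SUBJ_SEN:
-case AUDIT_SUBJ_CLR:
 case AUDIT_OBJ_USER:
 case AUDIT_OBJ_ROLE:
 case AUDIT_OBJ_TYPE:
-case AUDIT_OBJ_LEV_LOW:
-case AUDIT_OBJ_LEV_HIGH:
 case AUDIT_WATCH:
 case AUDIT_DIR:
 case AUDIT_FILTERKEY:
-break;
 case AUDIT_LOGINUID_SET:
-if ((f->val != 0) && (f->val != 1))
-return -EINVAL;
-/* FALL THROUGH */
 case AUDIT_ARCH:
 case AUDIT_FSTYPE:
+case AUDIT_PERM:
+case AUDIT_FILETYPE:
+case AUDIT_FIELD_COMPARE:
+case AUDIT_EXE:
+/* only equal and not equal valid ops */
 if (f->op != Audit_not_equal && f->op != Audit_equal)
+return -EINVAL;
+break;
+default:
+/* field not recognized */
+return -EINVAL;
+}
+
+/* Check for select valid field values */
+switch (f->type) {
+case AUDIT_LOGINUID_SET:
+if ((f->val != 0) && (f->val != 1))
 return -EINVAL;
 break;
 case AUDIT_PERM:
@@ -426,11 +412,14 @@
 if (f->val > AUDIT_MAX_FIELD_COMPARE)
 return -EINVAL;
 break;
-case AUDIT_EXE:
-if (f->op != Audit_not_equal && f->op != Audit_equal)
+case AUDIT_SADDR_FAM:
+if (f->val >= AF_MAX)
 return -EINVAL;
 break;
+default:
+break;
 }
+
 return 0;
 }
 
@@ -1207,7 +1190,6 @@
 case Audit_bittest:
 return ((left & right) == right);
 default:
-BUG();
 return 0;
 }
 }
@@ -1229,7 +1213,6 @@
 case Audit_bitmask:
 case Audit_bittest:
 default:
-BUG();
 return 0;
 }
 }
@@ -1251,7 +1236,6 @@
 case Audit_bitmask:
 case Audit_bittest:
 default:
-BUG();
 return 0;
 }
 }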
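Review bot: In the new op-validation switch of audit_field_valid(), AUDIT_DEVMINOR is moved into the "all ops are valid" group while AUDIT_DEVMAJOR stays in the group that rejects Audit_bitmask and Audit_bittest, so a rule may bit-test the minor number but not the major; I cannot tell from the hunk whether that asymmetry is deliberate, so please confirm and, if it is, record it next to `case AUDIT_DEVMINOR:` with a comment such as `/* unlike AUDIT_DEVMAJOR, bit ops are accepted here */`. The three `BUG()` removals leave `default: return 0;` in the comparators, which now silently treats an unrecognized op as a non-match; a comment like `/* unknown op: never matches; ops are validated when the rule is installed */` would document why that is acceptable, assuming audit_field_valid() is the only path that admits an op. The nested `switch(f->type) {` under `case AUDIT_FILTER_FS:` still lacks the space this change adds to the two outer switches, but it is a context line here and would need a follow-up. The three comparator functions begin outside their hunks.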
+23 -19
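--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -601,12 +601,20 @@
 }
 break;
 case AUDIT_WATCH:
-if (name)
-result = audit_watch_compare(rule->watch, name->ino, name->dev);
+if (name) {
+result = audit_watch_compare(rule->watch,
+name->ino,
+name->dev);
+if (f->op == Audit_not_equal)
+result = !result;
+}
 break;
 case AUDIT_DIR:
-if (ctx)
+if (ctx) {
 result = match_tree_refs(ctx, rule->tree);
+if (f->op == Audit_not_equal)
+result = !result;
+}
 break;
 case AUDIT_LOGINUID:
 result = audit_uid_comparator(audit_get_loginuid(tsk),
@@ -622,6 +614,11 @@
 break;
 case AUDIT_LOGINUID_SET:
 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
+break;
+case AUDIT_SADDR_FAM:
+if (ctx->sockaddr)
+result = audit_comparator(ctx->sockaddr->ss_family,
+f->op, f->val);
 break;
 case AUDIT_SUBJ_USER:
 case AUDIT_SUBJ_ROLE:
@@ -697,9 +684,13 @@
 break;
 case AUDIT_PERM:
 result = audit_match_perm(ctx, f->val);
+if (f->op == Audit_not_equal)
+result = !result;
 break;
 case AUDIT_FILETYPE:
 result = audit_match_filetype(ctx, f->val);
+if (f->op == Audit_not_equal)
+result = !result;
 break;
 case AUDIT_FIELD_COMPARE:
 result = audit_field_compare(tsk, cred, f, ctx, name);
@@ -2377,30 +2360,17 @@
 }
 
 /**
-* audit_signal_info - record signal info for shutting down audit subsystem
-* @sig: signal value
+* audit_signal_info_syscall - record signal info for syscalls
 * @t: task being signaled
 *
 * If the audit subsystem is being terminated, record the task (pid)
 * and uid that is doing that.
 */
-int audit_signal_info(int sig, struct task_struct *t)
+int audit_signal_info_syscall(struct task_struct *t)
 {
 struct audit_aux_data_pids *axp;
 struct audit_context *ctx = audit_context();
-kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
-
-if (auditd_test_task(t) &&
-(sig == SIGTERM || sig == SIGHUP ||
-sig == SIGUSR1 || sig == SIGUSR2)) {
-audit_sig_pid = task_tgid_nr(current);
-auid = audit_get_loginuid(current);
-if (uid_valid(auid))
-audit_sig_uid = auid;
-else
-audit_sig_uid = uid;
-security_task_getsecid(current, &audit_sig_sid);
-}
+kuid_t t_uid = task_uid(t);
 
 if (!audit_signals || audit_dummy_context())
 return 0;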
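Review bot: The new `case AUDIT_SADDR_FAM:` dereferences `ctx->sockaddr` without checking `ctx`, while the AUDIT_DIR case rewritten in the same hunk guards with `if (ctx) {`; if audit_filter_rules() can be entered with a NULL ctx, as that guard and the `if (name)` check suggest, an installed rule using the new field would hit a NULL dereference, so the test should read `if (ctx && ctx->sockaddr)`. The kernel-doc of audit_signal_info_syscall() keeps the sentence "If the audit subsystem is being terminated, record the task (pid) and uid that is doing that." although this change moves exactly that logic out of the function; the description should instead describe the audit_aux_data_pids bookkeeping that remains, whose body continues outside the hunk. The enclosing audit_filter_rules() starts before the first hunk.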
+1 -1
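--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -45,6 +45,7 @@
 #include <linux/posix-timers.h>
 #include <linux/livepatch.h>
 #include <linux/cgroup.h>
+#include <linux/audit.h>
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/signal.h>
@@ -55,6 +54,5 @@
 #include <asm/unistd.h>
 #include <asm/siginfo.h>
 #include <asm/cacheflush.h>
-#include "audit.h" /* audit_signal_info() */
 
 /*
 * SLAB caches for signal bits.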