author | Richard Guy Briggs <rgb@redhat.com> | 2019-01-18 17:42:48 -0500 |
committer | Paul Moore <paul@paul-moore.com> | 2019-01-18 17:53:29 -0500 |
commit | 626abcd13d4ea2b67be3249a250046cf713f532a (patch) | |
tree | 750412eb20cc016e7312d66a696be0af4b5130fc /kernel/audit.c | |
parent | 9e36a5d49c3a6fc4a2e0ba2dc11b27c4a8ae6303 (diff) |
audit: add syscall information to CONFIG_CHANGE records
Tie syscall information to all CONFIG_CHANGE calls since they are all a
result of user actions.
Exclude user records from syscall context:
Since the function audit_log_common_recv_msg() is shared by a number of
AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types,
and since the AUDIT_CONFIG_CHANGE message type has been converted to a
syscall accompanied record type, special-case the AUDIT_USER_* range of
messages so they remain standalone records.
See: https://github.com/linux-audit/audit-kernel/issues/59
See: https://github.com/linux-audit/audit-kernel/issues/50
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fix line lengths in kernel/audit.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'kernel/audit.c')
-rw-r--r-- | kernel/audit.c | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index d412fb4ae6d5..c2a7662cc254 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -396,7 +396,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, | |||
396 | struct audit_buffer *ab; | 396 | struct audit_buffer *ab; |
397 | int rc = 0; | 397 | int rc = 0; |
398 | 398 | ||
399 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 399 | ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
400 | if (unlikely(!ab)) | 400 | if (unlikely(!ab)) |
401 | return rc; | 401 | return rc; |
402 | audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old); | 402 | audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old); |
@@ -1053,7 +1053,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
1053 | return err; | 1053 | return err; |
1054 | } | 1054 | } |
1055 | 1055 | ||
1056 | static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | 1056 | static void audit_log_common_recv_msg(struct audit_context *context, |
1057 | struct audit_buffer **ab, u16 msg_type) | ||
1057 | { | 1058 | { |
1058 | uid_t uid = from_kuid(&init_user_ns, current_uid()); | 1059 | uid_t uid = from_kuid(&init_user_ns, current_uid()); |
1059 | pid_t pid = task_tgid_nr(current); | 1060 | pid_t pid = task_tgid_nr(current); |
@@ -1063,7 +1064,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | |||
1063 | return; | 1064 | return; |
1064 | } | 1065 | } |
1065 | 1066 | ||
1066 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); | 1067 | *ab = audit_log_start(context, GFP_KERNEL, msg_type); |
1067 | if (unlikely(!*ab)) | 1068 | if (unlikely(!*ab)) |
1068 | return; | 1069 | return; |
1069 | audit_log_format(*ab, "pid=%d uid=%u ", pid, uid); | 1070 | audit_log_format(*ab, "pid=%d uid=%u ", pid, uid); |
@@ -1071,6 +1072,12 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | |||
1071 | audit_log_task_context(*ab); | 1072 | audit_log_task_context(*ab); |
1072 | } | 1073 | } |
1073 | 1074 | ||
1075 | static inline void audit_log_user_recv_msg(struct audit_buffer **ab, | ||
1076 | u16 msg_type) | ||
1077 | { | ||
1078 | audit_log_common_recv_msg(NULL, ab, msg_type); | ||
1079 | } | ||
1080 | |||
1074 | int is_audit_feature_set(int i) | 1081 | int is_audit_feature_set(int i) |
1075 | { | 1082 | { |
1076 | return af.features & AUDIT_FEATURE_TO_MASK(i); | 1083 | return af.features & AUDIT_FEATURE_TO_MASK(i); |
@@ -1338,7 +1345,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
1338 | if (err) | 1345 | if (err) |
1339 | break; | 1346 | break; |
1340 | } | 1347 | } |
1341 | audit_log_common_recv_msg(&ab, msg_type); | 1348 | audit_log_user_recv_msg(&ab, msg_type); |
1342 | if (msg_type != AUDIT_USER_TTY) | 1349 | if (msg_type != AUDIT_USER_TTY) |
1343 | audit_log_format(ab, " msg='%.*s'", | 1350 | audit_log_format(ab, " msg='%.*s'", |
1344 | AUDIT_MESSAGE_TEXT_MAX, | 1351 | AUDIT_MESSAGE_TEXT_MAX, |
@@ -1361,7 +1368,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
1361 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) | 1368 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) |
1362 | return -EINVAL; | 1369 | return -EINVAL; |
1363 | if (audit_enabled == AUDIT_LOCKED) { | 1370 | if (audit_enabled == AUDIT_LOCKED) { |
1364 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); | 1371 | audit_log_common_recv_msg(audit_context(), &ab, |
1372 | AUDIT_CONFIG_CHANGE); | ||
1365 | audit_log_format(ab, " op=%s audit_enabled=%d res=0", | 1373 | audit_log_format(ab, " op=%s audit_enabled=%d res=0", |
1366 | msg_type == AUDIT_ADD_RULE ? | 1374 | msg_type == AUDIT_ADD_RULE ? |
1367 | "add_rule" : "remove_rule", | 1375 | "add_rule" : "remove_rule", |
@@ -1376,7 +1384,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
1376 | break; | 1384 | break; |
1377 | case AUDIT_TRIM: | 1385 | case AUDIT_TRIM: |
1378 | audit_trim_trees(); | 1386 | audit_trim_trees(); |
1379 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); | 1387 | audit_log_common_recv_msg(audit_context(), &ab, |
1388 | AUDIT_CONFIG_CHANGE); | ||
1380 | audit_log_format(ab, " op=trim res=1"); | 1389 | audit_log_format(ab, " op=trim res=1"); |
1381 | audit_log_end(ab); | 1390 | audit_log_end(ab); |
1382 | break; | 1391 | break; |
@@ -1406,8 +1415,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
1406 | /* OK, here comes... */ | 1415 | /* OK, here comes... */ |
1407 | err = audit_tag_tree(old, new); | 1416 | err = audit_tag_tree(old, new); |
1408 | 1417 | ||
1409 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); | 1418 | audit_log_common_recv_msg(audit_context(), &ab, |
1410 | 1419 | AUDIT_CONFIG_CHANGE); | |
1411 | audit_log_format(ab, " op=make_equiv old="); | 1420 | audit_log_format(ab, " op=make_equiv old="); |
1412 | audit_log_untrustedstring(ab, old); | 1421 | audit_log_untrustedstring(ab, old); |
1413 | audit_log_format(ab, " new="); | 1422 | audit_log_format(ab, " new="); |
@@ -1474,7 +1483,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
1474 | old.enabled = t & AUDIT_TTY_ENABLE; | 1483 | old.enabled = t & AUDIT_TTY_ENABLE; |
1475 | old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); | 1484 | old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); |
1476 | 1485 | ||
1477 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); | 1486 | audit_log_common_recv_msg(audit_context(), &ab, |
1487 | AUDIT_CONFIG_CHANGE); | ||
1478 | audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" | 1488 | audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" |
1479 | " old-log_passwd=%d new-log_passwd=%d res=%d", | 1489 | " old-log_passwd=%d new-log_passwd=%d res=%d", |
1480 | old.enabled, s.enabled, old.log_passwd, | 1490 | old.enabled, s.enabled, old.log_passwd, |
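Review bot: The new helper audit_log_user_recv_msg (new side, lines 1075-1079) carries the policy stated in the commit message — AUDIT_USER_* records stay standalone — but nothing in the code says so, and the split between user and config-change records is enforced only by which wrapper each call site picks; a later caller passing audit_context() for a user message, or NULL for a config change, would compile silently. A one-line comment above the helper, `/* AUDIT_USER_* records are deliberately standalone: no syscall context. */`, and a note on audit_log_common_recv_msg that `context` may be NULL would make the contract visible where it is used. Because AUDIT_CONFIG_CHANGE records are now started with audit_context(), consumers that treated them as standalone events will presumably need to follow the serial into the accompanying SYSCALL record; that looks intended per the linked issues, but is worth stating in the description. The audit_receive_msg hunks are fragments of a function that starts and ends outside this section.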