diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-01-17 21:48:49 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-01-17 21:48:49 -0500 |
| commit | 2d663b55816e5c1d211a77fff90687053fe78aac (patch) | |
| tree | f74a6d3ce5c8b28a22b571dd5b4400f75317e9c5 | |
| parent | 25eedabe019851bc513abd601ed514df524cb482 (diff) | |
| parent | cb74ed278f8054fddf79ed930495b9e214f7c7b2 (diff) | |
Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit
Pull audit updates from Paul Moore:
"Seven audit patches for 4.5, all very minor despite the diffstat.
The diffstat churn for linux/audit.h can be attributed to needing to
reshuffle the linux/audit.h header to fix the seccomp auditing issue
(see the commit description for details).
Besides the seccomp/audit fix, most of the fixes are around trying to
improve the connection with the audit daemon and a Kconfig
simplification. Nothing crazy, and everything passes our little
audit-testsuite"
* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
audit: always enable syscall auditing when supported and audit is enabled
audit: force seccomp event logging to honor the audit_enabled flag
audit: Delete unnecessary checks before two function calls
audit: wake up threads if queue switched from limited to unlimited
audit: include auditd's threads in audit_log_start() wait exception
audit: remove audit_backlog_wait_overflow
audit: don't needlessly reset valid wait time
| -rw-r--r-- | include/linux/audit.h | 204 | ||||
| -rw-r--r-- | init/Kconfig | 11 | ||||
| -rw-r--r-- | kernel/audit.c | 17 |
3 files changed, 114 insertions, 118 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 20eba1eb0a3c..476bc1237ec2 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -113,6 +113,107 @@ struct filename; | |||
| 113 | 113 | ||
| 114 | extern void audit_log_session_info(struct audit_buffer *ab); | 114 | extern void audit_log_session_info(struct audit_buffer *ab); |
| 115 | 115 | ||
| 116 | #ifdef CONFIG_AUDIT | ||
| 117 | /* These are defined in audit.c */ | ||
| 118 | /* Public API */ | ||
| 119 | extern __printf(4, 5) | ||
| 120 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 121 | const char *fmt, ...); | ||
| 122 | |||
| 123 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); | ||
| 124 | extern __printf(2, 3) | ||
| 125 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); | ||
| 126 | extern void audit_log_end(struct audit_buffer *ab); | ||
| 127 | extern bool audit_string_contains_control(const char *string, | ||
| 128 | size_t len); | ||
| 129 | extern void audit_log_n_hex(struct audit_buffer *ab, | ||
| 130 | const unsigned char *buf, | ||
| 131 | size_t len); | ||
| 132 | extern void audit_log_n_string(struct audit_buffer *ab, | ||
| 133 | const char *buf, | ||
| 134 | size_t n); | ||
| 135 | extern void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 136 | const char *string, | ||
| 137 | size_t n); | ||
| 138 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 139 | const char *string); | ||
| 140 | extern void audit_log_d_path(struct audit_buffer *ab, | ||
| 141 | const char *prefix, | ||
| 142 | const struct path *path); | ||
| 143 | extern void audit_log_key(struct audit_buffer *ab, | ||
| 144 | char *key); | ||
| 145 | extern void audit_log_link_denied(const char *operation, | ||
| 146 | struct path *link); | ||
| 147 | extern void audit_log_lost(const char *message); | ||
| 148 | #ifdef CONFIG_SECURITY | ||
| 149 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); | ||
| 150 | #else | ||
| 151 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 152 | { } | ||
| 153 | #endif | ||
| 154 | |||
| 155 | extern int audit_log_task_context(struct audit_buffer *ab); | ||
| 156 | extern void audit_log_task_info(struct audit_buffer *ab, | ||
| 157 | struct task_struct *tsk); | ||
| 158 | |||
| 159 | extern int audit_update_lsm_rules(void); | ||
| 160 | |||
| 161 | /* Private API (for audit.c only) */ | ||
| 162 | extern int audit_filter_user(int type); | ||
| 163 | extern int audit_filter_type(int type); | ||
| 164 | extern int audit_rule_change(int type, __u32 portid, int seq, | ||
| 165 | void *data, size_t datasz); | ||
| 166 | extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); | ||
| 167 | |||
| 168 | extern u32 audit_enabled; | ||
| 169 | #else /* CONFIG_AUDIT */ | ||
| 170 | static inline __printf(4, 5) | ||
| 171 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 172 | const char *fmt, ...) | ||
| 173 | { } | ||
| 174 | static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, | ||
| 175 | gfp_t gfp_mask, int type) | ||
| 176 | { | ||
| 177 | return NULL; | ||
| 178 | } | ||
| 179 | static inline __printf(2, 3) | ||
| 180 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | ||
| 181 | { } | ||
| 182 | static inline void audit_log_end(struct audit_buffer *ab) | ||
| 183 | { } | ||
| 184 | static inline void audit_log_n_hex(struct audit_buffer *ab, | ||
| 185 | const unsigned char *buf, size_t len) | ||
| 186 | { } | ||
| 187 | static inline void audit_log_n_string(struct audit_buffer *ab, | ||
| 188 | const char *buf, size_t n) | ||
| 189 | { } | ||
| 190 | static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 191 | const char *string, size_t n) | ||
| 192 | { } | ||
| 193 | static inline void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 194 | const char *string) | ||
| 195 | { } | ||
| 196 | static inline void audit_log_d_path(struct audit_buffer *ab, | ||
| 197 | const char *prefix, | ||
| 198 | const struct path *path) | ||
| 199 | { } | ||
| 200 | static inline void audit_log_key(struct audit_buffer *ab, char *key) | ||
| 201 | { } | ||
| 202 | static inline void audit_log_link_denied(const char *string, | ||
| 203 | const struct path *link) | ||
| 204 | { } | ||
| 205 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 206 | { } | ||
| 207 | static inline int audit_log_task_context(struct audit_buffer *ab) | ||
| 208 | { | ||
| 209 | return 0; | ||
| 210 | } | ||
| 211 | static inline void audit_log_task_info(struct audit_buffer *ab, | ||
| 212 | struct task_struct *tsk) | ||
| 213 | { } | ||
| 214 | #define audit_enabled 0 | ||
| 215 | #endif /* CONFIG_AUDIT */ | ||
| 216 | |||
| 116 | #ifdef CONFIG_AUDIT_COMPAT_GENERIC | 217 | #ifdef CONFIG_AUDIT_COMPAT_GENERIC |
| 117 | #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) | 218 | #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) |
| 118 | #else | 219 | #else |
| @@ -212,6 +313,9 @@ void audit_core_dumps(long signr); | |||
| 212 | 313 | ||
| 213 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) | 314 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| 214 | { | 315 | { |
| 316 | if (!audit_enabled) | ||
| 317 | return; | ||
| 318 | |||
| 215 | /* Force a record to be reported if a signal was delivered. */ | 319 | /* Force a record to be reported if a signal was delivered. */ |
| 216 | if (signr || unlikely(!audit_dummy_context())) | 320 | if (signr || unlikely(!audit_dummy_context())) |
| 217 | __audit_seccomp(syscall, signr, code); | 321 | __audit_seccomp(syscall, signr, code); |
| @@ -446,106 +550,6 @@ static inline bool audit_loginuid_set(struct task_struct *tsk) | |||
| 446 | return uid_valid(audit_get_loginuid(tsk)); | 550 | return uid_valid(audit_get_loginuid(tsk)); |
| 447 | } | 551 | } |
| 448 | 552 | ||
| 449 | #ifdef CONFIG_AUDIT | ||
| 450 | /* These are defined in audit.c */ | ||
| 451 | /* Public API */ | ||
| 452 | extern __printf(4, 5) | ||
| 453 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 454 | const char *fmt, ...); | ||
| 455 | |||
| 456 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); | ||
| 457 | extern __printf(2, 3) | ||
| 458 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); | ||
| 459 | extern void audit_log_end(struct audit_buffer *ab); | ||
| 460 | extern bool audit_string_contains_control(const char *string, | ||
| 461 | size_t len); | ||
| 462 | extern void audit_log_n_hex(struct audit_buffer *ab, | ||
| 463 | const unsigned char *buf, | ||
| 464 | size_t len); | ||
| 465 | extern void audit_log_n_string(struct audit_buffer *ab, | ||
| 466 | const char *buf, | ||
| 467 | size_t n); | ||
| 468 | extern void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 469 | const char *string, | ||
| 470 | size_t n); | ||
| 471 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 472 | const char *string); | ||
| 473 | extern void audit_log_d_path(struct audit_buffer *ab, | ||
| 474 | const char *prefix, | ||
| 475 | const struct path *path); | ||
| 476 | extern void audit_log_key(struct audit_buffer *ab, | ||
| 477 | char *key); | ||
| 478 | extern void audit_log_link_denied(const char *operation, | ||
| 479 | struct path *link); | ||
| 480 | extern void audit_log_lost(const char *message); | ||
| 481 | #ifdef CONFIG_SECURITY | ||
| 482 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); | ||
| 483 | #else | ||
| 484 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 485 | { } | ||
| 486 | #endif | ||
| 487 | |||
| 488 | extern int audit_log_task_context(struct audit_buffer *ab); | ||
| 489 | extern void audit_log_task_info(struct audit_buffer *ab, | ||
| 490 | struct task_struct *tsk); | ||
| 491 | |||
| 492 | extern int audit_update_lsm_rules(void); | ||
| 493 | |||
| 494 | /* Private API (for audit.c only) */ | ||
| 495 | extern int audit_filter_user(int type); | ||
| 496 | extern int audit_filter_type(int type); | ||
| 497 | extern int audit_rule_change(int type, __u32 portid, int seq, | ||
| 498 | void *data, size_t datasz); | ||
| 499 | extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); | ||
| 500 | |||
| 501 | extern u32 audit_enabled; | ||
| 502 | #else /* CONFIG_AUDIT */ | ||
| 503 | static inline __printf(4, 5) | ||
| 504 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | ||
| 505 | const char *fmt, ...) | ||
| 506 | { } | ||
| 507 | static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, | ||
| 508 | gfp_t gfp_mask, int type) | ||
| 509 | { | ||
| 510 | return NULL; | ||
| 511 | } | ||
| 512 | static inline __printf(2, 3) | ||
| 513 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | ||
| 514 | { } | ||
| 515 | static inline void audit_log_end(struct audit_buffer *ab) | ||
| 516 | { } | ||
| 517 | static inline void audit_log_n_hex(struct audit_buffer *ab, | ||
| 518 | const unsigned char *buf, size_t len) | ||
| 519 | { } | ||
| 520 | static inline void audit_log_n_string(struct audit_buffer *ab, | ||
| 521 | const char *buf, size_t n) | ||
| 522 | { } | ||
| 523 | static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, | ||
| 524 | const char *string, size_t n) | ||
| 525 | { } | ||
| 526 | static inline void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 527 | const char *string) | ||
| 528 | { } | ||
| 529 | static inline void audit_log_d_path(struct audit_buffer *ab, | ||
| 530 | const char *prefix, | ||
| 531 | const struct path *path) | ||
| 532 | { } | ||
| 533 | static inline void audit_log_key(struct audit_buffer *ab, char *key) | ||
| 534 | { } | ||
| 535 | static inline void audit_log_link_denied(const char *string, | ||
| 536 | const struct path *link) | ||
| 537 | { } | ||
| 538 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | ||
| 539 | { } | ||
| 540 | static inline int audit_log_task_context(struct audit_buffer *ab) | ||
| 541 | { | ||
| 542 | return 0; | ||
| 543 | } | ||
| 544 | static inline void audit_log_task_info(struct audit_buffer *ab, | ||
| 545 | struct task_struct *tsk) | ||
| 546 | { } | ||
| 547 | #define audit_enabled 0 | ||
| 548 | #endif /* CONFIG_AUDIT */ | ||
| 549 | static inline void audit_log_string(struct audit_buffer *ab, const char *buf) | 553 | static inline void audit_log_string(struct audit_buffer *ab, const char *buf) |
| 550 | { | 554 | { |
| 551 | audit_log_n_string(ab, buf, strlen(buf)); | 555 | audit_log_n_string(ab, buf, strlen(buf)); |
diff --git a/init/Kconfig b/init/Kconfig index 4644217b2373..5b86082fa238 100644 --- a/init/Kconfig +++ b/init/Kconfig | |||
| @@ -299,20 +299,15 @@ config AUDIT | |||
| 299 | help | 299 | help |
| 300 | Enable auditing infrastructure that can be used with another | 300 | Enable auditing infrastructure that can be used with another |
| 301 | kernel subsystem, such as SELinux (which requires this for | 301 | kernel subsystem, such as SELinux (which requires this for |
| 302 | logging of avc messages output). Does not do system-call | 302 | logging of avc messages output). System call auditing is included |
| 303 | auditing without CONFIG_AUDITSYSCALL. | 303 | on architectures which support it. |
| 304 | 304 | ||
| 305 | config HAVE_ARCH_AUDITSYSCALL | 305 | config HAVE_ARCH_AUDITSYSCALL |
| 306 | bool | 306 | bool |
| 307 | 307 | ||
| 308 | config AUDITSYSCALL | 308 | config AUDITSYSCALL |
| 309 | bool "Enable system-call auditing support" | 309 | def_bool y |
| 310 | depends on AUDIT && HAVE_ARCH_AUDITSYSCALL | 310 | depends on AUDIT && HAVE_ARCH_AUDITSYSCALL |
| 311 | default y if SECURITY_SELINUX | ||
| 312 | help | ||
| 313 | Enable low-overhead system-call auditing infrastructure that | ||
| 314 | can be used independently or with another kernel subsystem, | ||
| 315 | such as SELinux. | ||
| 316 | 311 | ||
| 317 | config AUDIT_WATCH | 312 | config AUDIT_WATCH |
| 318 | def_bool y | 313 | def_bool y |
diff --git a/kernel/audit.c b/kernel/audit.c index 5ffcbd354a52..d6dd95cc59e6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -110,7 +110,6 @@ static u32 audit_backlog_limit = 64; | |||
| 110 | #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) | 110 | #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) |
| 111 | static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME; | 111 | static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME; |
| 112 | static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; | 112 | static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; |
| 113 | static u32 audit_backlog_wait_overflow = 0; | ||
| 114 | 113 | ||
| 115 | /* The identity of the user shutting down the audit system. */ | 114 | /* The identity of the user shutting down the audit system. */ |
| 116 | kuid_t audit_sig_uid = INVALID_UID; | 115 | kuid_t audit_sig_uid = INVALID_UID; |
| @@ -509,8 +508,7 @@ static void flush_hold_queue(void) | |||
| 509 | * if auditd just disappeared but we | 508 | * if auditd just disappeared but we |
| 510 | * dequeued an skb we need to drop ref | 509 | * dequeued an skb we need to drop ref |
| 511 | */ | 510 | */ |
| 512 | if (skb) | 511 | consume_skb(skb); |
| 513 | consume_skb(skb); | ||
| 514 | } | 512 | } |
| 515 | 513 | ||
| 516 | static int kauditd_thread(void *dummy) | 514 | static int kauditd_thread(void *dummy) |
| @@ -524,7 +522,8 @@ static int kauditd_thread(void *dummy) | |||
| 524 | skb = skb_dequeue(&audit_skb_queue); | 522 | skb = skb_dequeue(&audit_skb_queue); |
| 525 | 523 | ||
| 526 | if (skb) { | 524 | if (skb) { |
| 527 | if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit) | 525 | if (!audit_backlog_limit || |
| 526 | (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)) | ||
| 528 | wake_up(&audit_backlog_wait); | 527 | wake_up(&audit_backlog_wait); |
| 529 | if (audit_pid) | 528 | if (audit_pid) |
| 530 | kauditd_send_skb(skb); | 529 | kauditd_send_skb(skb); |
| @@ -1232,9 +1231,7 @@ static void audit_buffer_free(struct audit_buffer *ab) | |||
| 1232 | if (!ab) | 1231 | if (!ab) |
| 1233 | return; | 1232 | return; |
| 1234 | 1233 | ||
| 1235 | if (ab->skb) | 1234 | kfree_skb(ab->skb); |
| 1236 | kfree_skb(ab->skb); | ||
| 1237 | |||
| 1238 | spin_lock_irqsave(&audit_freelist_lock, flags); | 1235 | spin_lock_irqsave(&audit_freelist_lock, flags); |
| 1239 | if (audit_freelist_count > AUDIT_MAXFREE) | 1236 | if (audit_freelist_count > AUDIT_MAXFREE) |
| 1240 | kfree(ab); | 1237 | kfree(ab); |
| @@ -1372,7 +1369,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, | |||
| 1372 | return NULL; | 1369 | return NULL; |
| 1373 | 1370 | ||
| 1374 | if (gfp_mask & __GFP_DIRECT_RECLAIM) { | 1371 | if (gfp_mask & __GFP_DIRECT_RECLAIM) { |
| 1375 | if (audit_pid && audit_pid == current->pid) | 1372 | if (audit_pid && audit_pid == current->tgid) |
| 1376 | gfp_mask &= ~__GFP_DIRECT_RECLAIM; | 1373 | gfp_mask &= ~__GFP_DIRECT_RECLAIM; |
| 1377 | else | 1374 | else |
| 1378 | reserve = 0; | 1375 | reserve = 0; |
| @@ -1395,12 +1392,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, | |||
| 1395 | skb_queue_len(&audit_skb_queue), | 1392 | skb_queue_len(&audit_skb_queue), |
| 1396 | audit_backlog_limit); | 1393 | audit_backlog_limit); |
| 1397 | audit_log_lost("backlog limit exceeded"); | 1394 | audit_log_lost("backlog limit exceeded"); |
| 1398 | audit_backlog_wait_time = audit_backlog_wait_overflow; | 1395 | audit_backlog_wait_time = 0; |
| 1399 | wake_up(&audit_backlog_wait); | 1396 | wake_up(&audit_backlog_wait); |
| 1400 | return NULL; | 1397 | return NULL; |
| 1401 | } | 1398 | } |
| 1402 | 1399 | ||
| 1403 | if (!reserve) | 1400 | if (!reserve && !audit_backlog_wait_time) |
| 1404 | audit_backlog_wait_time = audit_backlog_wait_time_master; | 1401 | audit_backlog_wait_time = audit_backlog_wait_time_master; |
| 1405 | 1402 | ||
| 1406 | ab = audit_buffer_alloc(ctx, gfp_mask, type); | 1403 | ab = audit_buffer_alloc(ctx, gfp_mask, type); |