diff options
| author | Steve Grubb <sgrubb@redhat.com> | 2005-05-13 13:17:42 -0400 |
|---|---|---|
| committer | David Woodhouse <dwmw2@shinybook.infradead.org> | 2005-05-13 13:17:42 -0400 |
| commit | c04049939f88b29e235d2da217bce6e8ead44f32 (patch) | |
| tree | 9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9 /kernel/audit.c | |
| parent | 9ea74f0655412d0fbd12bf9adb6c14c8fe707a42 (diff) | |
AUDIT: Add message types to audit records
This patch adds more messages types to the audit subsystem so that audit
analysis is quicker, intuitive, and more useful.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
I forgot one type in the big patch. I need to add one for user space
originating SE Linux avc messages. This is used by dbus and nscd.
-Steve
---
Updated to 2.6.12-rc4-mm1.
-dwmw2
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'kernel/audit.c')
| -rw-r--r-- | kernel/audit.c | 78 |
1 files changed, 55 insertions, 23 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 187164572bd0..4e940c05ede8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -140,6 +140,12 @@ struct audit_buffer { | |||
| 140 | struct audit_context *ctx; /* NULL or associated context */ | 140 | struct audit_context *ctx; /* NULL or associated context */ |
| 141 | }; | 141 | }; |
| 142 | 142 | ||
| 143 | static void audit_set_pid(struct audit_buffer *ab, pid_t pid) | ||
| 144 | { | ||
| 145 | struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data; | ||
| 146 | nlh->nlmsg_pid = pid; | ||
| 147 | } | ||
| 148 | |||
| 143 | struct audit_entry { | 149 | struct audit_entry { |
| 144 | struct list_head list; | 150 | struct list_head list; |
| 145 | struct audit_rule rule; | 151 | struct audit_rule rule; |
| @@ -233,7 +239,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid) | |||
| 233 | { | 239 | { |
| 234 | int old = audit_rate_limit; | 240 | int old = audit_rate_limit; |
| 235 | audit_rate_limit = limit; | 241 | audit_rate_limit = limit; |
| 236 | audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", | 242 | audit_log(NULL, AUDIT_CONFIG_CHANGE, |
| 243 | "audit_rate_limit=%d old=%d by auid %u", | ||
| 237 | audit_rate_limit, old, loginuid); | 244 | audit_rate_limit, old, loginuid); |
| 238 | return old; | 245 | return old; |
| 239 | } | 246 | } |
| @@ -242,7 +249,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid) | |||
| 242 | { | 249 | { |
| 243 | int old = audit_backlog_limit; | 250 | int old = audit_backlog_limit; |
| 244 | audit_backlog_limit = limit; | 251 | audit_backlog_limit = limit; |
| 245 | audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", | 252 | audit_log(NULL, AUDIT_CONFIG_CHANGE, |
| 253 | "audit_backlog_limit=%d old=%d by auid %u", | ||
| 246 | audit_backlog_limit, old, loginuid); | 254 | audit_backlog_limit, old, loginuid); |
| 247 | return old; | 255 | return old; |
| 248 | } | 256 | } |
| @@ -253,8 +261,9 @@ static int audit_set_enabled(int state, uid_t loginuid) | |||
| 253 | if (state != 0 && state != 1) | 261 | if (state != 0 && state != 1) |
| 254 | return -EINVAL; | 262 | return -EINVAL; |
| 255 | audit_enabled = state; | 263 | audit_enabled = state; |
| 256 | audit_log(NULL, "audit_enabled=%d old=%d by auid %u", | 264 | audit_log(NULL, AUDIT_CONFIG_CHANGE, |
| 257 | audit_enabled, old, loginuid); | 265 | "audit_enabled=%d old=%d by auid %u", |
| 266 | audit_enabled, old, loginuid); | ||
| 258 | return old; | 267 | return old; |
| 259 | } | 268 | } |
| 260 | 269 | ||
| @@ -266,8 +275,9 @@ static int audit_set_failure(int state, uid_t loginuid) | |||
| 266 | && state != AUDIT_FAIL_PANIC) | 275 | && state != AUDIT_FAIL_PANIC) |
| 267 | return -EINVAL; | 276 | return -EINVAL; |
| 268 | audit_failure = state; | 277 | audit_failure = state; |
| 269 | audit_log(NULL, "audit_failure=%d old=%d by auid %u", | 278 | audit_log(NULL, AUDIT_CONFIG_CHANGE, |
| 270 | audit_failure, old, loginuid); | 279 | "audit_failure=%d old=%d by auid %u", |
| 280 | audit_failure, old, loginuid); | ||
| 271 | return old; | 281 | return old; |
| 272 | } | 282 | } |
| 273 | 283 | ||
| @@ -316,6 +326,14 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type) | |||
| 316 | err = -EPERM; | 326 | err = -EPERM; |
| 317 | break; | 327 | break; |
| 318 | case AUDIT_USER: | 328 | case AUDIT_USER: |
| 329 | case AUDIT_USER_AUTH: | ||
| 330 | case AUDIT_USER_ACCT: | ||
| 331 | case AUDIT_USER_MGMT: | ||
| 332 | case AUDIT_CRED_ACQ: | ||
| 333 | case AUDIT_CRED_DISP: | ||
| 334 | case AUDIT_USER_START: | ||
| 335 | case AUDIT_USER_END: | ||
| 336 | case AUDIT_USER_AVC: | ||
| 319 | if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) | 337 | if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) |
| 320 | err = -EPERM; | 338 | err = -EPERM; |
| 321 | break; | 339 | break; |
| @@ -332,6 +350,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 332 | void *data; | 350 | void *data; |
| 333 | struct audit_status *status_get, status_set; | 351 | struct audit_status *status_get, status_set; |
| 334 | int err; | 352 | int err; |
| 353 | struct audit_buffer *ab; | ||
| 335 | u16 msg_type = nlh->nlmsg_type; | 354 | u16 msg_type = nlh->nlmsg_type; |
| 336 | uid_t loginuid; /* loginuid of sender */ | 355 | uid_t loginuid; /* loginuid of sender */ |
| 337 | struct audit_sig_info sig_data; | 356 | struct audit_sig_info sig_data; |
| @@ -373,7 +392,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 373 | if (status_get->mask & AUDIT_STATUS_PID) { | 392 | if (status_get->mask & AUDIT_STATUS_PID) { |
| 374 | int old = audit_pid; | 393 | int old = audit_pid; |
| 375 | audit_pid = status_get->pid; | 394 | audit_pid = status_get->pid; |
| 376 | audit_log(NULL, "audit_pid=%d old=%d by auid %u", | 395 | audit_log(NULL, AUDIT_CONFIG_CHANGE, |
| 396 | "audit_pid=%d old=%d by auid %u", | ||
| 377 | audit_pid, old, loginuid); | 397 | audit_pid, old, loginuid); |
| 378 | } | 398 | } |
| 379 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) | 399 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
| @@ -383,13 +403,26 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 383 | loginuid); | 403 | loginuid); |
| 384 | break; | 404 | break; |
| 385 | case AUDIT_USER: | 405 | case AUDIT_USER: |
| 386 | audit_log_type(NULL, AUDIT_USER, pid, | 406 | case AUDIT_USER_AUTH: |
| 407 | case AUDIT_USER_ACCT: | ||
| 408 | case AUDIT_USER_MGMT: | ||
| 409 | case AUDIT_CRED_ACQ: | ||
| 410 | case AUDIT_CRED_DISP: | ||
| 411 | case AUDIT_USER_START: | ||
| 412 | case AUDIT_USER_END: | ||
| 413 | case AUDIT_USER_AVC: | ||
| 414 | ab = audit_log_start(NULL, msg_type); | ||
| 415 | if (!ab) | ||
| 416 | break; /* audit_panic has been called */ | ||
| 417 | audit_log_format(ab, | ||
| 387 | "user pid=%d uid=%d length=%d loginuid=%u" | 418 | "user pid=%d uid=%d length=%d loginuid=%u" |
| 388 | " msg='%.1024s'", | 419 | " msg='%.1024s'", |
| 389 | pid, uid, | 420 | pid, uid, |
| 390 | (int)(nlh->nlmsg_len | 421 | (int)(nlh->nlmsg_len |
| 391 | - ((char *)data - (char *)nlh)), | 422 | - ((char *)data - (char *)nlh)), |
| 392 | loginuid, (char *)data); | 423 | loginuid, (char *)data); |
| 424 | audit_set_pid(ab, pid); | ||
| 425 | audit_log_end(ab); | ||
| 393 | break; | 426 | break; |
| 394 | case AUDIT_ADD: | 427 | case AUDIT_ADD: |
| 395 | case AUDIT_DEL: | 428 | case AUDIT_DEL: |
| @@ -504,7 +537,7 @@ static int __init audit_init(void) | |||
| 504 | 537 | ||
| 505 | audit_initialized = 1; | 538 | audit_initialized = 1; |
| 506 | audit_enabled = audit_default; | 539 | audit_enabled = audit_default; |
| 507 | audit_log(NULL, "initialized"); | 540 | audit_log(NULL, AUDIT_KERNEL, "initialized"); |
| 508 | return 0; | 541 | return 0; |
| 509 | } | 542 | } |
| 510 | __initcall(audit_init); | 543 | __initcall(audit_init); |
| @@ -541,10 +574,12 @@ static void audit_buffer_free(struct audit_buffer *ab) | |||
| 541 | spin_unlock_irqrestore(&audit_freelist_lock, flags); | 574 | spin_unlock_irqrestore(&audit_freelist_lock, flags); |
| 542 | } | 575 | } |
| 543 | 576 | ||
| 544 | static struct audit_buffer * audit_buffer_alloc(int gfp_mask) | 577 | static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, |
| 578 | int gfp_mask, int type) | ||
| 545 | { | 579 | { |
| 546 | unsigned long flags; | 580 | unsigned long flags; |
| 547 | struct audit_buffer *ab = NULL; | 581 | struct audit_buffer *ab = NULL; |
| 582 | struct nlmsghdr *nlh; | ||
| 548 | 583 | ||
| 549 | spin_lock_irqsave(&audit_freelist_lock, flags); | 584 | spin_lock_irqsave(&audit_freelist_lock, flags); |
| 550 | if (!list_empty(&audit_freelist)) { | 585 | if (!list_empty(&audit_freelist)) { |
| @@ -566,6 +601,12 @@ static struct audit_buffer * audit_buffer_alloc(int gfp_mask) | |||
| 566 | if (!ab->skb) | 601 | if (!ab->skb) |
| 567 | goto err; | 602 | goto err; |
| 568 | 603 | ||
| 604 | ab->ctx = ctx; | ||
| 605 | nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); | ||
| 606 | nlh->nlmsg_type = type; | ||
| 607 | nlh->nlmsg_flags = 0; | ||
| 608 | nlh->nlmsg_pid = 0; | ||
| 609 | nlh->nlmsg_seq = 0; | ||
| 569 | return ab; | 610 | return ab; |
| 570 | err: | 611 | err: |
| 571 | audit_buffer_free(ab); | 612 | audit_buffer_free(ab); |
| @@ -578,12 +619,11 @@ err: | |||
| 578 | * syscall, then the syscall is marked as auditable and an audit record | 619 | * syscall, then the syscall is marked as auditable and an audit record |
| 579 | * will be written at syscall exit. If there is no associated task, tsk | 620 | * will be written at syscall exit. If there is no associated task, tsk |
| 580 | * should be NULL. */ | 621 | * should be NULL. */ |
| 581 | struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pid) | 622 | struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) |
| 582 | { | 623 | { |
| 583 | struct audit_buffer *ab = NULL; | 624 | struct audit_buffer *ab = NULL; |
| 584 | struct timespec t; | 625 | struct timespec t; |
| 585 | unsigned int serial; | 626 | unsigned int serial; |
| 586 | struct nlmsghdr *nlh; | ||
| 587 | 627 | ||
| 588 | if (!audit_initialized) | 628 | if (!audit_initialized) |
| 589 | return NULL; | 629 | return NULL; |
| @@ -600,19 +640,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pi | |||
| 600 | return NULL; | 640 | return NULL; |
| 601 | } | 641 | } |
| 602 | 642 | ||
| 603 | ab = audit_buffer_alloc(GFP_ATOMIC); | 643 | ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type); |
| 604 | if (!ab) { | 644 | if (!ab) { |
| 605 | audit_log_lost("out of memory in audit_log_start"); | 645 | audit_log_lost("out of memory in audit_log_start"); |
| 606 | return NULL; | 646 | return NULL; |
| 607 | } | 647 | } |
| 608 | 648 | ||
| 609 | ab->ctx = ctx; | ||
| 610 | nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); | ||
| 611 | nlh->nlmsg_type = type; | ||
| 612 | nlh->nlmsg_flags = 0; | ||
| 613 | nlh->nlmsg_pid = pid; | ||
| 614 | nlh->nlmsg_seq = 0; | ||
| 615 | |||
| 616 | if (!audit_get_stamp(ab->ctx, &t, &serial)) { | 649 | if (!audit_get_stamp(ab->ctx, &t, &serial)) { |
| 617 | t = CURRENT_TIME; | 650 | t = CURRENT_TIME; |
| 618 | serial = 0; | 651 | serial = 0; |
| @@ -809,13 +842,12 @@ void audit_log_end(struct audit_buffer *ab) | |||
| 809 | /* Log an audit record. This is a convenience function that calls | 842 | /* Log an audit record. This is a convenience function that calls |
| 810 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be | 843 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be |
| 811 | * called in any context. */ | 844 | * called in any context. */ |
| 812 | void audit_log_type(struct audit_context *ctx, int type, int pid, | 845 | void audit_log(struct audit_context *ctx, int type, const char *fmt, ...) |
| 813 | const char *fmt, ...) | ||
| 814 | { | 846 | { |
| 815 | struct audit_buffer *ab; | 847 | struct audit_buffer *ab; |
| 816 | va_list args; | 848 | va_list args; |
| 817 | 849 | ||
| 818 | ab = audit_log_start(ctx, type, pid); | 850 | ab = audit_log_start(ctx, type); |
| 819 | if (ab) { | 851 | if (ab) { |
| 820 | va_start(args, fmt); | 852 | va_start(args, fmt); |
| 821 | audit_log_vformat(ab, fmt, args); | 853 | audit_log_vformat(ab, fmt, args); |