AUDIT: Add message types to audit records

This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by: Steve Grubb <sgrubb@redhat.com> --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
author: Steve Grubb <sgrubb@redhat.com> 2005-05-13 13:17:42 -0400
committer: David Woodhouse <dwmw2@shinybook.infradead.org> 2005-05-13 13:17:42 -0400
commit: c04049939f88b29e235d2da217bce6e8ead44f32 (patch)
tree: 9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9 /kernel/auditsc.c
parent: 9ea74f0655412d0fbd12bf9adb6c14c8fe707a42 (diff)
1 files changed, 25 insertions, 17 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d089263253a7..1b7c91f9d5ff 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -286,7 +286,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                        err = audit_add_rule(entry, &audit_entlist);
                if (!err && (flags & AUDIT_AT_EXIT))
                        err = audit_add_rule(entry, &audit_extlist);
-                audit_log(NULL, "auid %u added an audit rule\n", loginuid);
+                audit_log(NULL, AUDIT_CONFIG_CHANGE, 
+                                "auid %u added an audit rule\n", loginuid);
                break;
        case AUDIT_DEL:
                flags =((struct audit_rule *)data)->flags;
@@ -296,7 +297,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                        err = audit_del_rule(data, &audit_entlist);
                if (!err && (flags & AUDIT_AT_EXIT))
                        err = audit_del_rule(data, &audit_extlist);
-                audit_log(NULL, "auid %u removed an audit rule\n", loginuid);
+                audit_log(NULL, AUDIT_CONFIG_CHANGE,
+                                "auid %u removed an audit rule\n", loginuid);
                break;
        default:
                return -EINVAL;
@@ -648,7 +650,7 @@ static void audit_log_exit(struct audit_context *context)
        int i;
        struct audit_buffer *ab;
-        ab = audit_log_start(context, AUDIT_KERNEL, 0);
+        ab = audit_log_start(context, AUDIT_SYSCALL);
        if (!ab)
                return;         /* audit_panic has been called */
        audit_log_format(ab, "syscall=%d", context->major);
@@ -680,28 +682,28 @@ static void audit_log_exit(struct audit_context *context)
        while (context->aux) {
                struct audit_aux_data *aux;
-                ab = audit_log_start(context, AUDIT_KERNEL, 0);
+                aux = context->aux;
+                ab = audit_log_start(context, aux->type);
                if (!ab)
                        continue; /* audit_panic has been called */
-                aux = context->aux;
-                context->aux = aux->next;
-                audit_log_format(ab, "auxitem=%d", aux->type);
                switch (aux->type) {
-                case AUDIT_AUX_IPCPERM: {
+                case AUDIT_IPC: {
                        struct audit_aux_data_ipcctl *axi = (void *)aux;
                        audit_log_format(ab, 
-                                         " qbytes=%lx uid=%d gid=%d mode=%x",
+                                         " qbytes=%lx iuid=%d igid=%d mode=%x",
                                         axi->qbytes, axi->uid, axi->gid, axi->mode);
                        }
                }
                audit_log_end(ab);
+                context->aux = aux->next;
                kfree(aux);
        }
        for (i = 0; i < context->name_count; i++) {
-                ab = audit_log_start(context, AUDIT_KERNEL, 0);
+                ab = audit_log_start(context, AUDIT_PATH);
                if (!ab)
                        continue; /* audit_panic has been called */
                audit_log_format(ab, "item=%d", i);
@@ -711,7 +713,7 @@ static void audit_log_exit(struct audit_context *context)
                }
                if (context->names[i].ino != (unsigned long)-1)
                        audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
-                                             " uid=%d gid=%d rdev=%02x:%02x",
+                                             " ouid=%d ogid=%d rdev=%02x:%02x",
                                         context->names[i].ino,
                                         MAJOR(context->names[i].dev),
                                         MINOR(context->names[i].dev),
@@ -1008,10 +1010,16 @@ int audit_get_stamp(struct audit_context *ctx,
 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 {
        if (task->audit_context) {
-                audit_log_type(NULL, AUDIT_LOGIN, 0,
+                struct audit_buffer *ab;
-                          "login pid=%d uid=%u old loginuid=%u new loginuid=%u",
-                          task->pid, task->uid, task->audit_context->loginuid,
+                ab = audit_log_start(NULL, AUDIT_LOGIN);
-                          loginuid);
+                if (ab) {
+                        audit_log_format(ab, "login pid=%d uid=%u "
+                                "old loginuid=%u new loginuid=%u",
+                                task->pid, task->uid, 
+                                task->audit_context->loginuid, loginuid);
+                        audit_log_end(ab);
+                }
                task->audit_context->loginuid = loginuid;
        }
        return 0;
@@ -1039,7 +1047,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
        ax->gid = gid;
        ax->mode = mode;
-        ax->d.type = AUDIT_AUX_IPCPERM;
+        ax->d.type = AUDIT_IPC;
        ax->d.next = context->aux;
        context->aux = (void *)ax;
        return 0;
author	Steve Grubb <sgrubb@redhat.com>	2005-05-13 13:17:42 -0400
committer	David Woodhouse <dwmw2@shinybook.infradead.org>	2005-05-13 13:17:42 -0400
commit	c04049939f88b29e235d2da217bce6e8ead44f32 (patch)
tree	9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9 /kernel/auditsc.c
parent	9ea74f0655412d0fbd12bf9adb6c14c8fe707a42 (diff)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d089263253a7..1b7c91f9d5ff 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -286,7 +286,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
286	err = audit_add_rule(entry, &audit_entlist);	286	err = audit_add_rule(entry, &audit_entlist);
287	if (!err && (flags & AUDIT_AT_EXIT))	287	if (!err && (flags & AUDIT_AT_EXIT))
288	err = audit_add_rule(entry, &audit_extlist);	288	err = audit_add_rule(entry, &audit_extlist);
289	audit_log(NULL, "auid %u added an audit rule\n", loginuid);	289	audit_log(NULL, AUDIT_CONFIG_CHANGE,
		290	"auid %u added an audit rule\n", loginuid);
290	break;	291	break;
291	case AUDIT_DEL:	292	case AUDIT_DEL:
292	flags =((struct audit_rule *)data)->flags;	293	flags =((struct audit_rule *)data)->flags;
@@ -296,7 +297,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
296	err = audit_del_rule(data, &audit_entlist);	297	err = audit_del_rule(data, &audit_entlist);
297	if (!err && (flags & AUDIT_AT_EXIT))	298	if (!err && (flags & AUDIT_AT_EXIT))
298	err = audit_del_rule(data, &audit_extlist);	299	err = audit_del_rule(data, &audit_extlist);
299	audit_log(NULL, "auid %u removed an audit rule\n", loginuid);	300	audit_log(NULL, AUDIT_CONFIG_CHANGE,
		301	"auid %u removed an audit rule\n", loginuid);
300	break;	302	break;
301	default:	303	default:
302	return -EINVAL;	304	return -EINVAL;
@@ -648,7 +650,7 @@ static void audit_log_exit(struct audit_context *context)
648	int i;	650	int i;
649	struct audit_buffer *ab;	651	struct audit_buffer *ab;
650		652
651	ab = audit_log_start(context, AUDIT_KERNEL, 0);	653	ab = audit_log_start(context, AUDIT_SYSCALL);
652	if (!ab)	654	if (!ab)
653	return; /* audit_panic has been called */	655	return; /* audit_panic has been called */
654	audit_log_format(ab, "syscall=%d", context->major);	656	audit_log_format(ab, "syscall=%d", context->major);
@@ -680,28 +682,28 @@ static void audit_log_exit(struct audit_context *context)
680	while (context->aux) {	682	while (context->aux) {
681	struct audit_aux_data *aux;	683	struct audit_aux_data *aux;
682		684
683	ab = audit_log_start(context, AUDIT_KERNEL, 0);	685	aux = context->aux;
		686
		687	ab = audit_log_start(context, aux->type);
684	if (!ab)	688	if (!ab)
685	continue; /* audit_panic has been called */	689	continue; /* audit_panic has been called */
686		690
687	aux = context->aux;
688	context->aux = aux->next;
689
690	audit_log_format(ab, "auxitem=%d", aux->type);
691	switch (aux->type) {	691	switch (aux->type) {
692	case AUDIT_AUX_IPCPERM: {	692	case AUDIT_IPC: {
693	struct audit_aux_data_ipcctl axi = (void )aux;	693	struct audit_aux_data_ipcctl axi = (void )aux;
694	audit_log_format(ab,	694	audit_log_format(ab,
695	" qbytes=%lx uid=%d gid=%d mode=%x",	695	" qbytes=%lx iuid=%d igid=%d mode=%x",
696	axi->qbytes, axi->uid, axi->gid, axi->mode);	696	axi->qbytes, axi->uid, axi->gid, axi->mode);
697	}	697	}
698	}	698	}
699	audit_log_end(ab);	699	audit_log_end(ab);
		700
		701	context->aux = aux->next;
700	kfree(aux);	702	kfree(aux);
701	}	703	}
702		704
703	for (i = 0; i < context->name_count; i++) {	705	for (i = 0; i < context->name_count; i++) {
704	ab = audit_log_start(context, AUDIT_KERNEL, 0);	706	ab = audit_log_start(context, AUDIT_PATH);
705	if (!ab)	707	if (!ab)
706	continue; /* audit_panic has been called */	708	continue; /* audit_panic has been called */
707	audit_log_format(ab, "item=%d", i);	709	audit_log_format(ab, "item=%d", i);
@@ -711,7 +713,7 @@ static void audit_log_exit(struct audit_context *context)
711	}	713	}
712	if (context->names[i].ino != (unsigned long)-1)	714	if (context->names[i].ino != (unsigned long)-1)
713	audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"	715	audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
714	" uid=%d gid=%d rdev=%02x:%02x",	716	" ouid=%d ogid=%d rdev=%02x:%02x",
715	context->names[i].ino,	717	context->names[i].ino,
716	MAJOR(context->names[i].dev),	718	MAJOR(context->names[i].dev),
717	MINOR(context->names[i].dev),	719	MINOR(context->names[i].dev),
@@ -1008,10 +1010,16 @@ int audit_get_stamp(struct audit_context *ctx,
1008	int audit_set_loginuid(struct task_struct *task, uid_t loginuid)	1010	int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1009	{	1011	{
1010	if (task->audit_context) {	1012	if (task->audit_context) {
1011	audit_log_type(NULL, AUDIT_LOGIN, 0,	1013	struct audit_buffer *ab;
1012	"login pid=%d uid=%u old loginuid=%u new loginuid=%u",	1014
1013	task->pid, task->uid, task->audit_context->loginuid,	1015	ab = audit_log_start(NULL, AUDIT_LOGIN);
1014	loginuid);	1016	if (ab) {
		1017	audit_log_format(ab, "login pid=%d uid=%u "
		1018	"old loginuid=%u new loginuid=%u",
		1019	task->pid, task->uid,
		1020	task->audit_context->loginuid, loginuid);
		1021	audit_log_end(ab);
		1022	}
1015	task->audit_context->loginuid = loginuid;	1023	task->audit_context->loginuid = loginuid;
1016	}	1024	}
1017	return 0;	1025	return 0;
@@ -1039,7 +1047,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1039	ax->gid = gid;	1047	ax->gid = gid;
1040	ax->mode = mode;	1048	ax->mode = mode;
1041		1049
1042	ax->d.type = AUDIT_AUX_IPCPERM;	1050	ax->d.type = AUDIT_IPC;
1043	ax->d.next = context->aux;	1051	ax->d.next = context->aux;
1044	context->aux = (void *)ax;	1052	context->aux = (void *)ax;
1045	return 0;	1053	return 0;