aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-11-11 05:48:18 -0500
committerJames Morris <jmorris@namei.org>2008-11-11 05:48:18 -0500
commit3fc689e96c0c90b6fede5946d6c31075e9464f69 (patch)
tree5e59b6c607eb595ababa74bad18787cfa49b16e9 /kernel/auditsc.c
parent851f7ff56d9c21272f289dd85fb3f1b6cf7a6e10 (diff)
Any time fcaps or a setuid app under SECURE_NOROOT is used to result in a
non-zero pE we will crate a new audit record which contains the entire set of known information about the executable in question, fP, fI, fE, fversion and includes the process's pE, pI, pP. Before and after the bprm capability are applied. This record type will only be emitted from execve syscalls. an example of making ping use fcaps instead of setuid: setcap "cat_net_raw+pe" /bin/ping type=SYSCALL msg=audit(1225742021.015:236): arch=c000003e syscall=59 success=yes exit=0 a0=1457f30 a1=14606b0 a2=1463940 a3=321b770a70 items=2 ppid=2929 pid=2963 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=UNKNOWN[1321] msg=audit(1225742021.015:236): fver=2 fp=0000000000002000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000000000002000 new_pi=0000000000000000 new_pe=0000000000002000 type=EXECVE msg=audit(1225742021.015:236): argc=2 a0="ping" a1="127.0.0.1" type=CWD msg=audit(1225742021.015:236): cwd="/home/test" type=PATH msg=audit(1225742021.015:236): item=0 name="/bin/ping" inode=49256 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fp=0000000000002000 cap_fe=1 cap_fver=2 type=PATH msg=audit(1225742021.015:236): item=1 name=(null) inode=507915 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c68
1 files changed, 68 insertions, 0 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index de7e9bcba9ae..3229cd4206f5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -196,6 +196,14 @@ struct audit_aux_data_pids {
196 int pid_count; 196 int pid_count;
197}; 197};
198 198
199struct audit_aux_data_bprm_fcaps {
200 struct audit_aux_data d;
201 struct audit_cap_data fcap;
202 unsigned int fcap_ver;
203 struct audit_cap_data old_pcap;
204 struct audit_cap_data new_pcap;
205};
206
199struct audit_tree_refs { 207struct audit_tree_refs {
200 struct audit_tree_refs *next; 208 struct audit_tree_refs *next;
201 struct audit_chunk *c[31]; 209 struct audit_chunk *c[31];
@@ -1375,6 +1383,20 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1375 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1383 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
1376 break; } 1384 break; }
1377 1385
1386 case AUDIT_BPRM_FCAPS: {
1387 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1388 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1389 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1390 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1391 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1392 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1393 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1394 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1395 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1396 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1397 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1398 break; }
1399
1378 } 1400 }
1379 audit_log_end(ab); 1401 audit_log_end(ab);
1380 } 1402 }
@@ -2502,6 +2524,52 @@ int __audit_signal_info(int sig, struct task_struct *t)
2502} 2524}
2503 2525
2504/** 2526/**
2527 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2528 * @bprm pointer to the bprm being processed
2529 * @caps the caps read from the disk
2530 *
2531 * Simply check if the proc already has the caps given by the file and if not
2532 * store the priv escalation info for later auditing at the end of the syscall
2533 *
2534 * this can fail and we don't care. See the note in audit.h for
2535 * audit_log_bprm_fcaps() for my explaination....
2536 *
2537 * -Eric
2538 */
2539void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_cap_t *pE)
2540{
2541 struct audit_aux_data_bprm_fcaps *ax;
2542 struct audit_context *context = current->audit_context;
2543 struct cpu_vfs_cap_data vcaps;
2544 struct dentry *dentry;
2545
2546 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2547 if (!ax)
2548 return;
2549
2550 ax->d.type = AUDIT_BPRM_FCAPS;
2551 ax->d.next = context->aux;
2552 context->aux = (void *)ax;
2553
2554 dentry = dget(bprm->file->f_dentry);
2555 get_vfs_caps_from_disk(dentry, &vcaps);
2556 dput(dentry);
2557
2558 ax->fcap.permitted = vcaps.permitted;
2559 ax->fcap.inheritable = vcaps.inheritable;
2560 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2561 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2562
2563 ax->old_pcap.permitted = *pP;
2564 ax->old_pcap.inheritable = current->cap_inheritable;
2565 ax->old_pcap.effective = *pE;
2566
2567 ax->new_pcap.permitted = current->cap_permitted;
2568 ax->new_pcap.inheritable = current->cap_inheritable;
2569 ax->new_pcap.effective = current->cap_effective;
2570}
2571
2572/**
2505 * audit_core_dumps - record information about processes that end abnormally 2573 * audit_core_dumps - record information about processes that end abnormally
2506 * @signr: signal value 2574 * @signr: signal value
2507 * 2575 *