diff options
| author | Amy Griffis <amy.griffis@hp.com> | 2007-03-29 18:01:04 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2007-05-11 05:38:25 -0400 |
| commit | e54dc2431d740a79a6bd013babade99d71b1714f (patch) | |
| tree | 16b0990d5c16946239a17b332f54b5918fb03305 /kernel | |
| parent | 7f13da40e36c84d0d046b7adbd060af7d3717250 (diff) | |
[PATCH] audit signal recipients
When auditing syscalls that send signals, log the pid and security
context for each target process. Optimize the data collection by
adding a counter for signal-related rules, and avoiding allocating an
aux struct unless we have more than one target process. For process
groups, collect pid/context data in blocks of 16. Move the
audit_signal_info() hook up in check_kill_permission() so we audit
attempts where permission is denied.
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.h | 13 | ||||
| -rw-r--r-- | kernel/auditfilter.c | 48 | ||||
| -rw-r--r-- | kernel/auditsc.c | 111 | ||||
| -rw-r--r-- | kernel/signal.c | 10 |
4 files changed, 153 insertions, 29 deletions
diff --git a/kernel/audit.h b/kernel/audit.h index a3370232a390..815d6f5c04ee 100644 --- a/kernel/audit.h +++ b/kernel/audit.h | |||
| @@ -83,6 +83,7 @@ struct audit_krule { | |||
| 83 | u32 field_count; | 83 | u32 field_count; |
| 84 | char *filterkey; /* ties events to rules */ | 84 | char *filterkey; /* ties events to rules */ |
| 85 | struct audit_field *fields; | 85 | struct audit_field *fields; |
| 86 | struct audit_field *arch_f; /* quick access to arch field */ | ||
| 86 | struct audit_field *inode_f; /* quick access to an inode field */ | 87 | struct audit_field *inode_f; /* quick access to an inode field */ |
| 87 | struct audit_watch *watch; /* associated watch */ | 88 | struct audit_watch *watch; /* associated watch */ |
| 88 | struct list_head rlist; /* entry in audit_watch.rules list */ | 89 | struct list_head rlist; /* entry in audit_watch.rules list */ |
| @@ -131,17 +132,19 @@ extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32, | |||
| 131 | extern int selinux_audit_rule_update(void); | 132 | extern int selinux_audit_rule_update(void); |
| 132 | 133 | ||
| 133 | #ifdef CONFIG_AUDITSYSCALL | 134 | #ifdef CONFIG_AUDITSYSCALL |
| 134 | extern void __audit_signal_info(int sig, struct task_struct *t); | 135 | extern int __audit_signal_info(int sig, struct task_struct *t); |
| 135 | static inline void audit_signal_info(int sig, struct task_struct *t) | 136 | static inline int audit_signal_info(int sig, struct task_struct *t) |
| 136 | { | 137 | { |
| 137 | if (unlikely(audit_pid && t->tgid == audit_pid)) | 138 | if (unlikely((audit_pid && t->tgid == audit_pid) || |
| 138 | __audit_signal_info(sig, t); | 139 | (audit_signals && !audit_dummy_context()))) |
| 140 | return __audit_signal_info(sig, t); | ||
| 141 | return 0; | ||
| 139 | } | 142 | } |
| 140 | extern enum audit_state audit_filter_inodes(struct task_struct *, | 143 | extern enum audit_state audit_filter_inodes(struct task_struct *, |
| 141 | struct audit_context *); | 144 | struct audit_context *); |
| 142 | extern void audit_set_auditable(struct audit_context *); | 145 | extern void audit_set_auditable(struct audit_context *); |
| 143 | #else | 146 | #else |
| 144 | #define audit_signal_info(s,t) | 147 | #define audit_signal_info(s,t) AUDIT_DISABLED |
| 145 | #define audit_filter_inodes(t,c) AUDIT_DISABLED | 148 | #define audit_filter_inodes(t,c) AUDIT_DISABLED |
| 146 | #define audit_set_auditable(c) | 149 | #define audit_set_auditable(c) |
| 147 | #endif | 150 | #endif |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 3749193aed8c..6c61263ff96d 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -311,6 +311,43 @@ int audit_match_class(int class, unsigned syscall) | |||
| 311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); | 311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); |
| 312 | } | 312 | } |
| 313 | 313 | ||
| 314 | static inline int audit_match_class_bits(int class, u32 *mask) | ||
| 315 | { | ||
| 316 | int i; | ||
| 317 | |||
| 318 | if (classes[class]) { | ||
| 319 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | ||
| 320 | if (mask[i] & classes[class][i]) | ||
| 321 | return 0; | ||
| 322 | } | ||
| 323 | return 1; | ||
| 324 | } | ||
| 325 | |||
| 326 | static int audit_match_signal(struct audit_entry *entry) | ||
| 327 | { | ||
| 328 | struct audit_field *arch = entry->rule.arch_f; | ||
| 329 | |||
| 330 | if (!arch) { | ||
| 331 | /* When arch is unspecified, we must check both masks on biarch | ||
| 332 | * as syscall number alone is ambiguous. */ | ||
| 333 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, | ||
| 334 | entry->rule.mask) && | ||
| 335 | audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, | ||
| 336 | entry->rule.mask)); | ||
| 337 | } | ||
| 338 | |||
| 339 | switch(audit_classify_arch(arch->val)) { | ||
| 340 | case 0: /* native */ | ||
| 341 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, | ||
| 342 | entry->rule.mask)); | ||
| 343 | case 1: /* 32bit on biarch */ | ||
| 344 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, | ||
| 345 | entry->rule.mask)); | ||
| 346 | default: | ||
| 347 | return 1; | ||
| 348 | } | ||
| 349 | } | ||
| 350 | |||
| 314 | /* Common user-space to kernel rule translation. */ | 351 | /* Common user-space to kernel rule translation. */ |
| 315 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | 352 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) |
| 316 | { | 353 | { |
| @@ -429,6 +466,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |||
| 429 | err = -EINVAL; | 466 | err = -EINVAL; |
| 430 | goto exit_free; | 467 | goto exit_free; |
| 431 | } | 468 | } |
| 469 | entry->rule.arch_f = f; | ||
| 432 | break; | 470 | break; |
| 433 | case AUDIT_PERM: | 471 | case AUDIT_PERM: |
| 434 | if (f->val & ~15) | 472 | if (f->val & ~15) |
| @@ -519,7 +557,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
| 519 | case AUDIT_FSGID: | 557 | case AUDIT_FSGID: |
| 520 | case AUDIT_LOGINUID: | 558 | case AUDIT_LOGINUID: |
| 521 | case AUDIT_PERS: | 559 | case AUDIT_PERS: |
| 522 | case AUDIT_ARCH: | ||
| 523 | case AUDIT_MSGTYPE: | 560 | case AUDIT_MSGTYPE: |
| 524 | case AUDIT_PPID: | 561 | case AUDIT_PPID: |
| 525 | case AUDIT_DEVMAJOR: | 562 | case AUDIT_DEVMAJOR: |
| @@ -531,6 +568,9 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
| 531 | case AUDIT_ARG2: | 568 | case AUDIT_ARG2: |
| 532 | case AUDIT_ARG3: | 569 | case AUDIT_ARG3: |
| 533 | break; | 570 | break; |
| 571 | case AUDIT_ARCH: | ||
| 572 | entry->rule.arch_f = f; | ||
| 573 | break; | ||
| 534 | case AUDIT_SUBJ_USER: | 574 | case AUDIT_SUBJ_USER: |
| 535 | case AUDIT_SUBJ_ROLE: | 575 | case AUDIT_SUBJ_ROLE: |
| 536 | case AUDIT_SUBJ_TYPE: | 576 | case AUDIT_SUBJ_TYPE: |
| @@ -1221,6 +1261,9 @@ static inline int audit_add_rule(struct audit_entry *entry, | |||
| 1221 | #ifdef CONFIG_AUDITSYSCALL | 1261 | #ifdef CONFIG_AUDITSYSCALL |
| 1222 | if (!dont_count) | 1262 | if (!dont_count) |
| 1223 | audit_n_rules++; | 1263 | audit_n_rules++; |
| 1264 | |||
| 1265 | if (!audit_match_signal(entry)) | ||
| 1266 | audit_signals++; | ||
| 1224 | #endif | 1267 | #endif |
| 1225 | mutex_unlock(&audit_filter_mutex); | 1268 | mutex_unlock(&audit_filter_mutex); |
| 1226 | 1269 | ||
| @@ -1294,6 +1337,9 @@ static inline int audit_del_rule(struct audit_entry *entry, | |||
| 1294 | #ifdef CONFIG_AUDITSYSCALL | 1337 | #ifdef CONFIG_AUDITSYSCALL |
| 1295 | if (!dont_count) | 1338 | if (!dont_count) |
| 1296 | audit_n_rules--; | 1339 | audit_n_rules--; |
| 1340 | |||
| 1341 | if (!audit_match_signal(entry)) | ||
| 1342 | audit_signals--; | ||
| 1297 | #endif | 1343 | #endif |
| 1298 | mutex_unlock(&audit_filter_mutex); | 1344 | mutex_unlock(&audit_filter_mutex); |
| 1299 | 1345 | ||
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2243c559bc03..6aff0df75568 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -89,6 +89,9 @@ extern int audit_enabled; | |||
| 89 | /* number of audit rules */ | 89 | /* number of audit rules */ |
| 90 | int audit_n_rules; | 90 | int audit_n_rules; |
| 91 | 91 | ||
| 92 | /* determines whether we collect data for signals sent */ | ||
| 93 | int audit_signals; | ||
| 94 | |||
| 92 | /* When fs/namei.c:getname() is called, we store the pointer in name and | 95 | /* When fs/namei.c:getname() is called, we store the pointer in name and |
| 93 | * we don't let putname() free it (instead we free all of the saved | 96 | * we don't let putname() free it (instead we free all of the saved |
| 94 | * pointers at syscall exit time). | 97 | * pointers at syscall exit time). |
| @@ -114,6 +117,9 @@ struct audit_aux_data { | |||
| 114 | 117 | ||
| 115 | #define AUDIT_AUX_IPCPERM 0 | 118 | #define AUDIT_AUX_IPCPERM 0 |
| 116 | 119 | ||
| 120 | /* Number of target pids per aux struct. */ | ||
| 121 | #define AUDIT_AUX_PIDS 16 | ||
| 122 | |||
| 117 | struct audit_aux_data_mq_open { | 123 | struct audit_aux_data_mq_open { |
| 118 | struct audit_aux_data d; | 124 | struct audit_aux_data d; |
| 119 | int oflag; | 125 | int oflag; |
| @@ -181,6 +187,13 @@ struct audit_aux_data_path { | |||
| 181 | struct vfsmount *mnt; | 187 | struct vfsmount *mnt; |
| 182 | }; | 188 | }; |
| 183 | 189 | ||
| 190 | struct audit_aux_data_pids { | ||
| 191 | struct audit_aux_data d; | ||
| 192 | pid_t target_pid[AUDIT_AUX_PIDS]; | ||
| 193 | u32 target_sid[AUDIT_AUX_PIDS]; | ||
| 194 | int pid_count; | ||
| 195 | }; | ||
| 196 | |||
| 184 | /* The per-task audit context. */ | 197 | /* The per-task audit context. */ |
| 185 | struct audit_context { | 198 | struct audit_context { |
| 186 | int dummy; /* must be the first element */ | 199 | int dummy; /* must be the first element */ |
| @@ -201,6 +214,7 @@ struct audit_context { | |||
| 201 | struct vfsmount * pwdmnt; | 214 | struct vfsmount * pwdmnt; |
| 202 | struct audit_context *previous; /* For nested syscalls */ | 215 | struct audit_context *previous; /* For nested syscalls */ |
| 203 | struct audit_aux_data *aux; | 216 | struct audit_aux_data *aux; |
| 217 | struct audit_aux_data *aux_pids; | ||
| 204 | 218 | ||
| 205 | /* Save things to print about task_struct */ | 219 | /* Save things to print about task_struct */ |
| 206 | pid_t pid, ppid; | 220 | pid_t pid, ppid; |
| @@ -657,6 +671,10 @@ static inline void audit_free_aux(struct audit_context *context) | |||
| 657 | context->aux = aux->next; | 671 | context->aux = aux->next; |
| 658 | kfree(aux); | 672 | kfree(aux); |
| 659 | } | 673 | } |
| 674 | while ((aux = context->aux_pids)) { | ||
| 675 | context->aux_pids = aux->next; | ||
| 676 | kfree(aux); | ||
| 677 | } | ||
| 660 | } | 678 | } |
| 661 | 679 | ||
| 662 | static inline void audit_zero_context(struct audit_context *context, | 680 | static inline void audit_zero_context(struct audit_context *context, |
| @@ -798,6 +816,29 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk | |||
| 798 | audit_log_task_context(ab); | 816 | audit_log_task_context(ab); |
| 799 | } | 817 | } |
| 800 | 818 | ||
| 819 | static int audit_log_pid_context(struct audit_context *context, pid_t pid, | ||
| 820 | u32 sid) | ||
| 821 | { | ||
| 822 | struct audit_buffer *ab; | ||
| 823 | char *s = NULL; | ||
| 824 | u32 len; | ||
| 825 | int rc = 0; | ||
| 826 | |||
| 827 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); | ||
| 828 | if (!ab) | ||
| 829 | return 1; | ||
| 830 | |||
| 831 | if (selinux_sid_to_string(sid, &s, &len)) { | ||
| 832 | audit_log_format(ab, "opid=%d obj=(none)", pid); | ||
| 833 | rc = 1; | ||
| 834 | } else | ||
| 835 | audit_log_format(ab, "opid=%d obj=%s", pid, s); | ||
| 836 | audit_log_end(ab); | ||
| 837 | kfree(s); | ||
| 838 | |||
| 839 | return rc; | ||
| 840 | } | ||
| 841 | |||
| 801 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) | 842 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) |
| 802 | { | 843 | { |
| 803 | int i, call_panic = 0; | 844 | int i, call_panic = 0; |
| @@ -976,23 +1017,21 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
| 976 | audit_log_end(ab); | 1017 | audit_log_end(ab); |
| 977 | } | 1018 | } |
| 978 | 1019 | ||
| 979 | if (context->target_pid) { | 1020 | for (aux = context->aux_pids; aux; aux = aux->next) { |
| 980 | ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); | 1021 | struct audit_aux_data_pids *axs = (void *)aux; |
| 981 | if (ab) { | 1022 | int i; |
| 982 | char *s = NULL, *t; | 1023 | |
| 983 | u32 len; | 1024 | for (i = 0; i < axs->pid_count; i++) |
| 984 | if (selinux_sid_to_string(context->target_sid, | 1025 | if (audit_log_pid_context(context, axs->target_pid[i], |
| 985 | &s, &len)) | 1026 | axs->target_sid[i])) |
| 986 | t = "(none)"; | 1027 | call_panic = 1; |
| 987 | else | ||
| 988 | t = s; | ||
| 989 | audit_log_format(ab, "opid=%d obj=%s", | ||
| 990 | context->target_pid, t); | ||
| 991 | audit_log_end(ab); | ||
| 992 | kfree(s); | ||
| 993 | } | ||
| 994 | } | 1028 | } |
| 995 | 1029 | ||
| 1030 | if (context->target_pid && | ||
| 1031 | audit_log_pid_context(context, context->target_pid, | ||
| 1032 | context->target_sid)) | ||
| 1033 | call_panic = 1; | ||
| 1034 | |||
| 996 | if (context->pwd && context->pwdmnt) { | 1035 | if (context->pwd && context->pwdmnt) { |
| 997 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); | 1036 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); |
| 998 | if (ab) { | 1037 | if (ab) { |
| @@ -1213,7 +1252,10 @@ void audit_syscall_exit(int valid, long return_code) | |||
| 1213 | } else { | 1252 | } else { |
| 1214 | audit_free_names(context); | 1253 | audit_free_names(context); |
| 1215 | audit_free_aux(context); | 1254 | audit_free_aux(context); |
| 1255 | context->aux = NULL; | ||
| 1256 | context->aux_pids = NULL; | ||
| 1216 | context->target_pid = 0; | 1257 | context->target_pid = 0; |
| 1258 | context->target_sid = 0; | ||
| 1217 | kfree(context->filterkey); | 1259 | kfree(context->filterkey); |
| 1218 | context->filterkey = NULL; | 1260 | context->filterkey = NULL; |
| 1219 | tsk->audit_context = context; | 1261 | tsk->audit_context = context; |
| @@ -1947,15 +1989,17 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) | |||
| 1947 | * If the audit subsystem is being terminated, record the task (pid) | 1989 | * If the audit subsystem is being terminated, record the task (pid) |
| 1948 | * and uid that is doing that. | 1990 | * and uid that is doing that. |
| 1949 | */ | 1991 | */ |
| 1950 | void __audit_signal_info(int sig, struct task_struct *t) | 1992 | int __audit_signal_info(int sig, struct task_struct *t) |
| 1951 | { | 1993 | { |
| 1994 | struct audit_aux_data_pids *axp; | ||
| 1995 | struct task_struct *tsk = current; | ||
| 1996 | struct audit_context *ctx = tsk->audit_context; | ||
| 1952 | extern pid_t audit_sig_pid; | 1997 | extern pid_t audit_sig_pid; |
| 1953 | extern uid_t audit_sig_uid; | 1998 | extern uid_t audit_sig_uid; |
| 1954 | extern u32 audit_sig_sid; | 1999 | extern u32 audit_sig_sid; |
| 1955 | 2000 | ||
| 1956 | if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { | 2001 | if (audit_pid && t->tgid == audit_pid && |
| 1957 | struct task_struct *tsk = current; | 2002 | (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) { |
| 1958 | struct audit_context *ctx = tsk->audit_context; | ||
| 1959 | audit_sig_pid = tsk->pid; | 2003 | audit_sig_pid = tsk->pid; |
| 1960 | if (ctx) | 2004 | if (ctx) |
| 1961 | audit_sig_uid = ctx->loginuid; | 2005 | audit_sig_uid = ctx->loginuid; |
| @@ -1963,4 +2007,33 @@ void __audit_signal_info(int sig, struct task_struct *t) | |||
| 1963 | audit_sig_uid = tsk->uid; | 2007 | audit_sig_uid = tsk->uid; |
| 1964 | selinux_get_task_sid(tsk, &audit_sig_sid); | 2008 | selinux_get_task_sid(tsk, &audit_sig_sid); |
| 1965 | } | 2009 | } |
| 2010 | |||
| 2011 | if (!audit_signals) /* audit_context checked in wrapper */ | ||
| 2012 | return 0; | ||
| 2013 | |||
| 2014 | /* optimize the common case by putting first signal recipient directly | ||
| 2015 | * in audit_context */ | ||
| 2016 | if (!ctx->target_pid) { | ||
| 2017 | ctx->target_pid = t->tgid; | ||
| 2018 | selinux_get_task_sid(t, &ctx->target_sid); | ||
| 2019 | return 0; | ||
| 2020 | } | ||
| 2021 | |||
| 2022 | axp = (void *)ctx->aux_pids; | ||
| 2023 | if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { | ||
| 2024 | axp = kzalloc(sizeof(*axp), GFP_ATOMIC); | ||
| 2025 | if (!axp) | ||
| 2026 | return -ENOMEM; | ||
| 2027 | |||
| 2028 | axp->d.type = AUDIT_OBJ_PID; | ||
| 2029 | axp->d.next = ctx->aux_pids; | ||
| 2030 | ctx->aux_pids = (void *)axp; | ||
| 2031 | } | ||
| 2032 | BUG_ON(axp->pid_count > AUDIT_AUX_PIDS); | ||
| 2033 | |||
| 2034 | axp->target_pid[axp->pid_count] = t->tgid; | ||
| 2035 | selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); | ||
| 2036 | axp->pid_count++; | ||
| 2037 | |||
| 2038 | return 0; | ||
| 1966 | } | 2039 | } |
diff --git a/kernel/signal.c b/kernel/signal.c index 2ac3a668d9dd..c43a3f19d477 100644 --- a/kernel/signal.c +++ b/kernel/signal.c | |||
| @@ -497,6 +497,11 @@ static int check_kill_permission(int sig, struct siginfo *info, | |||
| 497 | int error = -EINVAL; | 497 | int error = -EINVAL; |
| 498 | if (!valid_signal(sig)) | 498 | if (!valid_signal(sig)) |
| 499 | return error; | 499 | return error; |
| 500 | |||
| 501 | error = audit_signal_info(sig, t); /* Let audit system see the signal */ | ||
| 502 | if (error) | ||
| 503 | return error; | ||
| 504 | |||
| 500 | error = -EPERM; | 505 | error = -EPERM; |
| 501 | if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) | 506 | if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) |
| 502 | && ((sig != SIGCONT) || | 507 | && ((sig != SIGCONT) || |
| @@ -506,10 +511,7 @@ static int check_kill_permission(int sig, struct siginfo *info, | |||
| 506 | && !capable(CAP_KILL)) | 511 | && !capable(CAP_KILL)) |
| 507 | return error; | 512 | return error; |
| 508 | 513 | ||
| 509 | error = security_task_kill(t, info, sig, 0); | 514 | return security_task_kill(t, info, sig, 0); |
| 510 | if (!error) | ||
| 511 | audit_signal_info(sig, t); /* Let audit system see the signal */ | ||
| 512 | return error; | ||
| 513 | } | 515 | } |
| 514 | 516 | ||
| 515 | /* forward decl */ | 517 | /* forward decl */ |