diff options
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/audit.c | 191 | ||||
-rw-r--r-- | kernel/auditfilter.c | 54 |
2 files changed, 93 insertions, 152 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 26ff925e13f2..7e29372da284 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -66,9 +66,9 @@ | |||
66 | * (Initialization happens after skb_init is called.) */ | 66 | * (Initialization happens after skb_init is called.) */ |
67 | static int audit_initialized; | 67 | static int audit_initialized; |
68 | 68 | ||
69 | /* 0 - no auditing | 69 | #define AUDIT_OFF 0 |
70 | * 1 - auditing enabled | 70 | #define AUDIT_ON 1 |
71 | * 2 - auditing enabled and configuration is locked/unchangeable. */ | 71 | #define AUDIT_LOCKED 2 |
72 | int audit_enabled; | 72 | int audit_enabled; |
73 | 73 | ||
74 | /* Default state when kernel boots without any parameters. */ | 74 | /* Default state when kernel boots without any parameters. */ |
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message) | |||
240 | } | 240 | } |
241 | } | 241 | } |
242 | 242 | ||
243 | static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) | 243 | static int audit_log_config_change(char *function_name, int new, int old, |
244 | uid_t loginuid, u32 sid, int allow_changes) | ||
244 | { | 245 | { |
245 | int res, rc = 0, old = audit_rate_limit; | 246 | struct audit_buffer *ab; |
246 | 247 | int rc = 0; | |
247 | /* check if we are locked */ | ||
248 | if (audit_enabled == 2) | ||
249 | res = 0; | ||
250 | else | ||
251 | res = 1; | ||
252 | 248 | ||
249 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | ||
250 | audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new, | ||
251 | old, loginuid); | ||
253 | if (sid) { | 252 | if (sid) { |
254 | char *ctx = NULL; | 253 | char *ctx = NULL; |
255 | u32 len; | 254 | u32 len; |
256 | if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | 255 | |
257 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 256 | rc = selinux_sid_to_string(sid, &ctx, &len); |
258 | "audit_rate_limit=%d old=%d by auid=%u" | 257 | if (rc) { |
259 | " subj=%s res=%d", | 258 | audit_log_format(ab, " sid=%u", sid); |
260 | limit, old, loginuid, ctx, res); | 259 | allow_changes = 0; /* Something weird, deny request */ |
260 | } else { | ||
261 | audit_log_format(ab, " subj=%s", ctx); | ||
261 | kfree(ctx); | 262 | kfree(ctx); |
262 | } else | 263 | } |
263 | res = 0; /* Something weird, deny request */ | ||
264 | } | 264 | } |
265 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 265 | audit_log_format(ab, " res=%d", allow_changes); |
266 | "audit_rate_limit=%d old=%d by auid=%u res=%d", | 266 | audit_log_end(ab); |
267 | limit, old, loginuid, res); | ||
268 | |||
269 | /* If we are allowed, make the change */ | ||
270 | if (res == 1) | ||
271 | audit_rate_limit = limit; | ||
272 | /* Not allowed, update reason */ | ||
273 | else if (rc == 0) | ||
274 | rc = -EPERM; | ||
275 | return rc; | 267 | return rc; |
276 | } | 268 | } |
277 | 269 | ||
278 | static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) | 270 | static int audit_do_config_change(char *function_name, int *to_change, |
271 | int new, uid_t loginuid, u32 sid) | ||
279 | { | 272 | { |
280 | int res, rc = 0, old = audit_backlog_limit; | 273 | int allow_changes, rc = 0, old = *to_change; |
281 | 274 | ||
282 | /* check if we are locked */ | 275 | /* check if we are locked */ |
283 | if (audit_enabled == 2) | 276 | if (audit_enabled == AUDIT_LOCKED) |
284 | res = 0; | 277 | allow_changes = 0; |
285 | else | 278 | else |
286 | res = 1; | 279 | allow_changes = 1; |
287 | 280 | ||
288 | if (sid) { | 281 | if (audit_enabled != AUDIT_OFF) { |
289 | char *ctx = NULL; | 282 | rc = audit_log_config_change(function_name, new, old, |
290 | u32 len; | 283 | loginuid, sid, allow_changes); |
291 | if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | 284 | if (rc) |
292 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 285 | allow_changes = 0; |
293 | "audit_backlog_limit=%d old=%d by auid=%u" | ||
294 | " subj=%s res=%d", | ||
295 | limit, old, loginuid, ctx, res); | ||
296 | kfree(ctx); | ||
297 | } else | ||
298 | res = 0; /* Something weird, deny request */ | ||
299 | } | 286 | } |
300 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
301 | "audit_backlog_limit=%d old=%d by auid=%u res=%d", | ||
302 | limit, old, loginuid, res); | ||
303 | 287 | ||
304 | /* If we are allowed, make the change */ | 288 | /* If we are allowed, make the change */ |
305 | if (res == 1) | 289 | if (allow_changes == 1) |
306 | audit_backlog_limit = limit; | 290 | *to_change = new; |
307 | /* Not allowed, update reason */ | 291 | /* Not allowed, update reason */ |
308 | else if (rc == 0) | 292 | else if (rc == 0) |
309 | rc = -EPERM; | 293 | rc = -EPERM; |
310 | return rc; | 294 | return rc; |
311 | } | 295 | } |
312 | 296 | ||
313 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | 297 | static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) |
314 | { | 298 | { |
315 | int res, rc = 0, old = audit_enabled; | 299 | return audit_do_config_change("audit_rate_limit", &audit_rate_limit, |
316 | 300 | limit, loginuid, sid); | |
317 | if (state < 0 || state > 2) | 301 | } |
318 | return -EINVAL; | ||
319 | 302 | ||
320 | /* check if we are locked */ | 303 | static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) |
321 | if (audit_enabled == 2) | 304 | { |
322 | res = 0; | 305 | return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, |
323 | else | 306 | limit, loginuid, sid); |
324 | res = 1; | 307 | } |
325 | 308 | ||
326 | if (sid) { | 309 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) |
327 | char *ctx = NULL; | 310 | { |
328 | u32 len; | 311 | if (state < AUDIT_OFF || state > AUDIT_LOCKED) |
329 | if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | 312 | return -EINVAL; |
330 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
331 | "audit_enabled=%d old=%d by auid=%u" | ||
332 | " subj=%s res=%d", | ||
333 | state, old, loginuid, ctx, res); | ||
334 | kfree(ctx); | ||
335 | } else | ||
336 | res = 0; /* Something weird, deny request */ | ||
337 | } | ||
338 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
339 | "audit_enabled=%d old=%d by auid=%u res=%d", | ||
340 | state, old, loginuid, res); | ||
341 | 313 | ||
342 | /* If we are allowed, make the change */ | 314 | return audit_do_config_change("audit_enabled", &audit_enabled, state, |
343 | if (res == 1) | 315 | loginuid, sid); |
344 | audit_enabled = state; | ||
345 | /* Not allowed, update reason */ | ||
346 | else if (rc == 0) | ||
347 | rc = -EPERM; | ||
348 | return rc; | ||
349 | } | 316 | } |
350 | 317 | ||
351 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) | 318 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) |
352 | { | 319 | { |
353 | int res, rc = 0, old = audit_failure; | ||
354 | |||
355 | if (state != AUDIT_FAIL_SILENT | 320 | if (state != AUDIT_FAIL_SILENT |
356 | && state != AUDIT_FAIL_PRINTK | 321 | && state != AUDIT_FAIL_PRINTK |
357 | && state != AUDIT_FAIL_PANIC) | 322 | && state != AUDIT_FAIL_PANIC) |
358 | return -EINVAL; | 323 | return -EINVAL; |
359 | 324 | ||
360 | /* check if we are locked */ | 325 | return audit_do_config_change("audit_failure", &audit_failure, state, |
361 | if (audit_enabled == 2) | 326 | loginuid, sid); |
362 | res = 0; | ||
363 | else | ||
364 | res = 1; | ||
365 | |||
366 | if (sid) { | ||
367 | char *ctx = NULL; | ||
368 | u32 len; | ||
369 | if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { | ||
370 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
371 | "audit_failure=%d old=%d by auid=%u" | ||
372 | " subj=%s res=%d", | ||
373 | state, old, loginuid, ctx, res); | ||
374 | kfree(ctx); | ||
375 | } else | ||
376 | res = 0; /* Something weird, deny request */ | ||
377 | } | ||
378 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
379 | "audit_failure=%d old=%d by auid=%u res=%d", | ||
380 | state, old, loginuid, res); | ||
381 | |||
382 | /* If we are allowed, make the change */ | ||
383 | if (res == 1) | ||
384 | audit_failure = state; | ||
385 | /* Not allowed, update reason */ | ||
386 | else if (rc == 0) | ||
387 | rc = -EPERM; | ||
388 | return rc; | ||
389 | } | 327 | } |
390 | 328 | ||
391 | static int kauditd_thread(void *dummy) | 329 | static int kauditd_thread(void *dummy) |
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
634 | if (err < 0) return err; | 572 | if (err < 0) return err; |
635 | } | 573 | } |
636 | if (status_get->mask & AUDIT_STATUS_PID) { | 574 | if (status_get->mask & AUDIT_STATUS_PID) { |
637 | int old = audit_pid; | 575 | int new_pid = status_get->pid; |
638 | if (sid) { | 576 | |
639 | if ((err = selinux_sid_to_string( | 577 | if (audit_enabled != AUDIT_OFF) |
640 | sid, &ctx, &len))) | 578 | audit_log_config_change("audit_pid", new_pid, |
641 | return err; | 579 | audit_pid, loginuid, |
642 | else | 580 | sid, 1); |
643 | audit_log(NULL, GFP_KERNEL, | 581 | |
644 | AUDIT_CONFIG_CHANGE, | 582 | audit_pid = new_pid; |
645 | "audit_pid=%d old=%d by auid=%u subj=%s", | ||
646 | status_get->pid, old, | ||
647 | loginuid, ctx); | ||
648 | kfree(ctx); | ||
649 | } else | ||
650 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
651 | "audit_pid=%d old=%d by auid=%u", | ||
652 | status_get->pid, old, loginuid); | ||
653 | audit_pid = status_get->pid; | ||
654 | } | 583 | } |
655 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) | 584 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
656 | err = audit_set_rate_limit(status_get->rate_limit, | 585 | err = audit_set_rate_limit(status_get->rate_limit, |
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
709 | case AUDIT_DEL: | 638 | case AUDIT_DEL: |
710 | if (nlmsg_len(nlh) < sizeof(struct audit_rule)) | 639 | if (nlmsg_len(nlh) < sizeof(struct audit_rule)) |
711 | return -EINVAL; | 640 | return -EINVAL; |
712 | if (audit_enabled == 2) { | 641 | if (audit_enabled == AUDIT_LOCKED) { |
713 | ab = audit_log_start(NULL, GFP_KERNEL, | 642 | ab = audit_log_start(NULL, GFP_KERNEL, |
714 | AUDIT_CONFIG_CHANGE); | 643 | AUDIT_CONFIG_CHANGE); |
715 | if (ab) { | 644 | if (ab) { |
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
743 | case AUDIT_DEL_RULE: | 672 | case AUDIT_DEL_RULE: |
744 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) | 673 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) |
745 | return -EINVAL; | 674 | return -EINVAL; |
746 | if (audit_enabled == 2) { | 675 | if (audit_enabled == AUDIT_LOCKED) { |
747 | ab = audit_log_start(NULL, GFP_KERNEL, | 676 | ab = audit_log_start(NULL, GFP_KERNEL, |
748 | AUDIT_CONFIG_CHANGE); | 677 | AUDIT_CONFIG_CHANGE); |
749 | if (ab) { | 678 | if (ab) { |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 5d96f2cc7be8..6f19fd477aac 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih; | |||
95 | /* Inotify events we care about. */ | 95 | /* Inotify events we care about. */ |
96 | #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF | 96 | #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF |
97 | 97 | ||
98 | extern int audit_enabled; | ||
99 | |||
98 | void audit_free_parent(struct inotify_watch *i_watch) | 100 | void audit_free_parent(struct inotify_watch *i_watch) |
99 | { | 101 | { |
100 | struct audit_parent *parent; | 102 | struct audit_parent *parent; |
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent, | |||
974 | struct audit_watch *owatch, *nwatch, *nextw; | 976 | struct audit_watch *owatch, *nwatch, *nextw; |
975 | struct audit_krule *r, *nextr; | 977 | struct audit_krule *r, *nextr; |
976 | struct audit_entry *oentry, *nentry; | 978 | struct audit_entry *oentry, *nentry; |
977 | struct audit_buffer *ab; | ||
978 | 979 | ||
979 | mutex_lock(&audit_filter_mutex); | 980 | mutex_lock(&audit_filter_mutex); |
980 | list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { | 981 | list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { |
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent, | |||
1014 | call_rcu(&oentry->rcu, audit_free_rule_rcu); | 1015 | call_rcu(&oentry->rcu, audit_free_rule_rcu); |
1015 | } | 1016 | } |
1016 | 1017 | ||
1017 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 1018 | if (audit_enabled) { |
1018 | audit_log_format(ab, "op=updated rules specifying path="); | 1019 | struct audit_buffer *ab; |
1019 | audit_log_untrustedstring(ab, owatch->path); | 1020 | ab = audit_log_start(NULL, GFP_KERNEL, |
1020 | audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); | 1021 | AUDIT_CONFIG_CHANGE); |
1021 | audit_log_format(ab, " list=%d res=1", r->listnr); | 1022 | audit_log_format(ab, |
1022 | audit_log_end(ab); | 1023 | "op=updated rules specifying path="); |
1023 | 1024 | audit_log_untrustedstring(ab, owatch->path); | |
1025 | audit_log_format(ab, " with dev=%u ino=%lu\n", | ||
1026 | dev, ino); | ||
1027 | audit_log_format(ab, " list=%d res=1", r->listnr); | ||
1028 | audit_log_end(ab); | ||
1029 | } | ||
1024 | audit_remove_watch(owatch); | 1030 | audit_remove_watch(owatch); |
1025 | goto add_watch_to_parent; /* event applies to a single watch */ | 1031 | goto add_watch_to_parent; /* event applies to a single watch */ |
1026 | } | 1032 | } |
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent) | |||
1039 | struct audit_watch *w, *nextw; | 1045 | struct audit_watch *w, *nextw; |
1040 | struct audit_krule *r, *nextr; | 1046 | struct audit_krule *r, *nextr; |
1041 | struct audit_entry *e; | 1047 | struct audit_entry *e; |
1042 | struct audit_buffer *ab; | ||
1043 | 1048 | ||
1044 | mutex_lock(&audit_filter_mutex); | 1049 | mutex_lock(&audit_filter_mutex); |
1045 | parent->flags |= AUDIT_PARENT_INVALID; | 1050 | parent->flags |= AUDIT_PARENT_INVALID; |
1046 | list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { | 1051 | list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { |
1047 | list_for_each_entry_safe(r, nextr, &w->rules, rlist) { | 1052 | list_for_each_entry_safe(r, nextr, &w->rules, rlist) { |
1048 | e = container_of(r, struct audit_entry, rule); | 1053 | e = container_of(r, struct audit_entry, rule); |
1049 | 1054 | if (audit_enabled) { | |
1050 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 1055 | struct audit_buffer *ab; |
1051 | audit_log_format(ab, "op=remove rule path="); | 1056 | ab = audit_log_start(NULL, GFP_KERNEL, |
1052 | audit_log_untrustedstring(ab, w->path); | 1057 | AUDIT_CONFIG_CHANGE); |
1053 | if (r->filterkey) { | 1058 | audit_log_format(ab, "op=remove rule path="); |
1054 | audit_log_format(ab, " key="); | 1059 | audit_log_untrustedstring(ab, w->path); |
1055 | audit_log_untrustedstring(ab, r->filterkey); | 1060 | if (r->filterkey) { |
1056 | } else | 1061 | audit_log_format(ab, " key="); |
1057 | audit_log_format(ab, " key=(null)"); | 1062 | audit_log_untrustedstring(ab, |
1058 | audit_log_format(ab, " list=%d res=1", r->listnr); | 1063 | r->filterkey); |
1059 | audit_log_end(ab); | 1064 | } else |
1060 | 1065 | audit_log_format(ab, " key=(null)"); | |
1066 | audit_log_format(ab, " list=%d res=1", | ||
1067 | r->listnr); | ||
1068 | audit_log_end(ab); | ||
1069 | } | ||
1061 | list_del(&r->rlist); | 1070 | list_del(&r->rlist); |
1062 | list_del_rcu(&e->list); | 1071 | list_del_rcu(&e->list); |
1063 | call_rcu(&e->rcu, audit_free_rule_rcu); | 1072 | call_rcu(&e->rcu, audit_free_rule_rcu); |
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, | |||
1495 | { | 1504 | { |
1496 | struct audit_buffer *ab; | 1505 | struct audit_buffer *ab; |
1497 | 1506 | ||
1507 | if (!audit_enabled) | ||
1508 | return; | ||
1509 | |||
1498 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 1510 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
1499 | if (!ab) | 1511 | if (!ab) |
1500 | return; | 1512 | return; |