From c1b773d87eadc3972d697444127e89a7291769a2 Mon Sep 17 00:00:00 2001 From: Chris Wright Date: Wed, 11 May 2005 10:55:10 +0100 Subject: Add audit_log_type Add audit_log_type to allow callers to specify type and pid when logging. Convert audit_log to wrapper around audit_log_type. Could have converted all audit_log callers directly, but common case is default of type AUDIT_KERNEL and pid 0. Update audit_log_start to take type and pid values when creating a new audit_buffer. Move sequences that did audit_log_start, audit_log_format, audit_set_type, audit_log_end, to simply call audit_log_type directly. This obsoletes audit_set_type and audit_set_pid, so remove them. Signed-off-by: Chris Wright Signed-off-by: David Woodhouse --- security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 85a6f66a873f..9e71a1bbe011 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } - ab = audit_log_start(current->audit_context); + ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); -- cgit v1.2.2 From c04049939f88b29e235d2da217bce6e8ead44f32 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 13 May 2005 18:17:42 +0100 Subject: AUDIT: Add message types to audit records This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by: Steve Grubb --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse --- security/selinux/avc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 9e71a1bbe011..042f91e9f9d2 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -242,7 +242,7 @@ void __init avc_init(void) avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 0, SLAB_PANIC, NULL, NULL); - audit_log(current->audit_context, "AVC INITIALIZED\n"); + audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n"); } int avc_get_hash_stats(char *page) @@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } - ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); + ab = audit_log_start(current->audit_context, AUDIT_AVC); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); -- cgit v1.2.2 From cd77b8212d5473b800ac865364981d334ff564ea Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 19 May 2005 11:18:24 +0100 Subject: Restore logging of pid= and comm= in AVC audit messages We turned this all off because the 'exe=' was causing deadlocks on dcache_lock. There's no need to leave the pid and comm out though. They'll all be logged correctly if full auditing is enabled, but we should still print them in case auditing _isn't_ enabled. Signed-off-by: David Woodhouse --- security/selinux/avc.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 042f91e9f9d2..62b963aca275 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct av_decision *avd, int result, struct avc_audit_data *a) { + struct task_struct *tsk = current; struct inode *inode = NULL; u32 denied, audited; struct audit_buffer *ab; @@ -555,6 +556,12 @@ void avc_audit(u32 ssid, u32 tsid, audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); avc_dump_av(ab, tclass,audited); audit_log_format(ab, " for "); + if (a && a->tsk) + tsk = a->tsk; + if (a->tsk && a->tsk->pid) { + audit_log_format(ab, " pid=%d comm=", tsk->pid); + audit_log_untrustedstring(ab, tsk->comm); + } if (a) { switch (a->type) { case AVC_AUDIT_DATA_IPC: -- cgit v1.2.2 From 011161051bbc25f7f8b7df059dbd934c534443f0 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Sat, 21 May 2005 00:15:52 +0100 Subject: AUDIT: Avoid sleeping function in SElinux AVC audit. This patch changes the SELinux AVC to defer logging of paths to the audit framework upon syscall exit, by saving a reference to the (dentry,vfsmount) pair in an auxiliary audit item on the current audit context for processing by audit_log_exit. Signed-off-by: Stephen Smalley Signed-off-by: David Woodhouse --- security/selinux/avc.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 62b963aca275..0fbc3e98c5ea 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -573,13 +573,10 @@ void avc_audit(u32 ssid, u32 tsid, case AVC_AUDIT_DATA_FS: if (a->u.fs.dentry) { struct dentry *dentry = a->u.fs.dentry; - if (a->u.fs.mnt) { - audit_log_d_path(ab, "path=", dentry, - a->u.fs.mnt); - } else { - audit_log_format(ab, " name=%s", - dentry->d_name.name); - } + if (a->u.fs.mnt) + audit_avc_path(dentry, a->u.fs.mnt); + audit_log_format(ab, " name=%s", + dentry->d_name.name); inode = dentry->d_inode; } else if (a->u.fs.inode) { struct dentry *dentry; @@ -630,8 +627,10 @@ void avc_audit(u32 ssid, u32 tsid, case AF_UNIX: u = unix_sk(sk); if (u->dentry) { - audit_log_d_path(ab, "path=", - u->dentry, u->mnt); + audit_avc_path(u->dentry, u->mnt); + audit_log_format(ab, " name=%s", + u->dentry->d_name.name); + break; } if (!u->addr) -- cgit v1.2.2 From 7b5d781ce1f19fb7382d3d3fb7af48e429bed12d Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Sat, 21 May 2005 16:52:57 +0100 Subject: Fix oops due to thinko in avc_audit() When I added the logging of pid= and comm= back to avc_audit() I screwed it up. Put it back how it should be. Signed-off-by: David Woodhouse --- security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 0fbc3e98c5ea..914d0d294fff 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -558,7 +558,7 @@ void avc_audit(u32 ssid, u32 tsid, audit_log_format(ab, " for "); if (a && a->tsk) tsk = a->tsk; - if (a->tsk && a->tsk->pid) { + if (tsk && tsk->pid) { audit_log_format(ab, " pid=%d comm=", tsk->pid); audit_log_untrustedstring(ab, tsk->comm); } -- cgit v1.2.2 From 37ca5389b863e5ffba6fb7c22331bf57dbf7764a Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 24 May 2005 21:28:28 +0100 Subject: AUDIT: Fix remaining cases of direct logging of untrusted strings by avc_audit Per Steve Grubb's observation that there are some remaining cases where avc_audit() directly logs untrusted strings without escaping them, here is a patch that changes avc_audit() to use audit_log_untrustedstring() or audit_log_hex() as appropriate. Note that d_name.name is nul- terminated by d_alloc(), and that sun_path is nul-terminated by unix_mkname(), so it is not necessary for the AVC to create nul- terminated copies or to alter audit_log_untrustedstring to take a length argument. In the case of an abstract name, we use audit_log_hex() with an explicit length. Signed-off-by: Stephen Smalley Signed-off-by: David Woodhouse --- security/selinux/avc.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 914d0d294fff..451502467a9b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -575,16 +575,16 @@ void avc_audit(u32 ssid, u32 tsid, struct dentry *dentry = a->u.fs.dentry; if (a->u.fs.mnt) audit_avc_path(dentry, a->u.fs.mnt); - audit_log_format(ab, " name=%s", - dentry->d_name.name); + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, dentry->d_name.name); inode = dentry->d_inode; } else if (a->u.fs.inode) { struct dentry *dentry; inode = a->u.fs.inode; dentry = d_find_alias(inode); if (dentry) { - audit_log_format(ab, " name=%s", - dentry->d_name.name); + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, dentry->d_name.name); dput(dentry); } } @@ -628,23 +628,19 @@ void avc_audit(u32 ssid, u32 tsid, u = unix_sk(sk); if (u->dentry) { audit_avc_path(u->dentry, u->mnt); - audit_log_format(ab, " name=%s", - u->dentry->d_name.name); - + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, u->dentry->d_name.name); break; } if (!u->addr) break; len = u->addr->len-sizeof(short); p = &u->addr->name->sun_path[0]; + audit_log_format(ab, " path="); if (*p) - audit_log_format(ab, - "path=%*.*s", len, - len, p); + audit_log_untrustedstring(ab, p); else - audit_log_format(ab, - "path=@%*.*s", len-1, - len-1, p+1); + audit_log_hex(ab, p, len); break; } } -- cgit v1.2.2