From c2f0c7c356dc9ae15419f00c725a2fcc58eeff58 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 6 May 2005 12:38:39 +0100 Subject: The attached patch addresses the problem with getting the audit daemon shutdown credential information. It creates a new message type AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the shutdown. It requires the placement of a hook function that gathers the information. The hook is after the DAC & MAC checks and before the function returns. Racing threads could overwrite the uid & pid - but they would have to be root and have policy that allows signalling the audit daemon. That should be a manageable risk. The userspace component will be released later in audit 0.7.2. When it receives the TERM signal, it queries the kernel for shutdown information. When it receives it, it writes the message and exits. The message looks like this: type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 uid=525, auditd pid=1685 Signed-off-by: Steve Grubb Signed-off-by: David Woodhouse --- security/selinux/nlmsgtab.c | 1 + 1 file changed, 1 insertion(+) (limited to 'security/selinux') diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index b3adb481bc25..deac14367d43 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -97,6 +97,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] = { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, }; -- cgit v1.2.2 From c1b773d87eadc3972d697444127e89a7291769a2 Mon Sep 17 00:00:00 2001 From: Chris Wright Date: Wed, 11 May 2005 10:55:10 +0100 Subject: Add audit_log_type Add audit_log_type to allow callers to specify type and pid when logging. Convert audit_log to wrapper around audit_log_type. Could have converted all audit_log callers directly, but common case is default of type AUDIT_KERNEL and pid 0. Update audit_log_start to take type and pid values when creating a new audit_buffer. Move sequences that did audit_log_start, audit_log_format, audit_set_type, audit_log_end, to simply call audit_log_type directly. This obsoletes audit_set_type and audit_set_pid, so remove them. Signed-off-by: Chris Wright Signed-off-by: David Woodhouse --- security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 85a6f66a873f..9e71a1bbe011 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } - ab = audit_log_start(current->audit_context); + ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); -- cgit v1.2.2 From c04049939f88b29e235d2da217bce6e8ead44f32 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 13 May 2005 18:17:42 +0100 Subject: AUDIT: Add message types to audit records This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by: Steve Grubb --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse --- security/selinux/avc.c | 4 ++-- security/selinux/hooks.c | 2 +- security/selinux/nlmsgtab.c | 8 ++++++++ security/selinux/ss/services.c | 4 ++-- 4 files changed, 13 insertions(+), 5 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 9e71a1bbe011..042f91e9f9d2 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -242,7 +242,7 @@ void __init avc_init(void) avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 0, SLAB_PANIC, NULL, NULL); - audit_log(current->audit_context, "AVC INITIALIZED\n"); + audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n"); } int avc_get_hash_stats(char *page) @@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } - ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); + ab = audit_log_start(current->audit_context, AUDIT_AVC); if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aae1e794fe48..db845cbd5841 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); if (err) { if (err == -EINVAL) { - audit_log(current->audit_context, + audit_log(current->audit_context, AUDIT_SELINUX_ERR, "SELinux: unrecognized netlink message" " type=%hu for sclass=%hu\n", nlh->nlmsg_type, isec->sclass); diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index deac14367d43..67e77acc4795 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -98,6 +98,14 @@ static struct nlmsg_perm nlmsg_audit_perms[] = { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, + { AUDIT_USER_AUTH, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_ACCT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_MGMT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_CRED_ACQ, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_CRED_DISP, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_START, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_END, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, + { AUDIT_USER_AVC, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, }; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 5a820cf88c9c..07fdf6ee6148 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, goto out; if (context_struct_to_string(tcontext, &t, &tlen) < 0) goto out; - audit_log(current->audit_context, + audit_log(current->audit_context, AUDIT_SELINUX_ERR, "security_validate_transition: denied for" " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", o, n, t, policydb.p_class_val_to_name[tclass-1]); @@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context( goto out; if (context_struct_to_string(newcontext, &n, &nlen) < 0) goto out; - audit_log(current->audit_context, + audit_log(current->audit_context, AUDIT_SELINUX_ERR, "security_compute_sid: invalid context %s" " for scontext=%s" " tcontext=%s" -- cgit v1.2.2 From 209aba03243ee42a22f8df8d08aa9963f62aec64 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Wed, 18 May 2005 10:21:07 +0100 Subject: AUDIT: Treat all user messages identically. It's silly to have to add explicit entries for new userspace messages as we invent them. Just treat all messages in the user range the same. Signed-off-by: David Woodhouse --- security/selinux/nlmsgtab.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 67e77acc4795..f0fb6d76f7c5 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -98,14 +98,6 @@ static struct nlmsg_perm nlmsg_audit_perms[] = { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, - { AUDIT_USER_AUTH, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_ACCT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_MGMT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_CRED_ACQ, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_CRED_DISP, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_START, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_END, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_USER_AVC, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, }; @@ -150,8 +142,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) break; case SECCLASS_NETLINK_AUDIT_SOCKET: - err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, - sizeof(nlmsg_audit_perms)); + if (nlmsg_type >= AUDIT_FIRST_USER_MSG && + nlmsg_type <= AUDIT_LAST_USER_MSG) { + *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; + } else { + err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, + sizeof(nlmsg_audit_perms)); + } break; /* No messaging from userspace, or class unknown/unhandled */ -- cgit v1.2.2 From cd77b8212d5473b800ac865364981d334ff564ea Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 19 May 2005 11:18:24 +0100 Subject: Restore logging of pid= and comm= in AVC audit messages We turned this all off because the 'exe=' was causing deadlocks on dcache_lock. There's no need to leave the pid and comm out though. They'll all be logged correctly if full auditing is enabled, but we should still print them in case auditing _isn't_ enabled. Signed-off-by: David Woodhouse --- security/selinux/avc.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 042f91e9f9d2..62b963aca275 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct av_decision *avd, int result, struct avc_audit_data *a) { + struct task_struct *tsk = current; struct inode *inode = NULL; u32 denied, audited; struct audit_buffer *ab; @@ -555,6 +556,12 @@ void avc_audit(u32 ssid, u32 tsid, audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); avc_dump_av(ab, tclass,audited); audit_log_format(ab, " for "); + if (a && a->tsk) + tsk = a->tsk; + if (a->tsk && a->tsk->pid) { + audit_log_format(ab, " pid=%d comm=", tsk->pid); + audit_log_untrustedstring(ab, tsk->comm); + } if (a) { switch (a->type) { case AVC_AUDIT_DATA_IPC: -- cgit v1.2.2 From 011161051bbc25f7f8b7df059dbd934c534443f0 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Sat, 21 May 2005 00:15:52 +0100 Subject: AUDIT: Avoid sleeping function in SElinux AVC audit. This patch changes the SELinux AVC to defer logging of paths to the audit framework upon syscall exit, by saving a reference to the (dentry,vfsmount) pair in an auxiliary audit item on the current audit context for processing by audit_log_exit. Signed-off-by: Stephen Smalley Signed-off-by: David Woodhouse --- security/selinux/avc.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 62b963aca275..0fbc3e98c5ea 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -573,13 +573,10 @@ void avc_audit(u32 ssid, u32 tsid, case AVC_AUDIT_DATA_FS: if (a->u.fs.dentry) { struct dentry *dentry = a->u.fs.dentry; - if (a->u.fs.mnt) { - audit_log_d_path(ab, "path=", dentry, - a->u.fs.mnt); - } else { - audit_log_format(ab, " name=%s", - dentry->d_name.name); - } + if (a->u.fs.mnt) + audit_avc_path(dentry, a->u.fs.mnt); + audit_log_format(ab, " name=%s", + dentry->d_name.name); inode = dentry->d_inode; } else if (a->u.fs.inode) { struct dentry *dentry; @@ -630,8 +627,10 @@ void avc_audit(u32 ssid, u32 tsid, case AF_UNIX: u = unix_sk(sk); if (u->dentry) { - audit_log_d_path(ab, "path=", - u->dentry, u->mnt); + audit_avc_path(u->dentry, u->mnt); + audit_log_format(ab, " name=%s", + u->dentry->d_name.name); + break; } if (!u->addr) -- cgit v1.2.2 From 7b5d781ce1f19fb7382d3d3fb7af48e429bed12d Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Sat, 21 May 2005 16:52:57 +0100 Subject: Fix oops due to thinko in avc_audit() When I added the logging of pid= and comm= back to avc_audit() I screwed it up. Put it back how it should be. Signed-off-by: David Woodhouse --- security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 0fbc3e98c5ea..914d0d294fff 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -558,7 +558,7 @@ void avc_audit(u32 ssid, u32 tsid, audit_log_format(ab, " for "); if (a && a->tsk) tsk = a->tsk; - if (a->tsk && a->tsk->pid) { + if (tsk && tsk->pid) { audit_log_format(ab, " pid=%d comm=", tsk->pid); audit_log_untrustedstring(ab, tsk->comm); } -- cgit v1.2.2 From 37ca5389b863e5ffba6fb7c22331bf57dbf7764a Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 24 May 2005 21:28:28 +0100 Subject: AUDIT: Fix remaining cases of direct logging of untrusted strings by avc_audit Per Steve Grubb's observation that there are some remaining cases where avc_audit() directly logs untrusted strings without escaping them, here is a patch that changes avc_audit() to use audit_log_untrustedstring() or audit_log_hex() as appropriate. Note that d_name.name is nul- terminated by d_alloc(), and that sun_path is nul-terminated by unix_mkname(), so it is not necessary for the AVC to create nul- terminated copies or to alter audit_log_untrustedstring to take a length argument. In the case of an abstract name, we use audit_log_hex() with an explicit length. Signed-off-by: Stephen Smalley Signed-off-by: David Woodhouse --- security/selinux/avc.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 914d0d294fff..451502467a9b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -575,16 +575,16 @@ void avc_audit(u32 ssid, u32 tsid, struct dentry *dentry = a->u.fs.dentry; if (a->u.fs.mnt) audit_avc_path(dentry, a->u.fs.mnt); - audit_log_format(ab, " name=%s", - dentry->d_name.name); + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, dentry->d_name.name); inode = dentry->d_inode; } else if (a->u.fs.inode) { struct dentry *dentry; inode = a->u.fs.inode; dentry = d_find_alias(inode); if (dentry) { - audit_log_format(ab, " name=%s", - dentry->d_name.name); + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, dentry->d_name.name); dput(dentry); } } @@ -628,23 +628,19 @@ void avc_audit(u32 ssid, u32 tsid, u = unix_sk(sk); if (u->dentry) { audit_avc_path(u->dentry, u->mnt); - audit_log_format(ab, " name=%s", - u->dentry->d_name.name); - + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, u->dentry->d_name.name); break; } if (!u->addr) break; len = u->addr->len-sizeof(short); p = &u->addr->name->sun_path[0]; + audit_log_format(ab, " path="); if (*p) - audit_log_format(ab, - "path=%*.*s", len, - len, p); + audit_log_untrustedstring(ab, p); else - audit_log_format(ab, - "path=@%*.*s", len-1, - len-1, p+1); + audit_log_hex(ab, p, len); break; } } -- cgit v1.2.2 From c7fb64db001f83ece669c76a02d8ec2fdb1dd307 Mon Sep 17 00:00:00 2001 From: Thomas Graf Date: Sat, 18 Jun 2005 22:50:55 -0700 Subject: [NETLINK]: Neighbour table configuration and statistics via rtnetlink To retrieve the neighbour tables send RTM_GETNEIGHTBL with the NLM_F_DUMP flag set. Every neighbour table configuration is spread over multiple messages to avoid running into message size limits on systems with many interfaces. The first message in the sequence transports all not device specific data such as statistics, configuration, and the default parameter set. This message is followed by 0..n messages carrying device specific parameter sets. Although the ordering should be sufficient, NDTA_NAME can be used to identify sequences. The initial message can be identified by checking for NDTA_CONFIG. The device specific messages do not contain this TLV but have NDTPA_IFINDEX set to the corresponding interface index. To change neighbour table attributes, send RTM_SETNEIGHTBL with NDTA_NAME set. Changeable attribute include NDTA_THRESH[1-3], NDTA_GC_INTERVAL, and all TLVs in NDTA_PARMS unless marked otherwise. Device specific parameter sets can be changed by setting NDTPA_IFINDEX to the interface index of the corresponding device. Signed-off-by: Thomas Graf Signed-off-by: David S. Miller --- security/selinux/nlmsgtab.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security/selinux') diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index f0fb6d76f7c5..92b057becb4b 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -63,6 +63,8 @@ static struct nlmsg_perm nlmsg_route_perms[] = { RTM_GETPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_READ }, { RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ }, { RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ }, + { RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ }, + { RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, }; static struct nlmsg_perm nlmsg_firewall_perms[] = -- cgit v1.2.2