<div dir="ltr">Well when I was adding to the AUDIT MSG types, I felt pretty dirty :-P<div><br></div><div style>I think versioning and bitpacking the features is the right way to go.</div><div style><br></div><div style>Whats the purpose of mask in audit_features struct?</div>
<div style><br></div><div style>Looks like you use it to indicate which bits userspace intended to set, incase the structure wasn't memset to 0?</div><div style><div><br></div><div style>Bill</div></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Fri, May 24, 2013 at 9:34 AM, Eric Paris <span dir="ltr"><<a href="mailto:eparis@parisplace.org" target="_blank">eparis@parisplace.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Wed, 2013-05-22 at 19:18 -0700, William Roberts wrote:<br>
> This need came about in Samsung's mobile products. Id like to see and<br>
> attempt to get this mainstreamed. Any feedback would be greatly<br>
> appreciated. Thanks.<br>
<br>
</div>My first thought is that I just sent a patch to introduce a flexible<br>
on/off flipping of bits for audit system features. Rather timely, so we<br>
don't have to keep introducing message types. AUDIT_SET/AUDIT_GET<br>
certainly weren't well thought out in that way. I'd like your thoughts<br>
on those patches (really 1/7 does the heavy lifting 6/7 and 7/7 use<br>
it)<br>
<br>
I thinking porting on top of my series will result in your patch being<br>
about 10 lines.<br>
<br>
I also don't love the name. This isn't about splitting logs, it's about<br>
also logging to kmsg.<br>
<br>
Do we need the Kconfig default? I'd think we should be able to get this<br>
set early enough in userspace. Any messages before auditd are going to<br>
go to kmsg. I envision that we should be able to set features in the<br>
audit.rules so you should be able to turn this on before auditd starts<br>
and things would stop going to kmsg.<br>
<br>
But I don't see a problem with it. If you port on top of this series<br>
I'm ok with queuing for 3.11<br>
<div class="HOEnZb"><div class="h5"><br>
> On Wed, May 22, 2013 at 7:16 PM, William Roberts<br>
> <<a href="mailto:bill.c.roberts@gmail.com">bill.c.roberts@gmail.com</a>> wrote:<br>
> Allow the audit subsystem to send audit events to both the<br>
> kernel<br>
> message buffer and auditd at the same time.<br>
><br>
> Signed-off-by: William Roberts <<a href="mailto:w.roberts@sta.samsung.com">w.roberts@sta.samsung.com</a>><br>
> ---<br>
> include/uapi/linux/audit.h | 11 ++++++++++<br>
> init/Kconfig | 8 +++++++<br>
> kernel/audit.c | 52<br>
> ++++++++++++++++++++++++++++++++++++++++------<br>
> kernel/audit.h | 6 ++++++<br>
> 4 files changed, 71 insertions(+), 6 deletions(-)<br>
><br>
> diff --git a/include/uapi/linux/audit.h<br>
> b/include/uapi/linux/audit.h<br>
> index 75cef3f..0af5d78 100644<br>
> --- a/include/uapi/linux/audit.h<br>
> +++ b/include/uapi/linux/audit.h<br>
> @@ -68,6 +68,8 @@<br>
> #define AUDIT_MAKE_EQUIV 1015 /* Append to watched<br>
> tree */<br>
> #define AUDIT_TTY_GET 1016 /* Get TTY auditing<br>
> status */<br>
> #define AUDIT_TTY_SET 1017 /* Set TTY auditing<br>
> status */<br>
> +#define AUDIT_LOGSPLIT_GET 1018 /* Get logsplit<br>
> status */<br>
> +#define AUDIT_LOGSPLIT_SET 1019 /* Set logsplit<br>
> status */<br>
><br>
> #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages<br>
> mostly uninteresting to kernel */<br>
> #define AUDIT_USER_AVC 1107 /* We filter this<br>
> differently */<br>
> @@ -321,6 +323,10 @@ enum {<br>
> #define AUDIT_FAIL_PRINTK 1<br>
> #define AUDIT_FAIL_PANIC 2<br>
><br>
> +/* Audit splitlog options */<br>
> +#define AUDIT_LOGSPLIT_OFF 0<br>
> +#define AUDIT_LOGSPLIT_ON 1<br>
> +<br>
> /* distinguish syscall tables */<br>
> #define __AUDIT_ARCH_64BIT 0x80000000<br>
> #define __AUDIT_ARCH_LE 0x40000000<br>
> @@ -374,6 +380,11 @@ struct audit_tty_status {<br>
> __u32 log_passwd; /* 1 = enabled, 0 =<br>
> disabled */<br>
> };<br>
><br>
> +struct audit_logsplit_status {<br>
> + __u32 enabled; /* AUDIT_LOGSPLIT_ON<br>
> or<br>
> +<br>
> AUDIT_LOGSPLIT_OFF */<br>
> +};<br>
> +<br>
> /* audit_rule_data supports filter rules with both integer<br>
> and string<br>
> * fields. It corresponds with AUDIT_ADD_RULE,<br>
> AUDIT_DEL_RULE and<br>
> * AUDIT_LIST_RULES requests.<br>
> diff --git a/init/Kconfig b/init/Kconfig<br>
> index 9d3a788..52efca6 100644<br>
> --- a/init/Kconfig<br>
> +++ b/init/Kconfig<br>
> @@ -286,6 +286,14 @@ config AUDIT_LOGINUID_IMMUTABLE<br>
> one to drop potentially dangerous capabilites from<br>
> the login tasks,<br>
> but may not be backwards compatible with older init<br>
> systems.<br>
><br>
> +config AUDIT_SPLITLOG<br>
> + bool "Split audit messages to userspace and kernel by<br>
> default"<br>
> + depends on AUDIT<br>
> + help<br>
> + Setting this to true will cause the audit messages<br>
> to be split<br>
> + by default to both the kernel message log and a<br>
> userspace audit<br>
> + daemon if registered.<br>
> +<br>
> source "kernel/irq/Kconfig"<br>
> source "kernel/time/Kconfig"<br>
><br>
> diff --git a/kernel/audit.c b/kernel/audit.c<br>
> index 21c7fa6..ccd2f60 100644<br>
> --- a/kernel/audit.c<br>
> +++ b/kernel/audit.c<br>
> @@ -88,6 +88,9 @@ static int audit_default;<br>
> /* If auditing cannot proceed, audit_failure selects what<br>
> happens. */<br>
> static int audit_failure = AUDIT_FAIL_PRINTK;<br>
><br>
> +/* Whether or not logsplit is enabled */<br>
> +static int audit_logsplit = AUDIT_SPLITLOG_INIT;<br>
> +<br>
> /*<br>
> * If audit records are to be written to the netlink socket,<br>
> audit_pid<br>
> * contains the pid of the auditd process and<br>
> audit_nlk_portid contains<br>
> @@ -343,6 +346,17 @@ static int audit_set_failure(int state)<br>
> return audit_do_config_change("audit_failure",<br>
> &audit_failure, state);<br>
> }<br>
><br>
> +static int audit_set_logsplit(int state)<br>
> +{<br>
> + if (state != AUDIT_LOGSPLIT_OFF<br>
> + && state != AUDIT_LOGSPLIT_ON)<br>
> + return -EINVAL;<br>
> +<br>
> + return audit_do_config_change("audit_logsplit",<br>
> &audit_logsplit, state);<br>
> +}<br>
> +<br>
> +<br>
> +<br>
> /*<br>
> * Queue skbs to be sent to auditd when/if it comes back.<br>
> These skbs should<br>
> * already have been sent via prink/syslog and so if these<br>
> messages are dropped<br>
> @@ -361,11 +375,8 @@ static void audit_hold_skb(struct sk_buff<br>
> *skb)<br>
> kfree_skb(skb);<br>
> }<br>
><br>
> -/*<br>
> - * For one reason or another this nlh isn't getting delivered<br>
> to the userspace<br>
> - * audit daemon, just send it to printk.<br>
> - */<br>
> -static void audit_printk_skb(struct sk_buff *skb)<br>
> +/* Just printks the skb, no audit_hold or free of any kind */<br>
> +static void __audit_printk_skb(struct sk_buff *skb)<br>
> {<br>
> struct nlmsghdr *nlh = nlmsg_hdr(skb);<br>
> char *data = nlmsg_data(nlh);<br>
> @@ -376,7 +387,14 @@ static void audit_printk_skb(struct<br>
> sk_buff *skb)<br>
> else<br>
> audit_log_lost("printk limit exceeded<br>
> \n");<br>
> }<br>
> -<br>
> +}<br>
> +/*<br>
> + * For one reason or another this nlh isn't getting delivered<br>
> to the userspace<br>
> + * audit daemon, just send it to printk.<br>
> + */<br>
> +static void audit_printk_skb(struct sk_buff *skb)<br>
> +{<br>
> + __audit_printk_skb(skb);<br>
> audit_hold_skb(skb);<br>
> }<br>
><br>
> @@ -590,6 +608,8 @@ static int audit_netlink_ok(struct sk_buff<br>
> *skb, u16 msg_type)<br>
> case AUDIT_SIGNAL_INFO:<br>
> case AUDIT_TTY_GET:<br>
> case AUDIT_TTY_SET:<br>
> + case AUDIT_LOGSPLIT_GET:<br>
> + case AUDIT_LOGSPLIT_SET:<br>
> case AUDIT_TRIM:<br>
> case AUDIT_MAKE_EQUIV:<br>
> if (!capable(CAP_AUDIT_CONTROL))<br>
> @@ -843,7 +863,24 @@ static int audit_receive_msg(struct<br>
> sk_buff *skb, struct nlmsghdr *nlh)<br>
> spin_unlock(&tsk->sighand->siglock);<br>
> break;<br>
> }<br>
> + case AUDIT_LOGSPLIT_GET: {<br>
> + struct audit_logsplit_status s;<br>
> + s.enabled = audit_logsplit;<br>
> + audit_send_reply(NETLINK_CB(skb).portid, seq,<br>
> + AUDIT_LOGSPLIT_GET, 0, 0, &s,<br>
> sizeof(s));<br>
> + break;<br>
> + }<br>
> + case AUDIT_LOGSPLIT_SET: {<br>
> + struct audit_logsplit_status *s;<br>
> + if (nlh->nlmsg_len < sizeof(struct<br>
> audit_logsplit_status))<br>
> + return -EINVAL;<br>
> + s = data;<br>
> + err = audit_set_logsplit(s->enabled);<br>
> + break;<br>
> + }<br>
> +<br>
> default:<br>
> + printk(KERN_ERR "Unkown audit command");<br>
> err = -EINVAL;<br>
> break;<br>
> }<br>
> @@ -1670,6 +1707,9 @@ void audit_log_end(struct audit_buffer<br>
> *ab)<br>
> nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN;<br>
><br>
> if (audit_pid) {<br>
> + if (audit_logsplit ==<br>
> AUDIT_LOGSPLIT_ON)<br>
> + __audit_printk_skb(ab->skb);<br>
> +<br>
> skb_queue_tail(&audit_skb_queue,<br>
> ab->skb);<br>
> wake_up_interruptible(&kauditd_wait);<br>
> } else {<br>
> diff --git a/kernel/audit.h b/kernel/audit.h<br>
> index 1c95131..ef43bb1 100644<br>
> --- a/kernel/audit.h<br>
> +++ b/kernel/audit.h<br>
> @@ -321,4 +321,10 @@ extern struct list_head<br>
> *audit_killed_trees(void);<br>
> #define audit_filter_inodes(t,c) AUDIT_DISABLED<br>
> #endif<br>
><br>
> +#ifdef CONFIG_AUDIT_SPLITLOG<br>
> +#define AUDIT_SPLITLOG_INIT AUDIT_LOGSPLIT_ON<br>
> +#else<br>
> +#define AUDIT_SPLITLOG_INIT AUDIT_LOGSPLIT_OFF<br>
> +#endif<br>
> +<br>
> extern struct mutex audit_cmd_mutex;<br>
> --<br>
> 1.8.2.2<br>
><br>
><br>
><br>
><br>
><br>
> --<br>
> Respectfully,<br>
><br>
> William C Roberts<br>
><br>
><br>
</div></div><span class="HOEnZb"><font color="#888888">> --<br>
> Linux-audit mailing list<br>
> <a href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br>
<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Respectfully,<br><br>William C Roberts<br><br>
</div>