rpms/kernel/devel linux-2.6.13-audit-SE-context.patch, NONE, 1.1.4.1 linux-2.6.13-audit-new-user-types.patch, NONE, 1.1.4.1 linux-2.6.13-audit-operators.patch, NONE, 1.1.4.1 linux-2.6.13-audit_inode-augment-1.patch, NONE, 1.1.4.1 linux-2.6.13-audit_inode-augment-2.patch, NONE, 1.1.4.1 linux-2.6.13-unshare-core.patch, NONE, 1.1.4.1 linux-2.6.13-unshare-i386.patch, NONE, 1.1.4.1 linux-2.6.14-audit-filter-type.patch, NONE, 1.1.2.1 kernel-2.6.spec, 1.1639, 1.1639.2.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Nov 3 15:25:48 UTC 2005


Author: dwmw2

Update of /cvs/dist/rpms/kernel/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7760

Modified Files:
      Tag: private-rawhide-lspp-branch-1369
	kernel-2.6.spec 
Added Files:
      Tag: private-rawhide-lspp-branch-1369
	linux-2.6.13-audit-SE-context.patch 
	linux-2.6.13-audit-new-user-types.patch 
	linux-2.6.13-audit-operators.patch 
	linux-2.6.13-audit_inode-augment-1.patch 
	linux-2.6.13-audit_inode-augment-2.patch 
	linux-2.6.13-unshare-core.patch 
	linux-2.6.13-unshare-i386.patch 
	linux-2.6.14-audit-filter-type.patch 
Log Message:
second lspp audit kernel

linux-2.6.13-audit-SE-context.patch:
 include/linux/audit.h    |    8 ++-
 include/linux/security.h |   27 ++++++++++
 ipc/msg.c                |    5 +
 ipc/sem.c                |    5 -
 ipc/shm.c                |    4 -
 ipc/util.c               |    2 
 kernel/audit.c           |    2 
 kernel/auditsc.c         |  125 +++++++++++++++++++++++++++++++++++++++++++++--
 security/dummy.c         |    6 ++
 security/selinux/hooks.c |   96 ++++++++++++++++--------------------
 10 files changed, 215 insertions(+), 65 deletions(-)

--- NEW FILE linux-2.6.13-audit-SE-context.patch ---
--- linux-2.6.13/include/linux/audit.h.p20004	2005-10-25 16:04:49.000000000 +0100
+++ linux-2.6.13/include/linux/audit.h	2005-10-25 16:04:49.000000000 +0100
@@ -277,12 +277,14 @@ extern void auditsc_get_stamp(struct aud
 			      struct timespec *t, unsigned int *serial);
 extern int  audit_set_loginuid(struct task_struct *task, uid_t loginuid);
 extern uid_t audit_get_loginuid(struct audit_context *ctx);
-extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
+extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
 extern int audit_socketcall(int nargs, unsigned long *args);
 extern int audit_sockaddr(int len, void *addr);
 extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
 extern void audit_signal_info(int sig, struct task_struct *t);
 extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
+extern char *audit_ipc_context(struct kern_ipc_perm *ipcp);
+extern int audit_set_macxattr(const char *name);
 #else
 #define audit_alloc(t) ({ 0; })
 #define audit_free(t) do { ; } while (0)
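Review bot: `audit_ipc_context` is declared here to return `char *` (auditsc.c in this patch assigns its result to `ax->ctx`), but the `!CONFIG_AUDITSYSCALL` stub in the next hunk, `#define audit_ipc_context(i) do { ; } while (0)`, is a statement, so any value-using caller fails to compile on that configuration; the existing stubs for value-returning functions use the expression form, e.g. `#define audit_ipc_context(i) ({ NULL; })`. The same mismatch applies to `audit_set_macxattr`, declared `int` but stubbed as a statement, and I cannot find a definition of `audit_set_macxattr` in any hunk of this patch. The new prototype also names `struct kern_ipc_perm`; if audit.h does not already forward-declare it above this point, a `struct kern_ipc_perm;` line is needed so the parameter type matches the callers' type rather than a prototype-scoped struct.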
@@ -303,6 +305,8 @@ extern int audit_filter_user(struct netl
 #define audit_avc_path(dentry, mnt) ({ 0; })
 #define audit_signal_info(s,t) do { ; } while (0)
 #define audit_filter_user(cb,t) ({ 1; })
+#define audit_ipc_context(i) do { ; } while (0)
+#define audit_set_macxattr(n) do { ; } while (0)
 #endif
 
 #ifdef CONFIG_AUDIT
@@ -331,6 +335,7 @@ extern void		    audit_send_reply(int pi
 					     int done, int multi,
 					     void *payload, int size);
 extern void		    audit_log_lost(const char *message);
+extern void		    audit_panic(const char *message);
 extern struct semaphore audit_netlink_sem;
 #else
 #define audit_log(c,g,t,f,...) do { ; } while (0)
@@ -341,6 +346,7 @@ extern struct semaphore audit_netlink_se
 #define audit_log_hex(a,b,l) do { ; } while (0)
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b,p,d,v) do { ; } while (0)
+#define audit_panic(m) do { ; } while (0)
 #endif
 #endif
 #endif
--- linux-2.6.13/include/linux/security.h.p20004	2005-10-25 16:04:48.000000000 +0100
+++ linux-2.6.13/include/linux/security.h	2005-10-25 16:14:48.000000000 +0100
@@ -795,6 +795,11 @@ struct swap_info_struct;
  *	@ipcp contains the kernel IPC permission structure
  *	@flag contains the desired (requested) permission set
  *	Return 0 if permission is granted.
+ * @ipc_getsecurity:
+ *      Copy the security label associated with the ipc object into
+ *      @buffer.  @buffer may be NULL to request the size of the buffer 
+ *      required.  @size indicates the size of @buffer in bytes. Return 
+ *      number of bytes used/required on success.
  *
  * Security hooks for individual messages held in System V IPC message queues
  * @msg_msg_alloc_security:
@@ -1094,6 +1099,7 @@ struct security_operations {
 	int (*inode_getxattr) (struct dentry *dentry, char *name);
 	int (*inode_listxattr) (struct dentry *dentry);
 	int (*inode_removexattr) (struct dentry *dentry, char *name);
+	char *(*inode_xattr_getsuffix) (void);
   	int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err);
   	int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
   	int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
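Review bot: The new `inode_xattr_getsuffix` member is typed `char *(*)(void)`, while the inline wrapper added further down in this file returns `const char *` and `selinux_inode_xattr_getsuffix` in hooks.c is `static const char *`, so the initializer `.inode_xattr_getsuffix = selinux_inode_xattr_getsuffix` assigns an incompatible pointer type; the `(char *)` casts on `security_inode_xattr_getsuffix()` in auditsc.c's `audit_inode_context` exist only to paper over the same mismatch. Declare it `const char *(*inode_xattr_getsuffix) (void);` and the casts can go. The `struct security_operations` definition continues outside this hunk.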
@@ -1143,6 +1149,7 @@ struct security_operations {
 	void (*task_to_inode)(struct task_struct *p, struct inode *inode);
 
 	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
+	int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size);
 
 	int (*msg_msg_alloc_security) (struct msg_msg * msg);
 	void (*msg_msg_free_security) (struct msg_msg * msg);
@@ -1583,6 +1590,11 @@ static inline int security_inode_removex
 	return security_ops->inode_removexattr (dentry, name);
 }
 
+static inline const char *security_inode_xattr_getsuffix(void)
+{
+	return security_ops->inode_xattr_getsuffix();
+}
+
 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
 {
 	if (unlikely (IS_PRIVATE (inode)))
@@ -1778,6 +1790,11 @@ static inline int security_ipc_permissio
 	return security_ops->ipc_permission (ipcp, flag);
 }
 
+static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
+{
+	return security_ops->ipc_getsecurity(ipcp, buffer, size);
+}
+
 static inline int security_msg_msg_alloc (struct msg_msg * msg)
 {
 	return security_ops->msg_msg_alloc_security (msg);
@@ -2225,6 +2242,11 @@ static inline int security_inode_removex
 	return cap_inode_removexattr(dentry, name);
 }
 
+static inline const char *security_inode_xattr_getsuffix (void)
+{
+	return NULL ;
+}
+
 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
 {
 	return -EOPNOTSUPP;
@@ -2408,6 +2430,11 @@ static inline int security_ipc_permissio
 	return 0;
 }
 
+static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
+{
+	return -EOPNOTSUPP;
+}
+
 static inline int security_msg_msg_alloc (struct msg_msg * msg)
 {
 	return 0;
--- linux-2.6.13/ipc/msg.c.p20004	2005-10-25 16:04:47.000000000 +0100
+++ linux-2.6.13/ipc/msg.c	2005-10-25 16:04:49.000000000 +0100
@@ -428,8 +428,6 @@ asmlinkage long sys_msgctl (int msqid, i
 			return -EFAULT;
 		if (copy_msqid_from_user (&setbuf, buf, version))
 			return -EFAULT;
-		if ((err = audit_ipc_perms(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode)))
-			return err;
 		break;
 	case IPC_RMID:
 		break;
@@ -460,6 +458,9 @@ asmlinkage long sys_msgctl (int msqid, i
 	switch (cmd) {
 	case IPC_SET:
 	{
+		if ((err = audit_ipc_perms(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode, ipcp)))
+			goto out_unlock_up;
+
 		err = -EPERM;
 		if (setbuf.qbytes > msg_ctlmnb && !capable(CAP_SYS_RESOURCE))
 			goto out_unlock_up;
--- linux-2.6.13/ipc/sem.c.p20004	2005-10-25 16:04:47.000000000 +0100
+++ linux-2.6.13/ipc/sem.c	2005-10-25 16:04:49.000000000 +0100
@@ -806,8 +806,6 @@ static int semctl_down(int semid, int se
 	if(cmd == IPC_SET) {
 		if(copy_semid_from_user (&setbuf, arg.buf, version))
 			return -EFAULT;
-		if ((err = audit_ipc_perms(0, setbuf.uid, setbuf.gid, setbuf.mode)))
-			return err;
 	}
 	sma = sem_lock(semid);
 	if(sma==NULL)
@@ -818,7 +816,6 @@ static int semctl_down(int semid, int se
 		goto out_unlock;
 	}	
 	ipcp = &sma->sem_perm;
-	
 	if (current->euid != ipcp->cuid && 
 	    current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN)) {
 	    	err=-EPERM;
@@ -835,6 +832,8 @@ static int semctl_down(int semid, int se
 		err = 0;
 		break;
 	case IPC_SET:
+		if ((err = audit_ipc_perms(0, setbuf.uid, setbuf.gid, setbuf.mode, ipcp)))
+			goto out_unlock;
 		ipcp->uid = setbuf.uid;
 		ipcp->gid = setbuf.gid;
 		ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
--- linux-2.6.13/ipc/shm.c.p20004	2005-10-25 16:04:47.000000000 +0100
+++ linux-2.6.13/ipc/shm.c	2005-10-25 16:04:49.000000000 +0100
@@ -604,13 +604,13 @@ asmlinkage long sys_shmctl (int shmid, i
 			err = -EFAULT;
 			goto out;
 		}
-		if ((err = audit_ipc_perms(0, setbuf.uid, setbuf.gid, setbuf.mode)))
-			return err;
 		down(&shm_ids.sem);
 		shp = shm_lock(shmid);
 		err=-EINVAL;
 		if(shp==NULL)
 			goto out_up;
+		if ((err = audit_ipc_perms(0, setbuf.uid, setbuf.gid, setbuf.mode, &(shp->shm_perm))))
+			goto out_unlock_up;
 		err = shm_checkid(shp,shmid);
 		if(err)
 			goto out_unlock_up;
--- linux-2.6.13/ipc/util.c.p20004	2005-10-25 16:04:47.000000000 +0100
+++ linux-2.6.13/ipc/util.c	2005-10-25 16:04:49.000000000 +0100
@@ -26,6 +26,7 @@
 #include <linux/workqueue.h>
 #include <linux/seq_file.h>
 #include <linux/proc_fs.h>
+#include <linux/audit.h>
 
 #include <asm/unistd.h>
 
@@ -466,6 +467,7 @@ int ipcperms (struct kern_ipc_perm *ipcp
 {	/* flag will most probably be 0 or S_...UGO from <linux/stat.h> */
 	int requested_mode, granted_mode;
 
+	audit_ipc_context(ipcp);
 	requested_mode = (flag >> 6) | (flag >> 3) | flag;
 	granted_mode = ipcp->mode;
 	if (current->euid == ipcp->cuid || current->euid == ipcp->uid)
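Review bot: The `audit_ipc_context(ipcp);` call added to `ipcperms()` discards its return value, and that value is a `kmalloc`'d buffer (auditsc.c's `audit_ipc_context` returns the string it allocates and only the caller can free it), so every permission check by a task with an audit context leaks one allocation. It also reaches `audit_panic()` whenever `security_ipc_getsecurity` fails, which for the dummy module in this patch is every call (`dummy_ipc_getsecurity` returns -EOPNOTSUPP), on a plain permission-check path that logs nothing. Either drop this line, or store the result somewhere `audit_free_aux` releases it; as written it has no effect except the leak.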
--- linux-2.6.13/kernel/audit.c.p20004	2005-10-25 16:04:49.000000000 +0100
+++ linux-2.6.13/kernel/audit.c	2005-10-25 16:04:49.000000000 +0100
@@ -142,7 +142,7 @@ static void audit_set_pid(struct audit_b
 	nlh->nlmsg_pid = pid;
 }
 
-static void audit_panic(const char *message)
+void audit_panic(const char *message)
 {
 	switch (audit_failure)
 	{
--- linux-2.6.13/kernel/auditsc.c.p20004	2005-10-25 16:04:49.000000000 +0100
+++ linux-2.6.13/kernel/auditsc.c	2005-10-25 16:43:41.000000000 +0100
@@ -30,6 +31,9 @@
  *
  * Modified by Amy Griffis <amy.griffis at hp.com> to collect additional
  * filesystem information.
+ *
+ * Subject and object context labeling support added by <danjones at us.ibm.com>
+ * and <dustin.kirkland at us.ibm.com> for LSPP certification compliance.
  */
 
 #include <linux/init.h>
@@ -48,6 +52,7 @@
 #include <linux/netlink.h>
 #include <linux/compiler.h>
 #include <asm/unistd.h>
+#include <linux/security.h>
 
 /* 0 = no checking
    1 = put_count checking
@@ -104,6 +109,7 @@ struct audit_names {
 	uid_t		uid;
 	gid_t		gid;
 	dev_t		rdev;
+	char		*ctx;
 };
 
 struct audit_aux_data {
@@ -120,6 +126,7 @@ struct audit_aux_data_ipcctl {
 	uid_t			uid;
 	gid_t			gid;
 	mode_t			mode;
+	char 			*ctx;
 };
 
 struct audit_aux_data_socketcall {
@@ -696,10 +703,12 @@ static inline void audit_free_names(stru
 		       context->serial, context->major, context->in_syscall,
 		       context->name_count, context->put_count,
 		       context->ino_count);
-		for (i = 0; i < context->name_count; i++)
+		for (i = 0; i < context->name_count; i++) {
 			printk(KERN_ERR "names[%d] = %p = %s\n", i,
 			       context->names[i].name,
 			       context->names[i].name ?: "(null)");
+			kfree(context->names[i].ctx);
+		}
 		dump_stack();
 		return;
 	}
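Review bot: The `kfree(context->names[i].ctx)` added here sits in the put_count-mismatch diagnostic branch of `audit_free_names`, which returns early; the regular release loop that follows is not in this hunk, and no other hunk in this patch frees `names[i].ctx`. If that loop is not updated as well, every context string allocated by `audit_inode_context` leaks at the end of each audited syscall once the context is reset. I'd expect a `kfree(context->names[i].ctx);` alongside the `__putname` in the normal path too. `audit_free_names` starts and ends outside this hunk.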
@@ -731,6 +740,12 @@ static inline void audit_free_aux(struct
 			dput(axi->dentry);
 			mntput(axi->mnt);
 		}
+		if ( aux->type == AUDIT_IPC ) {
+			struct audit_aux_data_ipcctl *axi = (void *)aux;
+			if (axi->ctx)
+				kfree(axi->ctx);
+		}
+
 		context->aux = aux->next;
 		kfree(aux);
 	}
@@ -810,6 +825,37 @@ static inline void audit_free_context(st
 		printk(KERN_ERR "audit: freed %d contexts\n", count);
 }
 
+static void audit_log_task_context(struct audit_buffer *ab)
+{
+	char *ctx = NULL;
+	ssize_t len = 0;
+
+	len = security_getprocattr(current, "current", NULL, 0);
+	if (len < 0) {
+		if (len != -EINVAL)
+			goto error_path;
+		return;
+	}
+
+	ctx = kmalloc(len, GFP_KERNEL);
+	if (!ctx) {
+		goto error_path;
+		return;
+	}
+
+	len = security_getprocattr(current, "current", ctx, len);
+	if (len < 0 )
+		goto error_path;
+
+	audit_log_format(ab, " subj=%s", ctx);
+
+error_path:
+	if (ctx)
+		kfree(ctx);
+	audit_panic("security_getprocattr error in audit_log_task_context");
+	return;
+}
+
 static void audit_log_task_info(struct audit_buffer *ab)
 {
 	char name[sizeof(current->comm)];
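Review bot: `audit_log_task_context` falls through into `error_path:` after the successful `audit_log_format`, so `audit_panic()` fires on every record that was logged correctly, not only on failure; the success path needs `kfree(ctx); return;` after the format call (or the label restricted to the failing branches). The `return;` after `goto error_path;` in the `!ctx` branch is unreachable and can be dropped. Note also that `selinux_getprocattr` in this patch returns 0 for a task with no sid (`if (!sid) return 0;`), in which case `len` is 0 here, `kmalloc(0, GFP_KERNEL)` is called and an unfilled buffer is printed with `%s`; handling `len == 0` like the `-EINVAL` case (return without logging) avoids that.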
@@ -836,6 +882,7 @@ static void audit_log_task_info(struct a
 		vma = vma->vm_next;
 	}
 	up_read(&mm->mmap_sem);
+	audit_log_task_context(ab);
 }
 
 static void audit_log_exit(struct audit_context *context, unsigned int gfp_mask)
@@ -884,8 +931,8 @@ static void audit_log_exit(struct audit_
 		case AUDIT_IPC: {
 			struct audit_aux_data_ipcctl *axi = (void *)aux;
 			audit_log_format(ab, 
-					 " qbytes=%lx iuid=%u igid=%u mode=%x",
-					 axi->qbytes, axi->uid, axi->gid, axi->mode);
+					 " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
+					 axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
 			break; }
 
 		case AUDIT_SOCKETCALL: {
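Review bot: The new `obj=%s` in the `AUDIT_IPC` case prints `axi->ctx` unconditionally, but `audit_ipc_context` returns NULL on every error path, including the -EOPNOTSUPP that this patch's `dummy_ipc_getsecurity` returns, so a kernel without SELinux emits `obj=<NULL>` (or worse, if the format implementation does not guard a NULL `%s`) on every audited IPC_SET. The per-name path later in this function only emits `obj=` when `names[i].ctx` is non-NULL; the same guard belongs here: keep the original format line and follow it with `if (axi->ctx) audit_log_format(ab, " obj=%s", axi->ctx);`. The enclosing `audit_log_exit` starts and ends outside this hunk.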
@@ -949,6 +996,11 @@ static void audit_log_exit(struct audit_
 					 context->names[i].gid, 
 					 MAJOR(context->names[i].rdev), 
 					 MINOR(context->names[i].rdev));
+		if (context->names[i].ctx) {
+			audit_log_format(ab, " obj=%s",
+					context->names[i].ctx);
+		}
+
 		audit_log_end(ab);
 	}
 }
@@ -1164,6 +1216,37 @@ void audit_putname(const char *name)
 #endif
 }
 
+void audit_inode_context(int idx, const struct inode *inode)
+{
+	struct audit_context *context = current->audit_context;
+	char *ctx = NULL;
+	int len = 0;
+
+	if (!security_inode_xattr_getsuffix())
+		return;
+
+	len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), NULL, 0, 0);
+	if (len < 0) 
+		goto error_path;
+
+	ctx = kmalloc(len, GFP_KERNEL);
+	if (!ctx) 
+		goto error_path;
+
+	len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), ctx, len, 0);
+	if (len < 0)
+		goto error_path;
+
+	context->names[idx].ctx = ctx;
+	return;
+
+error_path:
+	if (ctx)
+		kfree(ctx);
+	audit_panic("error in audit_inode_context");
+	return;
+}
+
 /* Store the inode and device from a lookup.  Called from
  * fs/namei.c:path_lookup(). */
 void audit_inode(const char *name, const struct inode *inode, unsigned flags)
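Review bot: `audit_inode_context` stores its buffer with `context->names[idx].ctx = ctx;` without freeing whatever the slot already holds, and both call sites this patch adds can revisit a slot: the `update_context:` path in a later hunk exists precisely to refresh an existing entry, and `audit_inode` itself appears to re-use the last entry when the same `name` is seen again. A `kfree(context->names[idx].ctx);` immediately before the assignment closes that leak. Separately, every negative return from `security_inode_getsecurity` is escalated to `audit_panic()`, which under an `audit_failure` of `AUDIT_FAIL_PANIC` would take the machine down on an ordinary path lookup; -EOPNOTSUPP (no label for this inode) should be treated as "no context" and return quietly. The `(char *)` casts on `security_inode_xattr_getsuffix()` only mask a const mismatch in the hook's declared type and should go once that is fixed.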
@@ -1197,6 +1280,7 @@ void audit_inode(const char *name, const
 	context->names[idx].uid   = inode->i_uid;
 	context->names[idx].gid   = inode->i_gid;
 	context->names[idx].rdev  = inode->i_rdev;
+	audit_inode_context(idx, inode);
 	if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) && 
 	    (strcmp(name, ".") != 0)) {
 		context->names[idx].ino   = (unsigned long)-1;
@@ -1278,6 +1362,7 @@ update_context:
 		context->names[idx].uid   = inode->i_uid;
 		context->names[idx].gid   = inode->i_gid;
 		context->names[idx].rdev  = inode->i_rdev;
+		audit_inode_context(idx, inode);
 	}
 }
 
@@ -1315,7 +1400,7 @@ uid_t audit_get_loginuid(struct audit_co
 	return ctx ? ctx->loginuid : -1;
 }
 
-int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
+int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
 {
 	struct audit_aux_data_ipcctl *ax;
 	struct audit_context *context = current->audit_context;
@@ -1323,7 +1408,7 @@ int audit_ipc_perms(unsigned long qbytes
 	if (likely(!context))
 		return 0;
 
-	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
 	if (!ax)
 		return -ENOMEM;
 
@@ -1331,6 +1416,7 @@ int audit_ipc_perms(unsigned long qbytes
 	ax->uid = uid;
 	ax->gid = gid;
 	ax->mode = mode;
+	ax->ctx = audit_ipc_context(ipcp);
 
 	ax->d.type = AUDIT_IPC;
 	ax->d.next = context->aux;
@@ -1338,6 +1424,36 @@ int audit_ipc_perms(unsigned long qbytes
 	return 0;
 }
 
+char *audit_ipc_context(struct kern_ipc_perm *ipcp)
+{
+	struct audit_context *context = current->audit_context;
+	char *ctx = NULL;
+	int len = 0;
+
+	if (likely(!context))
+		return NULL;
+
+	len = security_ipc_getsecurity(ipcp, NULL, 0);
+	if (len < 0)
+		goto error_path;
+
+	ctx = kmalloc(len, GFP_ATOMIC);
+	if (!ctx)
+		goto error_path;
+
+	len = security_ipc_getsecurity(ipcp, ctx, len);
+	if (len < 0)
+		goto error_path;
+
+	return ctx;
+
+error_path:
+	if (ctx)
+		kfree(ctx);
+	audit_panic("error in audit_ipc_context");
+	return NULL;
+}
+
 int audit_socketcall(int nargs, unsigned long *args)
 {
 	struct audit_aux_data_socketcall *ax;
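Review bot: `audit_ipc_context` turns any negative return from `security_ipc_getsecurity` into `audit_panic()`, and the dummy module in this patch (`dummy_ipc_getsecurity`) always returns -EOPNOTSUPP, so on a kernel without SELinux every audited IPC_SET, and via the `ipcperms()` call added in ipc/util.c every IPC permission check, hits the panic path. Treat "no label available" as a normal outcome with `if (len == -EOPNOTSUPP) return NULL;` ahead of the `goto error_path`. The `if (ctx) kfree(ctx);` guard is redundant since `kfree(NULL)` is a no-op. A one-line comment above the function stating that the caller owns and must `kfree` the returned buffer would also make the discarded return in `ipcperms()` an obvious mistake.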
--- linux-2.6.13/security/selinux/hooks.c.p20004	2005-10-25 17:02:09.000000000 +0100
+++ linux-2.6.13/security/selinux/hooks.c	2005-10-25 17:03:48.000000000 +0100
@@ -116,6 +116,32 @@ static struct security_operations *secon
 static LIST_HEAD(superblock_security_head);
 static DEFINE_SPINLOCK(sb_security_lock);
 
+/* Return security context for a given sid or just the context 
+   length if the buffer is null or length is 0 */
+static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
+{
+	char *context;
+	unsigned len;
+	int rc;
+
+	rc = security_sid_to_context(sid, &context, &len);
+	if (rc)
+		return rc;
+
+	if (!buffer || !size)
+		goto getsecurity_exit;
+
+	if (size < len) {
+		len = -ERANGE;
+		goto getsecurity_exit;
+	}
+	memcpy(buffer, context, len);
+
+getsecurity_exit:
+	kfree(context);
+	return len;
+}
+
 /* Allocate and free functions for each kind of security blob. */
 
 static int task_alloc_security(struct task_struct *task)
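Review bot: `selinux_getsecurity` writes `-ERANGE` into `unsigned len` and then returns `len` through an `int` return type, so the error code survives only by way of two implementation-defined conversions and `-Wsign-conversion` will flag it. The function already has `int rc`; use it for the result: add `rc = len;` after the `security_sid_to_context` check, write `rc = -ERANGE;` in the size check, and `return rc;` at `getsecurity_exit`. `len` then stays the buffer length it is declared as.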
@@ -2244,6 +2270,11 @@ static int selinux_inode_removexattr (st
 	return -EACCES;
 }
 
+static const char *selinux_inode_xattr_getsuffix(void)
+{
+      return XATTR_SELINUX_SUFFIX;
+}
+
 /*
  * Copy the in-core inode security context value to the user.  If the
  * getxattr() prior to this succeeded, check to see if we need to
@@ -2254,44 +2285,11 @@ static int selinux_inode_removexattr (st
 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
 {
 	struct inode_security_struct *isec = inode->i_security;
-	char *context;
-	unsigned len;
-	int rc;
-
-	if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
-		rc = -EOPNOTSUPP;
-		goto out;
-	}
-
-	rc = security_sid_to_context(isec->sid, &context, &len);
-	if (rc)
-		goto out;
 
-	/* Probe for required buffer size */
-	if (!buffer || !size) {
-		rc = len;
-		goto out_free;
-	}
+	if (strcmp(name, XATTR_SELINUX_SUFFIX))
+		return -EOPNOTSUPP;
 
-	if (size < len) {
-		rc = -ERANGE;
-		goto out_free;
-	}
-
-	if (err > 0) {
-		if ((len == err) && !(memcmp(context, buffer, len))) {
-			/* Don't need to canonicalize value */
-			rc = err;
-			goto out_free;
-		}
-		memset(buffer, 0, size);
-	}
-	memcpy(buffer, context, len);
-	rc = len;
-out_free:
-	kfree(context);
-out:
-	return rc;
+	return selinux_getsecurity(isec->sid, buffer, size);
 }
 
 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
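Review bot: The rewrite of `selinux_inode_getsecurity` drops the `err > 0` branch — the memcmp shortcut against the value a prior getxattr returned and the `memset(buffer, 0, size)` before the copy — yet the comment immediately above the function still says it checks whether the value needs canonicalising when the earlier getxattr succeeded, and the `err` parameter is now unused. Either that behaviour should be preserved around the `selinux_getsecurity` call, or the comment needs updating to the new contract, e.g. `/* Copy the in-core context of @inode to @buffer; @err is ignored. */`. Which of the two is intended is not clear from the patch.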
@@ -4063,6 +4061,13 @@ static int selinux_ipc_permission(struct
 	return ipc_has_perm(ipcp, av);
 }
 
+static int selinux_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
+{
+	struct ipc_security_struct *isec = ipcp->security;
+
+	return selinux_getsecurity(isec->sid, buffer, size);
+}
+
 /* module stacking operations */
 static int selinux_register_security (const char *name, struct security_operations *ops)
 {
@@ -4104,8 +4109,7 @@ static int selinux_getprocattr(struct ta
 			       char *name, void *value, size_t size)
 {
 	struct task_security_struct *tsec;
-	u32 sid, len;
-	char *context;
+	u32 sid;
 	int error;
 
 	if (current != p) {
@@ -4114,9 +4118,6 @@ static int selinux_getprocattr(struct ta
 			return error;
 	}
 
-	if (!size)
-		return -ERANGE;
-
 	tsec = p->security;
 
 	if (!strcmp(name, "current"))
@@ -4133,16 +4134,7 @@ static int selinux_getprocattr(struct ta
 	if (!sid)
 		return 0;
 
-	error = security_sid_to_context(sid, &context, &len);
-	if (error)
-		return error;
-	if (len > size) {
-		kfree(context);
-		return -ERANGE;
-	}
-	memcpy(value, context, len);
-	kfree(context);
-	return len;
+	return selinux_getsecurity(sid, value, size);
 }
 
 static int selinux_setprocattr(struct task_struct *p,
@@ -4300,6 +4292,7 @@ static struct security_operations selinu
 	.inode_getxattr =		selinux_inode_getxattr,
 	.inode_listxattr =		selinux_inode_listxattr,
 	.inode_removexattr =		selinux_inode_removexattr,
+	.inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
 	.inode_getsecurity =            selinux_inode_getsecurity,
 	.inode_setsecurity =            selinux_inode_setsecurity,
 	.inode_listsecurity =           selinux_inode_listsecurity,
@@ -4337,6 +4330,7 @@ static struct security_operations selinu
 	.task_to_inode =                selinux_task_to_inode,
 
 	.ipc_permission =		selinux_ipc_permission,
+	.ipc_getsecurity =		selinux_ipc_getsecurity,
 
 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
 	.msg_msg_free_security =	selinux_msg_msg_free_security,
--- linux-2.6.13/security/dummy.c.p20004	2005-10-25 16:04:48.000000000 +0100
+++ linux-2.6.13/security/dummy.c	2005-10-25 16:04:49.000000000 +0100
@@ -557,6 +557,11 @@ static int dummy_ipc_permission (struct 
 	return 0;
 }
 
+static int dummy_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
+{
+	return -EOPNOTSUPP;
+}
+
 static int dummy_msg_msg_alloc_security (struct msg_msg *msg)
 {
 	return 0;
@@ -907,6 +912,7 @@ void security_fixup_ops (struct security
 	set_to_dummy_if_null(ops, task_reparent_to_init);
  	set_to_dummy_if_null(ops, task_to_inode);
 	set_to_dummy_if_null(ops, ipc_permission);
+	set_to_dummy_if_null(ops, ipc_getsecurity);
 	set_to_dummy_if_null(ops, msg_msg_alloc_security);
 	set_to_dummy_if_null(ops, msg_msg_free_security);
 	set_to_dummy_if_null(ops, msg_queue_alloc_security);
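Review bot: `set_to_dummy_if_null` is added for `ipc_getsecurity` but not for the new `inode_xattr_getsuffix` hook, and there is no `dummy_inode_xattr_getsuffix` in this file's hunks (the diffstat's six insertions for dummy.c are accounted for by `dummy_ipc_getsecurity` and this line). `security_inode_xattr_getsuffix()` in security.h calls `security_ops->inode_xattr_getsuffix()` with no NULL check and `audit_inode_context` calls it on every `audit_inode`, so a kernel with CONFIG_SECURITY and an LSM that does not implement the hook would jump through a NULL pointer on its first audited path lookup. A stub returning NULL (the value `audit_inode_context` already treats as "no labels") plus the matching fixup line are needed; the stub's return type should match whatever the ops member ends up declared as.
```c
/* … unchanged: dummy_ipc_permission, dummy_ipc_getsecurity … */
static const char *dummy_inode_xattr_getsuffix(void)
{
	return NULL;
}
/* … unchanged: remaining dummy hooks and the start of security_fixup_ops … */
	set_to_dummy_if_null(ops, inode_xattr_getsuffix);
```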

linux-2.6.13-audit-new-user-types.patch:
 include/linux/audit.h       |   19 +++++++++++++++----
 kernel/audit.c              |    2 ++
 security/selinux/nlmsgtab.c |    6 ++++--
 3 files changed, 21 insertions(+), 6 deletions(-)

--- NEW FILE linux-2.6.13-audit-new-user-types.patch ---
>From linux-audit-bounces at redhat.com Thu Oct 20 17:49:42 2005
Return-path: <linux-audit-bounces at redhat.com>
Envelope-to: dwmw2 at baythorne.infradead.org
Delivery-date: Thu, 20 Oct 2005 17:49:42 +0100
Received: from [2002:d592:9a28::1] (helo=pentafluge.infradead.org) by
	baythorne.infradead.org with esmtps (Exim 4.52 #1 (Red Hat Linux)) id
	1ESdbq-0005gx-0l for dwmw2 at baythorne.infradead.org; Thu, 20 Oct 2005
	17:49:42 +0100
Received: from hormel.redhat.com ([209.132.177.30]) by
	pentafluge.infradead.org with esmtp (Exim 4.54 #1 (Red Hat Linux)) id
	1ESdbo-0008BL-0z for dwmw2 at infradead.org; Thu, 20 Oct 2005 17:49:41 +0100
Received: from listman.util.phx.redhat.com (listman.util.phx.redhat.com
	[10.8.4.110]) by hormel.redhat.com (Postfix) with ESMTP id 21DAC732A3; Thu,
	20 Oct 2005 12:49:39 -0400 (EDT)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
	[172.16.52.254]) by listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP
	id j9KGnc1u005440 for <linux-audit at listman.util.phx.redhat.com>; Thu, 20
	Oct 2005 12:49:38 -0400
Received: from mail.boston.redhat.com (mail.boston.redhat.com
	[172.16.76.12]) by int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id
	j9KGnbV19502 for <linux-audit at int-mx1.corp.redhat.com>; Thu, 20 Oct 2005
	12:49:37 -0400
Received: from discovery.boston.redhat.com (discovery.boston.redhat.com
	[172.16.80.171]) by mail.boston.redhat.com (8.12.8/8.12.8) with ESMTP id
	j9KGnb6R024106 for <linux-audit at redhat.com>; Thu, 20 Oct 2005 12:49:37 -0400
From: Steve Grubb <sgrubb at redhat.com>
To: Linux Audit Discussion <linux-audit at redhat.com>
Date: Thu, 20 Oct 2005 12:49:40 -0400
User-Agent: KMail/1.8.2
MIME-Version: 1.0
Content-Type: Multipart/Mixed; boundary="Boundary-00=_kq8VDEtvxcJGGFR"
Message-Id: <200510201249.40644.sgrubb at redhat.com>
X-loop: linux-audit at redhat.com
Subject: [PATCH] New user space message types
X-BeenThere: linux-audit at redhat.com
X-Mailman-Version: 2.1.5
Precedence: junk
List-Id: Linux Audit Discussion <linux-audit.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit at redhat.com>
List-Help: <mailto:linux-audit-request at redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=subscribe>
Sender: linux-audit-bounces at redhat.com
Errors-To: linux-audit-bounces at redhat.com
X-Spam-Score: 0.0 (/)
X-Evolution-Source: imap://dwmw2@baythorne.infradead.org/


--Boundary-00=_kq8VDEtvxcJGGFR
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Hi,

The attached patch updates various items for the new user space messages. 
Please apply.

-Steve

--Boundary-00=_kq8VDEtvxcJGGFR
Content-Type: text/x-diff; charset="us-ascii"; name="linux-2.6.13-audit-new-types.patch"
Content-Disposition: attachment; filename="linux-2.6.13-audit-new-types.patch"
Content-Transfer-Encoding: 8bit

diff -urp linux-2.6.13.orig/include/linux/audit.h linux-2.6.13/include/linux/audit.h
--- linux-2.6.13.orig/include/linux/audit.h	2005-10-20 12:30:19.000000000 -0400
+++ linux-2.6.13/include/linux/audit.h	2005-10-20 12:26:50.000000000 -0400
@@ -33,11 +33,20 @@
  * 1200 - 1299 messages internal to the audit daemon
  * 1300 - 1399 audit event messages
  * 1400 - 1499 SE Linux use
- * 1500 - 1999 future use
- * 2000 is for otherwise unclassified kernel audit messages
+ * 1500 - 1599 kernel LSPP events
+ * 1600 - 1699 kernel crypto events
+ * 1700 - 1999 future kernel use (maybe integrity labels and related events)
+ * 2000 is for otherwise unclassified kernel audit messages (legacy)
+ * 2001 - 2099 unused (kernel)
+ * 2100 - 2199 user space anomaly records
+ * 2200 - 2299 user space actions taken in response to anomalies
+ * 2300 - 2399 user space generated LSPP events
+ * 2400 - 2499 user space crypto events
+ * 2500 - 2999 future user space (maybe integrity labels and related events)
  *
- * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
- * space. Anything over that is kernel --> user space communication.
+ * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
+ * exclusively user space. 1300-2099 is kernel --> user space 
+ * communication.
  */
 #define AUDIT_GET		1000	/* Get status */
 #define AUDIT_SET		1001	/* Set status (enable/disable/auditd) */
@@ -54,6 +63,8 @@
 #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
 #define AUDIT_USER_AVC		1107	/* We filter this differently */
 #define AUDIT_LAST_USER_MSG	1199
+#define AUDIT_FIRST_USER_MSG2	2100	/* More user space messages */
+#define AUDIT_LAST_USER_MSG2	2999
  
 #define AUDIT_DAEMON_START      1200    /* Daemon startup record */
 #define AUDIT_DAEMON_END        1201    /* Daemon normal stop record */
diff -urp linux-2.6.13.orig/kernel/audit.c linux-2.6.13/kernel/audit.c
--- linux-2.6.13.orig/kernel/audit.c	2005-10-20 12:30:28.000000000 -0400
+++ linux-2.6.13/kernel/audit.c	2005-10-20 12:27:31.000000000 -0400
@@ -349,6 +349,7 @@ static int audit_netlink_ok(kernel_cap_t
 		break;
 	case AUDIT_USER:
 	case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
+	case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
 		if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
 			err = -EPERM;
 		break;
@@ -428,6 +429,7 @@ static int audit_receive_msg(struct sk_b
 		break;
 	case AUDIT_USER:
 	case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
+	case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
 		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
 			return 0;
 
diff -urp linux-2.6.13.orig/security/selinux/nlmsgtab.c linux-2.6.13/security/selinux/nlmsgtab.c
--- linux-2.6.13.orig/security/selinux/nlmsgtab.c	2005-10-20 12:30:29.000000000 -0400
+++ linux-2.6.13/security/selinux/nlmsgtab.c	2005-10-20 12:29:24.000000000 -0400
@@ -145,8 +145,10 @@ int selinux_nlmsg_lookup(u16 sclass, u16
 		break;
 
 	case SECCLASS_NETLINK_AUDIT_SOCKET:
-		if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
-		    nlmsg_type <= AUDIT_LAST_USER_MSG) {
+		if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
+		     nlmsg_type <= AUDIT_LAST_USER_MSG) ||
+		    (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
+                     nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
 			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
 		} else {
 			err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
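Review bot: The last line of the new condition (`nlmsg_type <= AUDIT_LAST_USER_MSG2`) is indented with spaces while the three lines above it and the rest of the file use tabs, so the continuation misaligns at any tab width other than the one it was typed at and trips whitespace checks. Re-indent it with tabs so it lines up under the `AUDIT_LAST_USER_MSG` comparison above. The `switch` this sits in starts and ends outside the hunk.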

--Boundary-00=_kq8VDEtvxcJGGFR
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--Boundary-00=_kq8VDEtvxcJGGFR--

linux-2.6.13-audit-operators.patch:
 include/linux/audit.h             |   29 +++++++++
 linux-2.6.14-rc4/kernel/auditsc.c |  115 ++++++++++++++++++++++++--------------
 2 files changed, 102 insertions(+), 42 deletions(-)

--- NEW FILE linux-2.6.13-audit-operators.patch ---
--- linux-2.6.14-rc4/include/linux/audit.h	2005-10-19 09:40:27.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops/include/linux/audit.h	2005-10-26 16:12:42.000000000 -0500
@@ -98,6 +98,13 @@
 #define AUDIT_WORD(nr) ((__u32)((nr)/32))
 #define AUDIT_BIT(nr)  (1 << ((nr) - AUDIT_WORD(nr)*32))
 
+/* This bitmask is used to validate user input.  It represents all bits that
+ * are currently used in an audit field constant understood by the kernel.
+ * If you are adding a new #define AUDIT_<whatever>, please ensure that
+ * AUDIT_UNUSED_BITS is updated if need be. */
+#define AUDIT_UNUSED_BITS	0x0FFFFC00
+
+
 /* Rule fields */
 				/* These are useful when checking the
 				 * task structure at task creation time
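Review bot: The comment above `AUDIT_UNUSED_BITS` says the mask "represents all bits that are currently used", but `0x0FFFFC00` is the complement of what the field constants (which appear to all sit below 0x400) and the operator/negate bits (0x10000000 and up) occupy, and `audit_add_rule` in the auditsc.c hunk rejects a field that has any of these bits set — it is the set of bits that must be zero. Reword it to match the name and the check: `/* Bits of an audit field constant that no AUDIT_* field or operator value uses; audit_add_rule rejects rules that set any of them. Update this mask when adding a field or operator bit. */`.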
@@ -128,8 +135,28 @@
 #define AUDIT_ARG2      (AUDIT_ARG0+2)
 #define AUDIT_ARG3      (AUDIT_ARG0+3)
 
-#define AUDIT_NEGATE    0x80000000
+#define AUDIT_NEGATE			0x80000000
 
+/* These are the supported operators.
+ *	4  2  1
+ *	=  >  <
+ *	-------
+ *	0  0  0		0	nonsense
+ *	0  0  1		1	<
+ *	0  1  0		2	>
+ *	0  1  1		3	!=
+ *	1  0  0		4	=
+ *	1  0  1		5	<=
+ *	1  1  0		6	>=
+ *	1  1  1		7	all operators
+ */
+#define AUDIT_LESS_THAN			0x10000000
+#define AUDIT_GREATER_THAN		0x20000000
+#define AUDIT_NOT_EQUAL			0x30000000
+#define AUDIT_EQUAL			0x40000000
+#define AUDIT_LESS_THAN_OR_EQUAL	(AUDIT_LESS_THAN|AUDIT_EQUAL)
+#define AUDIT_GREATER_THAN_OR_EQUAL	(AUDIT_GREATER_THAN|AUDIT_EQUAL)
+#define AUDIT_OPERATORS			(AUDIT_EQUAL|AUDIT_NOT_EQUAL)
 
 /* Status symbols */
 				/* Mask values */
diff -urpN linux-2.6.14-rc4/kernel/auditsc.c
linux-2.6.14-rc4-audit_ops/kernel/auditsc.c
--- linux-2.6.14-rc4/kernel/auditsc.c	2005-10-19 09:40:29.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops/kernel/auditsc.c	2005-10-27
14:17:41.000000000 -0500
@@ -2,6 +2,7 @@
  * Handles all system-call specific auditing features.
  *
  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
+ * Copyright (C) 2005 IBM Corporation
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -27,6 +28,9 @@
  * this file -- see entry.S) is based on a GPL'd patch written by
  * okir at suse.de and Copyright 2003 SuSE Linux AG.
  *
+ * The support of additional filter rules compares (>, <, >=, <=) was
+ * added by Dustin Kirkland <dustin.kirkland at us.ibm.com>, 2005.
+ *
  */
 
 #include <linux/init.h>
@@ -252,6 +256,7 @@ static inline int audit_add_rule(struct
 				  struct list_head *list)
 {
 	struct audit_entry  *entry;
+	int i;
 
 	/* Do not use the _rcu iterator here, since this is the only
 	 * addition routine. */
@@ -261,6 +266,16 @@ static inline int audit_add_rule(struct
 		}
 	}
 
+	for (i = 0; i < rule->field_count; i++) {
+		if (rule->fields[i] & AUDIT_UNUSED_BITS)
+			return -EINVAL;
+		if ( rule->fields[i] & AUDIT_NEGATE )
+			rule->fields[i] |= AUDIT_NOT_EQUAL;
+		else if ( (rule->fields[i] & AUDIT_OPERATORS) == 0 )
+			rule->fields[i] |= AUDIT_EQUAL;
+		rule->fields[i] &= (~AUDIT_NEGATE);
+	}
+
 	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
 		return -ENOMEM;
 	if (audit_copy_rule(&entry->rule, rule)) {
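Review bot: The normalisation loop can itself manufacture the invalid all-bits operator: a field sent as `AUDIT_EQUAL|AUDIT_NEGATE` becomes `AUDIT_EQUAL|AUDIT_NOT_EQUAL` (0x70000000), and `AUDIT_LESS_THAN|AUDIT_NEGATE` collapses into `AUDIT_NOT_EQUAL` rather than the `>=` the sender presumably meant, yet only `AUDIT_UNUSED_BITS` is rejected. Refusing the mixed encoding keeps the two forms from overlapping: `if ((rule->fields[i] & AUDIT_NEGATE) && (rule->fields[i] & AUDIT_OPERATORS))` / `return -EINVAL;` ahead of the existing `if`, plus a closing `if ((rule->fields[i] & AUDIT_OPERATORS) == AUDIT_OPERATORS) return -EINVAL;` for the value arriving directly. Without one of these a rule can be installed whose operator no case in `audit_comparator` recognises. audit_add_rule's body begins before this hunk.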
@@ -385,6 +400,26 @@ int audit_receive_filter(int type, int p
 	return err;
 }
 
+static int audit_comparator(const u32 left, const u32 op, const u32 right)
+{
+	switch (op) {
+	case AUDIT_EQUAL:
+		return (left == right);
+	case AUDIT_NOT_EQUAL:
+		return (left != right);
+	case AUDIT_LESS_THAN:
+		return (left < right);
+	case AUDIT_LESS_THAN_OR_EQUAL:
+		return (left <= right);
+	case AUDIT_GREATER_THAN:
+		return (left > right);
+	case AUDIT_GREATER_THAN_OR_EQUAL:
+		return (left >= right);
+	default:
+		return -EINVAL;
+	}
+}
+
 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
  * otherwise. */
 static int audit_filter_rules(struct task_struct *tsk,
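Review bot: The `default:` branch returns `-EINVAL`, but every caller in the following hunks (`audit_filter_rules` and, further down, `audit_filter_user_rules`) only tests the result for non-zero (`if (!result) return 0;`), so an operator value the switch does not recognise makes the field match unconditionally instead of signalling an error. A predicate with a truthy contract cannot carry an error code; the branch should read `default:` / `return 0;` and the operator set should be validated once, when the rule is added. The same holds for the AUDIT_DEVMAJOR, AUDIT_DEVMINOR and AUDIT_INODE loops, where `if (audit_comparator(...))` followed by `++result` counts a negative return as a hit.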
@@ -395,62 +430,63 @@ static int audit_filter_rules(struct tas
 	int i, j;
 
 	for (i = 0; i < rule->field_count; i++) {
-		u32 field  = rule->fields[i] & ~AUDIT_NEGATE;
+		u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;
+		u32 op  = rule->fields[i] & AUDIT_OPERATORS;
 		u32 value  = rule->values[i];
 		int result = 0;
 
 		switch (field) {
 		case AUDIT_PID:
-			result = (tsk->pid == value);
+			result = audit_comparator(tsk->pid, op, value);
 			break;
 		case AUDIT_UID:
-			result = (tsk->uid == value);
+			result = audit_comparator(tsk->uid, op, value);
 			break;
 		case AUDIT_EUID:
-			result = (tsk->euid == value);
+			result = audit_comparator(tsk->euid, op, value);
 			break;
 		case AUDIT_SUID:
-			result = (tsk->suid == value);
+			result = audit_comparator(tsk->suid, op, value);
 			break;
 		case AUDIT_FSUID:
-			result = (tsk->fsuid == value);
+			result = audit_comparator(tsk->fsuid, op, value);
 			break;
 		case AUDIT_GID:
-			result = (tsk->gid == value);
+			result = audit_comparator(tsk->gid, op, value);
 			break;
 		case AUDIT_EGID:
-			result = (tsk->egid == value);
+			result = audit_comparator(tsk->egid, op, value);
 			break;
 		case AUDIT_SGID:
-			result = (tsk->sgid == value);
+			result = audit_comparator(tsk->sgid, op, value);
 			break;
 		case AUDIT_FSGID:
-			result = (tsk->fsgid == value);
+			result = audit_comparator(tsk->fsgid, op, value);
 			break;
 		case AUDIT_PERS:
-			result = (tsk->personality == value);
+			result = audit_comparator(tsk->personality, op, value);
 			break;
 		case AUDIT_ARCH:
-			if (ctx) 
-				result = (ctx->arch == value);
+ 			if (ctx)
+				result = audit_comparator(ctx->arch, op, value);
 			break;
 
 		case AUDIT_EXIT:
 			if (ctx && ctx->return_valid)
-				result = (ctx->return_code == value);
+				result = audit_comparator(ctx->return_code, op, value);
 			break;
 		case AUDIT_SUCCESS:
 			if (ctx && ctx->return_valid) {
 				if (value)
-					result = (ctx->return_valid == AUDITSC_SUCCESS);
+					result = audit_comparator(ctx->return_valid, op, AUDITSC_SUCCESS);
 				else
-					result = (ctx->return_valid == AUDITSC_FAILURE);
+					result = audit_comparator(ctx->return_valid, op, AUDITSC_FAILURE);
 			}
 			break;
 		case AUDIT_DEVMAJOR:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (MAJOR(ctx->names[j].dev)==value) {
+					if (audit_comparator(MAJOR(ctx->names[j].dev),	op, value)) {
 						++result;
 						break;
 					}
@@ -460,7 +504,7 @@ static int audit_filter_rules(struct tas
 		case AUDIT_DEVMINOR:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (MINOR(ctx->names[j].dev)==value) {
+					if (audit_comparator(MINOR(ctx->names[j].dev), op, value)) {
 						++result;
 						break;
 					}
@@ -470,7 +517,7 @@ static int audit_filter_rules(struct tas
 		case AUDIT_INODE:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (ctx->names[j].ino == value) {
+					if ( audit_comparator(ctx->names[j].ino, op, value)) {
 						++result;
 						break;
 					}
@@ -480,19 +529,17 @@ static int audit_filter_rules(struct tas
 		case AUDIT_LOGINUID:
 			result = 0;
 			if (ctx)
-				result = (ctx->loginuid == value);
+				result = audit_comparator(ctx->loginuid, op, value);
 			break;
 		case AUDIT_ARG0:
 		case AUDIT_ARG1:
 		case AUDIT_ARG2:
 		case AUDIT_ARG3:
 			if (ctx)
-				result = (ctx->argv[field-AUDIT_ARG0]==value);
+				result = audit_comparator(ctx->argv[field-AUDIT_ARG0], op, value);
 			break;
 		}
 
-		if (rule->fields[i] & AUDIT_NEGATE)
-			result = !result;
 		if (!result)
 			return 0;
 	}
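Review bot: In the `AUDIT_EXIT` case `ctx->return_code` is passed through `audit_comparator`'s `const u32 left`, while `audit_syscall_exit` receives the return code as a `long` (see the audit.h prototype later on this page); if the context stores it with that signed type, a negative errno becomes a large unsigned value before `<` or `>` is applied, and an ordered rule on a negative exit value cannot match. If that is the stored type, route AUDIT_EXIT through a signed path — for example a sibling comparator taking `long` operands with the same switch, or an explicit cast of both sides to `int` before a signed compare — and say in the header comment that every other field compares unsigned. Separately, the `if (ctx)` under `case AUDIT_ARCH:` now carries a stray space before its tab, which checkpatch will flag. The function's signature and `int i, j;` precede the hunk and its tail follows it.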
@@ -541,49 +591,48 @@ static enum audit_state audit_filter_sys
 
 	rcu_read_lock();
 	if (!list_empty(list)) {
-		    int word = AUDIT_WORD(ctx->major);
-		    int bit  = AUDIT_BIT(ctx->major);
+		int word = AUDIT_WORD(ctx->major);
+		int bit  = AUDIT_BIT(ctx->major);
 
-		    list_for_each_entry_rcu(e, list, list) {
-			    if ((e->rule.mask[word] & bit) == bit
-				&& audit_filter_rules(tsk, &e->rule, ctx, &state)) {
-				    rcu_read_unlock();
-				    return state;
-			    }
-		    }
+		list_for_each_entry_rcu(e, list, list) {
+			if ((e->rule.mask[word] & bit) == bit
+					&& audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+				rcu_read_unlock();
+				return state;
+			}
+		}
 	}
 	rcu_read_unlock();
 	return AUDIT_BUILD_CONTEXT;
 }
 
 static int audit_filter_user_rules(struct netlink_skb_parms *cb,
-			      struct audit_rule *rule,
-			      enum audit_state *state)
+				   struct audit_rule *rule,
+				   enum audit_state *state)
 {
 	int i;
 
 	for (i = 0; i < rule->field_count; i++) {
-		u32 field  = rule->fields[i] & ~AUDIT_NEGATE;
+		u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;
+		u32 op  = rule->fields[i] & AUDIT_OPERATORS;
 		u32 value  = rule->values[i];
 		int result = 0;
 
 		switch (field) {
 		case AUDIT_PID:
-			result = (cb->creds.pid == value);
+			result = audit_comparator(cb->creds.pid, op, value);
 			break;
 		case AUDIT_UID:
-			result = (cb->creds.uid == value);
+			result = audit_comparator(cb->creds.uid, op, value);
 			break;
 		case AUDIT_GID:
-			result = (cb->creds.gid == value);
+			result = audit_comparator(cb->creds.gid, op, value);
 			break;
 		case AUDIT_LOGINUID:
-			result = (cb->loginuid == value);
+			result = audit_comparator(cb->loginuid, op, value);
 			break;
 		}
 
-		if (rule->fields[i] & AUDIT_NEGATE)
-			result = !result;
 		if (!result)
 			return 0;
 	}


linux-2.6.13-audit_inode-augment-1.patch:
 fs/namei.c               |   10 +++++-----
 include/linux/fsnotify.h |    9 +++++----
 2 files changed, 10 insertions(+), 9 deletions(-)

--- NEW FILE linux-2.6.13-audit_inode-augment-1.patch ---
>From linux-audit-bounces at redhat.com Wed Oct 19 22:11:59 2005
Return-path: <linux-audit-bounces at redhat.com>
Envelope-to: dwmw2 at baythorne.infradead.org
Delivery-date: Wed, 19 Oct 2005 22:11:59 +0100
Received: from [2002:d592:9a28::1] (helo=pentafluge.infradead.org) by
	baythorne.infradead.org with esmtps (Exim 4.52 #1 (Red Hat Linux)) id
	1ESLE7-0001pO-6f for dwmw2 at baythorne.infradead.org; Wed, 19 Oct 2005
	22:11:59 +0100
Received: from hormel.redhat.com ([209.132.177.30]) by
	pentafluge.infradead.org with esmtp (Exim 4.54 #1 (Red Hat Linux)) id
	1ESLE5-0002Hm-3p for dwmw2 at infradead.org; Wed, 19 Oct 2005 22:11:58 +0100
Received: from listman.util.phx.redhat.com (listman.util.phx.redhat.com
	[10.8.4.110]) by hormel.redhat.com (Postfix) with ESMTP id 2CD38733EF; Wed,
	19 Oct 2005 17:11:54 -0400 (EDT)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
	[172.16.52.254]) by listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP
	id j9JLBqWt021392 for <linux-audit at listman.util.phx.redhat.com>; Wed, 19
	Oct 2005 17:11:52 -0400
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by
	int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id j9JLBpV23116 for
	<linux-audit at redhat.com>; Wed, 19 Oct 2005 17:11:51 -0400
Received: from tayrelbas01.tay.hp.com (tayrelbas01.tay.hp.com
	[161.114.80.244]) by mx1.redhat.com (8.12.11/8.12.11) with ESMTP id
	j9JLBnrc028996 for <linux-audit at redhat.com>; Wed, 19 Oct 2005 17:11:49 -0400
Received: from tayrelint01.nz-tay.cpqcorp.net
	(tayrelint01.nz-tay.cpqcorp.net [16.47.5.6]) by tayrelbas01.tay.hp.com
	(Postfix) with ESMTP id 2DE601F4 for <linux-audit at redhat.com>; Mon, 24 Oct
	2005 07:10:12 -0400 (EDT)
Received: from dill.zko.hp.com (dill.zko.hp.com [16.116.104.162]) by
	tayrelint01.nz-tay.cpqcorp.net (Postfix) with ESMTP id 1EB6B2000085 for
	<linux-audit at redhat.com>; Wed, 19 Oct 2005 17:11:44 -0400 (EDT)
Received: by dill.zko.hp.com (Postfix, from userid 10412) id E5C5130D8F38;
	Wed, 19 Oct 2005 17:11:43 -0400 (EDT)
Date: Wed, 19 Oct 2005 17:11:43 -0400
From: Amy Griffis <amy.griffis at hp.com>
To: linux-audit at redhat.com
Message-ID: <20051019211143.GA6309 at zk3.dec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailer: Mutt http://www.mutt.org/
X-Editor: Vim http://www.vim.org/
User-Agent: Mutt/1.5.10i
X-loop: linux-audit at redhat.com
Subject: [PATCH 1/2] filesystem auditing: augment audit_inode
X-BeenThere: linux-audit at redhat.com
X-Mailman-Version: 2.1.5
Precedence: junk
List-Id: Linux Audit Discussion <linux-audit.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit at redhat.com>
List-Help: <mailto:linux-audit-request at redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=subscribe>
Sender: linux-audit-bounces at redhat.com
Errors-To: linux-audit-bounces at redhat.com
X-Spam-Score: 0.0 (/)
X-Evolution-Source: imap://dwmw2@baythorne.infradead.org/
Content-Transfer-Encoding: 8bit

Modify the arguments to fsnotify_create and fsnotify_mkdir so they
can be used by audit.


diff --git a/fs/namei.c b/fs/namei.c
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1317,7 +1317,7 @@ int vfs_create(struct inode *dir, struct
 	DQUOT_INIT(dir);
 	error = dir->i_op->create(dir, dentry, mode, nd);
 	if (!error)
-		fsnotify_create(dir, dentry->d_name.name);
+		fsnotify_create(dir, dentry);
 	return error;
 }
 
@@ -1634,7 +1634,7 @@ int vfs_mknod(struct inode *dir, struct 
 	DQUOT_INIT(dir);
 	error = dir->i_op->mknod(dir, dentry, mode, dev);
 	if (!error)
-		fsnotify_create(dir, dentry->d_name.name);
+		fsnotify_create(dir, dentry);
 	return error;
 }
 
@@ -1705,7 +1705,7 @@ int vfs_mkdir(struct inode *dir, struct 
 	DQUOT_INIT(dir);
 	error = dir->i_op->mkdir(dir, dentry, mode);
 	if (!error)
-		fsnotify_mkdir(dir, dentry->d_name.name);
+		fsnotify_mkdir(dir, dentry);
 	return error;
 }
 
@@ -1942,7 +1942,7 @@ int vfs_symlink(struct inode *dir, struc
 	DQUOT_INIT(dir);
 	error = dir->i_op->symlink(dir, dentry, oldname);
 	if (!error)
-		fsnotify_create(dir, dentry->d_name.name);
+		fsnotify_create(dir, dentry);
 	return error;
 }
 
@@ -2013,7 +2013,7 @@ int vfs_link(struct dentry *old_dentry, 
 	error = dir->i_op->link(old_dentry, dir, new_dentry);
 	up(&old_dentry->d_inode->i_sem);
 	if (!error)
-		fsnotify_create(dir, new_dentry->d_name.name);
+		fsnotify_create(dir, new_dentry);
 	return error;
 }
 
diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -70,19 +70,20 @@ static inline void fsnotify_inoderemove(
 /*
  * fsnotify_create - 'name' was linked in
  */
-static inline void fsnotify_create(struct inode *inode, const char *name)
+static inline void fsnotify_create(struct inode *inode, struct dentry *dentry)
 {
 	inode_dir_notify(inode, DN_CREATE);
-	inotify_inode_queue_event(inode, IN_CREATE, 0, name);
+	inotify_inode_queue_event(inode, IN_CREATE, 0, dentry->d_name.name);
 }
 
 /*
  * fsnotify_mkdir - directory 'name' was created
  */
-static inline void fsnotify_mkdir(struct inode *inode, const char *name)
+static inline void fsnotify_mkdir(struct inode *inode, struct dentry *dentry)
 {
 	inode_dir_notify(inode, DN_CREATE);
-	inotify_inode_queue_event(inode, IN_CREATE | IN_ISDIR, 0, name);
+	inotify_inode_queue_event(inode, IN_CREATE | IN_ISDIR, 0, 
+				  dentry->d_name.name);
 }
 
 /*

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

linux-2.6.13-audit_inode-augment-2.patch:
 fs/namei.c               |    4 -
 fs/open.c                |    8 ++
 fs/xattr.c               |   11 +++
 include/linux/audit.h    |   18 +++++-
 include/linux/fsnotify.h |    5 +
 kernel/auditsc.c         |  141 +++++++++++++++++++++++++++++++++++++++--------
 6 files changed, 157 insertions(+), 30 deletions(-)

--- NEW FILE linux-2.6.13-audit_inode-augment-2.patch ---
>From linux-audit-bounces at redhat.com Wed Oct 19 22:12:25 2005
Return-path: <linux-audit-bounces at redhat.com>
Envelope-to: dwmw2 at baythorne.infradead.org
Delivery-date: Wed, 19 Oct 2005 22:12:25 +0100
Received: from [2002:d592:9a28::1] (helo=pentafluge.infradead.org) by
	baythorne.infradead.org with esmtps (Exim 4.52 #1 (Red Hat Linux)) id
	1ESLEW-0001pV-MC for dwmw2 at baythorne.infradead.org; Wed, 19 Oct 2005
	22:12:25 +0100
Received: from hormel.redhat.com ([209.132.177.30]) by
	pentafluge.infradead.org with esmtp (Exim 4.54 #1 (Red Hat Linux)) id
	1ESLES-0002Hs-T4 for dwmw2 at infradead.org; Wed, 19 Oct 2005 22:12:24 +0100
Received: from listman.util.phx.redhat.com (listman.util.phx.redhat.com
	[10.8.4.110]) by hormel.redhat.com (Postfix) with ESMTP id D9C5972E4A; Wed,
	19 Oct 2005 17:12:19 -0400 (EDT)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
	[172.16.52.254]) by listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP
	id j9JLCIao021418 for <linux-audit at listman.util.phx.redhat.com>; Wed, 19
	Oct 2005 17:12:18 -0400
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by
	int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id j9JLCIV23203 for
	<linux-audit at redhat.com>; Wed, 19 Oct 2005 17:12:18 -0400
Received: from ccerelbas01.cce.hp.com (ccerelbas01.cce.hp.com
	[161.114.21.104]) by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id
	j9JLCBQ7027237 for <linux-audit at redhat.com>; Wed, 19 Oct 2005 17:12:11 -0400
Received: from ccerelint01.cce.cpqcorp.net (ccerelint01.cce.cpqcorp.net
	[16.110.74.103]) by ccerelbas01.cce.hp.com (Postfix) with ESMTP id
	8B1052000099 for <linux-audit at redhat.com>; Wed, 19 Oct 2005 16:11:52 -0500
	(CDT)
Received: from dill.zko.hp.com (dill.zko.hp.com [16.116.104.162]) by
	ccerelint01.cce.cpqcorp.net (Postfix) with ESMTP id 21EF12000081 for
	<linux-audit at redhat.com>; Wed, 19 Oct 2005 16:11:52 -0500 (CDT)
Received: by dill.zko.hp.com (Postfix, from userid 10412) id C23CE30D8F38;
	Wed, 19 Oct 2005 17:11:51 -0400 (EDT)
Date: Wed, 19 Oct 2005 17:11:51 -0400
From: Amy Griffis <amy.griffis at hp.com>
To: linux-audit at redhat.com
Message-ID: <20051019211151.GA6318 at zk3.dec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailer: Mutt http://www.mutt.org/
X-Editor: Vim http://www.vim.org/
User-Agent: Mutt/1.5.10i
X-RedHat-Spam-Score: -100 
X-loop: linux-audit at redhat.com
Subject: [PATCH 2/2] filesystem auditing: augment audit_inode
X-BeenThere: linux-audit at redhat.com
X-Mailman-Version: 2.1.5
Precedence: junk
List-Id: Linux Audit Discussion <linux-audit.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit at redhat.com>
List-Help: <mailto:linux-audit-request at redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=subscribe>
Sender: linux-audit-bounces at redhat.com
Errors-To: linux-audit-bounces at redhat.com
X-Spam-Score: 0.0 (/)
X-Evolution-Source: imap://dwmw2@baythorne.infradead.org/
Content-Transfer-Encoding: 8bit

Collect more inode information during syscall processing.

NOTE: This patch makes some changes to the output of AUDIT_PATH
records.  In the case of the name field, the record will show
"name=(null)" if there is no name field (e.g. in an fchown call).  I
did this because it seemed it would make more sense to someone looking
at the records.

I also added a "parent" field to distinguish between the inode number
and the parent inode number.  This allowed me to remove the "flags"
field.  In some cases, such as syscall failures, inode information may
not be present in the audit context.  I took the liberty to not emit
fields with undefined values.  I don't know if this is the right
approach.  I think the real solution is to move to a binary record
format and leave this decision for a userspace tool.


diff --git a/fs/namei.c b/fs/namei.c
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1046,8 +1046,7 @@ int fastcall path_lookup(const char *nam
 	current->total_link_count = 0;
 	retval = link_path_walk(name, nd);
 out:
-	if (unlikely(current->audit_context
-		     && nd && nd->dentry && nd->dentry->d_inode))
+	if (nd && nd->dentry && nd->dentry->d_inode)
 		audit_inode(name, nd->dentry->d_inode, flags);
 	return retval;
 }
@@ -1192,6 +1191,7 @@ static inline int may_delete(struct inod
 		return -ENOENT;
 
 	BUG_ON(victim->d_parent->d_inode != dir);
+	audit_inode_child(victim->d_name.name, victim->d_inode, dir->i_ino);
 
 	error = permission(dir,MAY_WRITE | MAY_EXEC, NULL);
 	if (error)
diff --git a/fs/open.c b/fs/open.c
--- a/fs/open.c
+++ b/fs/open.c
@@ -25,6 +25,7 @@
 #include <linux/pagemap.h>
 #include <linux/syscalls.h>
 #include <linux/rcupdate.h>
+#include <linux/audit.h>
 
 #include <asm/unistd.h>
 
@@ -609,6 +610,8 @@ asmlinkage long sys_fchmod(unsigned int 
 	dentry = file->f_dentry;
 	inode = dentry->d_inode;
 
+	audit_inode(NULL, inode, 0);
+
 	err = -EROFS;
 	if (IS_RDONLY(inode))
 		goto out_putf;
@@ -732,7 +735,10 @@ asmlinkage long sys_fchown(unsigned int 
 
 	file = fget(fd);
 	if (file) {
-		error = chown_common(file->f_dentry, user, group);
+		struct dentry * dentry;
+		dentry = file->f_dentry;
+		audit_inode(NULL, dentry->d_inode, 0);
+		error = chown_common(dentry, user, group);
 		fput(file);
 	}
 	return error;
diff --git a/fs/xattr.c b/fs/xattr.c
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -17,6 +17,7 @@
 #include <linux/syscalls.h>
 #include <linux/module.h>
 #include <linux/fsnotify.h>
+#include <linux/audit.h>
 #include <asm/uaccess.h>
 
 /*
@@ -114,12 +115,15 @@ sys_fsetxattr(int fd, char __user *name,
 	      size_t size, int flags)
 {
 	struct file *f;
+	struct dentry *dentry;
 	int error = -EBADF;
 
 	f = fget(fd);
 	if (!f)
 		return error;
-	error = setxattr(f->f_dentry, name, value, size, flags);
+	dentry = f->f_dentry;
+	audit_inode(NULL, dentry->d_inode, 0);
+	error = setxattr(dentry, name, value, size, flags);
 	fput(f);
 	return error;
 }
@@ -364,12 +368,15 @@ asmlinkage long
 sys_fremovexattr(int fd, char __user *name)
 {
 	struct file *f;
+	struct dentry *dentry;
 	int error = -EBADF;
 
 	f = fget(fd);
 	if (!f)
 		return error;
-	error = removexattr(f->f_dentry, name);
+	dentry = f->f_dentry;
+	audit_inode(NULL, dentry->d_inode, 0);
+	error = removexattr(dentry, name);
 	fput(f);
 	return error;
 }
diff --git a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -222,7 +222,20 @@ extern void audit_syscall_entry(struct t
 extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code);
 extern void audit_getname(const char *name);
 extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, const struct inode *inode, unsigned flags);
+extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags);
+extern void __audit_inode_child(const char *dname, const struct inode *inode,
+				unsigned long pino);
+static inline void audit_inode(const char *name, const struct inode *inode,
+			       unsigned flags) {
+	if (unlikely(current->audit_context))
+		__audit_inode(name, inode, flags);
+}
+static inline void audit_inode_child(const char *dname, 
+				     const struct inode *inode, 
+				     unsigned long pino) {
+	if (unlikely(current->audit_context))
+		__audit_inode_child(dname, inode, pino);
+}
 
 				/* Private API (for audit.c only) */
 extern int  audit_receive_filter(int type, int pid, int uid, int seq,
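Review bot: The new `static inline audit_inode` and `audit_inode_child` wrappers dereference `current->audit_context` and use `unlikely()`, so every includer of audit.h — which after this patch includes `fsnotify.h`, `fs/open.c` and `fs/xattr.c` — needs `struct task_struct` and `current` declared before this point, and the hunk adds no include to provide them. If audit.h does not already pull those in (its include block is not visible here), adding the scheduler header near the top, or moving the `current->audit_context` test into the out-of-line `__audit_inode`/`__audit_inode_child` bodies, avoids an include-order dependency for callers. The stub macros in the next hunk already mirror the wrappers, so only the enabled side of the `#if` is affected.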
@@ -245,7 +258,10 @@ extern int audit_filter_user(struct netl
 #define audit_syscall_exit(t,f,r) do { ; } while (0)
 #define audit_getname(n) do { ; } while (0)
 #define audit_putname(n) do { ; } while (0)
+#define __audit_inode(n,i,f) do { ; } while (0)
+#define __audit_inode_child(d,i,p) do { ; } while (0)
 #define audit_inode(n,i,f) do { ; } while (0)
+#define audit_inode_child(d,i,p) do { ; } while (0)
 #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; })
 #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
 #define audit_get_loginuid(c) ({ -1; })
diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -15,6 +15,7 @@
 
 #include <linux/dnotify.h>
 #include <linux/inotify.h>
+#include <linux/audit.h>
 
 /*
  * fsnotify_move - file old_name at old_dir was moved to new_name at new_dir
@@ -45,6 +46,8 @@ static inline void fsnotify_move(struct 
 	if (source) {
 		inotify_inode_queue_event(source, IN_MOVE_SELF, 0, NULL);
 	}
+	audit_inode_child(old_name, source, old_dir->i_ino);
+	audit_inode_child(new_name, target, new_dir->i_ino);
 }
 
 /*
@@ -74,6 +77,7 @@ static inline void fsnotify_create(struc
 {
 	inode_dir_notify(inode, DN_CREATE);
 	inotify_inode_queue_event(inode, IN_CREATE, 0, dentry->d_name.name);
+	audit_inode_child(dentry->d_name.name, dentry->d_inode, inode->i_ino);
 }
 
 /*
@@ -84,6 +88,7 @@ static inline void fsnotify_mkdir(struct
 	inode_dir_notify(inode, DN_CREATE);
 	inotify_inode_queue_event(inode, IN_CREATE | IN_ISDIR, 0, 
 				  dentry->d_name.name);
+	audit_inode_child(dentry->d_name.name, dentry->d_inode, inode->i_ino);
 }
 
 /*
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2,6 +2,7 @@
  * Handles all system-call specific auditing features.
  *
  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2005 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2005 IBM Corporation
  * All Rights Reserved.
  *
@@ -27,11 +28,15 @@
  * this file -- see entry.S) is based on a GPL'd patch written by
  * okir at suse.de and Copyright 2003 SuSE Linux AG.
  *
+ * Modified by Amy Griffis <amy.griffis at hp.com> to collect additional
+ * filesystem information.
  */
 
 #include <linux/init.h>
 #include <asm/atomic.h>
 #include <asm/types.h>
+#include <linux/fs.h>
+#include <linux/namei.h>
 #include <linux/mm.h>
 #include <linux/module.h>
 #include <linux/mount.h>
@@ -93,12 +98,12 @@ enum audit_state {
 struct audit_names {
 	const char	*name;
 	unsigned long	ino;
+	unsigned long	pino;
 	dev_t		dev;
 	umode_t		mode;
 	uid_t		uid;
 	gid_t		gid;
 	dev_t		rdev;
-	unsigned	flags;
 };
 
 struct audit_aux_data {
@@ -479,7 +484,8 @@ static int audit_filter_rules(struct tas
 		case AUDIT_INODE:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if ( audit_comparator(ctx->names[j].ino, op, value)) {
+					if (audit_comparator(ctx->names[j].pino, op, value) ||
+					    audit_comparator(ctx->names[j].pino, op, value)) {
 						++result;
 						break;
 					}
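Review bot: Both operands of the `||` compare `ctx->names[j].pino`; the first was evidently meant to be `ctx->names[j].ino`, so as written an AUDIT_INODE rule only ever matches an object's parent, never the object itself. Beyond the typo, entries whose inode or parent was not collected hold `(unsigned long)-1` (set in the `__audit_inode` hunk later in this patch), so a relational operator such as `>` is satisfied by the sentinel, and `audit_comparator`'s `u32` parameters truncate a 64-bit `unsigned long` inode number on the way in. The loop body should name both values and skip the sentinel explicitly:
```c
for (j = 0; j < ctx->name_count; j++) {
	unsigned long ino  = ctx->names[j].ino;
	unsigned long pino = ctx->names[j].pino;

	/* (unsigned long)-1 marks "not collected"; it must not satisfy a relational op */
	if ((ino != (unsigned long)-1 && audit_comparator(ino, op, value)) ||
	    (pino != (unsigned long)-1 && audit_comparator(pino, op, value))) {
		/* … unchanged: ++result; break; … */
```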
@@ -663,17 +670,17 @@ static inline void audit_free_names(stru
 #if AUDIT_DEBUG == 2
 	if (context->auditable
 	    ||context->put_count + context->ino_count != context->name_count) {
-		printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d"
+		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
 		       " name_count=%d put_count=%d"
 		       " ino_count=%d [NOT freeing]\n",
-		       __LINE__,
+		       __FILE__, __LINE__,
 		       context->serial, context->major, context->in_syscall,
 		       context->name_count, context->put_count,
 		       context->ino_count);
 		for (i = 0; i < context->name_count; i++)
 			printk(KERN_ERR "names[%d] = %p = %s\n", i,
 			       context->names[i].name,
-			       context->names[i].name);
+			       context->names[i].name ?: "(null)");
 		dump_stack();
 		return;
 	}
@@ -899,27 +906,34 @@ static void audit_log_exit(struct audit_
 		}
 	}
 	for (i = 0; i < context->name_count; i++) {
+		unsigned long ino  = context->names[i].ino;
+		unsigned long pino = context->names[i].pino;
+
 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
 		if (!ab)
 			continue; /* audit_panic has been called */
 
 		audit_log_format(ab, "item=%d", i);
-		if (context->names[i].name) {
-			audit_log_format(ab, " name=");
+
+		audit_log_format(ab, " name=");
+		if (context->names[i].name)
 			audit_log_untrustedstring(ab, context->names[i].name);
-		}
-		audit_log_format(ab, " flags=%x\n", context->names[i].flags);
-			 
-		if (context->names[i].ino != (unsigned long)-1)
-			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
-					     " ouid=%u ogid=%u rdev=%02x:%02x",
-					 context->names[i].ino,
-					 MAJOR(context->names[i].dev),
-					 MINOR(context->names[i].dev),
-					 context->names[i].mode,
-					 context->names[i].uid,
-					 context->names[i].gid,
-					 MAJOR(context->names[i].rdev),
+		else
+			audit_log_format(ab, "(null)");
+
+		if (pino != (unsigned long)-1)
+			audit_log_format(ab, " parent=%lu",  pino);
+		if (ino != (unsigned long)-1)
+			audit_log_format(ab, " inode=%lu",  ino);
+		if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1))
+			audit_log_format(ab, " dev=%02x:%02x mode=%#o" 
+					 " ouid=%u ogid=%u rdev=%02x:%02x", 
+					 MAJOR(context->names[i].dev), 
+					 MINOR(context->names[i].dev), 
+					 context->names[i].mode, 
+					 context->names[i].uid, 
+					 context->names[i].gid, 
+					 MAJOR(context->names[i].rdev), 
 					 MINOR(context->names[i].rdev));
 		audit_log_end(ab);
 	}
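Review bot: The literal `(null)` written when `context->names[i].name` is NULL shares the `name=` field with real path names, and a path literally spelled `(null)` would — unless `audit_log_untrustedstring` escapes parentheses, which this hunk does not show — be indistinguishable from a missing name to anything parsing these records. If the placeholder stays, a comment should record the limitation: `/* "(null)" is a placeholder for "no name collected"; consumers cannot distinguish it from a path of that spelling */`. The attribute block (`dev`, `mode`, `ouid`, `ogid`, `rdev`) is also emitted whenever either `parent` or `inode` is set, but `__audit_inode` fills those fields from the parent inode when LOOKUP_PARENT is set and only `__audit_inode_child` later overwrites them with the child's, so a record carrying `parent=` but no `inode=` describes the parent, which the field names do not convey.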
@@ -1146,7 +1160,7 @@ void audit_putname(const char *name)
 			for (i = 0; i < context->name_count; i++)
 				printk(KERN_ERR "name[%d] = %p = %s\n", i,
 				       context->names[i].name,
-				       context->names[i].name);
+				       context->names[i].name ?: "(null)");
 		}
 #endif
 		__putname(name);
@@ -1166,7 +1166,7 @@ void audit_putname(const char *name)
 
 /* Store the inode and device from a lookup.  Called from
  * fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, const struct inode *inode, unsigned flags)
+void __audit_inode(const char *name, const struct inode *inode, unsigned flags)
 {
 	int idx;
 	struct audit_context *context = current->audit_context;
@@ -1202,13 +1217,93 @@ void audit_inode(const char *name, const
 		++context->ino_count;
 #endif
 	}
-	context->names[idx].flags = flags;
-	context->names[idx].ino   = inode->i_ino;
 	context->names[idx].dev	  = inode->i_sb->s_dev;
 	context->names[idx].mode  = inode->i_mode;
 	context->names[idx].uid   = inode->i_uid;
 	context->names[idx].gid   = inode->i_gid;
 	context->names[idx].rdev  = inode->i_rdev;
+	if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) && 
+	    (strcmp(name, ".") != 0)) {
+		context->names[idx].ino   = (unsigned long)-1;
+		context->names[idx].pino  = inode->i_ino;
+	} else {
+		context->names[idx].ino   = inode->i_ino;
+		context->names[idx].pino  = (unsigned long)-1;
+	}
+}
+
+/**
+ * audit_inode_child - collect inode info for created/removed objects
+ * @dname: inode's dentry name
+ * @inode: inode being audited
+ * @pino: inode number of dentry parent
+ *
+ * For syscalls that create or remove filesystem objects, audit_inode
+ * can only collect information for the filesystem object's parent.
+ * This call updates the audit context with the child's information.
+ * Syscalls that create a new filesystem object must be hooked after
+ * the object is created.  Syscalls that remove a filesystem object
+ * must be hooked prior, in order to capture the target inode during
+ * unsuccessful attempts.
+ */
+void __audit_inode_child(const char *dname, const struct inode *inode,
+			 unsigned long pino)
+{
+	int idx;
+	struct audit_context *context = current->audit_context;
+
+	if (!context->in_syscall)
+		return;
+
+	/* determine matching parent */
+	if (dname)
+		for (idx = 0; idx < context->name_count; idx++)
+			if (context->names[idx].pino == pino) {
+				const char *n;
+				const char *name = context->names[idx].name;
+				int dlen = strlen(dname);
+				int nlen = name ? strlen(name) : 0;
+
+				if (nlen < dlen)
+					continue;
+				
+				/* disregard trailing slashes */
+				n = name + nlen - 1;
+				while ((*n == '/') && (n > name))
+					n--;
+
+				/* find last path component */
+				n = n - dlen + 1;
+				if (n < name)
+					continue;
+				else if (n > name) {
+					if (*--n != '/')
+						continue;
+					else
+						n++;
+				}
+
+				if (strncmp(n, dname, dlen) == 0)
+					goto update_context;
+			}
+
+	/* catch-all in case match not found */
+	idx = context->name_count++;
+	context->names[idx].name  = NULL;
+	context->names[idx].pino  = pino;
+#if AUDIT_DEBUG
+	context->ino_count++;
+#endif
+
+update_context:
+	if (inode) {
+		context->names[idx].ino   = inode->i_ino;
+		context->names[idx].dev	  = inode->i_sb->s_dev;
+		context->names[idx].mode  = inode->i_mode;
+		context->names[idx].uid   = inode->i_uid;
+		context->names[idx].gid   = inode->i_gid;
+		context->names[idx].rdev  = inode->i_rdev;
+	}
 }
 
 /**
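Review bot: The catch-all path does `idx = context->name_count++;` and writes `context->names[idx]` without checking that a slot is free, whereas the matching loop above only reads up to `name_count`; unless the names array is sized so that `name_count` provably cannot reach its bound here (the `__audit_inode` prologue that normally enforces that is outside this hunk), a syscall that creates more objects than the array holds writes past it. A guard before the increment, `if (context->name_count >= AUDIT_NAMES)` / `return;` (or whatever constant sizes `names[]`), closes that. In `__audit_inode` the new `strcmp(name, "/")` is only safe because the NULL-name callers this patch adds (`sys_fchmod`, `sys_fchown`, the xattr paths) pass `flags == 0`; writing the condition as `(flags & LOOKUP_PARENT) && name && strcmp(name, "/") != 0 && ...` removes that implicit contract. `dlen`/`nlen` hold `strlen` results and should be `size_t`, and if `dname` can ever be empty the trailing-slash scan reads `name[-1]` because `*n == '/'` is tested before `n > name` — swapping the two operands fixes it. `__audit_inode` begins before the hunk.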

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

linux-2.6.13-unshare-core.patch:
 fs/namespace.c            |   41 +++++++---
 include/linux/namespace.h |    1 
 kernel/fork.c             |  188 ++++++++++++++++++++++++++++++++++++----------
 3 files changed, 181 insertions(+), 49 deletions(-)

--- NEW FILE linux-2.6.13-unshare-core.patch ---
--- linux-2.6.13/fs/namespace.c.p20005	2005-10-25 17:00:59.000000000 +0100
+++ linux-2.6.13/fs/namespace.c	2005-10-25 17:01:02.000000000 +0100
@@ -1069,9 +1069,7 @@ int copy_namespace(int flags, struct tas
 {
 	struct namespace *namespace = tsk->namespace;
 	struct namespace *new_ns;
-	struct vfsmount *rootmnt = NULL, *pwdmnt = NULL, *altrootmnt = NULL;
-	struct fs_struct *fs = tsk->fs;
-	struct vfsmount *p, *q;
+	int err = 0;
 
 	if (!namespace)
 		return 0;
@@ -1082,10 +1080,35 @@ int copy_namespace(int flags, struct tas
 		return 0;
 
 	if (!capable(CAP_SYS_ADMIN)) {
-		put_namespace(namespace);
-		return -EPERM;
+		err = -EPERM;
+		goto out;
+	}
+
+	new_ns = dup_namespace(tsk);
+	if (!new_ns) {
+		err = -ENOMEM;
+		goto out;
 	}
 
+	tsk->namespace = new_ns;
+
+out:
+	put_namespace(namespace);
+	return err;
+}
+
+/*
+ * Allocate a new namespace structure and populate it with contents
+ * copied from the namespace of the passed in task structure.
+ */
+struct namespace *dup_namespace(struct task_struct *tsk)
+{
+	struct namespace *namespace = tsk->namespace;
+	struct namespace *new_ns;
+	struct vfsmount *rootmnt = NULL, *pwdmnt = NULL, *altrootmnt = NULL;
+	struct fs_struct *fs = tsk->fs;
+	struct vfsmount *p, *q;
+
 	new_ns = kmalloc(sizeof(struct namespace), GFP_KERNEL);
 	if (!new_ns)
 		goto out;
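Review bot: The comment above `dup_namespace` says what it copies but not its failure or ownership contract, which now matters because `copy_namespace` and any later caller depend on it: the function returns NULL on allocation failure (the `goto out` path, whose `out:` label is in a following hunk), and the returned namespace carries a reference the caller must either install in `tsk->namespace` or release with `put_namespace`. Suggested addition to the comment block: ` * Returns NULL on allocation failure.  The new namespace carries one` / ` * reference, owned by the caller; copy_namespace() installs it in` / ` * tsk->namespace.`. The `up_write(&tsk->namespace->sem)` in the following hunk still refers to the old namespace, presumably the one the copy took the lock on, but it now relies on no caller reassigning `tsk->namespace` while `dup_namespace` runs — worth a line in the same comment. `dup_namespace` continues past this hunk.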
@@ -1134,8 +1157,6 @@ int copy_namespace(int flags, struct tas
 	}
 	up_write(&tsk->namespace->sem);
 
-	tsk->namespace = new_ns;
-
 	if (rootmnt)
 		mntput(rootmnt);
 	if (pwdmnt)
@@ -1143,12 +1164,8 @@ int copy_namespace(int flags, struct tas
 	if (altrootmnt)
 		mntput(altrootmnt);
 
-	put_namespace(namespace);
-	return 0;
-
 out:
-	put_namespace(namespace);
-	return -ENOMEM;
+	return new_ns;
 }
 
 asmlinkage long sys_mount(char __user * dev_name, char __user * dir_name,
--- linux-2.6.13/include/linux/namespace.h.p20005	2005-08-29 00:41:01.000000000 +0100
+++ linux-2.6.13/include/linux/namespace.h	2005-10-25 17:01:02.000000000 +0100
@@ -14,6 +14,7 @@ struct namespace {
 
 extern int copy_namespace(int, struct task_struct *);
 extern void __put_namespace(struct namespace *namespace);
+extern struct namespace *dup_namespace(struct task_struct *);
 
 static inline void put_namespace(struct namespace *namespace)
 {
--- linux-2.6.13/kernel/fork.c.p20005	2005-10-25 17:01:00.000000000 +0100
+++ linux-2.6.13/kernel/fork.c	2005-10-25 17:01:42.000000000 +0100
@@ -449,10 +449,58 @@ void mm_release(struct task_struct *tsk,
 	}
 }
 
+/*
+ * Allocate a new mm structure and copy contents from the
+ * mm structure of the passed in task structure.
+ */
+static struct mm_struct *dup_mm(struct task_struct *tsk)
+{
+	struct mm_struct *mm, *oldmm = current->mm;
+	int err;
+
+	if (!oldmm)
+		return NULL;
+
+	mm = allocate_mm();
+	if (!mm)
+		goto fail_nomem;
+
+	memcpy(mm, oldmm, sizeof(*mm));
+
+	if (!mm_init(mm))
+		goto fail_nomem;
+
+	if (init_new_context(tsk, mm))
+		goto fail_nocontext;
+
+	err = dup_mmap(mm, oldmm);
+	if (err)
+		goto free_pt;
+
+	mm->hiwater_rss = get_mm_rss(mm);
+	mm->hiwater_vm = mm->total_vm;
+
+	return mm;
+
+free_pt:
+	mmput(mm);
+
+fail_nomem:
+	return NULL;
+
+fail_nocontext:
+	/*
+	 * If init_new_context() failed, we cannot use mmput() to free the mm
+	 * because it calls destroy_context()
+	 */
+	mm_free_pgd(mm);
+	free_mm(mm);
+	return NULL;
+}
+
 static int copy_mm(unsigned long clone_flags, struct task_struct * tsk)
 {
 	struct mm_struct * mm, *oldmm;
-	int retval;
 
 	tsk->min_flt = tsk->maj_flt = 0;
 	tsk->nvcsw = tsk->nivcsw = 0;
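Review bot: The header comment on dup_mm says it copies "from the mm structure of the passed in task structure", but the body reads `oldmm = current->mm` and uses `tsk` only for `init_new_context(tsk, mm)`; for copy_mm that distinction matters because `tsk` is the half-built child, which has no mm yet. Suggested comment: `/* Allocate a new mm and copy current->mm into it; tsk is only used to initialise the architecture-specific context. */`. Note also that all failures collapse to NULL, so copy_mm below now reports -ENOMEM for whatever dup_mmap returned; if that is intended it deserves a sentence in the same comment.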
@@ -479,47 +527,15 @@ static int copy_mm(unsigned long clone_f
 		 * is an example.
 		 */
 		spin_unlock_wait(&oldmm->page_table_lock);
-		goto good_mm;
+	} else {
+		mm = dup_mm(tsk);
+		if (!mm)
+			return -ENOMEM;
 	}
 
-	retval = -ENOMEM;
-	mm = allocate_mm();
-	if (!mm)
-		goto fail_nomem;
-
-	/* Copy the current MM stuff.. */
-	memcpy(mm, oldmm, sizeof(*mm));
-	if (!mm_init(mm))
-		goto fail_nomem;
-
-	if (init_new_context(tsk,mm))
-		goto fail_nocontext;
-
-	retval = dup_mmap(mm, oldmm);
-	if (retval)
-		goto free_pt;
-
-	mm->hiwater_rss = get_mm_rss(mm);
-	mm->hiwater_vm = mm->total_vm;
-
-good_mm:
 	tsk->mm = mm;
 	tsk->active_mm = mm;
 	return 0;
-
-free_pt:
-	mmput(mm);
-fail_nomem:
-	return retval;
-
-fail_nocontext:
-	/*
-	 * If init_new_context() failed, we cannot use mmput() to free the mm
-	 * because it calls destroy_context()
-	 */
-	mm_free_pgd(mm);
-	free_mm(mm);
-	return retval;
 }
 
 static inline struct fs_struct *__copy_fs_struct(struct fs_struct *old)
@@ -1322,3 +1338,101 @@ void __init proc_caches_init(void)
 			sizeof(struct mm_struct), 0,
 			SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL, NULL);
 }
+
+/*
+ * Performs sanity checks on the flags passed to the unshare system
+ * call.
+ */
+static inline int check_unshare_flags(unsigned long unshare_flags)
+{
+	int err = -EINVAL;
+
+	if (unshare_flags & ~(CLONE_NEWNS | CLONE_VM))
+		goto errout;
+
+	/*
+	 * Cannot unshare namespace if the fs structure is being shared
+	 * through a previous call to clone()
+	 */
+	if ((unshare_flags & CLONE_NEWNS) &&
+	    (atomic_read(&current->fs->count) > 1))
+		goto errout;
+
+	/*
+	 * Cannot unshare vm if sighnal handlers are being shared through
+	 * a previous call to clone()
+	 */
+	if ((unshare_flags & CLONE_VM) &&
+	    (atomic_read(&current->sighand->count) > 1))
+		goto errout;
+
+	return 0;
+
+errout:
+	return err;
+
+}
+
+/*
+ * unshare allows a process to 'unshare' part of the process
+ * context which was originally shared using clone.  copy_*
+ * functions used by do_fork() cannot be used here directly
+ * because they modify an inactive task_struct that is being
+ * constructed. Here we are modifying the current, active,
+ * task_struct.
+ */
+asmlinkage long sys_unshare(unsigned long unshare_flags)
+{
+	int err = 0;
+	struct namespace *new_ns = NULL, *ns = current->namespace;
+	struct mm_struct *new_mm = NULL, *active_mm = NULL, *mm = current->mm;
+
+	err = check_unshare_flags(unshare_flags);
+	if (err)
+		goto unshare_out;
+
+	if ((unshare_flags & CLONE_NEWNS) &&
+	    (ns && atomic_read(&ns->count) > 1)) {
+		err = -EPERM;
+		if (!capable(CAP_SYS_ADMIN))
+			goto unshare_out;
+
+		err = -ENOMEM;
+		new_ns = dup_namespace(current);
+		if (!new_ns)
+			goto unshare_out;
+	}
+
+	if ((unshare_flags & CLONE_VM) && (atomic_read(&mm->mm_users) > 1)) {
+		err = -ENOMEM;
+		new_mm = dup_mm(current);
+		if (!new_mm)
+			goto unshare_cleanup_ns;
+	}
+
+	if (new_ns) {
+		task_lock(current);
+		current->namespace = new_ns;
+		task_unlock(current);
+		put_namespace(ns);
+	}
+
+	if (new_mm) {
+		task_lock(current);
+		active_mm = current->active_mm;
+		current->mm = new_mm;
+		current->active_mm = new_mm;
+		activate_mm(active_mm, new_mm);
+		task_unlock(current);
+		mmput(mm);
+	}
+
+	return 0;
+
+unshare_cleanup_ns:
+	if (new_ns)
+		put_namespace(new_ns);
+
+unshare_out:
+	return err;
+}

linux-2.6.13-unshare-i386.patch:
 arch/i386/kernel/syscall_table.S |    1 +
 include/asm-i386/unistd.h        |    3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- NEW FILE linux-2.6.13-unshare-i386.patch ---
>From redhat-lspp-bounces at redhat.com Thu Oct 20 16:02:53 2005
Return-path: <redhat-lspp-bounces at redhat.com>
Envelope-to: dwmw2 at baythorne.infradead.org
Delivery-date: Thu, 20 Oct 2005 16:02:53 +0100
Received: from [2002:d592:9a28::1] (helo=pentafluge.infradead.org) by
	baythorne.infradead.org with esmtps (Exim 4.52 #1 (Red Hat Linux)) id
	1ESbwS-0005JS-Qt for dwmw2 at baythorne.infradead.org; Thu, 20 Oct 2005
	16:02:53 +0100
Received: from hormel.redhat.com ([209.132.177.30]) by
	pentafluge.infradead.org with esmtp (Exim 4.54 #1 (Red Hat Linux)) id
	1ESbwQ-0007Kk-Ky for dwmw2 at infradead.org; Thu, 20 Oct 2005 16:02:52 +0100
Received: from listman.util.phx.redhat.com (listman.util.phx.redhat.com
	[10.8.4.110]) by hormel.redhat.com (Postfix) with ESMTP id B9FC372F2D; Thu,
	20 Oct 2005 11:02:49 -0400 (EDT)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
	[172.16.52.254]) by listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP
	id j9KF2m0E028224 for <redhat-lspp at listman.util.phx.redhat.com>; Thu, 20
	Oct 2005 11:02:48 -0400
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by
	int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id j9KF2lV12298 for
	<redhat-lspp at redhat.com>; Thu, 20 Oct 2005 11:02:47 -0400
Received: from e3.ny.us.ibm.com (e3.ny.us.ibm.com [32.97.182.143]) by
	mx3.redhat.com (8.13.1/8.13.1) with ESMTP id j9KF2fuf028657 for
	<redhat-lspp at redhat.com>; Thu, 20 Oct 2005 11:02:41 -0400
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com
	[9.56.227.236]) by e3.ny.us.ibm.com (8.12.11/8.12.11) with ESMTP id
	j9KF2aa7029015 for <redhat-lspp at redhat.com>; Thu, 20 Oct 2005 11:02:36 -0400
Received: from d01av03.pok.ibm.com (d01av03.pok.ibm.com [9.56.224.217]) by
	d01relay04.pok.ibm.com (8.12.10/NCO/VERS6.7) with ESMTP id j9KF2aiT069484
	for <redhat-lspp at redhat.com>; Thu, 20 Oct 2005 11:02:36 -0400
Received: from d01av03.pok.ibm.com (loopback [127.0.0.1]) by
	d01av03.pok.ibm.com (8.12.11/8.13.3) with ESMTP id j9KF2YWZ011028 for
	<redhat-lspp at redhat.com>; Thu, 20 Oct 2005 11:02:34 -0400
Received: from localhost (sig-9-65-247-142.mts.ibm.com [9.65.247.142]) by
	d01av03.pok.ibm.com (8.12.11/8.12.11) with ESMTP id j9KF2V9e010815 for
	<redhat-lspp at redhat.com>; Thu, 20 Oct 2005 11:02:33 -0400
Date: Thu, 20 Oct 2005 11:02:30 -0400 (Eastern Daylight Time)
From: Janak Desai <janak at us.ibm.com>
To: redhat-lspp at redhat.com
Message-ID: <Pine.WNT.4.63.0510201100490.3392 at IBM-AIP3070F3AM>
X-X-Sender: janak at imap.linux.ibm.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-RedHat-Spam-Score: 0 
X-loop: redhat-lspp at redhat.com
Subject: [redhat-lspp] [PATCH 2/2] New system call unshare
X-BeenThere: redhat-lspp at redhat.com
X-Mailman-Version: 2.1.5
Precedence: junk
List-Id: Red Hat LSPP / MLS Discussion <redhat-lspp.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/redhat-lspp>,
	<mailto:redhat-lspp-request at redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/mailman/private/redhat-lspp>
List-Post: <mailto:redhat-lspp at redhat.com>
List-Help: <mailto:redhat-lspp-request at redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/redhat-lspp>,
	<mailto:redhat-lspp-request at redhat.com?subject=subscribe>
Sender: redhat-lspp-bounces at redhat.com
Errors-To: redhat-lspp-bounces at redhat.com
X-Spam-Score: 0.0 (/)
X-Evolution-Source: imap://dwmw2@baythorne.infradead.org/
Content-Transfer-Encoding: 8bit


Part II of the patch that registers the new system call for
i386 architecture.

---------------------------------------------------------------
diff -Naurp 2.6.14-rc4-mm1/arch/i386/kernel/syscall_table.S 2.6.14-rc4-mm1+unshare+build/arch/i386/kernel/syscall_table.S
--- 2.6.14-rc4-mm1/arch/i386/kernel/syscall_table.S	2005-08-28 23:41:01.000000000 +0000
+++ 2.6.14-rc4-mm1+unshare+build/arch/i386/kernel/syscall_table.S	2005-10-17 18:23:11.000000000 +0000
@@ -294,3 +294,4 @@ ENTRY(sys_call_table)
 	.long sys_inotify_init
 	.long sys_inotify_add_watch
 	.long sys_inotify_rm_watch
+	.long sys_unshare
diff -Naurp 2.6.14-rc4-mm1/include/asm-i386/unistd.h 2.6.14-rc4-mm1+unshare+build/include/asm-i386/unistd.h
--- 2.6.14-rc4-mm1/include/asm-i386/unistd.h	2005-10-17 18:08:58.000000000 +0000
+++ 2.6.14-rc4-mm1+unshare+build/include/asm-i386/unistd.h	2005-10-17 18:22:08.000000000 +0000
@@ -299,8 +299,9 @@
 #define __NR_inotify_init	291
 #define __NR_inotify_add_watch	292
 #define __NR_inotify_rm_watch	293
+#define __NR_unshare		294
 
-#define NR_syscalls 294
+#define NR_syscalls 295
 
 /*
  * user-visible error numbers are in the range -1 - -128: see
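Review bot: `__NR_unshare 294` simply takes the next free slot in this tree, and nothing marks the number as provisional; if mainline assigns 294 to a different call before unshare is merged, user space built against this header will silently invoke the wrong syscall on later kernels. Worth a comment beside the define, e.g. `/* private allocation; renumber to match upstream once unshare is merged */`, and a matching note in the spec changelog so the ABI is not treated as stable.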

--
redhat-lspp mailing list
redhat-lspp at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp

linux-2.6.14-audit-filter-type.patch:
 include/linux/audit.h                               |    5 ++-
 linux-2.6.14-rc4-audit_ops-exclude/kernel/audit.c   |    3 +
 linux-2.6.14-rc4-audit_ops-exclude/kernel/auditsc.c |   33 +++++++++++++++++++-
 3 files changed, 39 insertions(+), 2 deletions(-)

--- NEW FILE linux-2.6.14-audit-filter-type.patch ---
>From linux-audit-bounces at redhat.com Wed Nov  2 16:30:31 2005
Return-path: <linux-audit-bounces at redhat.com>
Envelope-to: dwmw2 at baythorne.infradead.org
Delivery-date: Wed, 02 Nov 2005 16:30:31 +0000
Received: from [2002:d592:9a28::1] (helo=pentafluge.infradead.org) by
	baythorne.infradead.org with esmtps (Exim 4.54 #1 (Red Hat Linux)) id
	1EXLVP-0008GS-5G for dwmw2 at baythorne.infradead.org; Wed, 02 Nov 2005
	16:30:31 +0000
Received: from hormel.redhat.com ([209.132.177.30]) by
	pentafluge.infradead.org with esmtp (Exim 4.54 #1 (Red Hat Linux)) id
	1EXLVL-0000C6-Tp for dwmw2 at infradead.org; Wed, 02 Nov 2005 16:30:30 +0000
Received: from listman.util.phx.redhat.com (listman.util.phx.redhat.com
	[10.8.4.110]) by hormel.redhat.com (Postfix) with ESMTP id 8123D72E88; Wed,
	 2 Nov 2005 11:30:26 -0500 (EST)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
	[172.16.52.254]) by listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP
	id jA2GUPrI024178 for <linux-audit at listman.util.phx.redhat.com>; Wed, 2 Nov
	2005 11:30:25 -0500
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by
	int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id jA2GUPV02532 for
	<linux-audit at redhat.com>; Wed, 2 Nov 2005 11:30:25 -0500
Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by
	mx1.redhat.com (8.12.11/8.12.11) with ESMTP id jA2GUO8V005427 for
	<Linux-audit at redhat.com>; Wed, 2 Nov 2005 11:30:24 -0500
Received: from westrelay02.boulder.ibm.com (westrelay02.boulder.ibm.com
	[9.17.195.11]) by e36.co.us.ibm.com (8.12.11/8.12.11) with ESMTP id
	jA2GUIvP015815 for <Linux-audit at redhat.com>; Wed, 2 Nov 2005 11:30:18 -0500
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com
	[9.17.195.167]) by westrelay02.boulder.ibm.com (8.12.10/NCO/VERS6.7) with
	ESMTP id jA2GUIrq487066 for <Linux-audit at redhat.com>; Wed, 2 Nov 2005
	09:30:18 -0700
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1]) by
	d03av01.boulder.ibm.com (8.12.11/8.13.3) with ESMTP id jA2GUInZ014640 for
	<Linux-audit at redhat.com>; Wed, 2 Nov 2005 09:30:18 -0700
Received: from kirkland3.austin.ibm.com (kirkland3.austin.ibm.com
	[9.53.95.24]) by d03av01.boulder.ibm.com (8.12.11/8.12.11) with ESMTP id
	jA2GUIgp014597 for <Linux-audit at redhat.com>; Wed, 2 Nov 2005 09:30:18 -0700
From: Dustin Kirkland <dustin.kirkland at us.ibm.com>
To: Linux-audit at redhat.com
Date: Wed, 02 Nov 2005 10:30:16 -0600
Message-Id: <1130949016.2626.236.camel at kirkland3.austin.ibm.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.2.3 (2.2.3-2.fc4) 
X-RedHat-Spam-Score: 0 
X-loop: linux-audit at redhat.com
Cc: 
Subject: Re: [PATCH] (1/2) new audit filter allows excluding messages by
	type (kernel)
X-BeenThere: linux-audit at redhat.com
X-Mailman-Version: 2.1.5
Precedence: junk
Reply-To: dustin.kirkland at us.ibm.com
List-Id: Linux Audit Discussion <linux-audit.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit at redhat.com>
List-Help: <mailto:linux-audit-request at redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request at redhat.com?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0320553525=="
Sender: linux-audit-bounces at redhat.com
Errors-To: linux-audit-bounces at redhat.com
X-Bad-Reply: 'Re:' in Subject but no References or In-Reply-To headers
X-Spam-Score: 0.0 (/)
X-Evolution-Source: imap://dwmw2@pentafluge.infradead.org/


--===============0320553525==
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-MDLsQT+sGvPQRbuvTaPd"


--=-MDLsQT+sGvPQRbuvTaPd
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On 11/2/05, Steve Grubb <sgrubb at redhat.com> wrote:
> On Tuesday 01 November 2005 17:53, Dustin Kirkland wrote:
> > - Define a new function audit_filter_exclude() that takes a message type
> > as input and examines all rules in the filter. It returns '1' if the
> > message is to be excluded, and '0' otherwise.
> 
> You should check that the list is empty and short circuit. This will be the
> case 99.99% of the time.


Ok.  There's now a list_empty() check at the top of
audit_filter_exclude().

I also removed some unnecessary {} and fixed a couple of lines that were
>80 characters.

I duly note that there's an existing discussion as to whether this
filter belongs in the kernel or in userspace at all.  But I'm keeping
the patch current with existing comments.

Updated patch here.


:-Dustin


diff -uprN linux-2.6.14-rc4-audit_ops/include/linux/audit.h
linux-2.6.14-rc4-audit_ops-exclude/include/linux/audit.h
--- linux-2.6.14-rc4-audit_ops/include/linux/audit.h	2005-10-26 16:12:42.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops-exclude/include/linux/audit.h	2005-10-31 15:51:02.000000000 -0600
@@ -81,8 +81,9 @@
 #define AUDIT_FILTER_ENTRY	0x02	/* Apply rule at syscall entry */
 #define AUDIT_FILTER_WATCH	0x03	/* Apply rule to file system watches */
 #define AUDIT_FILTER_EXIT	0x04	/* Apply rule at syscall exit */
+#define AUDIT_FILTER_EXCLUDE	0x05	/* Apply rule at audit_log_start */
 
-#define AUDIT_NR_FILTERS	5
+#define AUDIT_NR_FILTERS	6
 
 #define AUDIT_FILTER_PREPEND	0x10	/* Prepend to front of list */
 
@@ -121,6 +122,7 @@
 #define AUDIT_LOGINUID	9
 #define AUDIT_PERS	10
 #define AUDIT_ARCH	11
+#define AUDIT_MSGTYPE	12
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
@@ -265,6 +267,7 @@ extern int audit_sockaddr(int len, void 
 extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
 extern void audit_signal_info(int sig, struct task_struct *t);
 extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
+extern int audit_filter_exclude(int type);
 extern char *audit_ipc_context(struct kern_ipc_perm *ipcp);
 extern int audit_set_macxattr(const char *name);
 #else
diff -uprN linux-2.6.14-rc4-audit_ops/kernel/audit.c linux-2.6.14-rc4-audit_ops-exclude/kernel/audit.c
--- linux-2.6.14-rc4-audit_ops/kernel/audit.c	2005-10-21 12:35:50.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops-exclude/kernel/audit.c	2005-11-02 04:44:40.000000000 -0600
@@ -659,6 +659,9 @@ struct audit_buffer *audit_log_start(str
 	if (!audit_initialized)
 		return NULL;
 
+	if (unlikely(audit_filter_exclude(type)))
+		return NULL;
+
 	if (gfp_mask & __GFP_WAIT)
 		reserve = 0;
 	else
diff -uprN linux-2.6.14-rc4-audit_ops/kernel/auditsc.c linux-2.6.14-rc4-audit_ops-exclude/kernel/auditsc.c
--- linux-2.6.14-rc4-audit_ops/kernel/auditsc.c	2005-10-27 14:17:41.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops-exclude/kernel/auditsc.c	2005-11-02 10:12:04.000000000 -0600
@@ -181,7 +181,8 @@ static struct list_head audit_filter_lis
 	LIST_HEAD_INIT(audit_filter_list[2]),
 	LIST_HEAD_INIT(audit_filter_list[3]),
 	LIST_HEAD_INIT(audit_filter_list[4]),
-#if AUDIT_NR_FILTERS != 5
+	LIST_HEAD_INIT(audit_filter_list[5]),
+#if AUDIT_NR_FILTERS != 6
 #error Fix audit_filter_list initialiser
 #endif
 };
@@ -663,6 +664,36 @@ int audit_filter_user(struct netlink_skb
 	return ret; /* Audit by default */
 }
 
+int audit_filter_exclude(int type)
+{
+	struct audit_entry *e;
+	int result = 0;
+	
+	rcu_read_lock();
+	if (sizeof(list_empty(&audit_filter_list[AUDIT_FILTER_EXCLUDE])))
+		goto unlock_and_return;
+
+	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXCLUDE],
+				list) {
+		struct audit_rule *rule = &e->rule;
+		int i;
+		for (i = 0; i < rule->field_count; i++) {
+			u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;
+			u32 op  = rule->fields[i] & AUDIT_OPERATORS;
+			u32 value  = rule->values[i];
+			if ( field == AUDIT_MSGTYPE ) {
+				result = audit_comparator(type, op, value); 
+				if (!result)
+					goto unlock_and_return;
+			}
+		}
+	}
+unlock_and_return:
+	rcu_read_unlock();
+	return result;
+}
+
+
 /* This should be called with task_lock() held. */
 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
 						      int return_valid,
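Review bot: The short-circuit in audit_filter_exclude is `if (sizeof(list_empty(...)))`, and `sizeof` of an int expression is a non-zero constant, so the function always jumps to `unlock_and_return` and returns 0 — the exclude filter can never drop anything. Once that is fixed a second problem appears in the loop: on the first AUDIT_MSGTYPE field that does not match, the code does `goto unlock_and_return` with result 0, so a non-matching first rule hides every later rule; a failed comparison should only abandon the current rule, and a rule whose type fields all matched should end the search. The rewritten loop below does that; unchanged parts of the hunk are elided.
```c
	rcu_read_lock();
	if (list_empty(&audit_filter_list[AUDIT_FILTER_EXCLUDE]))
		goto unlock_and_return;

	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXCLUDE],
				list) {
		struct audit_rule *rule = &e->rule;
		int i;
		for (i = 0; i < rule->field_count; i++) {
			/* … unchanged: field/op/value decode … */
			if (field == AUDIT_MSGTYPE) {
				result = audit_comparator(type, op, value);
				if (!result)
					break;	/* this rule does not apply; try the next */
			}
		}
		if (result)
			goto unlock_and_return;	/* first matching rule excludes */
	}
```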


--=-MDLsQT+sGvPQRbuvTaPd
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBDaOmY0Pzjv0AkCfERAraoAJ0b0DwEbTWWGF2wYE4UexH7pT0DDgCaA5WX
XHoIvUnKb72apbbMzbZT2YU=
=AKAS
-----END PGP SIGNATURE-----

--=-MDLsQT+sGvPQRbuvTaPd--


--===============0320553525==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--===============0320553525==--


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.1639
retrieving revision 1.1639.2.1
diff -u -r1.1639 -r1.1639.2.1
--- kernel-2.6.spec	2 Nov 2005 22:24:54 -0000	1.1639
+++ kernel-2.6.spec	3 Nov 2005 15:25:44 -0000	1.1639.2.1
@@ -356,6 +356,15 @@
 Patch10000: linux-2.6-kdump-needs-not-embedded.patch
 Patch10001: linux-2.6-proc-vmcore-needs-not-embedded.patch
 
+Patch20000: linux-2.6.13-audit-operators.patch
+Patch20001: linux-2.6.13-audit-new-user-types.patch
+Patch20002: linux-2.6.13-audit_inode-augment-1.patch
+Patch20003: linux-2.6.13-audit_inode-augment-2.patch
+Patch20004: linux-2.6.13-audit-SE-context.patch
+Patch20005: linux-2.6.13-unshare-core.patch
+Patch20006: linux-2.6.13-unshare-i386.patch
+Patch20007: linux-2.6.14-audit-filter-type.patch
+
 # END OF PATCH DEFINITIONS
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -811,6 +820,14 @@
 %patch10000 -p1
 %patch10001 -p1
 
+%patch20000 -p1 -b .p20000
+%patch20001 -p1 -b .p20001
+%patch20002 -p1 -b .p20002
+%patch20003 -p1 -b .p20003
+%patch20004 -p1 -b .p20004
+%patch20005 -p1 -b .p20005
+%patch20006 -p1 -b .p20006
+%patch20007 -p1 -b .p20007
 
 # END OF PATCH APPLICATIONS
 



