[RFC] Obtaining PATH entry without audit userland
Steve Grubb
sgrubb at redhat.com
Thu Jan 10 15:19:50 UTC 2008
On Thursday 10 January 2008 03:42:38 Yuichi Nakamura wrote:
> Hi.
>
> When debugging SELinux policy, a PATH audit entry is useful.
> In the current audit code,
> context->dummy should be 0 to obtain a PATH entry,
> but it is set to 1 if no audit rules are registered,
> so some audit rule should be registered to obtain a PATH entry.
>
> To register an audit rule, we need the audit userland.
> However, in embedded devices
> we want as little userland as possible,
> because hardware resources are constrained and cross-compiling is tiresome.
>
> We want the PATH entry to debug SELinux policy,
> but we do not want to port the audit userland for this purpose,
> so we want to do it in the kernel.
>
> The following is a simple patch to obtain the PATH entry without the audit userland.
> Does this sound reasonable?
I was under the impression that Al Viro has already sent a patch allowing for
PATH in all AVC messages. Al?
> Signed-off-by: Yuichi Nakamura <ynakam at hitachisoft.jp>
> ---
> init/Kconfig | 10 ++++++++++
> kernel/audit.h | 7 +++++++
> kernel/auditsc.c | 9 ++++++++-
> 3 files changed, 25 insertions(+), 1 deletion(-)
> diff -purN -X linux-2.6.22.1/Documentation/dontdiff
> linux-2.6.22.1.old/kernel/audit.h linux-2.6.22.1/kernel/audit.h ---
> linux-2.6.22.1.old/kernel/audit.h 2007-12-19 10:00:19.000000000 +0900 +++
> linux-2.6.22.1/kernel/audit.h 2008-01-09 09:04:28.000000000 +0900 @@ -143,6
> +143,13 @@ static inline int audit_signal_info(int
> extern enum audit_state audit_filter_inodes(struct task_struct *,
> struct audit_context *);
> extern void audit_set_auditable(struct audit_context *);
> +
> +#ifdef CONFIG_AUDIT_PATH
> +#define DEFAULT_AUDIT_PATH_ENTRY 1
> +#else
> +#define DEFAULT_AUDIT_PATH_ENTRY 0
> +#endif
> +
> #else
> #define audit_signal_info(s,t) AUDIT_DISABLED
> #define audit_filter_inodes(t,c) AUDIT_DISABLED
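Review bot: the DEFAULT_AUDIT_PATH_ENTRY macro added here is consumed by exactly one initializer in kernel/auditsc.c, and this header adds no `extern int audit_path_entry;` for the variable that initializer defines, so the macro indirection does not buy anything. Either declare the variable here (if the intent is to let other code flip it at run time, which would make the feature usable without rebuilding the kernel) or drop the macro and use `#ifdef CONFIG_AUDIT_PATH` at the single use site in auditsc.c. Placing the definition inside the CONFIG_AUDITSYSCALL block is consistent with the `depends on AUDITSYSCALL` in the Kconfig change, so that part is fine.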
> diff -purN -X linux-2.6.22.1/Documentation/dontdiff
> linux-2.6.22.1.old/kernel/auditsc.c linux-2.6.22.1/kernel/auditsc.c ---
> linux-2.6.22.1.old/kernel/auditsc.c 2007-12-19 10:00:19.000000000 +0900 +++
> linux-2.6.22.1/kernel/auditsc.c 2008-01-09 08:57:44.000000000 +0900 @@
> -227,6 +227,8 @@ struct audit_context {
> #endif
> };
>
> +int audit_path_entry = DEFAULT_AUDIT_PATH_ENTRY;
> +
> #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
> static inline int open_arg(int flags, int mask)
> {
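Review bot: `audit_path_entry` is a file-scope variable with external linkage, but nothing outside auditsc.c references it and no header declares it, so it should be `static` (sparse will otherwise warn that the symbol is not declared). Since it is only ever initialized from DEFAULT_AUDIT_PATH_ENTRY and never written, it could equally be `const` or be dropped in favour of testing CONFIG_AUDIT_PATH directly at the one use site; if a variable is kept, it would be worth exposing a run-time toggle so the same image can serve both production and SELinux policy debugging.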
> @@ -1198,7 +1200,12 @@ void audit_syscall_entry(int arch, int m
> context->argv[3] = a4;
>
> state = context->state;
> - context->dummy = !audit_n_rules;
> +
> + if (audit_path_entry)
> + context->dummy = 0;
> + else
> + context->dummy = !audit_n_rules;
> +
> if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state ==
> AUDIT_BUILD_CONTEXT)) state = audit_filter_syscall(tsk, context,
> &audit_filter_list[AUDIT_FILTER_ENTRY]); if (likely(state ==
> AUDIT_DISABLED))
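Review bot: the four-line if/else reduces to a single assignment, `context->dummy = !audit_path_entry && !audit_n_rules;`, which keeps the original one-line shape and is easier to read. The bigger point is cost, which the changelog does not mention: once audit_path_entry is set, dummy is 0 on every syscall entry of every task, so the `audit_filter_syscall()` call directly below runs on every syscall even when `audit_n_rules` is 0, and syscall contexts (and the PATH records this patch is after) are produced system-wide rather than only for the process being debugged. That is exactly the overhead the `!audit_n_rules` shortcut on the removed line existed to avoid, so it deserves a sentence in both the changelog and the Kconfig help.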
> --- linux-2.6.22.1.old/init/Kconfig 2008-01-08 13:49:30.000000000 +0900
> +++ linux-2.6.22.1/init/Kconfig 2007-12-19 11:50:17.000000000 +0900
> @@ -245,6 +245,16 @@ config AUDITSYSCALL
> such as SELinux. To use audit's filesystem watch feature, please
> ensure that INOTIFY is configured.
>
> +config AUDIT_PATH
> + bool "Audit always PATH entry"
> + depends on AUDITSYSCALL
> + default n
> + help
> + By default, PATH entry is not audited unless
> + you register some audit rule.
> + With this option, PATH entry is always audited.
> + This is useful in debugging SELinux policy without audit userland.
> +
> config IKCONFIG
> tristate "Kernel .config support"
> ---help---
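Review bot: the file header for init/Kconfig has its timestamps inverted relative to the other two files (the `.old` copy is dated 2008-01-08 and the new copy 2007-12-19), so it is worth checking that the series was generated from one consistent tree with a single `diff -purN` run. Within the hunk, `default n` is redundant for a bool, the prompt "Audit always PATH entry" reads awkwardly ("Always record PATH audit entries" is clearer), and the help text should state that enabling the option sends every syscall of every process through audit context setup regardless of rules, so it is a debugging aid that should stay off in production images.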