[PATCH] integrity: audit update
Steve Grubb
sgrubb at redhat.com
Tue Feb 10 22:19:15 UTC 2009
On Monday 09 February 2009 06:24:20 pm Mimi Zohar wrote:
> - Force audit result to be either 0 or 1.
> - make template names const
> - Add new stand-alone message type: AUDIT_INTEGRITY_RULE
>
> Signed-off-by: Mimi Zohar <zohar at us.ibm.com>
Acked-by: Steve Grubb <sgrubb at redhat.com>
> ---
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 930939a..4fa2810 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -36,7 +36,8 @@
> * 1500 - 1599 kernel LSPP events
> * 1600 - 1699 kernel crypto events
> * 1700 - 1799 kernel anomaly records
> - * 1800 - 1999 future kernel use (maybe integrity labels and related
> events) + * 1800 - 1899 kernel integrity events
> + * 1900 - 1999 future kernel use
> * 2000 is for otherwise unclassified kernel audit messages (legacy)
> * 2001 - 2099 unused (kernel)
> * 2100 - 2199 user space anomaly records
> @@ -130,6 +131,7 @@
> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
> #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
> #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
> +#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
>
> #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index e3c16a2..165eb53 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -47,7 +47,7 @@ struct ima_template_data {
>
> struct ima_template_entry {
> u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
> - char *template_name;
> + const char *template_name;
> int template_len;
> struct ima_template_data template;
> };
> diff --git a/security/integrity/ima/ima_api.c
> b/security/integrity/ima/ima_api.c index a148a25..3cd58b6 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -15,7 +15,7 @@
> #include <linux/module.h>
>
> #include "ima.h"
> -static char *IMA_TEMPLATE_NAME = "ima";
> +static const char *IMA_TEMPLATE_NAME = "ima";
>
> /*
> * ima_store_template - store ima template measurements
> diff --git a/security/integrity/ima/ima_audit.c
> b/security/integrity/ima/ima_audit.c index 8a0f1e2..1e082bb 100644
> --- a/security/integrity/ima/ima_audit.c
> +++ b/security/integrity/ima/ima_audit.c
> @@ -22,16 +22,18 @@ static int ima_audit;
> static int __init ima_audit_setup(char *str)
> {
> unsigned long audit;
> - int rc;
> - char *op;
> + int rc, result = 0;
> + char *op = "ima_audit";
> + char *cause;
>
> rc = strict_strtoul(str, 0, &audit);
> if (rc || audit > 1)
> - printk(KERN_INFO "ima: invalid ima_audit value\n");
> + result = 1;
> else
> ima_audit = audit;
> - op = ima_audit ? "ima_audit_enabled" : "ima_audit_not_enabled";
> - integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
> + cause = ima_audit ? "enabled" : "not_enabled";
> + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
> + op, cause, result, 0);
> return 1;
> }
> __setup("ima_audit=", ima_audit_setup);
> @@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode
> *inode, return;
>
> ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
> - audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u",
> + audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u",
> current->pid, current->cred->uid,
> - audit_get_loginuid(current));
> + audit_get_loginuid(current),
> + audit_get_sessionid(current));
> audit_log_task_context(ab);
> switch (audit_msgno) {
> case AUDIT_INTEGRITY_DATA:
> case AUDIT_INTEGRITY_METADATA:
> case AUDIT_INTEGRITY_PCR:
> + case AUDIT_INTEGRITY_STATUS:
> audit_log_format(ab, " op=%s cause=%s", op, cause);
> break;
> case AUDIT_INTEGRITY_HASH:
> audit_log_format(ab, " op=%s hash=%s", op, cause);
> break;
> - case AUDIT_INTEGRITY_STATUS:
> default:
> audit_log_format(ab, " op=%s", op);
> }
> @@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode
> *inode, if (inode)
> audit_log_format(ab, " dev=%s ino=%lu",
> inode->i_sb->s_id, inode->i_ino);
> - audit_log_format(ab, " res=%d", result);
> + audit_log_format(ab, " res=%d", !result ? 0 : 1);
> audit_log_end(ab);
> }
> diff --git a/security/integrity/ima/ima_fs.c
> b/security/integrity/ima/ima_fs.c index 573780c..ffbe259 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m,
> void *v) ima_putc(m, &namelen, sizeof namelen);
>
> /* 4th: template name */
> - ima_putc(m, e->template_name, namelen);
> + ima_putc(m, (void *)e->template_name, namelen);
>
> /* 5th: template specific data */
> ima_template_show(m, (struct ima_template_data *)&e->template,
> diff --git a/security/integrity/ima/ima_init.c
> b/security/integrity/ima/ima_init.c index cf227db..0b0bb8c 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -20,7 +20,7 @@
> #include "ima.h"
>
> /* name for boot aggregate entry */
> -static char *boot_aggregate_name = "boot_aggregate";
> +static const char *boot_aggregate_name = "boot_aggregate";
> int ima_used_chip;
>
> /* Add the boot aggregate to the IMA measurement list and extend
> diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c index 23810e0..b5291ad 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -12,7 +12,6 @@
> */
> #include <linux/module.h>
> #include <linux/list.h>
> -#include <linux/audit.h>
> #include <linux/security.h>
> #include <linux/magic.h>
> #include <linux/parser.h>
> @@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct
> ima_measure_rule_entry *entry) char *p;
> int result = 0;
>
> - ab = audit_log_start(current->audit_context, GFP_KERNEL,
> - AUDIT_INTEGRITY_STATUS);
> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
>
> entry->action = -1;
> while ((p = strsep(&rule, " \n")) != NULL) {
> @@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct
> ima_measure_rule_entry *entry) AUDIT_SUBJ_TYPE);
> break;
> case Opt_err:
> - printk(KERN_INFO "%s: unknown token: %s\n",
> - __FUNCTION__, p);
> + audit_log_format(ab, "UNKNOWN=%s ", p);
> break;
> }
> }
> if (entry->action == UNKNOWN)
> result = -EINVAL;
>
> - audit_log_format(ab, "res=%d", result);
> + audit_log_format(ab, "res=%d", !result ? 0 : 1);
> audit_log_end(ab);
> return result;
> }
> @@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct
> ima_measure_rule_entry *entry) */
> int ima_parse_add_rule(char *rule)
> {
> - const char *op = "add_rule";
> + const char *op = "update_policy";
> struct ima_measure_rule_entry *entry;
> int result = 0;
> int audit_info = 0;
> @@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule)
> mutex_lock(&ima_measure_mutex);
> list_add_tail(&entry->list, &measure_policy_rules);
> mutex_unlock(&ima_measure_mutex);
> - } else
> + } else {
> kfree(entry);
> + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
> + NULL, op, "invalid policy", result,
> + audit_info);
> + }
> return result;
> }
More information about the Linux-audit
mailing list