[PATCH 4/5] audit: add netlink multicast group for log read

Steve Grubb sgrubb at redhat.com
Wed Mar 12 12:55:37 UTC 2014 

On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> Add a netlink multicast socket with one group to kaudit for "best-effort"
> delivery to read-only userspace clients such as systemd, in addition to the
> existing bidirectional unicast auditd userspace client.

One question...we do have to have the ability to separate of secadm_r and 
sysadm_r. By allowing this we will leak to a sysadmin that he is being audited 
by the security officer. In a lot of cases, they are one in the same person. But 
for others, they are not. I have a feeling this will cause problems for MLS 
systems.

-Steve


> Currently, auditd is intended to use the CAP_AUDIT_CONTROL and
> CAP_AUDIT_WRITE capabilities, but actually uses CAP_NET_ADMIN.  The
> CAP_AUDIT_READ capability is added for use by read-only AUDIT_NLGRP_READLOG
> netlink multicast group clients to the kaudit subsystem.
> 
> This will safely give access to services such as systemd to consume audit
> logs while ensuring write access remains restricted for integrity.
> 
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
>  include/uapi/linux/audit.h          |    8 +++++++
>  include/uapi/linux/capability.h     |    7 +++++-
>  kernel/audit.c                      |   39
> +++++++++++++++++++++++++++++++++++ security/selinux/include/classmap.h |  
>  2 +-
>  4 files changed, 54 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 2d48fe1..8aba976 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -372,6 +372,14 @@ enum {
>   */
>  #define AUDIT_MESSAGE_TEXT_MAX	8560
> 
> +/* Multicast Netlink socket groups (default up to 32) */
> +enum audit_nlgrps {
> +	AUDIT_NLGRP_NONE,	/* Group 0 not used */
> +	AUDIT_NLGRP_READLOG,	/* "best effort" read only socket */
> +	__AUDIT_NLGRP_MAX
> +};
> +#define AUDIT_NLGRP_MAX                (__AUDIT_NLGRP_MAX - 1)
> +
>  struct audit_status {
>  	__u32		mask;		/* Bit mask for valid entries */
>  	__u32		enabled;	/* 1 = enabled, 0 = disabled */
> diff --git a/include/uapi/linux/capability.h
> b/include/uapi/linux/capability.h index 154dd6d..12c37a1 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -347,7 +347,12 @@ struct vfs_cap_data {
> 
>  #define CAP_BLOCK_SUSPEND    36
> 
> -#define CAP_LAST_CAP         CAP_BLOCK_SUSPEND
> +/* Allow reading the audit log via multicast netlink socket */
> +
> +#define CAP_AUDIT_READ		37
> +
> +
> +#define CAP_LAST_CAP         CAP_AUDIT_READ
> 
>  #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f2d2d61..0da57b6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -424,6 +424,37 @@ static void kauditd_send_skb(struct sk_buff *skb)
>  }
> 
>  /*
> + * kauditd_send_multicast_skb - send the skb to multicast userspace
> listeners + *
> + * This function doesn't consume an skb as might be expected since it has
> to + * copy it anyways.
> + */
> +static void kauditd_send_multicast_skb(struct sk_buff *skb)
> +{
> +	struct sk_buff *copy;
> +	struct nlmsghdr *nlh;
> +
> +	/*
> +	 * The seemingly wasteful skb_copy() is necessary because the original
> +	 * kaudit unicast socket sends up messages with nlmsg_len set to the
> +	 * payload length rather than the entire message length.  This breaks
> +	 * the standard set by netlink.  The existing auditd daemon assumes
> +	 * this breakage.  Fixing this would require co-ordinating a change in
> +	 * the established protocol between the kaudit kernel subsystem and
> +	 * the auditd userspace code.  There is no reason for new multicast
> +	 * clients to continue with this non-compliance.
> +	 */
> +	copy = skb_copy(skb, GFP_KERNEL);
> +	if (!copy)
> +		return;
> +
> +	nlh = nlmsg_hdr(copy);
> +	nlh->nlmsg_len = copy->len;
> +
> +	nlmsg_multicast(audit_sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
> +}
> +
> +/*
>   * flush_hold_queue - empty the hold queue if auditd appears
>   *
>   * If auditd just started, drain the queue of messages already
> @@ -474,6 +505,12 @@ static int kauditd_thread(void *dummy)
>  		skb = skb_dequeue(&audit_skb_queue);
> 
>  		if (skb) {
> +			/* Don't bump skb refcount for multicast send since
> +			 * kauditd_send_multicast_skb() copies the skb anyway
> +			 * due to audit unicast netlink protocol
> +			 * non-compliance.
> +			 */
> +			kauditd_send_multicast_skb(skb);
>  			if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
>  				wake_up(&audit_backlog_wait);
>  			if (audit_pid)
> @@ -1064,6 +1101,8 @@ static int __net_init audit_net_init(struct net *net)
>  	struct netlink_kernel_cfg cfg = {
>  		.input	= audit_receive,
>  		.bind	= audit_bind,
> +		.flags	= NL_CFG_F_NONROOT_RECV,
> +		.groups	= AUDIT_NLGRP_MAX,
>  	};
> 
>  	struct audit_net *aunet = net_generic(net, audit_net_id);
> diff --git a/security/selinux/include/classmap.h
> b/security/selinux/include/classmap.h index 14d04e6..be491a7 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -147,7 +147,7 @@ struct security_class_mapping secclass_map[] = {
>  	{ "peer", { "recv", NULL } },
>  	{ "capability2",
>  	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
> -	    NULL } },
> +	    "audit_read", NULL } },
>  	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
>  	{ "tun_socket",
>  	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },

More information about the Linux-audit mailing list