[ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation

Richard Guy Briggs rgb at redhat.com
Thu Oct 22 19:47:07 UTC 2015 

On 15/10/22, Steve Grubb wrote:
> What is the permissions on this? Who can view it?

proc_create() was called with mode 0, so I'm guessing it is 777.
Actually, it is 444.  That should be changed to 400 (S_IRUSR) for use on
a system that matters, but again, this is a debug patch set giving
internal read-only stats, not intended for upstream or production use.
Nice catch.

> -Steve
> 
> On Thursday, October 22, 2015 02:58:49 PM Richard Guy Briggs wrote:
> > Add a /proc/audit entry for debugging to instrument many audit subsystem
> > internal parameters not normally visible.
> > 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> >  include/linux/skbuff.h |   16 ++++++++++++++++
> >  kernel/audit.c         |   48
> > ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64
> > insertions(+), 0 deletions(-)
> > 
> > diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > index f54d665..bcde922 100644
> > --- a/include/linux/skbuff.h
> > +++ b/include/linux/skbuff.h
> > @@ -180,6 +180,7 @@ struct sk_buff_head {
> > 
> >  	__u32		qlen;
> >  	spinlock_t	lock;
> > +	__u32		qlen_max;
> >  };
> > 
> >  struct sk_buff;
> > @@ -1301,6 +1302,11 @@ static inline __u32 skb_queue_len(const struct
> > sk_buff_head *list_) return list_->qlen;
> >  }
> > 
> > +static inline __u32 skb_queue_len_max(const struct sk_buff_head *list_)
> > +{
> > +	return list_->qlen_max;
> > +}
> > +
> >  /**
> >   *	__skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
> > *	@list: queue to initialize
> > @@ -1354,6 +1360,8 @@ static inline void __skb_insert(struct sk_buff *newsk,
> > newsk->prev = prev;
> >  	next->prev  = prev->next = newsk;
> >  	list->qlen++;
> > +	if(list->qlen > list->qlen_max)
> > +		list->qlen_max = list->qlen;
> >  }
> > 
> >  static inline void __skb_queue_splice(const struct sk_buff_head *list,
> > @@ -1381,6 +1389,8 @@ static inline void skb_queue_splice(const struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, (struct sk_buff *) head, head->next);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  	}
> >  }
> > 
> > @@ -1397,6 +1407,8 @@ static inline void skb_queue_splice_init(struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, (struct sk_buff *) head, head->next);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  		__skb_queue_head_init(list);
> >  	}
> >  }
> > @@ -1412,6 +1424,8 @@ static inline void skb_queue_splice_tail(const struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  	}
> >  }
> > 
> > @@ -1429,6 +1443,8 @@ static inline void skb_queue_splice_tail_init(struct
> > sk_buff_head *list, if (!skb_queue_empty(list)) {
> >  		__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
> >  		head->qlen += list->qlen;
> > +		if(head->qlen > head->qlen_max)
> > +			head->qlen_max = head->qlen;
> >  		__skb_queue_head_init(list);
> >  	}
> >  }
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index d4e19fc..82df9fd 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -124,6 +124,7 @@ u32		audit_sig_sid = 0;
> >     4) suppressed due to audit_backlog_limit
> >  */
> >  static atomic_t    audit_lost = ATOMIC_INIT(0);
> > +static atomic_t    audit_hold_lost = ATOMIC_INIT(0);
> > 
> >  /* The netlink socket. */
> >  static struct sock *audit_sock;
> > @@ -381,7 +382,10 @@ static void audit_hold_skb(struct sk_buff *skb)
> >  	     skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
> >  		skb_queue_tail(&audit_skb_hold_queue, skb);
> >  	else
> > +	{
> >  		kfree_skb(skb);
> > +		atomic_inc(&audit_hold_lost);
> > +	}
> >  }
> > 
> >  /*
> > @@ -510,7 +514,10 @@ static void flush_hold_queue(void)
> >  	 * dequeued an skb we need to drop ref
> >  	 */
> >  	if (skb)
> > +	{
> >  		consume_skb(skb);
> > +		atomic_inc(&audit_hold_lost);
> > +	}
> >  }
> > 
> >  static int kauditd_thread(void *dummy)
> > @@ -1174,6 +1181,45 @@ static struct pernet_operations audit_net_ops
> > __net_initdata = { .size = sizeof(struct audit_net),
> >  };
> > 
> > +/* Display information about audit subsystem */
> > +static int proc_auditstats_show(struct seq_file *m, void *v)
> > +{
> > +	//seq_printf(m, "audit_initialized\t%d\n", audit_initialized);
> > +	//seq_printf(m, "audit_enabled\t%u\n", audit_enabled);
> > +	//seq_printf(m, "audit_ever_enabled\t%u\n", audit_ever_enabled);
> > +	//seq_printf(m, "audit_default\t%u\n", audit_default);
> > +	//seq_printf(m, "audit_failure\t%u\n", audit_failure);
> > +	seq_printf(m, "audit_pid\t\t\t%d\n", audit_pid);
> > +	//seq_printf(m, "audit_nlk_portid\t%u\n", audit_nlk_portid);
> > +	//seq_printf(m, "audit_rate_limit\t%u\n", audit_rate_limit);
> > +	//seq_printf(m, "audit_backlog_limit\t%u\n", audit_backlog_limit);
> > +	//seq_printf(m, "audit_backlog_wait_time\t%u\n", audit_backlog_wait_time);
> > +	//seq_printf(m, "audit_sig_uid\t%u\n", from_kuid(&init_user_ns,
> > audit_sig_uid)); +	//seq_printf(m, "audit_sig_pid\t%d\n", audit_sig_pid);
> > +	//seq_printf(m, "audit_sig_sid\t%u\n", audit_sig_sid);
> > +	seq_printf(m, "audit_lost\t\t\t%d\n", atomic_read(&audit_lost));
> > +	seq_printf(m, "audit_hold_lost\t\t\t%d\n", atomic_read(&audit_hold_lost));
> > +	seq_printf(m, "audit_freelist_count\t\t%u\n", audit_freelist_count);
> > +	seq_printf(m, "audit_skb_queue len\t\t%d\n",
> > skb_queue_len(&audit_skb_queue)); +	seq_printf(m, "audit_skb_queue
> > len_max\t\t%d\n", skb_queue_len_max(&audit_skb_queue)); +	seq_printf(m,
> > "audit_skb_hold_queue len\t%d\n", skb_queue_len(&audit_skb_hold_queue));
> > +	seq_printf(m, "audit_skb_hold_queue len_max\t%d\n",
> > skb_queue_len_max(&audit_skb_hold_queue)); +
> > +	return 0;
> > +}
> > +
> > +static int auditstats_open(struct inode *inode, struct file *file)
> > +{
> > +	return single_open(file, proc_auditstats_show, NULL);
> > +}
> > +
> > +static const struct file_operations proc_auditstats_operations = {
> > +	.open = auditstats_open,
> > +	.read = seq_read,
> > +	.llseek = seq_lseek,
> > +	.release = single_release,
> > +};
> > +
> >  /* Initialize audit support at boot time. */
> >  static int __init audit_init(void)
> >  {
> > @@ -1197,6 +1243,8 @@ static int __init audit_init(void)
> >  	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
> >  		INIT_LIST_HEAD(&audit_inode_hash[i]);
> > 
> > +	proc_create("audit", 0, NULL, &proc_auditstats_operations);
> > +
> >  	return 0;
> >  }
> >  __initcall(audit_init);
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list