From 5adc8a6adc91c4c85a64c75a70a619fffc924817 Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Wed, 14 Jun 2006 18:45:21 -0400 Subject: [PATCH] add rule filterkey Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis. Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly. Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules. Signed-off-by: Amy Griffis --- include/linux/audit.h | 3 ++ kernel/audit.h | 1 + kernel/auditfilter.c | 95 ++++++++++++++++++++++++++++++++------------------- kernel/auditsc.c | 15 ++++++++ 4 files changed, 78 insertions(+), 36 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index e051ff9..a489104 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -122,6 +122,7 @@ /* Rule structure sizes -- if these change, different AUDIT_ADD and * AUDIT_LIST commands must be implemented. */ #define AUDIT_MAX_FIELDS 64 +#define AUDIT_MAX_KEY_LEN 32 #define AUDIT_BITMASK_SIZE 64 #define AUDIT_WORD(nr) ((__u32)((nr)/32)) #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) @@ -171,6 +172,8 @@ #define AUDIT_ARG2 (AUDIT_ARG0+2) #define AUDIT_ARG3 (AUDIT_ARG0+3) +#define AUDIT_FILTERKEY 210 + #define AUDIT_NEGATE 0x80000000 /* These are the supported operators. diff --git a/kernel/audit.h b/kernel/audit.h index 8323e41..6aa33b8 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -81,6 +81,7 @@ struct audit_krule { u32 mask[AUDIT_BITMASK_SIZE]; u32 buflen; /* for data alloc on list rules */ u32 field_count; + char *filterkey; /* ties events to rules */ struct audit_field *fields; struct audit_field *inode_f; /* quick access to an inode field */ struct audit_watch *watch; /* associated watch */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 4c99d2c..e98db08 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -141,6 +141,7 @@ static inline void audit_free_rule(struct audit_entry *e) selinux_audit_rule_free(f->se_rule); } kfree(e->rule.fields); + kfree(e->rule.filterkey); kfree(e); } @@ -511,6 +512,16 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, if (err) goto exit_free; break; + case AUDIT_FILTERKEY: + err = -EINVAL; + if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) + goto exit_free; + str = audit_unpack_string(&bufp, &remain, f->val); + if (IS_ERR(str)) + goto exit_free; + entry->rule.buflen += f->val; + entry->rule.filterkey = str; + break; default: goto exit_free; } @@ -612,6 +623,10 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->buflen += data->values[i] = audit_pack_string(&bufp, krule->watch->path); break; + case AUDIT_FILTERKEY: + data->buflen += data->values[i] = + audit_pack_string(&bufp, krule->filterkey); + break; default: data->values[i] = f->val; } @@ -651,6 +666,11 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) if (strcmp(a->watch->path, b->watch->path)) return 1; break; + case AUDIT_FILTERKEY: + /* both filterkeys exist based on above type compare */ + if (strcmp(a->filterkey, b->filterkey)) + return 1; + break; default: if (a->fields[i].val != b->fields[i].val) return 1; @@ -730,6 +750,7 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old, u32 fcount = old->field_count; struct audit_entry *entry; struct audit_krule *new; + char *fk; int i, err = 0; entry = audit_init_entry(fcount); @@ -760,6 +781,13 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old, case AUDIT_SE_CLR: err = audit_dupe_selinux_field(&new->fields[i], &old->fields[i]); + break; + case AUDIT_FILTERKEY: + fk = kstrdup(old->filterkey, GFP_KERNEL); + if (unlikely(!fk)) + err = -ENOMEM; + else + new->filterkey = fk; } if (err) { audit_free_rule(entry); @@ -1245,6 +1273,34 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) skb_queue_tail(q, skb); } +/* Log rule additions and removals */ +static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, + struct audit_krule *rule, int res) +{ + struct audit_buffer *ab; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); + if (!ab) + return; + audit_log_format(ab, "auid=%u", loginuid); + if (sid) { + char *ctx = NULL; + u32 len; + if (selinux_ctxid_to_string(sid, &ctx, &len)) + audit_log_format(ab, " ssid=%u", sid); + else + audit_log_format(ab, " subj=%s", ctx); + kfree(ctx); + } + audit_log_format(ab, " %s rule key=", action); + if (rule->filterkey) + audit_log_untrustedstring(ab, rule->filterkey); + else + audit_log_format(ab, "(null)"); + audit_log_format(ab, " list=%d res=%d", rule->listnr, res); + audit_log_end(ab); +} + /** * audit_receive_filter - apply all rules to the specified message type * @type: audit message type @@ -1304,24 +1360,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, err = audit_add_rule(entry, &audit_filter_list[entry->rule.listnr]); - - if (sid) { - char *ctx = NULL; - u32 len; - if (selinux_ctxid_to_string(sid, &ctx, &len)) { - /* Maybe call audit_panic? */ - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u ssid=%u add rule to list=%d res=%d", - loginuid, sid, entry->rule.listnr, !err); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u subj=%s add rule to list=%d res=%d", - loginuid, ctx, entry->rule.listnr, !err); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u add rule to list=%d res=%d", - loginuid, entry->rule.listnr, !err); + audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); if (err) audit_free_rule(entry); @@ -1337,24 +1376,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, err = audit_del_rule(entry, &audit_filter_list[entry->rule.listnr]); - - if (sid) { - char *ctx = NULL; - u32 len; - if (selinux_ctxid_to_string(sid, &ctx, &len)) { - /* Maybe call audit_panic? */ - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u ssid=%u remove rule from list=%d res=%d", - loginuid, sid, entry->rule.listnr, !err); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u subj=%s remove rule from list=%d res=%d", - loginuid, ctx, entry->rule.listnr, !err); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "auid=%u remove rule from list=%d res=%d", - loginuid, entry->rule.listnr, !err); + audit_log_rule_change(loginuid, sid, "remove", &entry->rule, + !err); audit_free_rule(entry); break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index dc5e3f0..3166578 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -186,6 +186,7 @@ struct audit_context { int auditable; /* 1 if record should be written */ int name_count; struct audit_names names[AUDIT_NAMES]; + char * filterkey; /* key for rule that triggered record */ struct dentry * pwd; struct vfsmount * pwdmnt; struct audit_context *previous; /* For nested syscalls */ @@ -348,11 +349,17 @@ static int audit_filter_rules(struct task_struct *tsk, if (ctx) result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); break; + case AUDIT_FILTERKEY: + /* ignore this field for filtering */ + result = 1; + break; } if (!result) return 0; } + if (rule->filterkey) + ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); switch (rule->action) { case AUDIT_NEVER: *state = AUDIT_DISABLED; break; case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; @@ -627,6 +634,7 @@ static inline void audit_free_context(struct audit_context *context) } audit_free_names(context); audit_free_aux(context); + kfree(context->filterkey); kfree(context); context = previous; } while (context); @@ -735,6 +743,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts context->euid, context->suid, context->fsuid, context->egid, context->sgid, context->fsgid, tty); audit_log_task_info(ab, tsk); + if (context->filterkey) { + audit_log_format(ab, " key="); + audit_log_untrustedstring(ab, context->filterkey); + } else + audit_log_format(ab, " key=(null)"); audit_log_end(ab); for (aux = context->aux; aux; aux = aux->next) { @@ -1060,6 +1073,8 @@ void audit_syscall_exit(int valid, long return_code) } else { audit_free_names(context); audit_free_aux(context); + kfree(context->filterkey); + context->filterkey = NULL; tsk->audit_context = context; } } -- cgit v1.1 From 3a6b9f85c641a3b89420b0c8150ed377526a1fe1 Mon Sep 17 00:00:00 2001 From: Darrel Goeddel Date: Thu, 29 Jun 2006 16:56:39 -0500 Subject: [PATCH] audit: rename AUDIT_SE_* constants This patch renames some audit constant definitions and adds additional definitions used by the following patch. The renaming avoids ambiguity with respect to the new definitions. Signed-off-by: Darrel Goeddel include/linux/audit.h | 15 ++++++++---- kernel/auditfilter.c | 50 ++++++++++++++++++++--------------------- kernel/auditsc.c | 10 ++++---- security/selinux/ss/services.c | 32 +++++++++++++------------- 4 files changed, 56 insertions(+), 51 deletions(-) Signed-off-by: Al Viro --- include/linux/audit.h | 15 ++++++++----- kernel/auditfilter.c | 50 +++++++++++++++++++++--------------------- kernel/auditsc.c | 10 ++++----- security/selinux/ss/services.c | 32 +++++++++++++-------------- 4 files changed, 56 insertions(+), 51 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index a489104..c211f0a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -151,12 +151,17 @@ #define AUDIT_PERS 10 #define AUDIT_ARCH 11 #define AUDIT_MSGTYPE 12 -#define AUDIT_SE_USER 13 /* security label user */ -#define AUDIT_SE_ROLE 14 /* security label role */ -#define AUDIT_SE_TYPE 15 /* security label type */ -#define AUDIT_SE_SEN 16 /* security label sensitivity label */ -#define AUDIT_SE_CLR 17 /* security label clearance label */ +#define AUDIT_SUBJ_USER 13 /* security label user */ +#define AUDIT_SUBJ_ROLE 14 /* security label role */ +#define AUDIT_SUBJ_TYPE 15 /* security label type */ +#define AUDIT_SUBJ_SEN 16 /* security label sensitivity label */ +#define AUDIT_SUBJ_CLR 17 /* security label clearance label */ #define AUDIT_PPID 18 +#define AUDIT_OBJ_USER 19 +#define AUDIT_OBJ_ROLE 20 +#define AUDIT_OBJ_TYPE 21 +#define AUDIT_OBJ_LEV_LOW 22 +#define AUDIT_OBJ_LEV_HIGH 23 /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e98db08..40a9931 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -470,11 +470,11 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, case AUDIT_ARG2: case AUDIT_ARG3: break; - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: str = audit_unpack_string(&bufp, &remain, f->val); if (IS_ERR(str)) goto exit_free; @@ -611,11 +611,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->fields[i] = f->type; data->fieldflags[i] = f->op; switch(f->type) { - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: data->buflen += data->values[i] = audit_pack_string(&bufp, f->se_str); break; @@ -654,11 +654,11 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) return 1; switch(a->fields[i].type) { - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) return 1; break; @@ -774,11 +774,11 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old, * the originals will all be freed when the old rule is freed. */ for (i = 0; i < fcount; i++) { switch (new->fields[i].type) { - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: err = audit_dupe_selinux_field(&new->fields[i], &old->fields[i]); break; @@ -1537,11 +1537,11 @@ static inline int audit_rule_has_selinux(struct audit_krule *rule) for (i = 0; i < rule->field_count; i++) { struct audit_field *f = &rule->fields[i]; switch (f->type) { - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: return 1; } } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3166578..1d24fad 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -321,11 +321,11 @@ static int audit_filter_rules(struct task_struct *tsk, if (ctx) result = audit_comparator(ctx->loginuid, f->op, f->val); break; - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: /* NOTE: this may return negative values indicating a temporary error. We simply treat this as a match for now to avoid losing information that diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e9548bc..92e80b9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1845,15 +1845,15 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, return -ENOTSUPP; switch (field) { - case AUDIT_SE_USER: - case AUDIT_SE_ROLE: - case AUDIT_SE_TYPE: + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: /* only 'equals' and 'not equals' fit user, role, and type */ if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) return -EINVAL; break; - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: /* we do not allow a range, indicated by the presense of '-' */ if (strchr(rulestr, '-')) return -EINVAL; @@ -1874,29 +1874,29 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, tmprule->au_seqno = latest_granting; switch (field) { - case AUDIT_SE_USER: + case AUDIT_SUBJ_USER: userdatum = hashtab_search(policydb.p_users.table, rulestr); if (!userdatum) rc = -EINVAL; else tmprule->au_ctxt.user = userdatum->value; break; - case AUDIT_SE_ROLE: + case AUDIT_SUBJ_ROLE: roledatum = hashtab_search(policydb.p_roles.table, rulestr); if (!roledatum) rc = -EINVAL; else tmprule->au_ctxt.role = roledatum->value; break; - case AUDIT_SE_TYPE: + case AUDIT_SUBJ_TYPE: typedatum = hashtab_search(policydb.p_types.table, rulestr); if (!typedatum) rc = -EINVAL; else tmprule->au_ctxt.type = typedatum->value; break; - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); break; } @@ -1948,7 +1948,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, /* a field/op pair that is not caught here will simply fall through without a match */ switch (field) { - case AUDIT_SE_USER: + case AUDIT_SUBJ_USER: switch (op) { case AUDIT_EQUAL: match = (ctxt->user == rule->au_ctxt.user); @@ -1958,7 +1958,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, break; } break; - case AUDIT_SE_ROLE: + case AUDIT_SUBJ_ROLE: switch (op) { case AUDIT_EQUAL: match = (ctxt->role == rule->au_ctxt.role); @@ -1968,7 +1968,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, break; } break; - case AUDIT_SE_TYPE: + case AUDIT_SUBJ_TYPE: switch (op) { case AUDIT_EQUAL: match = (ctxt->type == rule->au_ctxt.type); @@ -1978,9 +1978,9 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, break; } break; - case AUDIT_SE_SEN: - case AUDIT_SE_CLR: - level = (field == AUDIT_SE_SEN ? + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: + level = (field == AUDIT_SUBJ_SEN ? &ctxt->range.level[0] : &ctxt->range.level[1]); switch (op) { case AUDIT_EQUAL: -- cgit v1.1 From 6e5a2d1d32596850a0ebf7fb3e54c0d69901dabd Mon Sep 17 00:00:00 2001 From: Darrel Goeddel Date: Thu, 29 Jun 2006 16:57:08 -0500 Subject: [PATCH] audit: support for object context filters This patch introduces object audit filters based on the elements of the SELinux context. Signed-off-by: Darrel Goeddel Acked-by: Stephen Smalley kernel/auditfilter.c | 25 +++++++++++++++++++++++++ kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++ security/selinux/ss/services.c | 18 +++++++++++++++++- 3 files changed, 82 insertions(+), 1 deletion(-) Signed-off-by: Al Viro --- kernel/auditfilter.c | 25 +++++++++++++++++++++++++ kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++ security/selinux/ss/services.c | 18 +++++++++++++++++- 3 files changed, 82 insertions(+), 1 deletion(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 40a9931..7f2ea8b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -475,6 +475,11 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: str = audit_unpack_string(&bufp, &remain, f->val); if (IS_ERR(str)) goto exit_free; @@ -616,6 +621,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: data->buflen += data->values[i] = audit_pack_string(&bufp, f->se_str); break; @@ -659,6 +669,11 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) return 1; break; @@ -779,6 +794,11 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old, case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: err = audit_dupe_selinux_field(&new->fields[i], &old->fields[i]); break; @@ -1542,6 +1562,11 @@ static inline int audit_rule_has_selinux(struct audit_krule *rule) case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: return 1; } } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1d24fad..ae40ac8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -342,6 +342,46 @@ static int audit_filter_rules(struct task_struct *tsk, ctx); } break; + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: + /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR + also applies here */ + if (f->se_rule) { + /* Find files that match */ + if (name) { + result = selinux_audit_rule_match( + name->osid, f->type, f->op, + f->se_rule, ctx); + } else if (ctx) { + for (j = 0; j < ctx->name_count; j++) { + if (selinux_audit_rule_match( + ctx->names[j].osid, + f->type, f->op, + f->se_rule, ctx)) { + ++result; + break; + } + } + } + /* Find ipc objects that match */ + if (ctx) { + struct audit_aux_data *aux; + for (aux = ctx->aux; aux; + aux = aux->next) { + if (aux->type == AUDIT_IPC) { + struct audit_aux_data_ipcctl *axi = (void *)aux; + if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { + ++result; + break; + } + } + } + } + } + break; case AUDIT_ARG0: case AUDIT_ARG1: case AUDIT_ARG2: diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 92e80b9..d2e80e6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1848,12 +1848,17 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: /* only 'equals' and 'not equals' fit user, role, and type */ if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) return -EINVAL; break; case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: /* we do not allow a range, indicated by the presense of '-' */ if (strchr(rulestr, '-')) return -EINVAL; @@ -1875,6 +1880,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, switch (field) { case AUDIT_SUBJ_USER: + case AUDIT_OBJ_USER: userdatum = hashtab_search(policydb.p_users.table, rulestr); if (!userdatum) rc = -EINVAL; @@ -1882,6 +1888,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, tmprule->au_ctxt.user = userdatum->value; break; case AUDIT_SUBJ_ROLE: + case AUDIT_OBJ_ROLE: roledatum = hashtab_search(policydb.p_roles.table, rulestr); if (!roledatum) rc = -EINVAL; @@ -1889,6 +1896,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, tmprule->au_ctxt.role = roledatum->value; break; case AUDIT_SUBJ_TYPE: + case AUDIT_OBJ_TYPE: typedatum = hashtab_search(policydb.p_types.table, rulestr); if (!typedatum) rc = -EINVAL; @@ -1897,6 +1905,8 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, break; case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); break; } @@ -1949,6 +1959,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, without a match */ switch (field) { case AUDIT_SUBJ_USER: + case AUDIT_OBJ_USER: switch (op) { case AUDIT_EQUAL: match = (ctxt->user == rule->au_ctxt.user); @@ -1959,6 +1970,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, } break; case AUDIT_SUBJ_ROLE: + case AUDIT_OBJ_ROLE: switch (op) { case AUDIT_EQUAL: match = (ctxt->role == rule->au_ctxt.role); @@ -1969,6 +1981,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, } break; case AUDIT_SUBJ_TYPE: + case AUDIT_OBJ_TYPE: switch (op) { case AUDIT_EQUAL: match = (ctxt->type == rule->au_ctxt.type); @@ -1980,7 +1993,10 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, break; case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: - level = (field == AUDIT_SUBJ_SEN ? + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: + level = ((field == AUDIT_SUBJ_SEN || + field == AUDIT_OBJ_LEV_LOW) ? &ctxt->range.level[0] : &ctxt->range.level[1]); switch (op) { case AUDIT_EQUAL: -- cgit v1.1 From b915543b46a2aa599fdd2169e51bcfd88812a12b Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 1 Jul 2006 03:56:16 -0400 Subject: [PATCH] audit syscall classes Allow to tie upper bits of syscall bitmap in audit rules to kernel-defined sets of syscalls. Infrastructure, a couple of classes (with 32bit counterparts for biarch targets) and actual tie-in on i386, amd64 and ia64. Signed-off-by: Al Viro --- arch/i386/kernel/Makefile | 1 + arch/i386/kernel/audit.c | 23 +++++++++++++++++++ arch/ia64/ia32/Makefile | 1 + arch/ia64/ia32/audit.c | 11 ++++++++++ arch/ia64/kernel/Makefile | 1 + arch/ia64/kernel/audit.c | 29 ++++++++++++++++++++++++ arch/x86_64/ia32/Makefile | 3 +++ arch/x86_64/ia32/audit.c | 11 ++++++++++ arch/x86_64/kernel/Makefile | 1 + arch/x86_64/kernel/audit.c | 29 ++++++++++++++++++++++++ include/asm-generic/audit_change_attr.h | 18 +++++++++++++++ include/asm-generic/audit_dir_write.h | 14 ++++++++++++ include/linux/audit.h | 7 ++++++ kernel/auditfilter.c | 39 +++++++++++++++++++++++++++++++++ 14 files changed, 188 insertions(+) create mode 100644 arch/i386/kernel/audit.c create mode 100644 arch/ia64/ia32/audit.c create mode 100644 arch/ia64/kernel/audit.c create mode 100644 arch/x86_64/ia32/audit.c create mode 100644 arch/x86_64/kernel/audit.c create mode 100644 include/asm-generic/audit_change_attr.h create mode 100644 include/asm-generic/audit_dir_write.h diff --git a/arch/i386/kernel/Makefile b/arch/i386/kernel/Makefile index 5e70c2f..cbc1184 100644 --- a/arch/i386/kernel/Makefile +++ b/arch/i386/kernel/Makefile @@ -38,6 +38,7 @@ obj-$(CONFIG_VM86) += vm86.o obj-$(CONFIG_EARLY_PRINTK) += early_printk.o obj-$(CONFIG_HPET_TIMER) += hpet.o obj-$(CONFIG_K8_NB) += k8.o +obj-$(CONFIG_AUDIT) += audit.o EXTRA_AFLAGS := -traditional diff --git a/arch/i386/kernel/audit.c b/arch/i386/kernel/audit.c new file mode 100644 index 0000000..5a53c6f --- /dev/null +++ b/arch/i386/kernel/audit.c @@ -0,0 +1,23 @@ +#include +#include +#include +#include + +static unsigned dir_class[] = { +#include +~0U +}; + +static unsigned chattr_class[] = { +#include +~0U +}; + +static int __init audit_classes_init(void) +{ + audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); + audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); + return 0; +} + +__initcall(audit_classes_init); diff --git a/arch/ia64/ia32/Makefile b/arch/ia64/ia32/Makefile index 61cb60a..baad8c7 100644 --- a/arch/ia64/ia32/Makefile +++ b/arch/ia64/ia32/Makefile @@ -4,6 +4,7 @@ obj-y := ia32_entry.o sys_ia32.o ia32_signal.o \ ia32_support.o ia32_traps.o binfmt_elf32.o ia32_ldt.o +obj-$(CONFIG_AUDIT) += audit.o # Don't let GCC uses f16-f31 so that save_ia32_fpstate_live() and # restore_ia32_fpstate_live() can be sure the live register contain user-level state. diff --git a/arch/ia64/ia32/audit.c b/arch/ia64/ia32/audit.c new file mode 100644 index 0000000..ab94f2e --- /dev/null +++ b/arch/ia64/ia32/audit.c @@ -0,0 +1,11 @@ +#include + +unsigned ia32_dir_class[] = { +#include +~0U +}; + +unsigned ia32_chattr_class[] = { +#include +~0U +}; diff --git a/arch/ia64/kernel/Makefile b/arch/ia64/kernel/Makefile index 09a0dbc..0e4553f 100644 --- a/arch/ia64/kernel/Makefile +++ b/arch/ia64/kernel/Makefile @@ -29,6 +29,7 @@ obj-$(CONFIG_CPU_FREQ) += cpufreq/ obj-$(CONFIG_IA64_MCA_RECOVERY) += mca_recovery.o obj-$(CONFIG_KPROBES) += kprobes.o jprobes.o obj-$(CONFIG_IA64_UNCACHED_ALLOCATOR) += uncached.o +obj-$(CONFIG_AUDIT) += audit.o mca_recovery-y += mca_drv.o mca_drv_asm.o # The gate DSO image is built using a special linker script. diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c new file mode 100644 index 0000000..f251293 --- /dev/null +++ b/arch/ia64/kernel/audit.c @@ -0,0 +1,29 @@ +#include +#include +#include +#include + +static unsigned dir_class[] = { +#include +~0U +}; + +static unsigned chattr_class[] = { +#include +~0U +}; + +static int __init audit_classes_init(void) +{ +#ifdef CONFIG_IA32_SUPPORT + extern __u32 ia32_dir_class[]; + extern __u32 ia32_chattr_class[]; + audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class); + audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class); +#endif + audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); + audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); + return 0; +} + +__initcall(audit_classes_init); diff --git a/arch/x86_64/ia32/Makefile b/arch/x86_64/ia32/Makefile index e9263b4..62bc5f5 100644 --- a/arch/x86_64/ia32/Makefile +++ b/arch/x86_64/ia32/Makefile @@ -11,6 +11,9 @@ obj-$(CONFIG_IA32_EMULATION) += $(sysv-y) obj-$(CONFIG_IA32_AOUT) += ia32_aout.o +audit-class-$(CONFIG_AUDIT) := audit.o +obj-$(CONFIG_IA32_EMULATION) += $(audit-class-y) + $(obj)/syscall32_syscall.o: \ $(foreach F,sysenter syscall,$(obj)/vsyscall-$F.so) diff --git a/arch/x86_64/ia32/audit.c b/arch/x86_64/ia32/audit.c new file mode 100644 index 0000000..ab94f2e --- /dev/null +++ b/arch/x86_64/ia32/audit.c @@ -0,0 +1,11 @@ +#include + +unsigned ia32_dir_class[] = { +#include +~0U +}; + +unsigned ia32_chattr_class[] = { +#include +~0U +}; diff --git a/arch/x86_64/kernel/Makefile b/arch/x86_64/kernel/Makefile index aeb9c56..819e84e 100644 --- a/arch/x86_64/kernel/Makefile +++ b/arch/x86_64/kernel/Makefile @@ -35,6 +35,7 @@ obj-$(CONFIG_KPROBES) += kprobes.o obj-$(CONFIG_X86_PM_TIMER) += pmtimer.o obj-$(CONFIG_X86_VSMP) += vsmp.o obj-$(CONFIG_K8_NB) += k8.o +obj-$(CONFIG_AUDIT) += audit.o obj-$(CONFIG_MODULES) += module.o diff --git a/arch/x86_64/kernel/audit.c b/arch/x86_64/kernel/audit.c new file mode 100644 index 0000000..a067aa4 --- /dev/null +++ b/arch/x86_64/kernel/audit.c @@ -0,0 +1,29 @@ +#include +#include +#include +#include + +static unsigned dir_class[] = { +#include +~0U +}; + +static unsigned chattr_class[] = { +#include +~0U +}; + +static int __init audit_classes_init(void) +{ +#ifdef CONFIG_IA32_EMULATION + extern __u32 ia32_dir_class[]; + extern __u32 ia32_chattr_class[]; + audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class); + audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class); +#endif + audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); + audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); + return 0; +} + +__initcall(audit_classes_init); diff --git a/include/asm-generic/audit_change_attr.h b/include/asm-generic/audit_change_attr.h new file mode 100644 index 0000000..cb05bf6 --- /dev/null +++ b/include/asm-generic/audit_change_attr.h @@ -0,0 +1,18 @@ +__NR_chmod, +__NR_fchmod, +__NR_chown, +__NR_fchown, +__NR_lchown, +__NR_setxattr, +__NR_lsetxattr, +__NR_fsetxattr, +__NR_removexattr, +__NR_lremovexattr, +__NR_fremovexattr, +__NR_fchownat, +__NR_fchmodat, +#ifdef __NR_chown32 +__NR_chown32, +__NR_fchown32, +__NR_lchown32, +#endif diff --git a/include/asm-generic/audit_dir_write.h b/include/asm-generic/audit_dir_write.h new file mode 100644 index 0000000..161a7a5 --- /dev/null +++ b/include/asm-generic/audit_dir_write.h @@ -0,0 +1,14 @@ +__NR_rename, +__NR_mkdir, +__NR_rmdir, +__NR_creat, +__NR_link, +__NR_unlink, +__NR_symlink, +__NR_mknod, +__NR_mkdirat, +__NR_mknodat, +__NR_unlinkat, +__NR_renameat, +__NR_linkat, +__NR_symlinkat, diff --git a/include/linux/audit.h b/include/linux/audit.h index c211f0a..b27d7de 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -127,6 +127,12 @@ #define AUDIT_WORD(nr) ((__u32)((nr)/32)) #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) +#define AUDIT_SYSCALL_CLASSES 16 +#define AUDIT_CLASS_DIR_WRITE 0 +#define AUDIT_CLASS_DIR_WRITE_32 1 +#define AUDIT_CLASS_CHATTR 2 +#define AUDIT_CLASS_CHATTR_32 3 + /* This bitmask is used to validate user input. It represents all bits that * are currently used in an audit field constant understood by the kernel. * If you are adding a new #define AUDIT_, please ensure that @@ -307,6 +313,7 @@ struct mqstat; #define AUDITSC_SUCCESS 1 #define AUDITSC_FAILURE 2 #define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS ) +extern int __init audit_register_class(int class, unsigned *list); #ifdef CONFIG_AUDITSYSCALL /* These are defined in auditsc.c */ /* Public API */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 7f2ea8b..5b4e162 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -279,6 +279,29 @@ static int audit_to_watch(struct audit_krule *krule, char *path, int len, return 0; } +static __u32 *classes[AUDIT_SYSCALL_CLASSES]; + +int __init audit_register_class(int class, unsigned *list) +{ + __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); + if (!p) + return -ENOMEM; + while (*list != ~0U) { + unsigned n = *list++; + if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { + kfree(p); + return -EINVAL; + } + p[AUDIT_WORD(n)] |= AUDIT_BIT(n); + } + if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { + kfree(p); + return -EINVAL; + } + classes[class] = p; + return 0; +} + /* Common user-space to kernel rule translation. */ static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) { @@ -322,6 +345,22 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) for (i = 0; i < AUDIT_BITMASK_SIZE; i++) entry->rule.mask[i] = rule->mask[i]; + for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { + int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; + __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; + __u32 *class; + + if (!(*p & AUDIT_BIT(bit))) + continue; + *p &= ~AUDIT_BIT(bit); + class = classes[i]; + if (class) { + int j; + for (j = 0; j < AUDIT_BITMASK_SIZE; j++) + entry->rule.mask[j] |= class[j]; + } + } + return entry; exit_err: -- cgit v1.1