summaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
AgeCommit message (Collapse)AuthorFilesLines
2005-08-27[AUDIT] Allow filtering on system call success _or_ failureDavid Woodhouse1-2/+6
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-08-17AUDIT: Prevent duplicate syscall rulesAmy Griffis1-39/+56
The following patch against audit.81 prevents duplicate syscall rules in a given filter list by walking the list on each rule add. I also removed the unused struct audit_entry in audit.c and made the static inlines in auditsc.c consistent. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-08-17AUDIT: Speed up audit_filter_syscall() for the non-auditable case.David Woodhouse1-10/+12
It was showing up fairly high on profiles even when no rules were set. Make sure the common path stays as fast as possible. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-08-17AUDIT: Fix task refcount leak in audit_filter_syscall()David Woodhouse1-1/+2
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-07-18AUDIT: Reduce contention in audit_serial()David Woodhouse1-1/+3
... by generating serial numbers only if an audit context is actually _used_, rather than doing so at syscall entry even when the context isn't necessarily marked auditable. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-07-14AUDIT: Fix compile error in audit_filter_syscallDavid Woodhouse1-1/+1
We didn't rename it to audit_tgid after all. Except once... Doh. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-07-13AUDIT: Avoid scheduling in idle threadDavid Woodhouse1-5/+8
When we flush a pending syscall audit record due to audit_free(), we might be doing that in the context of the idle thread. So use GFP_ATOMIC Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-07-13AUDIT: Exempt the whole auditd thread-group from auditingDavid Woodhouse1-2/+2
and not just the one thread. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-07-02AUDIT: Really don't audit auditd.David Woodhouse1-2/+2
The pid in the audit context isn't always set up. Use tsk->pid when checking whether it's auditd in audit_filter_syscall(), instead of ctx->pid. Remove a band-aid which did the same elsewhere. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-24AUDIT: Clean up user message filteringDavid Woodhouse1-14/+42
Don't look up the task by its pid and then use the syscall filtering helper. Just implement our own filter helper which operates solely on the information in the netlink_skb_parms. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-24AUDIT: Return correct result from audit_filter_rules()David Woodhouse1-1/+1
When the task refcounting was added to audit_filter_rules() it became more of a problem that this function was violating the 'only one return from each function' rule. In fixing it to use a variable to store 'ret' I stupidly neglected to actually change the 'return 1;' at the end. This makes it not work very well. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-23AUDIT: No really, we don't want to audit auditd.David Woodhouse1-1/+1
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-22AUDIT: Wait for backlog to clear when generating messages.David Woodhouse1-7/+7
Add a gfp_mask to audit_log_start() and audit_log(), to reduce the amount of GFP_ATOMIC allocation -- most of it doesn't need to be GFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to 60 seconds for the auditd backlog to clear instead of immediately abandoning the message. The timeout should probably be made configurable, but for now it'll suffice that it only happens if auditd is actually running. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-22AUDIT: Optimise the audit-disabled case for discarding user messagesDavid Woodhouse1-5/+16
Also exempt USER_AVC message from being discarded to preserve existing behaviour for SE Linux. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-21AUDIT: Spawn kernel thread to list filter rules.David Woodhouse1-8/+45
If we have enough rules to fill the netlink buffer space, it'll deadlock because auditctl isn't ever actually going to read from the socket until we return, and we aren't going to return until it reads... so we spawn a kernel thread to spew out the list and then exit. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-20AUDIT: Report lookup flags with path/inode records.David Woodhouse1-7/+11
When LOOKUP_PARENT is used, the inode which results is not the inode found at the pathname. Report the flags so that this doesn't generate misleading audit records. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-20AUDIT: Really exempt auditd from having its actions audited.David Woodhouse1-2/+8
We were only avoiding it on syscall exit before; now stop _everything_. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-06-19AUDIT: Allow filtering of user messagesDavid Woodhouse1-38/+54
Turn the field from a bitmask to an enumeration and add a list to allow filtering of messages generated by userspace. We also define a list for file system watches in anticipation of that feature. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-27AUDIT: Record working directory when syscall arguments are pathnamesDavid Woodhouse1-0/+23
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-26AUDIT: Defer freeing aux items until audit_free_context()David Woodhouse1-8/+2
While they were all just simple blobs it made sense to just free them as we walked through and logged them. Now that there are pointers to other objects which need refcounting, we might as well revert to _only_ logging them in audit_log_exit(), and put the code to free them properly in only one place -- in audit_free_aux(). Signed-off-by: David Woodhouse <dwmw2@infradead.org> ----------------------------------------------------------
2005-05-23AUDIT: Escape comm when logging task infoDavid Woodhouse1-1/+2
It comes from the user; it needs to be escaped. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-23AUDIT: Unify auid reporting, put arch before syscall numberDavid Woodhouse1-4/+4
These changes make processing of audit logs easier. Based on a patch from Steve Grubb <sgrubb@redhat.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-21AUDIT: Assign serial number to non-syscall messagesDavid Woodhouse1-40/+6
Move audit_serial() into audit.c and use it to generate serial numbers on messages even when there is no audit context from syscall auditing. This allows us to disambiguate audit records when more than one is generated in the same millisecond. Based on a patch by Steve Grubb after he observed the problem. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-21AUDIT: Fix inconsistent use of loginuid vs. auid, signed vs. unsigned Steve Grubb1-6/+6
The attached patch changes all occurrences of loginuid to auid. It also changes everything to %u that is an unsigned type. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-21AUDIT: Avoid sleeping function in SElinux AVC audit.Stephen Smalley1-0/+40
This patch changes the SELinux AVC to defer logging of paths to the audit framework upon syscall exit, by saving a reference to the (dentry,vfsmount) pair in an auxiliary audit item on the current audit context for processing by audit_log_exit. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-19AUDIT: Quis Custodiet Ipsos Custodes?David Woodhouse1-3/+4
Nobody does. Really, it gets very silly if auditd is recording its own actions. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-17AUDIT: Capture sys_socketcall arguments and sockaddrs David Woodhouse1-2/+71
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-13AUDIT: Fix some spelling errorsSteve Grubb1-2/+2
I'm going through the kernel code and have a patch that corrects several spelling errors in comments. From: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-13AUDIT: Add message types to audit recordsSteve Grubb1-17/+25
This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by: Steve Grubb <sgrubb@redhat.com> --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11Add audit_log_typeChris Wright1-16/+7
Add audit_log_type to allow callers to specify type and pid when logging. Convert audit_log to wrapper around audit_log_type. Could have converted all audit_log callers directly, but common case is default of type AUDIT_KERNEL and pid 0. Update audit_log_start to take type and pid values when creating a new audit_buffer. Move sequences that did audit_log_start, audit_log_format, audit_set_type, audit_log_end, to simply call audit_log_type directly. This obsoletes audit_set_type and audit_set_pid, so remove them. Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11Move ifdef CONFIG_AUDITSYSCALL to headerChris Wright1-4/+3
Remove code conditionally dependent on CONFIG_AUDITSYSCALL from audit.c. Move these dependencies to audit.h with the rest. Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11Audit requires CONFIG_NETChris Wright1-2/+0
Audit now actually requires netlink. So make it depend on CONFIG_NET, and remove the inline dependencies on CONFIG_NET. Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-06The attached patch addresses the problem with getting the audit daemon Steve Grubb1-0/+19
shutdown credential information. It creates a new message type AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the shutdown. It requires the placement of a hook function that gathers the information. The hook is after the DAC & MAC checks and before the function returns. Racing threads could overwrite the uid & pid - but they would have to be root and have policy that allows signalling the audit daemon. That should be a manageable risk. The userspace component will be released later in audit 0.7.2. When it receives the TERM signal, it queries the kernel for shutdown information. When it receives it, it writes the message and exits. The message looks like this: type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 uid=525, auditd pid=1685 Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29[AUDIT] LOGIN message credentialsSteve Grubb1-4/+5
Attached is a new patch that solves the issue of getting valid credentials into the LOGIN message. The current code was assuming that the audit context had already been copied. This is not always the case for LOGIN messages. To solve the problem, the patch passes the task struct to the function that emits the message where it can get valid credentials. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29Add audit uid to netlink credentialsSerge Hallyn1-1/+4
Most audit control messages are sent over netlink.In order to properly log the identity of the sender of audit control messages, we would like to add the loginuid to the netlink_creds structure, as per the attached patch. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29audit: update pointer to userspace tools, remove emacs mode tags1-1/+1
2005-04-29[AUDIT] Fix signedness of 'serial' in various routines.Steve Grubb1-1/+1
Attached is a patch that corrects a signed/unsigned warning. I also noticed that we needlessly init serial to 0. That only needs to occur if the kernel was compiled without the audit system. -Steve Grubb Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29[AUDIT] Don't allow ptrace to fool auditing, log arch of audited syscalls.1-6/+16
We were calling ptrace_notify() after auditing the syscall and arguments, but the debugger could have _changed_ them before the syscall was actually invoked. Reorder the calls to fix that. While we're touching ever call to audit_syscall_entry(), we also make it take an extra argument: the architecture of the syscall which was made, because some architectures allow more than one type of syscall. Also add an explicit success/failure flag to audit_syscall_exit(), for the benefit of architectures which return that in a condition register rather than only returning a single register. Change type of syscall return value to 'long' not 'int'. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29AUDIT: Avoid log pollution by untrusted strings.1-3/+4
We log strings from userspace, such as arguments to open(). These could be formatted to contain \n followed by fake audit log entries. Provide a function for logging such strings, which gives a hex dump when the string contains anything but basic printable ASCII characters. Use it for logging filenames. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-18[PATCH] SELinux: fix deadlock on dcache lockStephen Smalley1-0/+28
This fixes a deadlock on the dcache lock detected during testing at IBM by moving the logging of the current executable information from the SELinux avc_audit function to audit_log_exit (via an audit_log_task_info helper) for processing upon syscall exit. For consistency, the patch also removes the logging of other task-related information from avc_audit, deferring handling to audit_log_exit instead. This allows simplification of the avc_audit code, allows the exe information to be obtained more reliably, always includes the comm information (useful for scripts), and avoids including bogus task information for checks performed from irq or softirq. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-04-16Linux-2.6.12-rc2v2.6.12-rc2Linus Torvalds1-0/+1015
Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip!