Date: Wed, 15 Jul 2015 14:23:40 -0400
From: Richard Guy Briggs
To: Steve Grubb
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, pmoore@redhat.com, eparis@redhat.com
Subject: Re: [PATCH V6 0/4] audit by executable name
Message-ID: <20150715182340.GC32473@madcap2.tricolour.ca>
In-Reply-To: <2290951.jxBbQJQ7l8@x2>

On 15/07/15, Steve Grubb wrote:
> On Tuesday, July 14, 2015 11:50:22 AM Richard Guy Briggs wrote:
> > Please see the accompanying userspace patchset:
> > https://www.redhat.com/archives/linux-audit/2015-July/thread.html
> > [[PATCH V2] 0/2] Log on the future execution of a path
> > The userspace interface is not expected to change appreciably unless
> > something important has been overlooked. Setting and deleting rules works
> > as expected.
> >
> > If the path does not exist at rule creation time, it will be re-evaluated
> > every time there is a change to the parent directory at which point the
> > change in device and inode will be noted.
>
> Thanks for doing this. It's a much needed feature.
>
> In looking over it...does this add an AUDIT_VERSION_ define and use it in
> the feature mask so that I can tell what kernels support this? I might have
> missed it, but I can't find one.

Ah, thanks for catching that! I thought about it several times and even
backported the infrastructure. :-P

> -Steve
>
> > Here's a sample run:
> >
> > Test for addition, trigger and deletion of tree executable rule:
> >
> > # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
> > ----
> > time->Sat Jul 11 10:41:50 2015
> > type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
> > ----
> >
> > # /usr/bin/touch /tmp/test
> > ----
> > time->Sat Jul 11 10:41:50 2015
> > type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
> > type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
> > type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
> > type=CWD msg=audit(1436629310.757:44712): cwd="/root"
> > type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
> > ----
> >
> > # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
> > ----
> > time->Sat Jul 11 10:41:50 2015
> > type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
> > ----
> >
> >
> > Revision history:
> > v6: Explicitly declare prototypes as external.
> >     Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch,
> >     lsm_field.
> >     Rebased on v4.1.
> >     Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
> >     audit_autoremove_mark_rule() to avoid confusion with
> >     audit_remove_{watch,tree}_rule() usage.
> >     Add audit_remove_mark_rule() to provide similar interface as
> >     audit_remove_{watch,tree}_rule().
> >     Simplify stubs to defines.
> >     Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
> >     keeping with the naming convention of inotify_free_mark(),
> >     dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
> >     Return -ENOMEM rather than null in case of memory allocation failure for
> >     audit_mark in audit_alloc_mark().
> >     Rename audit_free_mark() to audit_mark_free() to avoid association with
> >     {i,d,fa}notify_free_mark() and audit_watch_free_mark().
> >     Clean up exe with similar interface as watch and tree.
> >     Clean up audit exe mark just before audit_free_rule() rather than in it
> >     to avoid mutex in software interrupt context.
> >     Fixed bug in audit_dupe_exe() that returned error rather than valid
> >     pointer.
> >
> > v5: Revert patch "Let audit_free_rule() take care of calling
> >     audit_remove_mark()." since it caused a group mark deadlock.
> >     https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
> >
> > v4: Re-order and squash down fixups
> >     Fix audit_dup_exe() to copy pathname string before calling
> >     audit_alloc_mark().
> >     https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
> >
> > v3: Rationalize and rename some function names and clean up get/put and free
> >     code. Rename several "watch" references to "mark".
> >     Rename audit_remove_rule() to audit_remove_mark_rule().
> >     Let audit_free_rule() take care of calling audit_remove_mark().
> >     Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> >     Move the access to the entry for audit_match_signal() to the beginning of
> >     the function in case the entry found is the same one passed in. This will
> >     enable it to be used by audit_remove_mark_rule().
> >     https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
> >
> > v2: Misguided attempt to add in audit_exe similar to watches
> >     https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
> >
> > v1.5: eparis' switch to fsnotify
> >     https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> >     https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
> >
> > v1: Change to path interface instead of inode
> >     https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
> >
> > v0: Peter Moodie's original patches
> >     https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
> >
> >
> > Future step:
> > Get full-path notify working.
> >
> >
> > Eric Paris (1):
> >   audit: implement audit by executable
> >
> > Richard Guy Briggs (3):
> >   audit: clean simple fsnotify implementation
> >   audit: convert audit_exe to audit_fsnotify
> >   audit: avoid double copying the audit_exe path string
> >
> >  include/linux/audit.h      |   1 +
> >  include/uapi/linux/audit.h |   2 +
> >  kernel/Makefile            |   2 +-
> >  kernel/audit.h             |  33 ++++++
> >  kernel/audit_exe.c         |  50 +++++++++
> >  kernel/audit_fsnotify.c    | 246 ++++++++++++++++++++++++++++++++++++++++++++
> >  kernel/audit_tree.c        |   2 +
> >  kernel/audit_watch.c       |   4 +
> >  kernel/auditfilter.c       |  63 +++++++++++-
> >  kernel/auditsc.c           |  16 +++
> >  10 files changed, 415 insertions(+), 4 deletions(-)
> >  create mode 100644 kernel/audit_exe.c
> >  create mode 100644 kernel/audit_fsnotify.c
> - RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
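The sample run quoted above shows what an `-F exe=... -F dir=...` rule produces: one CONFIG_CHANGE record per auditctl call, and for the triggering syscall a PROCTITLE, two PATH, a CWD and a SYSCALL record that all share one serial. The following Python script is an added example (it is not part of the patchset or of audit userspace) that parses records in that format, groups them by serial, decodes the hex PROCTITLE, and re-checks the rule's two conditions in userspace (the SYSCALL record's `exe` equals the rule's executable and at least one PATH record lies under the watched directory), which is how a reviewer can confirm from raw log text that a rule fired for the reason intended. The sample log is constructed from the records in the cover letter, rewrapped to one record per line; the record layout it assumes is exactly the `type=... msg=audit(ts:serial): k=v ...` form shown there.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the records from the cover letter's sample run,
# one record per line (the mailing-list copy had them line-wrapped).
SAMPLE_LOG = """\
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----
"""

# "type=T msg=audit(TIMESTAMP:SERIAL): <key=value fields>"
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# Values are either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Parse one audit record into a dict; separators and time-> lines give None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    for key, val in FIELD_RE.findall(m.group("body")):
        rec[key] = val.strip('"')
    return rec


def group_events(lines):
    """Group records by serial: every record of one syscall shares the serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators; return argv."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")


def under_dir(name, watched):
    """True if path `name` is the watched directory or lies beneath it."""
    w, n = os.path.normpath(watched), os.path.normpath(name)
    return n == w or n.startswith(w + "/")


def matches_exe_rule(event, exe, watched_dir):
    """Userspace re-check of '-F exe=<exe> -F dir=<watched_dir>': the event's
    SYSCALL record must name `exe` and some PATH record must be under the dir."""
    syscalls = [r for r in event if r["type"] == "SYSCALL"]
    paths = [r for r in event if r["type"] == "PATH"]
    if not syscalls or syscalls[0].get("exe") != exe:
        return False
    return any(under_dir(p.get("name", ""), watched_dir) for p in paths)


def find_matches(log_text, exe, watched_dir):
    """Serials of all events in `log_text` that satisfy the exe+dir rule."""
    events = group_events(log_text.splitlines())
    return sorted(s for s, ev in events.items() if matches_exe_rule(ev, exe, watched_dir))


if __name__ == "__main__":
    for serial in find_matches(SAMPLE_LOG, "/usr/bin/touch", "/tmp"):
        ev = group_events(SAMPLE_LOG.splitlines())[serial]
        title = next((r["proctitle"] for r in ev if r["type"] == "PROCTITLE"), "")
        print(serial, decode_proctitle(title))
```

Only the SYSCALL record carries `exe=` and `key=`; the PATH records carry the names the kernel resolved, so the check needs the whole serial-grouped event, not a single line. A CONFIG_CHANGE event (serials 44711 and 44713 above) has no SYSCALL record and never matches, which keeps the rule add/remove records out of the match set.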