Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753167AbbHGChM (ORCPT <rfc822;w@1wt.eu>);
	Thu, 6 Aug 2015 22:37:12 -0400
Received: from mx1.redhat.com ([209.132.183.28]:37428 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751541AbbHGChK (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 6 Aug 2015 22:37:10 -0400
From: Paul Moore <pmoore@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com,
        eparis@redhat.com, peter@hda3.com
Subject: Re: [PATCH V9 3/3] audit: add audit by children of executable path
Date: Thu, 06 Aug 2015 16:24:58 -0400
Message-ID: <5456503.IfTzUNfidJ@sifl>
Organization: Red Hat
User-Agent: KMail/4.14.10 (Linux/4.1.2-gentoo; KDE/4.14.10; x86_64; ; )
In-Reply-To: <d9b6e7ce17a8ffa71fe756a06922898f54ad78e5.1438801342.git.rgb@redhat.com>
References: <cover.1438801342.git.rgb@redhat.com> <d9b6e7ce17a8ffa71fe756a06922898f54ad78e5.1438801342.git.rgb@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3824
Lines: 112

On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> This adds the ability to audit the actions of children of a not-yet-running
> process.
> 
> This is a split-out of a heavily modified version of a patch originally
> submitted by Eric Paris with some ideas from Peter Moody.
> 
> Cc: Peter Moody <peter@hda3.com>
> Cc: Eric Paris <eparis@redhat.com>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/uapi/linux/audit.h |    1 +
>  kernel/auditfilter.c       |    5 +++++
>  kernel/auditsc.c           |   11 +++++++++++
>  3 files changed, 17 insertions(+), 0 deletions(-)

I'm still not really comfortable with that loop and since there hasn't been a 
really convincing use case I'm going to pass on this patch for right now.  If 
someone comes up with a *really* compelling case in the future I'll reconsider 
it.

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index e2ca600..55a8dec 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -267,6 +267,7 @@
>  #define AUDIT_OBJ_GID	110
>  #define AUDIT_FIELD_COMPARE	111
>  #define AUDIT_EXE	112
> +#define AUDIT_EXE_CHILDREN	113
> 
>  #define AUDIT_ARG0      200
>  #define AUDIT_ARG1      (AUDIT_ARG0+1)
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index c662638..802f0cc 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -406,6 +406,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) return -EINVAL;
>  		break;
>  	case AUDIT_EXE:
> +	case AUDIT_EXE_CHILDREN:
>  		if (f->op != Audit_equal)
>  			return -EINVAL;
>  		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> @@ -547,6 +548,7 @@ static struct audit_entry *audit_data_to_entry(struct
> audit_rule_data *data, entry->rule.filterkey = str;
>  			break;
>  		case AUDIT_EXE:
> +		case AUDIT_EXE_CHILDREN:
>  			if (entry->rule.exe || f->val > PATH_MAX)
>  				goto exit_free;
>  			str = audit_unpack_string(&bufp, &remain, f->val);
> @@ -643,6 +645,7 @@ static struct audit_rule_data
> *audit_krule_to_data(struct audit_krule *krule) audit_pack_string(&bufp,
> krule->filterkey);
>  			break;
>  		case AUDIT_EXE:
> +		case AUDIT_EXE_CHILDREN:
>  			data->buflen += data->values[i] =
>  				audit_pack_string(&bufp, audit_mark_path(krule->exe));
>  			break;
> @@ -710,6 +713,7 @@ static int audit_compare_rule(struct audit_krule *a,
> struct audit_krule *b) return 1;
>  			break;
>  		case AUDIT_EXE:
> +		case AUDIT_EXE_CHILDREN:
>  			/* both paths exist based on above type compare */
>  			if (strcmp(audit_mark_path(a->exe),
>  				   audit_mark_path(b->exe)))
> @@ -838,6 +842,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule
> *old) new->filterkey = fk;
>  			break;
>  		case AUDIT_EXE:
> +		case AUDIT_EXE_CHILDREN:
>  			err = audit_dupe_exe(new, old);
>  			break;
>  		}
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index e9bac2b..4f2b515 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -469,6 +469,17 @@ static int audit_filter_rules(struct task_struct *tsk,
>  		case AUDIT_EXE:
>  			result = audit_exe_compare(tsk, rule->exe);
>  			break;
> +		case AUDIT_EXE_CHILDREN:
> +		{
> +			struct task_struct *ptsk;
> +			for (ptsk = tsk; ptsk->parent->pid > 0; ptsk =
> find_task_by_vpid(ptsk->parent->pid)) { +				if 
(audit_exe_compare(ptsk,
> rule->exe)) {
> +					++result;
> +					break;
> +				}
> +			}
> +		}
> +			break;
>  		case AUDIT_UID:
>  			result = audit_uid_comparator(cred->uid, f->op, f->uid);
>  			break;

-- 
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/