From: Paul Moore
To: Richard Guy Briggs
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com, eparis@redhat.com, peter@hda3.com
Subject: Re: [PATCH V9 3/3] audit: add audit by children of executable path
Date: Thu, 06 Aug 2015 16:24:58 -0400
Message-ID: <5456503.IfTzUNfidJ@sifl>
Organization: Red Hat

On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> This adds the ability to audit the actions of children of a not-yet-running
> process.
>
> This is a split-out of a heavily modified version of a patch originally
> submitted by Eric Paris with some ideas from Peter Moody.
>
> Cc: Peter Moody
> Cc: Eric Paris
> Signed-off-by: Richard Guy Briggs
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/auditfilter.c | 5 +++++
> kernel/auditsc.c | 11 +++++++++++
> 3 files changed, 17 insertions(+), 0 deletions(-)

I'm still not really comfortable with that loop, and since there hasn't been a really convincing use case I'm going to pass on this patch for right now. If someone comes up with a *really* compelling case in the future I'll reconsider it.

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index e2ca600..55a8dec 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h
> @@ -267,6 +267,7 @@ > #define AUDIT_OBJ_GID 110 > #define AUDIT_FIELD_COMPARE 111 > #define AUDIT_EXE 112 > +#define AUDIT_EXE_CHILDREN 113 > > #define AUDIT_ARG0 200 > #define AUDIT_ARG1 (AUDIT_ARG0+1) > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index c662638..802f0cc 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -406,6 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) return -EINVAL; > break; > case AUDIT_EXE: > + case AUDIT_EXE_CHILDREN: > if (f->op != Audit_equal) > return -EINVAL; > if (entry->rule.listnr != AUDIT_FILTER_EXIT) > @@ -547,6 +548,7 @@ static struct audit_entry *audit_data_to_entry(struct > audit_rule_data *data, entry->rule.filterkey = str; > break; > case AUDIT_EXE: > + case AUDIT_EXE_CHILDREN: > if (entry->rule.exe || f->val > PATH_MAX) > goto exit_free; > str = audit_unpack_string(&bufp, &remain, f->val); > @@ -643,6 +645,7 @@ static struct audit_rule_data > *audit_krule_to_data(struct audit_krule *krule) audit_pack_string(&bufp, > krule->filterkey); > break; > case AUDIT_EXE: > + case AUDIT_EXE_CHILDREN: > data->buflen += data->values[i] = > audit_pack_string(&bufp, audit_mark_path(krule->exe)); > break; > @@ -710,6 +713,7 @@ static int audit_compare_rule(struct audit_krule *a, > struct audit_krule *b) return 1; > break; > case AUDIT_EXE: > + case AUDIT_EXE_CHILDREN: > /* both paths exist based on above type compare */ > if (strcmp(audit_mark_path(a->exe), > audit_mark_path(b->exe))) > @@ -838,6 +842,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule > *old) new->filterkey = fk; > break; > case AUDIT_EXE: > + case AUDIT_EXE_CHILDREN: > err = audit_dupe_exe(new, old); > break; > } > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index e9bac2b..4f2b515 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c 
> @@ -469,6 +469,17 @@ static int audit_filter_rules(struct task_struct *tsk, > case AUDIT_EXE: > result = audit_exe_compare(tsk, rule->exe); > break; > + case AUDIT_EXE_CHILDREN: > + { > + struct task_struct *ptsk; > + for (ptsk = tsk; ptsk->parent->pid > 0; ptsk = > find_task_by_vpid(ptsk->parent->pid)) { + if (audit_exe_compare(ptsk, > rule->exe)) { > + ++result; > + break; > + } > + } > + } > + break; > case AUDIT_UID: > result = audit_uid_comparator(cred->uid, f->op, f->uid); > break;
-- 
paul moore
security @ redhat
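Review bot: the new UAPI value in the include/uapi/linux/audit.h hunk (`#define AUDIT_EXE_CHILDREN 113`) becomes ABI without any statement of what it matches; the commit message says "children of a not-yet-running process", but the auditsc.c hunk walks from `tsk` itself up through every ancestor, so the field also matches the named executable's own actions and any descendant at any depth. Spell that out either in the commit message or in a comment beside the define so userspace tooling documents the right semantics.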
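Review bot: in the audit_data_to_entry() hunk of kernel/auditfilter.c, the shared guard `if (entry->rule.exe || f->val > PATH_MAX) goto exit_free;` means AUDIT_EXE and AUDIT_EXE_CHILDREN both store their path in `entry->rule.exe`, so a single rule can never carry both fields and the second one is rejected with no hint why. If that restriction is intended, add a comment saying so at the guard and mention it in the commit message; if not, the two types need separate mark storage, which also affects the audit_compare_rule() and audit_dupe_rule() hunks that assume one `exe` per rule.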
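Review bot: the walk in the kernel/auditsc.c hunk can dereference NULL: `find_task_by_vpid(ptsk->parent->pid)` looks the pid up relative to the caller's pid namespace and returns NULL when the task is not visible there (the parent of a namespace's init is one such case), after which the loop test `ptsk->parent->pid > 0` faults. The pid round trip is also unnecessary and requires rcu_read_lock() or tasklist_lock to be held, which nothing in the hunk shows; stepping `ptsk = ptsk->real_parent` under rcu_read_lock() stays inside the task tree regardless of namespace and uses the real parent rather than `parent`, which points at the ptracer while a task is being ptraced. Finally, `++result` on a match reads as accumulation when only the first hit matters; `result = 1; break;` says what the loop actually does.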