[PATCH -v3 5/5] AUDIT: emit new record type showing all capset information - Kernel

This is a discussion on [PATCH -v3 5/5] AUDIT: emit new record type showing all capset information - Kernel ; When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets. example ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: [PATCH -v3 5/5] AUDIT: emit new record type showing all capset information

  1. [PATCH -v3 5/5] AUDIT: emit new record type showing all capset information

    When the capset syscall is used it is not possible for audit to record the
    actual capbilities being added/removed. This patch adds a new record type
    which emits the target pid and the eff, inh, and perm cap sets.

    example output if you audit capset syscalls would be:

    type=SYSCALL msg=audit(1225743140.465:76): arch=c000003e syscall=126 success=yes exit=0 a0=17f2014 a1=17f201c a2=80000000 a3=7fff2ab7f060 items=0 ppid=2160 pid=2223 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setcap" exe="/usr/sbin/setcap" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
    type=UNKNOWN[1322] msg=audit(1225743140.465:76): pid=0 cap_pi=ffffffffffffffff cap_pp=ffffffffffffffff cap_pe=ffffffffffffffff

    Signed-off-by: Eric Paris
    ---

    include/linux/audit.h | 10 ++++++++++
    kernel/auditsc.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
    kernel/capability.c | 5 +++++
    3 files changed, 63 insertions(+), 0 deletions(-)

    diff --git a/include/linux/audit.h b/include/linux/audit.h
    index 8cfb9fe..6fbebac 100644
    --- a/include/linux/audit.h
    +++ b/include/linux/audit.h
    @@ -100,6 +100,7 @@
    #define AUDIT_TTY 1319 /* Input on an administrative TTY */
    #define AUDIT_EOE 1320 /* End of multi-record event */
    #define AUDIT_BPRM_FCAPS 1321 /* Information about fcaps increasing perms */
    +#define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */

    #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
    #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
    @@ -454,6 +455,7 @@ extern int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __u
    extern int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification);
    extern int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
    extern void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_cap_t *pE);
    +extern int __audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm);

    static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
    {
    @@ -526,6 +528,13 @@ static inline void audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t
    __audit_log_bprm_fcaps(bprm, pP, pE);
    }

    +static inline int audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm)
    +{
    + if (unlikely(!audit_dummy_context()))
    + return __audit_log_capset(pid, eff, inh, perm);
    + return 0;
    +}
    +
    extern int audit_n_rules;
    extern int audit_signals;
    #else
    @@ -558,6 +567,7 @@ extern int audit_signals;
    #define audit_mq_notify(d,n) ({ 0; })
    #define audit_mq_getsetattr(d,s) ({ 0; })
    #define audit_log_bprm_fcaps(b, p, e) do { ; } while (0)
    +#define audit_log_capset(pid, e, i, p) ({ 0; })
    #define audit_ptrace(t) ((void)0)
    #define audit_n_rules 0
    #define audit_signals 0
    diff --git a/kernel/auditsc.c b/kernel/auditsc.c
    index b8b5a2a..d1d45b4 100644
    --- a/kernel/auditsc.c
    +++ b/kernel/auditsc.c
    @@ -204,6 +204,12 @@ struct audit_aux_data_bprm_fcaps {
    struct audit_cap_data new_pcap;
    };

    +struct audit_aux_data_capset {
    + struct audit_aux_data d;
    + pid_t pid;
    + struct audit_cap_data cap;
    +};
    +
    struct audit_tree_refs {
    struct audit_tree_refs *next;
    struct audit_chunk *c[31];
    @@ -1397,6 +1403,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
    audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
    break; }

    + case AUDIT_CAPSET: {
    + struct audit_aux_data_capset *axs = (void *)aux;
    + audit_log_format(ab, "pid=%d", axs->pid);
    + audit_log_cap(ab, "cap_pi", &axs->cap.inheritable);
    + audit_log_cap(ab, "cap_pp", &axs->cap.permitted);
    + audit_log_cap(ab, "cap_pe", &axs->cap.effective);
    + break; }
    +
    }
    audit_log_end(ab);
    }
    @@ -2570,6 +2584,40 @@ void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_
    }

    /**
    + * __audit_log_capset - store information about the arguments to the capset syscall
    + * @pid target pid of the capset call
    + * @eff effective cap set
    + * @inh inheritible cap set
    + * @perm permited cap set
    + *
    + * Record the aguments userspace sent to sys_capset for later printing by the
    + * audit system if applicable
    + */
    +int __audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm)
    +{
    + struct audit_aux_data_capset *ax;
    + struct audit_context *context = current->audit_context;
    +
    + if (likely(!audit_enabled || !context || context->dummy))
    + return 0;
    +
    + ax = kmalloc(sizeof(*ax), GFP_KERNEL);
    + if (!ax)
    + return -ENOMEM;
    +
    + ax->d.type = AUDIT_CAPSET;
    + ax->d.next = context->aux;
    + context->aux = (void *)ax;
    +
    + ax->pid = pid;
    + ax->cap.effective = *eff;
    + ax->cap.inheritable = *eff;
    + ax->cap.permitted = *perm;
    +
    + return 0;
    +}
    +
    +/**
    * audit_core_dumps - record information about processes that end abnormally
    * @signr: signal value
    *
    diff --git a/kernel/capability.c b/kernel/capability.c
    index 33e51e7..aaa2262 100644
    --- a/kernel/capability.c
    +++ b/kernel/capability.c
    @@ -7,6 +7,7 @@
    * 30 May 2002: Cleanup, Robert M. Love
    */

    +#include
    #include
    #include
    #include
    @@ -457,6 +458,10 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
    i++;
    }

    + ret = audit_log_capset(pid, &effective, &inheritable, &permitted);
    + if (ret)
    + return ret;
    +
    if (pid && (pid != task_pid_vnr(current)))
    ret = do_sys_capset_other_tasks(pid, &effective, &inheritable,
    &permitted);

    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  2. Re: [PATCH -v3 5/5] AUDIT: emit new record type showing all capset information

    Quoting Eric Paris (eparis@redhat.com):
    > When the capset syscall is used it is not possible for audit to record the
    > actual capbilities being added/removed. This patch adds a new record type
    > which emits the target pid and the eff, inh, and perm cap sets.
    >
    > example output if you audit capset syscalls would be:
    >
    > type=SYSCALL msg=audit(1225743140.465:76): arch=c000003e syscall=126 success=yes exit=0 a0=17f2014 a1=17f201c a2=80000000 a3=7fff2ab7f060 items=0 ppid=2160 pid=2223 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setcap" exe="/usr/sbin/setcap" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
    > type=UNKNOWN[1322] msg=audit(1225743140.465:76): pid=0 cap_pi=ffffffffffffffff cap_pp=ffffffffffffffff cap_pe=ffffffffffffffff
    >
    > Signed-off-by: Eric Paris


    Acked-by: Serge Hallyn

    > ---
    >
    > include/linux/audit.h | 10 ++++++++++
    > kernel/auditsc.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
    > kernel/capability.c | 5 +++++
    > 3 files changed, 63 insertions(+), 0 deletions(-)
    >
    > diff --git a/include/linux/audit.h b/include/linux/audit.h
    > index 8cfb9fe..6fbebac 100644
    > --- a/include/linux/audit.h
    > +++ b/include/linux/audit.h
    > @@ -100,6 +100,7 @@
    > #define AUDIT_TTY 1319 /* Input on an administrative TTY */
    > #define AUDIT_EOE 1320 /* End of multi-record event */
    > #define AUDIT_BPRM_FCAPS 1321 /* Information about fcaps increasing perms */
    > +#define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */
    >
    > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
    > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
    > @@ -454,6 +455,7 @@ extern int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __u
    > extern int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification);
    > extern int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
    > extern void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_cap_t *pE);
    > +extern int __audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm);
    >
    > static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
    > {
    > @@ -526,6 +528,13 @@ static inline void audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t
    > __audit_log_bprm_fcaps(bprm, pP, pE);
    > }
    >
    > +static inline int audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm)
    > +{
    > + if (unlikely(!audit_dummy_context()))
    > + return __audit_log_capset(pid, eff, inh, perm);
    > + return 0;
    > +}
    > +
    > extern int audit_n_rules;
    > extern int audit_signals;
    > #else
    > @@ -558,6 +567,7 @@ extern int audit_signals;
    > #define audit_mq_notify(d,n) ({ 0; })
    > #define audit_mq_getsetattr(d,s) ({ 0; })
    > #define audit_log_bprm_fcaps(b, p, e) do { ; } while (0)
    > +#define audit_log_capset(pid, e, i, p) ({ 0; })
    > #define audit_ptrace(t) ((void)0)
    > #define audit_n_rules 0
    > #define audit_signals 0
    > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
    > index b8b5a2a..d1d45b4 100644
    > --- a/kernel/auditsc.c
    > +++ b/kernel/auditsc.c
    > @@ -204,6 +204,12 @@ struct audit_aux_data_bprm_fcaps {
    > struct audit_cap_data new_pcap;
    > };
    >
    > +struct audit_aux_data_capset {
    > + struct audit_aux_data d;
    > + pid_t pid;
    > + struct audit_cap_data cap;
    > +};
    > +
    > struct audit_tree_refs {
    > struct audit_tree_refs *next;
    > struct audit_chunk *c[31];
    > @@ -1397,6 +1403,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
    > audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
    > break; }
    >
    > + case AUDIT_CAPSET: {
    > + struct audit_aux_data_capset *axs = (void *)aux;
    > + audit_log_format(ab, "pid=%d", axs->pid);
    > + audit_log_cap(ab, "cap_pi", &axs->cap.inheritable);
    > + audit_log_cap(ab, "cap_pp", &axs->cap.permitted);
    > + audit_log_cap(ab, "cap_pe", &axs->cap.effective);
    > + break; }
    > +
    > }
    > audit_log_end(ab);
    > }
    > @@ -2570,6 +2584,40 @@ void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_
    > }
    >
    > /**
    > + * __audit_log_capset - store information about the arguments to the capset syscall
    > + * @pid target pid of the capset call
    > + * @eff effective cap set
    > + * @inh inheritible cap set
    > + * @perm permited cap set
    > + *
    > + * Record the aguments userspace sent to sys_capset for later printing by the
    > + * audit system if applicable
    > + */
    > +int __audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm)
    > +{
    > + struct audit_aux_data_capset *ax;
    > + struct audit_context *context = current->audit_context;
    > +
    > + if (likely(!audit_enabled || !context || context->dummy))
    > + return 0;
    > +
    > + ax = kmalloc(sizeof(*ax), GFP_KERNEL);
    > + if (!ax)
    > + return -ENOMEM;
    > +
    > + ax->d.type = AUDIT_CAPSET;
    > + ax->d.next = context->aux;
    > + context->aux = (void *)ax;
    > +
    > + ax->pid = pid;
    > + ax->cap.effective = *eff;
    > + ax->cap.inheritable = *eff;
    > + ax->cap.permitted = *perm;
    > +
    > + return 0;
    > +}
    > +
    > +/**
    > * audit_core_dumps - record information about processes that end abnormally
    > * @signr: signal value
    > *
    > diff --git a/kernel/capability.c b/kernel/capability.c
    > index 33e51e7..aaa2262 100644
    > --- a/kernel/capability.c
    > +++ b/kernel/capability.c
    > @@ -7,6 +7,7 @@
    > * 30 May 2002: Cleanup, Robert M. Love
    > */
    >
    > +#include
    > #include
    > #include
    > #include
    > @@ -457,6 +458,10 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
    > i++;
    > }
    >
    > + ret = audit_log_capset(pid, &effective, &inheritable, &permitted);
    > + if (ret)
    > + return ret;
    > +
    > if (pid && (pid != task_pid_vnr(current)))
    > ret = do_sys_capset_other_tasks(pid, &effective, &inheritable,
    > &permitted);

    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

+ Reply to Thread