From a5cb013da773a67ee48d1c19e96436c22a73a7eb Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 20 Mar 2007 13:58:35 -0400 Subject: [PATCH] auditing ptrace Signed-off-by: Al Viro --- include/linux/audit.h | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'include/linux') diff --git a/include/linux/audit.h b/include/linux/audit.h index 773e30df11e..f93ce78cecb 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -91,6 +91,7 @@ #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ #define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ +#define AUDIT_OBJ_PID 1318 /* ptrace target */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ @@ -352,6 +353,8 @@ extern void __audit_inode(const char *name, const struct inode *inode); extern void __audit_inode_child(const char *dname, const struct inode *inode, const struct inode *parent); extern void __audit_inode_update(const struct inode *inode); +extern void __audit_ptrace(struct task_struct *t); + static inline int audit_dummy_context(void) { void *p = current->audit_context; @@ -377,6 +380,12 @@ static inline void audit_inode_update(const struct inode *inode) { __audit_inode_update(inode); } +static inline void audit_ptrace(struct task_struct *t) +{ + if (unlikely(!audit_dummy_context())) + __audit_ptrace(t); +} + /* Private API (for audit.c only) */ extern unsigned int audit_serial(void); extern void auditsc_get_stamp(struct audit_context *ctx, @@ -477,6 +486,7 @@ extern int audit_n_rules; #define audit_mq_timedreceive(d,l,p,t) ({ 0; }) #define audit_mq_notify(d,n) ({ 0; }) #define audit_mq_getsetattr(d,s) ({ 0; }) +#define audit_ptrace(t) ((void)0) #define audit_n_rules 0 #endif -- cgit v1.2.3 From 7f13da40e36c84d0d046b7adbd060af7d3717250 Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Thu, 29 Mar 2007 18:00:37 -0400 Subject: [PATCH] add SIGNAL syscall class (v3) Add a syscall class for sending signals. Signed-off-by: Amy Griffis Signed-off-by: Al Viro --- include/linux/audit.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include/linux') diff --git a/include/linux/audit.h b/include/linux/audit.h index f93ce78cecb..f165308254d 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -149,6 +149,8 @@ #define AUDIT_CLASS_READ_32 5 #define AUDIT_CLASS_WRITE 6 #define AUDIT_CLASS_WRITE_32 7 +#define AUDIT_CLASS_SIGNAL 8 +#define AUDIT_CLASS_SIGNAL_32 9 /* This bitmask is used to validate user input. It represents all bits that * are currently used in an audit field constant understood by the kernel. -- cgit v1.2.3 From e54dc2431d740a79a6bd013babade99d71b1714f Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Thu, 29 Mar 2007 18:01:04 -0400 Subject: [PATCH] audit signal recipients When auditing syscalls that send signals, log the pid and security context for each target process. Optimize the data collection by adding a counter for signal-related rules, and avoiding allocating an aux struct unless we have more than one target process. For process groups, collect pid/context data in blocks of 16. Move the audit_signal_info() hook up in check_kill_permission() so we audit attempts where permission is denied. Signed-off-by: Amy Griffis Signed-off-by: Al Viro --- include/linux/audit.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/linux') diff --git a/include/linux/audit.h b/include/linux/audit.h index f165308254d..fde0f1420cd 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -340,6 +340,7 @@ struct mqstat; #define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS ) extern int __init audit_register_class(int class, unsigned *list); extern int audit_classify_syscall(int abi, unsigned syscall); +extern int audit_classify_arch(int arch); #ifdef CONFIG_AUDITSYSCALL /* These are defined in auditsc.c */ /* Public API */ @@ -458,6 +459,7 @@ static inline int audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) return 0; } extern int audit_n_rules; +extern int audit_signals; #else #define audit_alloc(t) ({ 0; }) #define audit_free(t) do { ; } while (0) @@ -490,6 +492,7 @@ extern int audit_n_rules; #define audit_mq_getsetattr(d,s) ({ 0; }) #define audit_ptrace(t) ((void)0) #define audit_n_rules 0 +#define audit_signals 0 #endif #ifdef CONFIG_AUDIT -- cgit v1.2.3 From 4fc03b9beb2314f3adb9e72b7935a80c577954d1 Mon Sep 17 00:00:00 2001 From: Amy Griffis Date: Tue, 13 Feb 2007 14:15:01 -0500 Subject: [PATCH] complete message queue auditing Handle the edge cases for POSIX message queue auditing. Collect inode info when opening an existing mq, and for send/receive operations. Remove audit_inode_update() as it has really evolved into the equivalent of audit_inode(). Signed-off-by: Amy Griffis Signed-off-by: Al Viro --- include/linux/audit.h | 7 ------- 1 file changed, 7 deletions(-) (limited to 'include/linux') diff --git a/include/linux/audit.h b/include/linux/audit.h index fde0f1420cd..22976ddbd26 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -355,7 +355,6 @@ extern void audit_putname(const char *name); extern void __audit_inode(const char *name, const struct inode *inode); extern void __audit_inode_child(const char *dname, const struct inode *inode, const struct inode *parent); -extern void __audit_inode_update(const struct inode *inode); extern void __audit_ptrace(struct task_struct *t); static inline int audit_dummy_context(void) @@ -378,10 +377,6 @@ static inline void audit_inode_child(const char *dname, if (unlikely(!audit_dummy_context())) __audit_inode_child(dname, inode, parent); } -static inline void audit_inode_update(const struct inode *inode) { - if (unlikely(!audit_dummy_context())) - __audit_inode_update(inode); -} static inline void audit_ptrace(struct task_struct *t) { @@ -470,10 +465,8 @@ extern int audit_signals; #define audit_putname(n) do { ; } while (0) #define __audit_inode(n,i) do { ; } while (0) #define __audit_inode_child(d,i,p) do { ; } while (0) -#define __audit_inode_update(i) do { ; } while (0) #define audit_inode(n,i) do { ; } while (0) #define audit_inode_child(d,i,p) do { ; } while (0) -#define audit_inode_update(i) do { ; } while (0) #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_log_task_context(b) do { ; } while (0) -- cgit v1.2.3 From 0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Thu, 19 Apr 2007 10:28:21 -0400 Subject: [PATCH] Abnormal End of Processes Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system. Signed-off-by: Steve Grubb Signed-off-by: Al Viro --- include/linux/audit.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/linux') diff --git a/include/linux/audit.h b/include/linux/audit.h index 22976ddbd26..fccc6e50298 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -112,6 +112,7 @@ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ +#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ @@ -377,6 +378,7 @@ static inline void audit_inode_child(const char *dname, if (unlikely(!audit_dummy_context())) __audit_inode_child(dname, inode, parent); } +void audit_core_dumps(long signr); static inline void audit_ptrace(struct task_struct *t) { @@ -467,6 +469,7 @@ extern int audit_signals; #define __audit_inode_child(d,i,p) do { ; } while (0) #define audit_inode(n,i) do { ; } while (0) #define audit_inode_child(d,i,p) do { ; } while (0) +#define audit_core_dumps(i) do { ; } while (0) #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) #define audit_get_loginuid(c) ({ -1; }) #define audit_log_task_context(b) do { ; } while (0) -- cgit v1.2.3