Commit 626abcd1 authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by Paul Moore
Browse files

audit: add syscall information to CONFIG_CHANGE records 

Tie syscall information to all CONFIG_CHANGE calls since they are all a
result of user actions.

Exclude user records from syscall context:
Since the function audit_log_common_recv_msg() is shared by a number of
AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types,
and since the AUDIT_CONFIG_CHANGE message type has been converted to a
syscall accompanied record type, special-case the AUDIT_USER_* range of
messages so they remain standalone records.

See: https://github.com/linux-audit/audit-kernel/issues/59
See: https://github.com/linux-audit/audit-kernel/issues/50



Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
[PM: fix line lengths in kernel/audit.c]
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 9e36a5d4

kernel/audit.c

+19 −9
Original line number Diff line number Diff line
@@ -396,7 +396,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, 
	struct audit_buffer *ab;

	int rc = 0;



	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);

	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);

	if (unlikely(!ab))

		return rc;

	audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old);
@@ -1053,7 +1053,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) 
	return err;

}



static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)

static void audit_log_common_recv_msg(struct audit_context *context,

					struct audit_buffer **ab, u16 msg_type)

{

	uid_t uid = from_kuid(&init_user_ns, current_uid());

	pid_t pid = task_tgid_nr(current);
@@ -1063,7 +1064,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) 
		return;

	}



	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);

	*ab = audit_log_start(context, GFP_KERNEL, msg_type);

	if (unlikely(!*ab))

		return;

	audit_log_format(*ab, "pid=%d uid=%u ", pid, uid);
@@ -1071,6 +1072,12 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) 
	audit_log_task_context(*ab);

}



static inline void audit_log_user_recv_msg(struct audit_buffer **ab,

					   u16 msg_type)

{

	audit_log_common_recv_msg(NULL, ab, msg_type);

}



int is_audit_feature_set(int i)

{

	return af.features & AUDIT_FEATURE_TO_MASK(i);
@@ -1338,7 +1345,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 
				if (err)

					break;

			}

			audit_log_common_recv_msg(&ab, msg_type);

			audit_log_user_recv_msg(&ab, msg_type);

			if (msg_type != AUDIT_USER_TTY)

				audit_log_format(ab, " msg='%.*s'",

						 AUDIT_MESSAGE_TEXT_MAX,
@@ -1361,7 +1368,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 
		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))

			return -EINVAL;

		if (audit_enabled == AUDIT_LOCKED) {

			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);

			audit_log_common_recv_msg(audit_context(), &ab,

						  AUDIT_CONFIG_CHANGE);

			audit_log_format(ab, " op=%s audit_enabled=%d res=0",

					 msg_type == AUDIT_ADD_RULE ?

						"add_rule" : "remove_rule",
@@ -1376,7 +1384,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 
		break;

	case AUDIT_TRIM:

		audit_trim_trees();

		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);

		audit_log_common_recv_msg(audit_context(), &ab,

					  AUDIT_CONFIG_CHANGE);

		audit_log_format(ab, " op=trim res=1");

		audit_log_end(ab);

		break;
@@ -1406,8 +1415,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 
		/* OK, here comes... */

		err = audit_tag_tree(old, new);



		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);



		audit_log_common_recv_msg(audit_context(), &ab,

					  AUDIT_CONFIG_CHANGE);

		audit_log_format(ab, " op=make_equiv old=");

		audit_log_untrustedstring(ab, old);

		audit_log_format(ab, " new=");
@@ -1474,7 +1483,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 
		old.enabled = t & AUDIT_TTY_ENABLE;

		old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);



		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);

		audit_log_common_recv_msg(audit_context(), &ab,

					  AUDIT_CONFIG_CHANGE);

		audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"

				 " old-log_passwd=%d new-log_passwd=%d res=%d",

				 old.enabled, s.enabled, old.log_passwd,

kernel/audit_fsnotify.c

+1 −1
Original line number Diff line number Diff line
@@ -127,7 +127,7 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c 


	if (!audit_enabled)

		return;

	ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);

	ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE);

	if (unlikely(!ab))

		return;

	audit_log_session_info(ab);

kernel/audit_watch.c

+1 −1
Original line number Diff line number Diff line
@@ -242,7 +242,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc 


	if (!audit_enabled)

		return;

	ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);

	ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE);

	if (!ab)

		return;

	audit_log_session_info(ab);

kernel/auditfilter.c

+1 −1
Original line number Diff line number Diff line
@@ -1091,7 +1091,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re 
	if (!audit_enabled)

		return;



	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);

	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);

	if (!ab)

		return;

	audit_log_session_info(ab);

CRA Git | Maintained and supported by SUSTech CRA and CCSE