Open Source and information security mailing list archives
Date:	Sat,  8 Aug 2015 10:23:03 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	linux-audit@...hat.com, linux-kernel@...r.kernel.org
Cc:	Richard Guy Briggs <rgb@...hat.com>, sgrubb@...hat.com,
	pmoore@...hat.com, eparis@...hat.com, peter@...3.com
Subject: [PATCH V10] audit: add audit by children of executable path

This adds the ability to audit the actions of children of a not-yet-running
process.

This is a split-out of a heavily modified version of a patch originally
submitted by Eric Paris with some ideas from Peter Moody.

V10: Always reference task_struct::pid in the initial PID namespace.

Cc: Peter Moody <peter@...3.com>
Cc: Eric Paris <eparis@...hat.com>
Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    5 +++++
 kernel/auditsc.c           |   13 +++++++++++++
 3 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 5316495..9cad417 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -267,6 +267,7 @@
 #define AUDIT_OBJ_GID	110
 #define AUDIT_FIELD_COMPARE	111
 #define AUDIT_EXE	112
+#define AUDIT_EXE_CHILDREN	113
 
 #define AUDIT_ARG0      200
 #define AUDIT_ARG1      (AUDIT_ARG0+1)
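Review bot: a new uapi field type is ABI, and `AUDIT_EXE_CHILDREN 113` lands without a word on its meaning; the only description is the one line in the commit message. A short comment next to the define (matches when the executable of the task or any of its ancestors is the given path, only valid with `=` and on the exit filter, as the auditfilter.c checks enforce) would let userspace authors read the semantics from the header.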
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index c662638..802f0cc 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -406,6 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 			return -EINVAL;
 		break;
 	case AUDIT_EXE:
+	case AUDIT_EXE_CHILDREN:
 		if (f->op != Audit_equal)
 			return -EINVAL;
 		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
@@ -547,6 +548,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			entry->rule.filterkey = str;
 			break;
 		case AUDIT_EXE:
+		case AUDIT_EXE_CHILDREN:
 			if (entry->rule.exe || f->val > PATH_MAX)
 				goto exit_free;
 			str = audit_unpack_string(&bufp, &remain, f->val);
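Review bot: AUDIT_EXE_CHILDREN reuses the single `entry->rule.exe` slot, so the existing `if (entry->rule.exe || f->val > PATH_MAX) goto exit_free;` check now also rejects a rule that carries both an exe field and an exe_children field, and that restriction is stated nowhere. A comment on the case and a line in the commit message would save auditctl users from guessing why such a rule fails to load.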
@@ -643,6 +645,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 				audit_pack_string(&bufp, krule->filterkey);
 			break;
 		case AUDIT_EXE:
+		case AUDIT_EXE_CHILDREN:
 			data->buflen += data->values[i] =
 				audit_pack_string(&bufp, audit_mark_path(krule->exe));
 			break;
@@ -710,6 +713,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 				return 1;
 			break;
 		case AUDIT_EXE:
+		case AUDIT_EXE_CHILDREN:
 			/* both paths exist based on above type compare */
 			if (strcmp(audit_mark_path(a->exe),
 				   audit_mark_path(b->exe)))
@@ -838,6 +842,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 				new->filterkey = fk;
 			break;
 		case AUDIT_EXE:
+		case AUDIT_EXE_CHILDREN:
 			err = audit_dupe_exe(new, old);
 			break;
 		}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e9bac2b..e1f0da2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -469,6 +469,19 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_EXE:
 			result = audit_exe_compare(tsk, rule->exe);
 			break;
+		case AUDIT_EXE_CHILDREN:
+		{
+			struct task_struct *ptsk;
+
+			for (ptsk = tsk; ptsk->parent->pid > 0;
+			     ptsk = find_task_by_pid_ns(ptsk->parent->pid, &init_pid_ns)) {
+				if (audit_exe_compare(ptsk, rule->exe)) {
+					++result;
+					break;
+				}
+			}
+		}
+			break;
 		case AUDIT_UID:
 			result = audit_uid_comparator(cred->uid, f->op, f->uid);
 			break;
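Review bot: the ancestor walk goes through a PID lookup although it already holds the task pointer: `ptsk = find_task_by_pid_ns(ptsk->parent->pid, &init_pid_ns)` can return NULL, and the loop condition then dereferences `ptsk->parent->pid` on the next iteration; it also needs RCU or tasklist_lock held, which nothing here documents. Walking `ptsk = ptsk->real_parent` directly removes the lookup and the NULL case, and `real_parent` is the right pointer anyway, since `parent` is the tracer while a task is ptraced. Two smaller points: starting at `ptsk = tsk` means the rule also matches a process whose own executable is `rule->exe`, not only its descendants, which should be documented or excluded; and `++result` is inconsistent with the `result = audit_exe_compare(...)` form in the case just above, while the `break;` placed outside the braced block reads as if it belonged to the for loop.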
-- 
1.7.1