lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 16 Jul 2015 21:45:47 -0400
From:	Paul Moore <pmoore@...hat.com>
To:	Richard Guy Briggs <rgb@...hat.com>
Cc:	linux-audit@...hat.com, linux-kernel@...r.kernel.org,
	sgrubb@...hat.com, eparis@...hat.com
Subject: Re: [PATCH V6 2/4] audit: clean simple fsnotify implementation

On Tuesday, July 14, 2015 11:50:24 AM Richard Guy Briggs wrote:
> This is to be used to audit by executable rules, but audit watches
> should be able to share this code eventually.
> 
> At the moment the audit watch code is a lot more complex, that code only
> creates one fsnotify watch per parent directory.  That 'audit_parent' in
> turn has a list of 'audit_watches' which contain the name, ino, dev of
> the specific object we care about.  This just creates one fsnotify watch
> per object we care about.  So if you watch 100 inodes in /etc this code
> will create 100 fsnotify watches on /etc.  The audit_watch code will
> instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
> individual watches chained from that fsnotify mark.
> 
> We should be able to convert the audit_watch code to do one fsnotify
> mark per watch and simplify things/remove a whole lot of code.  After
> that conversion we should be able to convert the audit_fsnotify code to
> support that hierarchy if the optimization is necessary.
> 
> Signed-off-by: Eric Paris <eparis@...hat.com>
> 
> RGB: Move the access to the entry for audit_match_signal() to the beginning
> of the function in case the entry found is the same one passed in.  This
> will enable it to be used by audit_autoremove_mark_rule().
> RGB: Rename several "watch" references to "mark".
> RGB: Rename audit_remove_rule() to audit_autoremove_mark_rule().
> RGB: Put audit_alloc_mark() arguments in same order as watch, tree and
> inode. RGB: Remove space from audit log value text in
> audit_autoremove_mark_rule(). RGB: Explicitly declare prototypes as extern.
> RGB: Rename audit_remove_mark_rule() called from audit_mark_handle_event()
> to audit_autoremove_mark_rule() to avoid confusion with
> audit_remove_{watch,tree}_rule() usage.
> RGB: Add audit_remove_mark_rule() to provide similar interface as
> audit_remove_{watch,tree}_rule().
> RGB: Simplify stubs to defines.
> RGB: Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
> keeping with the naming convention of inotify_free_mark(),
> dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
> RGB: Return -ENOMEM rather than null in case of memory allocation failure
> for audit_mark. RGB: Rename audit_free_mark() to audit_mark_free() to avoid
> association with {i,d,fa}notify_free_mark() and audit_watch_free_mark().

Definitely enough changes here to call this your own; credit Eric in the 
description and just stick with your sign off.

> Based-on-code-by: Eric Paris <eparis@...hat.com>
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>

Based on the patch description, should this be patch 1/4 instead of 2/4?

> diff --git a/kernel/Makefile b/kernel/Makefile
> index a7ea330..397109e 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o
>  obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
>  obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
>  obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
> -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o
> +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o audit_fsnotify.o
>  obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
>  obj-$(CONFIG_GCOV_KERNEL) += gcov/
>  obj-$(CONFIG_KPROBES) += kprobes.o
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 3aca24f..491bd4b 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -286,6 +294,20 @@ extern int audit_exe_compare(struct task_struct *tsk,
> struct audit_exe *exe); #define audit_watch_path(w) ""
>  #define audit_watch_compare(w, i, d) 0
> 
> +#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
> +static inline char *audit_mark_path(struct audit_fsnotify_mark *mark)
> +{
> +	BUG();
> +	return "";
> +}
> +#define audit_remove_mark(m) BUG()
> +#define audit_remove_mark_rule(k) BUG()
> +static inline int audit_mark_compare(struct audit_fsnotify_mark *mark,
> unsigned long ino, dev_t dev) +{
> +	BUG();
> +	return 0;
> +}

No BUG(), we've got enough of those things already.

> diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
> new file mode 100644
> index 0000000..a4e7b16
> --- /dev/null
> +++ b/kernel/audit_fsnotify.c
> @@ -0,0 +1,253 @@
> +/* audit_fsnotify.c -- tracking inodes
> + *
> + * Copyright 2003-2009,2014-2015 Red Hat, Inc.
> + * Copyright 2005 Hewlett-Packard Development Company, L.P.
> + * Copyright 2005 IBM Corporation
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + */

...

> +static void audit_fsnotify_free_mark(struct fsnotify_mark *mark)
> +{
> +	struct audit_fsnotify_mark *audit_mark;
> +
> +	audit_mark = container_of(mark, struct audit_fsnotify_mark, mark);
> +	audit_mark_free(audit_mark);
> +}

It seems like audit_fsnotify_mark_free() might be more consistent with the 
rest of the naming, yes?

> +#if 0 /* not sure if we need these... */
> +static void audit_get_mark(struct audit_fsnotify_mark *audit_mark)
> +{
> +	if (likely(audit_mark))
> +		fsnotify_get_mark(&audit_mark->mark);
> +}
> +
> +static void audit_put_mark(struct audit_fsnotify_mark *audit_mark)
> +{
> +	if (likely(audit_mark))
> +		fsnotify_put_mark(&audit_mark->mark);
> +}
> +#endif

If this code is '#if 0' let's dump it.  We need it or we don't, keeping it 
around as dead weight is dangerous.

> +char *audit_mark_path(struct audit_fsnotify_mark *mark)
> +{
> +	return mark->path;
> +}
> +
> +int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino,
> dev_t dev) +{
> +	if (mark->ino == (unsigned long)-1)
> +		return 0;
> +	return (mark->ino == ino) && (mark->dev == dev);
> +}

It seems like there should be a #define for -1 inodes, did you check?  I 
generally hate magic numbers like this because I'm pretty stupid and tend to 
forget their meaning over time ....

Also, at some point we should make (or find?) some generic inode comparison 
function/macro.  I'm amazed at home many times I see (i_foo == ino && i_dev == 
dev).

> +struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
> char *pathname, int len) +{
> +	struct audit_fsnotify_mark *audit_mark;
> +	struct path path;
> +	struct dentry *dentry;
> +	struct inode *inode;
> +	unsigned long ino;
> +	char *local_pathname;
> +	dev_t dev;
> +	int ret;
> +
> +	if (pathname[0] != '/' || pathname[len-1] == '/')
> +		return ERR_PTR(-EINVAL);
> +
> +	dentry = kern_path_locked(pathname, &path);
> +	if (IS_ERR(dentry))
> +		return (void *)dentry; /* returning an error */
> +	inode = path.dentry->d_inode;
> +	mutex_unlock(&inode->i_mutex);
> +
> +	if (!dentry->d_inode) {
> +		ino = (unsigned long)-1;
> +		dev = (unsigned)-1;
> +	} else {
> +		dev = dentry->d_inode->i_sb->s_dev;
> +		ino = dentry->d_inode->i_ino;
> +	}

My comments on the ino and dev variables from the other patch apply here.

> +	audit_mark = ERR_PTR(-ENOMEM);
> +	local_pathname = kstrdup(pathname, GFP_KERNEL);
> +	if (!local_pathname)
> +		goto out;

Why not just kstrdup() into audit_mark->path directly?  I don't get the 
fascination with local variables.  Also, why bother with the strdup if the 
audit_mark malloc is going to fail?

> +	audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL);
> +	if (unlikely(!audit_mark)) {
> +		kfree(local_pathname);
> +		audit_mark = ERR_PTR(-ENOMEM);
> +		goto out;
> +	}
> +
> +	fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_free_mark);
> +	audit_mark->mark.mask = AUDIT_FS_EVENTS;
> +	audit_mark->path = local_pathname;
> +	audit_mark->ino = ino;
> +	audit_mark->dev = dev;
> +	audit_mark->rule = krule;
> +
> +	ret = fsnotify_add_mark(&audit_mark->mark, audit_fsnotify_group, inode,
> NULL, true); +	if (ret < 0) {
> +		audit_mark_free(audit_mark);
> +		audit_mark = ERR_PTR(ret);
> +	}
> +out:
> +	dput(dentry);
> +	path_put(&path);
> +	return audit_mark;
> +}

...

> +static void audit_mark_log_rule_change(struct audit_fsnotify_mark
> *audit_mark, char *op)
> +{

That is a lot of letters ... who about audit_mark_log_change()?

> +/* Update mark data in audit rules based on fsnotify events. */
> +static int audit_mark_handle_event(struct fsnotify_group *group,
> +				    struct inode *to_tell,
> +				    struct fsnotify_mark *inode_mark,
> +				    struct fsnotify_mark *vfsmount_mark,
> +				    u32 mask, void *data, int data_type,
> +				    const unsigned char *dname, u32 cookie)
> +{
> +	struct audit_fsnotify_mark *audit_mark;
> +	struct inode *inode = NULL;
> +
> +	audit_mark = container_of(inode_mark, struct audit_fsnotify_mark, mark);
> +
> +	BUG_ON(group != audit_fsnotify_group);

What happens when BUG_ON() is compiled out?  Let's back this up with some 
normal error checking if you think this is a real concern.  If it isn't a real 
concern, why do we have a BUG_ON()?  This doesn't strike me as something that 
is going to be a real problem.

> +	switch (data_type) {
> +	case (FSNOTIFY_EVENT_PATH):
> +		inode = ((struct path *)data)->dentry->d_inode;
> +		break;
> +	case (FSNOTIFY_EVENT_INODE):
> +		inode = (struct inode *)data;
> +		break;
> +	default:
> +		BUG();
> +		return 0;
> +	};

We can do better than BUG() in the default catch-all above.  Maybe a 
prink(KERN_ERR ...)?

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 09041b2..bbb39ec 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -977,7 +977,7 @@ error:
>  }
> 
>  /* Remove an existing rule from filterlist. */
> -static inline int audit_del_rule(struct audit_entry *entry)
> +int audit_del_rule(struct audit_entry *entry)
>  {
>  	struct audit_entry  *e;
>  	struct audit_tree *tree = entry->rule.tree;
> @@ -985,6 +985,7 @@ static inline int audit_del_rule(struct audit_entry
> *entry) int ret = 0;
>  #ifdef CONFIG_AUDITSYSCALL
>  	int dont_count = 0;
> +	int match = audit_match_signal(entry);
> 
>  	/* If either of these, don't count towards total */
>  	if (entry->rule.listnr == AUDIT_FILTER_USER ||
> @@ -1017,7 +1018,7 @@ static inline int audit_del_rule(struct audit_entry
> *entry) if (!dont_count)
>  		audit_n_rules--;
> 
> -	if (!audit_match_signal(entry))
> +	if (!match)
>  		audit_signals--;
>  #endif
>  	mutex_unlock(&audit_filter_mutex);

Is the bit above worthy of it's own bugfix patch independent of this fsnotify 
implementation, or is it only an issue with this new fsnotify code?

-- 
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ