lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150801200310.GA24289@madcap2.tricolour.ca>
Date:	Sat, 1 Aug 2015 16:03:10 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	Paul Moore <pmoore@...hat.com>
Cc:	linux-audit@...hat.com, linux-kernel@...r.kernel.org,
	sgrubb@...hat.com, eparis@...hat.com
Subject: Re: [PATCH V6 2/4] audit: clean simple fsnotify implementation

On 15/07/16, Paul Moore wrote:
> On Tuesday, July 14, 2015 11:50:24 AM Richard Guy Briggs wrote:
> > This is to be used to audit by executable rules, but audit watches
> > should be able to share this code eventually.
> > 
> > At the moment the audit watch code is a lot more complex, that code only
> > creates one fsnotify watch per parent directory.  That 'audit_parent' in
> > turn has a list of 'audit_watches' which contain the name, ino, dev of
> > the specific object we care about.  This just creates one fsnotify watch
> > per object we care about.  So if you watch 100 inodes in /etc this code
> > will create 100 fsnotify watches on /etc.  The audit_watch code will
> > instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
> > individual watches chained from that fsnotify mark.
> > 
> > We should be able to convert the audit_watch code to do one fsnotify
> > mark per watch and simplify things/remove a whole lot of code.  After
> > that conversion we should be able to convert the audit_fsnotify code to
> > support that hierarchy if the optimization is necessary.
> > 
> > Signed-off-by: Eric Paris <eparis@...hat.com>
> > 
> > RGB: Move the access to the entry for audit_match_signal() to the beginning
> > of the function in case the entry found is the same one passed in.  This
> > will enable it to be used by audit_autoremove_mark_rule().
> > RGB: Rename several "watch" references to "mark".
> > RGB: Rename audit_remove_rule() to audit_autoremove_mark_rule().
> > RGB: Put audit_alloc_mark() arguments in same order as watch, tree and
> > inode. RGB: Remove space from audit log value text in
> > audit_autoremove_mark_rule(). RGB: Explicitly declare prototypes as extern.
> > RGB: Rename audit_remove_mark_rule() called from audit_mark_handle_event()
> > to audit_autoremove_mark_rule() to avoid confusion with
> > audit_remove_{watch,tree}_rule() usage.
> > RGB: Add audit_remove_mark_rule() to provide similar interface as
> > audit_remove_{watch,tree}_rule().
> > RGB: Simplify stubs to defines.
> > RGB: Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in
> > keeping with the naming convention of inotify_free_mark(),
> > dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark().
> > RGB: Return -ENOMEM rather than null in case of memory allocation failure
> > for audit_mark. RGB: Rename audit_free_mark() to audit_mark_free() to avoid
> > association with {i,d,fa}notify_free_mark() and audit_watch_free_mark().
> 
> Definitely enough changes here to call this your own; credit Eric in the 
> description and just stick with your sign off.

Done.

> > Based-on-code-by: Eric Paris <eparis@...hat.com>
> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> 
> Based on the patch description, should this be patch 1/4 instead of 2/4?

Or 1/2 as you have suggested.

> > diff --git a/kernel/Makefile b/kernel/Makefile
> > index a7ea330..397109e 100644
> > --- a/kernel/Makefile
> > +++ b/kernel/Makefile
> > @@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o
> >  obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
> >  obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
> >  obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
> > -obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o
> > +obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_exe.o audit_fsnotify.o
> >  obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
> >  obj-$(CONFIG_GCOV_KERNEL) += gcov/
> >  obj-$(CONFIG_KPROBES) += kprobes.o
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 3aca24f..491bd4b 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -286,6 +294,20 @@ extern int audit_exe_compare(struct task_struct *tsk,
> > struct audit_exe *exe); #define audit_watch_path(w) ""
> >  #define audit_watch_compare(w, i, d) 0
> > 
> > +#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
> > +static inline char *audit_mark_path(struct audit_fsnotify_mark *mark)
> > +{
> > +	BUG();
> > +	return "";
> > +}
> > +#define audit_remove_mark(m) BUG()
> > +#define audit_remove_mark_rule(k) BUG()
> > +static inline int audit_mark_compare(struct audit_fsnotify_mark *mark,
> > unsigned long ino, dev_t dev) +{
> > +	BUG();
> > +	return 0;
> > +}
> 
> No BUG(), we've got enough of those things already.

Cleaned them out...

> > diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
> > new file mode 100644
> > index 0000000..a4e7b16
> > --- /dev/null
> > +++ b/kernel/audit_fsnotify.c
> > @@ -0,0 +1,253 @@
> > +/* audit_fsnotify.c -- tracking inodes
> > + *
> > + * Copyright 2003-2009,2014-2015 Red Hat, Inc.
> > + * Copyright 2005 Hewlett-Packard Development Company, L.P.
> > + * Copyright 2005 IBM Corporation
> > + *
> > + * This program is free software; you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation; either version 2 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * This program is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + * GNU General Public License for more details.
> > + */
> 
> ...
> 
> > +static void audit_fsnotify_free_mark(struct fsnotify_mark *mark)
> > +{
> > +	struct audit_fsnotify_mark *audit_mark;
> > +
> > +	audit_mark = container_of(mark, struct audit_fsnotify_mark, mark);
> > +	audit_mark_free(audit_mark);
> > +}
> 
> It seems like audit_fsnotify_mark_free() might be more consistent with the 
> rest of the naming, yes?

Uh, yes, ok.

> > +#if 0 /* not sure if we need these... */
> > +static void audit_get_mark(struct audit_fsnotify_mark *audit_mark)
> > +{
> > +	if (likely(audit_mark))
> > +		fsnotify_get_mark(&audit_mark->mark);
> > +}
> > +
> > +static void audit_put_mark(struct audit_fsnotify_mark *audit_mark)
> > +{
> > +	if (likely(audit_mark))
> > +		fsnotify_put_mark(&audit_mark->mark);
> > +}
> > +#endif
> 
> If this code is '#if 0' let's dump it.  We need it or we don't, keeping it 
> around as dead weight is dangerous.

Agreed.  Missed that.

> > +char *audit_mark_path(struct audit_fsnotify_mark *mark)
> > +{
> > +	return mark->path;
> > +}
> > +
> > +int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino,
> > dev_t dev) +{
> > +	if (mark->ino == (unsigned long)-1)
> > +		return 0;
> > +	return (mark->ino == ino) && (mark->dev == dev);
> > +}
> 
> It seems like there should be a #define for -1 inodes, did you check?  I 
> generally hate magic numbers like this because I'm pretty stupid and tend to 
> forget their meaning over time ....

I found nothing obvious, but it does surprise me a bit too...

> Also, at some point we should make (or find?) some generic inode comparison 
> function/macro.  I'm amazed at home many times I see (i_foo == ino && i_dev == 
> dev).

It would make sense if there were two structs that both included ino and
dev members to call a funciton/macro with pointers to the two structs,
or even one struct and an ino dev tuple, but when the four are discreet,
it starts to lose its utility...

> > +struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
> > char *pathname, int len) +{
> > +	struct audit_fsnotify_mark *audit_mark;
> > +	struct path path;
> > +	struct dentry *dentry;
> > +	struct inode *inode;
> > +	unsigned long ino;
> > +	char *local_pathname;
> > +	dev_t dev;
> > +	int ret;
> > +
> > +	if (pathname[0] != '/' || pathname[len-1] == '/')
> > +		return ERR_PTR(-EINVAL);
> > +
> > +	dentry = kern_path_locked(pathname, &path);
> > +	if (IS_ERR(dentry))
> > +		return (void *)dentry; /* returning an error */
> > +	inode = path.dentry->d_inode;
> > +	mutex_unlock(&inode->i_mutex);
> > +
> > +	if (!dentry->d_inode) {
> > +		ino = (unsigned long)-1;
> > +		dev = (unsigned)-1;
> > +	} else {
> > +		dev = dentry->d_inode->i_sb->s_dev;
> > +		ino = dentry->d_inode->i_ino;
> > +	}
> 
> My comments on the ino and dev variables from the other patch apply here.
> 
> > +	audit_mark = ERR_PTR(-ENOMEM);
> > +	local_pathname = kstrdup(pathname, GFP_KERNEL);
> > +	if (!local_pathname)
> > +		goto out;
> 
> Why not just kstrdup() into audit_mark->path directly?  I don't get the 
> fascination with local variables.  Also, why bother with the strdup if the 
> audit_mark malloc is going to fail?

Yeah, I didn't like it either, that's why 4/4 exists...

> > +	audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL);
> > +	if (unlikely(!audit_mark)) {
> > +		kfree(local_pathname);
> > +		audit_mark = ERR_PTR(-ENOMEM);
> > +		goto out;
> > +	}
> > +
> > +	fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_free_mark);
> > +	audit_mark->mark.mask = AUDIT_FS_EVENTS;
> > +	audit_mark->path = local_pathname;
> > +	audit_mark->ino = ino;
> > +	audit_mark->dev = dev;
> > +	audit_mark->rule = krule;
> > +
> > +	ret = fsnotify_add_mark(&audit_mark->mark, audit_fsnotify_group, inode,
> > NULL, true); +	if (ret < 0) {
> > +		audit_mark_free(audit_mark);
> > +		audit_mark = ERR_PTR(ret);
> > +	}
> > +out:
> > +	dput(dentry);
> > +	path_put(&path);
> > +	return audit_mark;
> > +}
> 
> ...
> 
> > +static void audit_mark_log_rule_change(struct audit_fsnotify_mark
> > *audit_mark, char *op)
> > +{
> 
> That is a lot of letters ... who about audit_mark_log_change()?

I used audit_watch_log_rule_change() and audit_tree_log_remove_rule() as
references...  I think it is fine.

> > +/* Update mark data in audit rules based on fsnotify events. */
> > +static int audit_mark_handle_event(struct fsnotify_group *group,
> > +				    struct inode *to_tell,
> > +				    struct fsnotify_mark *inode_mark,
> > +				    struct fsnotify_mark *vfsmount_mark,
> > +				    u32 mask, void *data, int data_type,
> > +				    const unsigned char *dname, u32 cookie)
> > +{
> > +	struct audit_fsnotify_mark *audit_mark;
> > +	struct inode *inode = NULL;
> > +
> > +	audit_mark = container_of(inode_mark, struct audit_fsnotify_mark, mark);
> > +
> > +	BUG_ON(group != audit_fsnotify_group);
> 
> What happens when BUG_ON() is compiled out?  Let's back this up with some 
> normal error checking if you think this is a real concern.  If it isn't a real 
> concern, why do we have a BUG_ON()?  This doesn't strike me as something that 
> is going to be a real problem.

It should not be, if the code is correct.  I have no reason to believe
otherwise since we are the only callers and no case should trigger it.

> > +	switch (data_type) {
> > +	case (FSNOTIFY_EVENT_PATH):
> > +		inode = ((struct path *)data)->dentry->d_inode;
> > +		break;
> > +	case (FSNOTIFY_EVENT_INODE):
> > +		inode = (struct inode *)data;
> > +		break;
> > +	default:
> > +		BUG();
> > +		return 0;
> > +	};
> 
> We can do better than BUG() in the default catch-all above.  Maybe a 
> prink(KERN_ERR ...)?

Oh dang, missed this one in the patchsets I just sent out.

This too was a development debug aid.  I don't expect this condition to
be hit, but pr_err(...) would work fine here.

> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 09041b2..bbb39ec 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -977,7 +977,7 @@ error:
> >  }
> > 
> >  /* Remove an existing rule from filterlist. */
> > -static inline int audit_del_rule(struct audit_entry *entry)
> > +int audit_del_rule(struct audit_entry *entry)
> >  {
> >  	struct audit_entry  *e;
> >  	struct audit_tree *tree = entry->rule.tree;
> > @@ -985,6 +985,7 @@ static inline int audit_del_rule(struct audit_entry
> > *entry) int ret = 0;
> >  #ifdef CONFIG_AUDITSYSCALL
> >  	int dont_count = 0;
> > +	int match = audit_match_signal(entry);
> > 
> >  	/* If either of these, don't count towards total */
> >  	if (entry->rule.listnr == AUDIT_FILTER_USER ||
> > @@ -1017,7 +1018,7 @@ static inline int audit_del_rule(struct audit_entry
> > *entry) if (!dont_count)
> >  		audit_n_rules--;
> > 
> > -	if (!audit_match_signal(entry))
> > +	if (!match)
> >  		audit_signals--;
> >  #endif
> >  	mutex_unlock(&audit_filter_mutex);
> 
> Is the bit above worthy of it's own bugfix patch independent of this fsnotify 
> implementation, or is it only an issue with this new fsnotify code?

I've split it out and added a note to the cover letter.  Er, I should
have included the removal of "static inline" in that split out patch...

> paul moore

- RGB

--
Richard Guy Briggs <rbriggs@...hat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ