lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20160627211248.GJ29695@madcap2.tricolour.ca>
Date:	Mon, 27 Jun 2016 17:12:48 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	Paul Moore <paul@...l-moore.com>
Cc:	linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] audit: add fields to exclude filter by reusing user
 filter

On 2016-06-27 11:18, Paul Moore wrote:
> On Fri, Jun 24, 2016 at 4:35 PM, Richard Guy Briggs <rgb@...hat.com> wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-factor and combine audit_filter_type() with audit_filter_user() to
> > use audit_filter_user_rules() to enable the exclude filter to
> > additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.
> >
> > The process of combining the similar audit_filter_user() and
> > audit_filter_type() functions, required inverting the meaning and
> > including the ALWAYS action of the latter.
> >
> > Include audit_filter_user_rules() into audit_filter(), removing unneeded
> > logic in the process.
> >
> > Keep the check to quit early if the list is empty.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > ---
> > v4: rebase on 4.6-based audit/next.
> >
> > v3: pull audit_filter_user_rules() into audit_filter() and simplify
> > logic.
> >
> > v2: combine audit_filter_user() and audit_filter_type() into
> > audit_filter().
> > ---
> >  include/linux/audit.h |    2 -
> >  kernel/audit.c        |    4 +-
> >  kernel/audit.h        |    2 +
> >  kernel/auditfilter.c  |  151 +++++++++++++++++--------------------------------
> >  4 files changed, 57 insertions(+), 102 deletions(-)
> 
> Merged, thanks.  Please remember to run scripts/checkpatch.pl on your
> submissions, I had to fix up a couple of whitespace damaged lines.

Oops, sorry, thanks for the touch-ups.

> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index e38e3fc..9d4443f 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -163,8 +163,6 @@ extern void audit_log_task_info(struct audit_buffer *ab,
> >  extern int                 audit_update_lsm_rules(void);
> >
> >                                 /* Private API (for audit.c only) */
> > -extern int audit_filter_user(int type);
> > -extern int audit_filter_type(int type);
> >  extern int audit_rule_change(int type, __u32 portid, int seq,
> >                                 void *data, size_t datasz);
> >  extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 678c3f0..994588e 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -934,7 +934,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >                 if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> >                         return 0;
> >
> > -               err = audit_filter_user(msg_type);
> > +               err = audit_filter(msg_type, AUDIT_FILTER_USER);
> >                 if (err == 1) { /* match or error */
> >                         err = 0;
> >                         if (msg_type == AUDIT_USER_TTY) {
> > @@ -1382,7 +1382,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
> >         if (audit_initialized != AUDIT_INITIALIZED)
> >                 return NULL;
> >
> > -       if (unlikely(audit_filter_type(type)))
> > +       if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
> >                 return NULL;
> >
> >         if (gfp_mask & __GFP_DIRECT_RECLAIM) {
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index cbbe6bb..1879f02 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -327,6 +327,8 @@ extern pid_t audit_sig_pid;
> >  extern kuid_t audit_sig_uid;
> >  extern u32 audit_sig_sid;
> >
> > +extern int audit_filter(int msgtype, unsigned int listtype);
> > +
> >  #ifdef CONFIG_AUDITSYSCALL
> >  extern int __audit_signal_info(int sig, struct task_struct *t);
> >  static inline int audit_signal_info(int sig, struct task_struct *t)
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index ff59a5e..3a67acf 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -1290,117 +1290,72 @@ int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
> >         return strncmp(p, dname, dlen);
> >  }
> >
> > -static int audit_filter_user_rules(struct audit_krule *rule, int type,
> > -                                  enum audit_state *state)
> > -{
> > -       int i;
> > -
> > -       for (i = 0; i < rule->field_count; i++) {
> > -               struct audit_field *f = &rule->fields[i];
> > -               pid_t pid;
> > -               int result = 0;
> > -               u32 sid;
> > -
> > -               switch (f->type) {
> > -               case AUDIT_PID:
> > -                       pid = task_pid_nr(current);
> > -                       result = audit_comparator(pid, f->op, f->val);
> > -                       break;
> > -               case AUDIT_UID:
> > -                       result = audit_uid_comparator(current_uid(), f->op, f->uid);
> > -                       break;
> > -               case AUDIT_GID:
> > -                       result = audit_gid_comparator(current_gid(), f->op, f->gid);
> > -                       break;
> > -               case AUDIT_LOGINUID:
> > -                       result = audit_uid_comparator(audit_get_loginuid(current),
> > -                                                 f->op, f->uid);
> > -                       break;
> > -               case AUDIT_LOGINUID_SET:
> > -                       result = audit_comparator(audit_loginuid_set(current),
> > -                                                 f->op, f->val);
> > -                       break;
> > -               case AUDIT_MSGTYPE:
> > -                       result = audit_comparator(type, f->op, f->val);
> > -                       break;
> > -               case AUDIT_SUBJ_USER:
> > -               case AUDIT_SUBJ_ROLE:
> > -               case AUDIT_SUBJ_TYPE:
> > -               case AUDIT_SUBJ_SEN:
> > -               case AUDIT_SUBJ_CLR:
> > -                       if (f->lsm_rule) {
> > -                               security_task_getsecid(current, &sid);
> > -                               result = security_audit_rule_match(sid,
> > -                                                                  f->type,
> > -                                                                  f->op,
> > -                                                                  f->lsm_rule,
> > -                                                                  NULL);
> > -                       }
> > -                       break;
> > -               }
> > -
> > -               if (result <= 0)
> > -                       return result;
> > -       }
> > -       switch (rule->action) {
> > -       case AUDIT_NEVER:
> > -               *state = AUDIT_DISABLED;
> > -               break;
> > -       case AUDIT_ALWAYS:
> > -               *state = AUDIT_RECORD_CONTEXT;
> > -               break;
> > -       }
> > -       return 1;
> > -}
> > -
> > -int audit_filter_user(int type)
> > -{
> > -       enum audit_state state = AUDIT_DISABLED;
> > -       struct audit_entry *e;
> > -       int rc, ret;
> > -
> > -       ret = 1; /* Audit by default */
> > -
> > -       rcu_read_lock();
> > -       list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
> > -               rc = audit_filter_user_rules(&e->rule, type, &state);
> > -               if (rc) {
> > -                       if (rc > 0 && state == AUDIT_DISABLED)
> > -                               ret = 0;
> > -                       break;
> > -               }
> > -       }
> > -       rcu_read_unlock();
> > -
> > -       return ret;
> > -}
> > -
> > -int audit_filter_type(int type)
> > +int audit_filter(int msgtype, unsigned int listtype)
> >  {
> >         struct audit_entry *e;
> > -       int result = 0;
> > +       int ret = 1; /* Audit by default */
> >
> >         rcu_read_lock();
> > -       if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
> > +       if (list_empty(&audit_filter_list[listtype]))
> >                 goto unlock_and_return;
> > +       list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
> > +               int i, result = 0;
> >
> > -       list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
> > -                               list) {
> > -               int i;
> >                 for (i = 0; i < e->rule.field_count; i++) {
> >                         struct audit_field *f = &e->rule.fields[i];
> > -                       if (f->type == AUDIT_MSGTYPE) {
> > -                               result = audit_comparator(type, f->op, f->val);
> > -                               if (!result)
> > -                                       break;
> > +                       pid_t pid;
> > +                       u32 sid;
> > +
> > +                       switch (f->type) {
> > +                       case AUDIT_PID:
> > +                               pid = task_pid_nr(current);
> > +                               result = audit_comparator(pid, f->op, f->val);
> > +                               break;
> > +                       case AUDIT_UID:
> > +                               result = audit_uid_comparator(current_uid(), f->op, f->uid);
> > +                               break;
> > +                       case AUDIT_GID:
> > +                               result = audit_gid_comparator(current_gid(), f->op, f->gid);
> > +                               break;
> > +                       case AUDIT_LOGINUID:
> > +                               result = audit_uid_comparator(audit_get_loginuid(current),
> > +                                                       f->op, f->uid);
> > +                               break;
> > +                       case AUDIT_LOGINUID_SET:
> > +                               result = audit_comparator(audit_loginuid_set(current),
> > +                                                       f->op, f->val);
> > +                               break;
> > +                       case AUDIT_MSGTYPE:
> > +                               result = audit_comparator(msgtype, f->op, f->val);
> > +                               break;
> > +                       case AUDIT_SUBJ_USER:
> > +                       case AUDIT_SUBJ_ROLE:
> > +                       case AUDIT_SUBJ_TYPE:
> > +                       case AUDIT_SUBJ_SEN:
> > +                       case AUDIT_SUBJ_CLR:
> > +                               if (f->lsm_rule) {
> > +                                       security_task_getsecid(current, &sid);
> > +                                       result = security_audit_rule_match(sid,
> > +                                                       f->type, f->op, f->lsm_rule, NULL);
> > +                               }
> > +                               break;
> > +                       default:
> > +                               goto unlock_and_return;
> >                         }
> > +                       if (result < 0) /* error */
> > +                               goto unlock_and_return;
> > +                       if (!result)
> > +                               break;
> > +               }
> > +               if (result > 0) {
> > +                       if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
> > +                               ret = 0;
> > +                       break;
> >                 }
> > -               if (result)
> > -                       goto unlock_and_return;
> >         }
> >  unlock_and_return:
> >         rcu_read_unlock();
> > -       return result;
> > +       return ret;
> >  }
> >
> >  static int update_lsm_rule(struct audit_krule *r)
> > --
> > 1.7.1
> 
> paul moore

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ