| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Nov 2019 16:19:55 -0500
From: Paul Moore <paul@...l-moore.com>
To: Jiri Olsa <jolsa@...hat.com>
Cc: Alexei Starovoitov <alexei.starovoitov@...il.com>,
linux-audit@...hat.com, Jiri Olsa <jolsa@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>,
Network Development <netdev@...r.kernel.org>,
bpf <bpf@...r.kernel.org>, Andrii Nakryiko <andriin@...com>,
Yonghong Song <yhs@...com>, Martin KaFai Lau <kafai@...com>,
Jakub Kicinski <jakub.kicinski@...ronome.com>,
Steve Grubb <sgrubb@...hat.com>,
David Miller <davem@...hat.com>,
Eric Paris <eparis@...hat.com>, Jiri Benc <jbenc@...hat.com>
Subject: Re: [PATCH] bpf: emit audit messages upon successful prog load and unload
On Fri, Nov 22, 2019 at 2:24 PM Jiri Olsa <jolsa@...hat.com> wrote:
> Paul,
> would following output be ok:
>
> type=SYSCALL msg=audit(1574445211.897:28015): arch=c000003e syscall=321 success=no exit=-13 a0=5 a1=7fff09ac6c60 a2=78 a3=6 items=0 ppid=1408 pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="test_verifier" exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> type=PROCTITLE msg=audit(1574445211.897:28015): proctitle="./test_verifier"
> type=BPF msg=audit(1574445211.897:28016): prog-id=8103 event=LOAD
>
> type=SYSCALL msg=audit(1574445211.897:28016): arch=c000003e syscall=321 success=yes exit=14 a0=5 a1=7fff09ac6b80 a2=78 a3=0 items=0 ppid=1408 pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="test_verifier" exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> type=PROCTITLE msg=audit(1574445211.897:28016): proctitle="./test_verifier"
> type=BPF msg=audit(1574445211.897:28017): prog-id=8103 event=UNLOAD
There is some precedence in using "op=" instead of "event=" (an audit
"event" is already a thing, using "event=" here might get confusing).
I suppose if we are getting really nit-picky you might want to
lower-case the LOAD/UNLOAD, but generally Steve cares more about these
things than I do.
For reference, we have a searchable database of fields here:
* https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
> I assume for audit-userspace and audit-testsuite the change will
> go in as github PR, right? I have the auditd change ready and will
> add test shortly.
You can submit the audit-testsuite either as a GH PR or as a
patch(set) to the linux-audit mailing list, both work equally well. I
believe has the same policy for his userspace tools, but I'll let him
speak for himself.
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 18925d924c73..c69d2776d197 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -358,8 +358,6 @@ static inline void audit_ptrace(struct task_struct *t)
> __audit_ptrace(t);
> }
>
> -extern void audit_log_task(struct audit_buffer *ab);
> -
> /* Private API (for audit.c only) */
> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> @@ -648,8 +646,6 @@ static inline void audit_ntp_log(const struct audit_ntp_data *ad)
> static inline void audit_ptrace(struct task_struct *t)
> { }
>
> -static inline void audit_log_task(struct audit_buffer *ab)
> -{ }
> #define audit_n_rules 0
> #define audit_signals 0
> #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9bf1045fedfa..4effe01ebbe2 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2545,7 +2545,7 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
> audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
> }
>
> -void audit_log_task(struct audit_buffer *ab)
> +static void audit_log_task(struct audit_buffer *ab)
I'm slightly concerned that this is based on top of your other patch
which was NACK'ed. I might not have been clear before, but with the
merge window set to open in a few days, and this change affecting the
kernel interface (uapi, etc.) and lacking a test, this isn't something
that I see as a candidate for the upcoming merge window. *Please*
revert your original patch first; if you think I'm cranky now I can
promise I'll be a lot more cranky if I see the original patch in -rc1
;)
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index b51ecb9644d0..e3a7fa4d7a82 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1334,7 +1334,6 @@ static const char * const bpf_event_audit_str[] = {
>
> static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> {
> - bool has_task_context = event == BPF_EVENT_LOAD;
> struct audit_buffer *ab;
>
> if (audit_enabled == AUDIT_OFF)
> @@ -1342,10 +1341,7 @@ static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> if (unlikely(!ab))
> return;
> - if (has_task_context)
> - audit_log_task(ab);
> - audit_log_format(ab, "%sprog-id=%u event=%s",
> - has_task_context ? " " : "",
> + audit_log_format(ab, "prog-id=%u event=%s",
> prog->aux->id, bpf_event_audit_str[event]);
Other than the "op" instead of "event", this looks reasonable to me.
I would give Steve a chance to comment on it from the userspace side
of things.
> audit_log_end(ab);
> }
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists