* [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag
@ 2015-11-23 22:20 Paul Moore
  2015-11-23 22:20 ` Tony Jones
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2015-11-23 22:20 UTC (permalink / raw)
  To: linux-audit; +Cc: linux-security-module, Tony Jones

Previously we were emitting seccomp audit records regardless of the
audit_enabled setting, a departure from the rest of audit.  This
patch makes seccomp auditing consistent with the rest of the audit
record generation code in that when audit_enabled=0 nothing is logged
by the audit subsystem.

The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
code change was in the audit_seccomp() definition.

Reported-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 include/linux/audit.h |  204 +++++++++++++++++++++++++------------------------
 1 file changed, 104 insertions(+), 100 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 20eba1e..476bc12 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -113,6 +113,107 @@ struct filename;
 
 extern void audit_log_session_info(struct audit_buffer *ab);
 
+#ifdef CONFIG_AUDIT
+/* These are defined in audit.c */
+				/* Public API */
+extern __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+	       const char *fmt, ...);
+
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
+extern void		    audit_log_end(struct audit_buffer *ab);
+extern bool		    audit_string_contains_control(const char *string,
+							  size_t len);
+extern void		    audit_log_n_hex(struct audit_buffer *ab,
+					  const unsigned char *buf,
+					  size_t len);
+extern void		    audit_log_n_string(struct audit_buffer *ab,
+					       const char *buf,
+					       size_t n);
+extern void		    audit_log_n_untrustedstring(struct audit_buffer *ab,
+							const char *string,
+							size_t n);
+extern void		    audit_log_untrustedstring(struct audit_buffer *ab,
+						      const char *string);
+extern void		    audit_log_d_path(struct audit_buffer *ab,
+					     const char *prefix,
+					     const struct path *path);
+extern void		    audit_log_key(struct audit_buffer *ab,
+					  char *key);
+extern void		    audit_log_link_denied(const char *operation,
+						  struct path *link);
+extern void		    audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void 		    audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+static inline void	    audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+#endif
+
+extern int audit_log_task_context(struct audit_buffer *ab);
+extern void audit_log_task_info(struct audit_buffer *ab,
+				struct task_struct *tsk);
+
+extern int		    audit_update_lsm_rules(void);
+
+				/* Private API (for audit.c only) */
+extern int audit_filter_user(int type);
+extern int audit_filter_type(int type);
+extern int audit_rule_change(int type, __u32 portid, int seq,
+				void *data, size_t datasz);
+extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
+
+extern u32 audit_enabled;
+#else /* CONFIG_AUDIT */
+static inline __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+	       const char *fmt, ...)
+{ }
+static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
+						   gfp_t gfp_mask, int type)
+{
+	return NULL;
+}
+static inline __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
+{ }
+static inline void audit_log_end(struct audit_buffer *ab)
+{ }
+static inline void audit_log_n_hex(struct audit_buffer *ab,
+				   const unsigned char *buf, size_t len)
+{ }
+static inline void audit_log_n_string(struct audit_buffer *ab,
+				      const char *buf, size_t n)
+{ }
+static inline void  audit_log_n_untrustedstring(struct audit_buffer *ab,
+						const char *string, size_t n)
+{ }
+static inline void audit_log_untrustedstring(struct audit_buffer *ab,
+					     const char *string)
+{ }
+static inline void audit_log_d_path(struct audit_buffer *ab,
+				    const char *prefix,
+				    const struct path *path)
+{ }
+static inline void audit_log_key(struct audit_buffer *ab, char *key)
+{ }
+static inline void audit_log_link_denied(const char *string,
+					 const struct path *link)
+{ }
+static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+static inline int audit_log_task_context(struct audit_buffer *ab)
+{
+	return 0;
+}
+static inline void audit_log_task_info(struct audit_buffer *ab,
+				       struct task_struct *tsk)
+{ }
+#define audit_enabled 0
+#endif /* CONFIG_AUDIT */
+
 #ifdef CONFIG_AUDIT_COMPAT_GENERIC
 #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
 #else
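Review bot: The relocated CONFIG_AUDIT block carries a pre-existing prototype mismatch that this move is a natural place to fix: the extern `audit_log_link_denied(const char *operation, struct path *link)` and the !CONFIG_AUDIT stub `audit_log_link_denied(const char *string, const struct path *link)` disagree on both the first parameter's name and the constness of `link`. Since the stub is what callers see in the disabled configuration, a caller that compiles against the stub with a `const struct path *` would fail to build once CONFIG_AUDIT is enabled. If the definition in audit.c does not write through `link` (not visible here), aligning the extern to `extern void audit_log_link_denied(const char *operation, const struct path *link);` and renaming the stub's first parameter to `operation` would make the two configurations interchangeable. The rest of the hunk is a verbatim move and needs no further change.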
@@ -212,6 +313,9 @@ void audit_core_dumps(long signr);
 
 static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 {
+	if (!audit_enabled)
+		return;
+
 	/* Force a record to be reported if a signal was delivered. */
 	if (signr || unlikely(!audit_dummy_context()))
 		__audit_seccomp(syscall, signr, code);
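Review bot: The comment `/* Force a record to be reported if a signal was delivered. */` is now inaccurate, because the added early return means a seccomp-delivered signal produces no record at all while audit_enabled is 0; the "force" only applies once the new guard has passed. Suggest rewording it to `/* Force a record if a signal was delivered, unless auditing is disabled. */` so the next reader does not assume SECCOMP kill events are always logged. This is worth stating explicitly since it is a change in what reaches the audit log: any monitoring that depends on SECCOMP records must keep audit_enabled non-zero. The closing brace of audit_seccomp() lies outside the hunk.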
@@ -446,106 +550,6 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
-#ifdef CONFIG_AUDIT
-/* These are defined in audit.c */
-				/* Public API */
-extern __printf(4, 5)
-void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
-	       const char *fmt, ...);
-
-extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
-extern __printf(2, 3)
-void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
-extern void		    audit_log_end(struct audit_buffer *ab);
-extern bool		    audit_string_contains_control(const char *string,
-							  size_t len);
-extern void		    audit_log_n_hex(struct audit_buffer *ab,
-					  const unsigned char *buf,
-					  size_t len);
-extern void		    audit_log_n_string(struct audit_buffer *ab,
-					       const char *buf,
-					       size_t n);
-extern void		    audit_log_n_untrustedstring(struct audit_buffer *ab,
-							const char *string,
-							size_t n);
-extern void		    audit_log_untrustedstring(struct audit_buffer *ab,
-						      const char *string);
-extern void		    audit_log_d_path(struct audit_buffer *ab,
-					     const char *prefix,
-					     const struct path *path);
-extern void		    audit_log_key(struct audit_buffer *ab,
-					  char *key);
-extern void		    audit_log_link_denied(const char *operation,
-						  struct path *link);
-extern void		    audit_log_lost(const char *message);
-#ifdef CONFIG_SECURITY
-extern void 		    audit_log_secctx(struct audit_buffer *ab, u32 secid);
-#else
-static inline void	    audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{ }
-#endif
-
-extern int audit_log_task_context(struct audit_buffer *ab);
-extern void audit_log_task_info(struct audit_buffer *ab,
-				struct task_struct *tsk);
-
-extern int		    audit_update_lsm_rules(void);
-
-				/* Private API (for audit.c only) */
-extern int audit_filter_user(int type);
-extern int audit_filter_type(int type);
-extern int audit_rule_change(int type, __u32 portid, int seq,
-				void *data, size_t datasz);
-extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
-
-extern u32 audit_enabled;
-#else /* CONFIG_AUDIT */
-static inline __printf(4, 5)
-void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
-	       const char *fmt, ...)
-{ }
-static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
-						   gfp_t gfp_mask, int type)
-{
-	return NULL;
-}
-static inline __printf(2, 3)
-void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
-{ }
-static inline void audit_log_end(struct audit_buffer *ab)
-{ }
-static inline void audit_log_n_hex(struct audit_buffer *ab,
-				   const unsigned char *buf, size_t len)
-{ }
-static inline void audit_log_n_string(struct audit_buffer *ab,
-				      const char *buf, size_t n)
-{ }
-static inline void  audit_log_n_untrustedstring(struct audit_buffer *ab,
-						const char *string, size_t n)
-{ }
-static inline void audit_log_untrustedstring(struct audit_buffer *ab,
-					     const char *string)
-{ }
-static inline void audit_log_d_path(struct audit_buffer *ab,
-				    const char *prefix,
-				    const struct path *path)
-{ }
-static inline void audit_log_key(struct audit_buffer *ab, char *key)
-{ }
-static inline void audit_log_link_denied(const char *string,
-					 const struct path *link)
-{ }
-static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{ }
-static inline int audit_log_task_context(struct audit_buffer *ab)
-{
-	return 0;
-}
-static inline void audit_log_task_info(struct audit_buffer *ab,
-				       struct task_struct *tsk)
-{ }
-#define audit_enabled 0
-#endif /* CONFIG_AUDIT */
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));



* Re: [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag
  2015-11-23 22:20 [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag Paul Moore
@ 2015-11-23 22:20 ` Tony Jones
  2015-11-23 22:35   ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Tony Jones @ 2015-11-23 22:20 UTC (permalink / raw)
  To: Paul Moore, linux-audit; +Cc: linux-security-module

On 11/23/2015 02:20 PM, Paul Moore wrote:
> Previously we were emitting seccomp audit records regardless of the
> audit_enabled setting, a deparature from the rest of audit.  This
> patch makes seccomp auditing consistent with the rest of the audit
> record generation code in that when audit_enabled=0 nothing is logged
> by the audit subsystem.
> 
> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
> code change was in the audit_seccomp() definition.
> 
> Reported-by: Tony Jones <tonyj@suse.de>
> Signed-off-by: Paul Moore <pmoore@redhat.com>

Seems pretty much the same (functionally) as the patch I posted to audit 
list on 10/12/2015 except that didn't hoist the entire block.

Signed-off-by: Tony Jones <tonyj@suse.de>



* Re: [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag
  2015-11-23 22:20 ` Tony Jones
@ 2015-11-23 22:35   ` Paul Moore
  2015-11-24 18:57     ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2015-11-23 22:35 UTC (permalink / raw)
  To: Tony Jones; +Cc: Paul Moore, linux-audit, linux-security-module

On Mon, Nov 23, 2015 at 5:20 PM, Tony Jones <tonyj@suse.de> wrote:
> On 11/23/2015 02:20 PM, Paul Moore wrote:
>> Previously we were emitting seccomp audit records regardless of the
>> audit_enabled setting, a deparature from the rest of audit.  This
>> patch makes seccomp auditing consistent with the rest of the audit
>> record generation code in that when audit_enabled=0 nothing is logged
>> by the audit subsystem.
>>
>> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
>> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
>> code change was in the audit_seccomp() definition.
>>
>> Reported-by: Tony Jones <tonyj@suse.de>
>> Signed-off-by: Paul Moore <pmoore@redhat.com>
>
> Seems pretty much the same (functionally) as the patch I posted to audit
> list on 10/12/2015 except that didn't hoist the entire block.

Yep, I preferred to move the block as I think it should have been that
way anyway from the start.  IMHO we have too many audit Kconfig knobs
as-is, and splitting that block for just the audit_enabled flag made
things worse.

> Signed-off-by: Tony Jones <tonyj@suse.de>

-- 
paul moore
www.paul-moore.com


* Re: [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag
  2015-11-23 22:35   ` Paul Moore
@ 2015-11-24 18:57     ` Paul Moore
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2015-11-24 18:57 UTC (permalink / raw)
  To: linux-audit; +Cc: Tony Jones, linux-security-module

On Monday, November 23, 2015 05:35:58 PM Paul Moore wrote:
> On Mon, Nov 23, 2015 at 5:20 PM, Tony Jones <tonyj@suse.de> wrote:
> > On 11/23/2015 02:20 PM, Paul Moore wrote:
> >> Previously we were emitting seccomp audit records regardless of the
> >> audit_enabled setting, a deparature from the rest of audit.  This
> >> patch makes seccomp auditing consistent with the rest of the audit
> >> record generation code in that when audit_enabled=0 nothing is logged
> >> by the audit subsystem.
> >> 
> >> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
> >> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
> >> code change was in the audit_seccomp() definition.
> >> 
> >> Reported-by: Tony Jones <tonyj@suse.de>
> >> Signed-off-by: Paul Moore <pmoore@redhat.com>
> > 
> > Seems pretty much the same (functionally) as the patch I posted to audit
> > list on 10/12/2015 except that didn't hoist the entire block.
> 
> Yep, I prefered to move the block as I think it should have been that
> way anyway from the start.  IMHO we got to many audit Kconfig knobs
> as-is and splitting that block for just the audit_enabled flag made
> things worse.
> 
> > Signed-off-by: Tony Jones <tonyj@suse.de>

I just merged this patch into audit#next; the only change is that I replaced the 
"Reported-by" for Tony with his sign-off.

-- 
paul moore
security @ redhat


