From ca96a895a6bae7efe7b11a35d9f43e6228467562 Mon Sep 17 00:00:00 2001 From: Jiri Pirko Date: Fri, 9 Jan 2009 16:44:16 +0100 Subject: audit: EXECVE record - removed bogus newline (updated) Added hunk that changes the comment, the rest is the same. EXECVE records contain a newline after every argument. auditd converts "\n" to " " so you cannot see newlines even in raw logs, but they're there nevertheless. If you're not using auditd, you need to work round them. These '\n' chars are can be easily replaced by spaces when creating record in kernel. Note there is no need for trailing '\n' in an audit record. record before this patch: "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\"\na1=\"a\"\na2=\"b\"\na3=\"c\"\n" record after this patch: "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\" a1=\"a\" a2=\"b\" a3=\"c\"" Signed-off-by: Jiri Pirko Acked-by: Eric Paris Signed-off-by: Al Viro --- kernel/auditsc.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2bfc6478676..738c03695b7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1024,7 +1024,7 @@ static int audit_log_single_execve_arg(struct audit_context *context, { char arg_num_len_buf[12]; const char __user *tmp_p = p; - /* how many digits are in arg_num? 3 is the length of a=\n */ + /* how many digits are in arg_num? 3 is the length of " a=" */ size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3; size_t len, len_left, to_send; size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; @@ -1110,7 +1110,7 @@ static int audit_log_single_execve_arg(struct audit_context *context, * so we can be sure nothing was lost. */ if ((i == 0) && (too_long)) - audit_log_format(*ab, "a%d_len=%zu ", arg_num, + audit_log_format(*ab, " a%d_len=%zu", arg_num, has_cntl ? 2*len : len); /* @@ -1130,7 +1130,7 @@ static int audit_log_single_execve_arg(struct audit_context *context, buf[to_send] = '\0'; /* actually log it */ - audit_log_format(*ab, "a%d", arg_num); + audit_log_format(*ab, " a%d", arg_num); if (too_long) audit_log_format(*ab, "[%d]", i); audit_log_format(*ab, "="); @@ -1138,7 +1138,6 @@ static int audit_log_single_execve_arg(struct audit_context *context, audit_log_n_hex(*ab, buf, to_send); else audit_log_format(*ab, "\"%s\"", buf); - audit_log_format(*ab, "\n"); p += to_send; len_left -= to_send; @@ -1166,7 +1165,7 @@ static void audit_log_execve_info(struct audit_context *context, p = (const char __user *)axi->mm->arg_start; - audit_log_format(*ab, "argc=%d ", axi->argc); + audit_log_format(*ab, "argc=%d", axi->argc); /* * we need some kernel buffer to hold the userspace args. Just -- cgit v1.2.3-70-g09d2 From 6b96255998053a89f45c0855de954b71f5c3887b Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Mon, 5 Jan 2009 13:41:13 -0800 Subject: auditsc: fix kernel-doc notation Fix auditsc kernel-doc notation: Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): No description found for parameter 'attr' Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): Excess function parameter 'u_attr' description in '__audit_mq_open' Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): No description found for parameter 'notification' Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): Excess function parameter 'u_notification' description in '__audit_mq_notify' Signed-off-by: Randy Dunlap cc: Al Viro cc: Eric Paris Signed-off-by: Al Viro --- kernel/auditsc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 738c03695b7..b344b86557a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2149,7 +2149,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) * __audit_mq_open - record audit data for a POSIX MQ open * @oflag: open flag * @mode: mode bits - * @u_attr: queue attributes + * @attr: queue attributes * */ void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr) @@ -2196,7 +2196,7 @@ void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, /** * __audit_mq_notify - record audit data for a POSIX MQ notify * @mqdes: MQ descriptor - * @u_notification: Notification event + * @notification: Notification event * */ -- cgit v1.2.3-70-g09d2 From c28bb7da74ab74a2860d652493aaff7de104d79e Mon Sep 17 00:00:00 2001 From: Zhenwen Xu Date: Thu, 12 Mar 2009 22:16:12 +0800 Subject: make the e->rule.xxx shorter in kernel auditfilter.c make the e->rule.xxx shorter in kernel/auditfilter.c -- --------------------------------- Zhenwen Xu - Open and Free Home Page: http://zhwen.org My Studio: http://dim4.cn >From 99692dc640b278f1cb1a15646ce42f22e89c0f77 Mon Sep 17 00:00:00 2001 From: Zhenwen Xu Date: Thu, 12 Mar 2009 22:04:59 +0800 Subject: [PATCH] make the e->rule.xxx shorter in kernel/auditfilter.c Signed-off-by: Zhenwen Xu Signed-off-by: Al Viro --- kernel/auditfilter.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index fbf24d121d9..a6fe71fd5d1 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -135,18 +135,18 @@ static void audit_remove_watch(struct audit_watch *watch) static inline void audit_free_rule(struct audit_entry *e) { int i; - + struct audit_krule *erule = &e->rule; /* some rules don't have associated watches */ - if (e->rule.watch) - audit_put_watch(e->rule.watch); - if (e->rule.fields) - for (i = 0; i < e->rule.field_count; i++) { - struct audit_field *f = &e->rule.fields[i]; + if (erule->watch) + audit_put_watch(erule->watch); + if (erule->fields) + for (i = 0; i < erule->field_count; i++) { + struct audit_field *f = &erule->fields[i]; kfree(f->lsm_str); security_audit_rule_free(f->lsm_rule); } - kfree(e->rule.fields); - kfree(e->rule.filterkey); + kfree(erule->fields); + kfree(erule->filterkey); kfree(e); } -- cgit v1.2.3-70-g09d2 From b3897f567100d18e0597f638b911d23aa5e0dd23 Mon Sep 17 00:00:00 2001 From: Miloslav Trmac Date: Thu, 19 Mar 2009 09:48:27 -0400 Subject: Audit: fix handling of 'strings' with NULL characters currently audit_log_n_untrustedstring() uses audit_string_contains_control() to check if the 'string' has any control characters. If the 'string' has an embedded NULL audit_string_contains_control() will return that the data has no control characters and will then pass the string to audit_log_n_string with the total length, not the length up to the first NULL. audit_log_n_string() does a memcpy of the entire length and so the actual audit record emitted may then contain a NULL and then whatever random memory is after the NULL. Since we want to log the entire octet stream (if we can't trust the data to be a string we can't trust that a NULL isn't actually a part of it) we should just consider NULL as a control character. If the caller is certain they want to stop at the first NULL they should be using audit_log_untrustedstring. Signed-off-by: Eric Paris Signed-off-by: Al Viro --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index ce6d8ea3131..fa3805516df 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1382,7 +1382,7 @@ void audit_log_n_string(struct audit_buffer *ab, const char *string, int audit_string_contains_control(const char *string, size_t len) { const unsigned char *p; - for (p = string; p < (const unsigned char *)string + len && *p; p++) { + for (p = string; p < (const unsigned char *)string + len; p++) { if (*p == '"' || *p < 0x21 || *p > 0x7e) return 1; } -- cgit v1.2.3-70-g09d2 From 55ad2f8d340678397de5916b9cd960f17ebd7150 Mon Sep 17 00:00:00 2001 From: Miloslav Trmac Date: Thu, 19 Mar 2009 09:52:47 -0400 Subject: audit: ignore terminating NUL in AUDIT_USER_TTY messages AUDIT_USER_TTY, like all other messages sent from user-space, is sent NUL-terminated. Unlike other user-space audit messages, which come only from trusted sources, AUDIT_USER_TTY messages are processed using audit_log_n_untrustedstring(). This patch modifies AUDIT_USER_TTY handling to ignore the trailing NUL and use the "quoted_string" representation of the message if possible. Signed-off-by: Miloslav Trmac Cc: Eric Paris Cc: Al Viro Cc: Steve Grubb Signed-off-by: Andrew Morton Signed-off-by: Al Viro --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index fa3805516df..5560390cb0f 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -766,6 +766,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_log_format(ab, " msg="); size = nlmsg_len(nlh); + if (size > 0 && + ((unsigned char *)data)[size - 1] == '\0') + size--; audit_log_n_untrustedstring(ab, data, size); } audit_set_pid(ab, pid); -- cgit v1.2.3-70-g09d2 From 6d208da89aabee8502debe842832ca0ab298d16d Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 1 Apr 2009 15:47:27 -0400 Subject: audit: Fix possible return value truncation in audit_get_context() The audit subsystem treats syscall return codes as type long, unfortunately the audit_get_context() function mistakenly converts the return code to an int type in the parameters which could cause problems on systems where the sizeof(int) != sizeof(long). Signed-off-by: Paul Moore Signed-off-by: Al Viro --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b344b86557a..e821d626dfe 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -752,7 +752,7 @@ static void audit_set_auditable(struct audit_context *ctx) static inline struct audit_context *audit_get_context(struct task_struct *tsk, int return_valid, - int return_code) + long return_code) { struct audit_context *context = tsk->audit_context; -- cgit v1.2.3-70-g09d2 From 318b6d3d7ddbcad3d6867e630711b8a705d873d7 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 13 Jan 2009 17:32:40 -0500 Subject: audit: incorrect ref counting in audit tree tag_chunk tag_chunk has bad exit paths in which the inotify ref counting is wrong. At the top of the function we found &old_watch using inotify_find_watch(). inotify_find_watch takes a reference to the watch. This is never dropped on an error path. Signed-off-by: Eric Paris Signed-off-by: Al Viro --- kernel/audit_tree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 8ad9545b8db..917ab952556 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c @@ -385,6 +385,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) mutex_lock(&inode->inotify_mutex); if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) { mutex_unlock(&inode->inotify_mutex); + put_inotify_watch(&old->watch); free_chunk(chunk); return -ENOSPC; } @@ -394,6 +395,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) chunk->dead = 1; inotify_evict_watch(&chunk->watch); mutex_unlock(&inode->inotify_mutex); + put_inotify_watch(&old->watch); put_inotify_watch(&chunk->watch); return 0; } -- cgit v1.2.3-70-g09d2 From 679173b724631f49e537a15fa48ea2000bdc1808 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 26 Jan 2009 18:09:45 -0500 Subject: audit: audit_set_auditable defined but not used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit after 0590b9335a1c72a3f0defcc6231287f7817e07c8 audit_set_auditable() is now only used by the audit tree code. If CONFIG_AUDIT_TREE is unset it will be defined but unused. This patch simply moves the function inside a CONFIG_AUDIT_TREE block. cc1: warnings being treated as errors /home/acme_unencrypted/git/linux-2.6-tip/kernel/auditsc.c:745: error: ‘audit_set_auditable’ defined but not used make[2]: *** [kernel/auditsc.o] Error 1 make[1]: *** [kernel] Error 2 make[1]: *** Waiting for unfinished jobs.... Signed-off-by: Eric Paris Signed-off-by: Al Viro --- kernel/auditsc.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e821d626dfe..aa0428e0836 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -329,6 +329,14 @@ static int audit_match_filetype(struct audit_context *ctx, int which) */ #ifdef CONFIG_AUDIT_TREE +static void audit_set_auditable(struct audit_context *ctx) +{ + if (!ctx->prio) { + ctx->prio = 1; + ctx->current_state = AUDIT_RECORD_CONTEXT; + } +} + static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk) { struct audit_tree_refs *p = ctx->trees; @@ -742,14 +750,6 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) rcu_read_unlock(); } -static void audit_set_auditable(struct audit_context *ctx) -{ - if (!ctx->prio) { - ctx->prio = 1; - ctx->current_state = AUDIT_RECORD_CONTEXT; - } -} - static inline struct audit_context *audit_get_context(struct task_struct *tsk, int return_valid, long return_code) -- cgit v1.2.3-70-g09d2 From def57543418a5f47debae28a0a9dea2effc11692 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 10 Mar 2009 18:00:14 -0400 Subject: Audit: remove spaces from audit_log_d_path audit_log_d_path had spaces in the strings which would be emitted on the error paths. This patch simply replaces those spaces with an _ or removes the needless spaces entirely. Signed-off-by: Eric Paris Signed-off-by: Al Viro --- kernel/audit.c | 4 ++-- kernel/auditsc.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5560390cb0f..9442c3533ba 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1440,13 +1440,13 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix, /* We will allow 11 spaces for ' (deleted)' to be appended */ pathname = kmalloc(PATH_MAX+11, ab->gfp_mask); if (!pathname) { - audit_log_format(ab, ""); + audit_log_string(ab, ""); return; } p = d_path(path, pathname, PATH_MAX+11); if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */ /* FIXME: can we save some information here? */ - audit_log_format(ab, ""); + audit_log_string(ab, ""); } else audit_log_untrustedstring(ab, p); kfree(pathname); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index aa0428e0836..7d6ac7c1f41 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1478,7 +1478,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts case 0: /* name was specified as a relative path and the * directory component is the cwd */ - audit_log_d_path(ab, " name=", &context->pwd); + audit_log_d_path(ab, "name=", &context->pwd); break; default: /* log the name's directory component */ -- cgit v1.2.3-70-g09d2