Commit Graph

430 Commits

Author SHA1 Message Date
David Woodhouse b7d1125817 AUDIT: Send netlink messages from a separate kernel thread
netlink_unicast() will attempt to reallocate and will free messages if
the socket's rcvbuf limit is reached unless we give it an infinite 
timeout. So do that, from a kernel thread which is dedicated to spewing
stuff up the netlink socket.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-19 10:56:58 +01:00
Steve Grubb 168b717395 AUDIT: Clean up logging of untrusted strings
* If vsnprintf returns -1, it will mess up the sk buffer space accounting. 
This is fixed by not calling skb_put with bogus len values.

* audit_log_hex was a loop that called audit_log_vformat with %02X for each 
character. This is very inefficient since conversion from unsigned character 
to Ascii representation is essentially masking, shifting, and byte lookups. 
Also, the length of the converted string is well known - it's twice the 
original. Fixed by rewriting the function.

* audit_log_untrustedstring had no comments. This makes it hard for 
someone to understand what the string format will be.

* audit_log_d_path was never fixed to use untrustedstring. This could mess
up user space parsers. This was fixed to make a temp buffer, call d_path, 
and log temp buffer using untrustedstring. 

From: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-19 10:24:22 +01:00
David Woodhouse 209aba0324 AUDIT: Treat all user messages identically.
It's silly to have to add explicit entries for new userspace messages
as we invent them. Just treat all messages in the user range the same.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-18 10:21:07 +01:00
David Woodhouse 5e014b10ef AUDIT: fix max_t thinko.
Der... if you use max_t it helps if you give it a type. 

Note to self: Always just apply the tested patches, don't try to port 
them by hand. You're not clever enough.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-13 18:50:33 +01:00
Steve Grubb 23f32d18aa AUDIT: Fix some spelling errors
I'm going through the kernel code and have a patch that corrects 
several spelling errors in comments.

From: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-13 18:35:15 +01:00
Steve Grubb c04049939f AUDIT: Add message types to audit records
This patch adds more messages types to the audit subsystem so that audit 
analysis is quicker, intuitive, and more useful.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
I forgot one type in the big patch. I need to add one for user space 
originating SE Linux avc messages. This is used by dbus and nscd.

-Steve
---
Updated to 2.6.12-rc4-mm1.
-dwmw2

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-13 18:17:42 +01:00
David Woodhouse 9ea74f0655 AUDIT: Round up audit skb expansion to AUDIT_BUFSIZ.
Otherwise, we will be repeatedly reallocating, even if we're only
adding a few bytes at a time. Pointed out by Steve Grubb.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-13 16:35:19 +01:00
Chris Wright c1b773d87e Add audit_log_type
Add audit_log_type to allow callers to specify type and pid when logging.
Convert audit_log to wrapper around audit_log_type.  Could have
converted all audit_log callers directly, but common case is default
of type AUDIT_KERNEL and pid 0.  Update audit_log_start to take type
and pid values when creating a new audit_buffer.  Move sequences that
did audit_log_start, audit_log_format, audit_set_type, audit_log_end,
to simply call audit_log_type directly.  This obsoletes audit_set_type
and audit_set_pid, so remove them.

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11 10:55:10 +01:00
Chris Wright 197c69c6af Move ifdef CONFIG_AUDITSYSCALL to header
Remove code conditionally dependent on CONFIG_AUDITSYSCALL from audit.c.
Move these dependencies to audit.h with the rest.

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11 10:54:05 +01:00
Chris Wright 804a6a49d8 Audit requires CONFIG_NET
Audit now actually requires netlink.  So make it depend on CONFIG_NET, 
and remove the inline dependencies on CONFIG_NET.

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11 10:52:45 +01:00
Chris Wright 5a241d7703 AUDIT: Properly account for alignment difference in nlmsg_len.
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-11 10:43:07 +01:00
David Woodhouse eecb0a7338 AUDIT: Fix abuse of va_args.
We're not allowed to use args twice; we need to use va_copy.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-10 18:58:51 +01:00
David Woodhouse e3b926b4c1 AUDIT: pass size argument to audit_expand().
Let audit_expand() know how much it's expected to grow the buffer, in 
the case that we have that information to hand.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-10 18:56:08 +01:00
Steve Grubb 8c5aa40c94 AUDIT: Fix reported length of audit messages.
We were setting nlmsg_len to skb->len, but we should be subtracting
the size of the header.

From: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-10 18:53:07 +01:00
David Woodhouse 4332bdd332 AUDIT: Honour gfp_mask in audit_buffer_alloc()
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-06 15:59:57 +01:00
Chris Wright 5ac52f33b6 AUDIT: buffer audit msgs directly to skb
Drop the use of a tmp buffer in the audit_buffer, and just buffer
directly to the skb.  All header data that was temporarily stored in
the audit_buffer can now be stored directly in the netlink header in
the skb.  Resize skb as needed.  This eliminates the extra copy (and
the audit_log_move function which was responsible for copying).

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-06 15:54:53 +01:00
Chris Wright 8fc6115c2a AUDIT: expand audit tmp buffer as needed
Introduce audit_expand and make the audit_buffer use a dynamic buffer
which can be resized.  When audit buffer is moved to skb it will not
be fragmented across skb's, so we can eliminate the sklist in the
audit_buffer.  During audit_log_move, we simply copy the full buffer
into a single skb, and then audit_log_drain sends it on.

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-06 15:54:17 +01:00
Chris Wright 16e1904e69 AUDIT: Add helper functions to allocate and free audit_buffers.
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-06 15:53:34 +01:00
Steve Grubb c2f0c7c356 The attached patch addresses the problem with getting the audit daemon
shutdown credential information. It creates a new message type 
AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the 
shutdown. 

It requires the placement of a hook function that gathers the information. The 
hook is after the DAC & MAC checks and before the function returns. Racing 
threads could overwrite the uid & pid - but they would have to be root and 
have policy that allows signalling the audit daemon. That should be a 
manageable risk.

The userspace component will be released later in audit 0.7.2. When it 
receives the TERM signal, it queries the kernel for shutdown information. 
When it receives it, it writes the message and exits. The message looks 
like this:

type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 
uid=525, auditd pid=1685

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-06 12:38:39 +01:00
David Woodhouse bfd4bda097 Merge with master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6.git 2005-05-05 13:59:37 +01:00
Herbert Xu 2a0a6ebee1 [NETLINK]: Synchronous message processing.
Let's recap the problem.  The current asynchronous netlink kernel
message processing is vulnerable to these attacks:

1) Hit and run: Attacker sends one or more messages and then exits
before they're processed.  This may confuse/disable the next netlink
user that gets the netlink address of the attacker since it may
receive the responses to the attacker's messages.

Proposed solutions:

a) Synchronous processing.
b) Stream mode socket.
c) Restrict/prohibit binding.

2) Starvation: Because various netlink rcv functions were written
to not return until all messages have been processed on a socket,
it is possible for these functions to execute for an arbitrarily
long period of time.  If this is successfully exploited it could
also be used to hold rtnl forever.

Proposed solutions:

a) Synchronous processing.
b) Stream mode socket.

Firstly let's cross off solution c).  It only solves the first
problem and it has user-visible impacts.  In particular, it'll
break user space applications that expect to bind or communicate
with specific netlink addresses (pid's).

So we're left with a choice of synchronous processing versus
SOCK_STREAM for netlink.

For the moment I'm sticking with the synchronous approach as
suggested by Alexey since it's simpler and I'd rather spend
my time working on other things.

However, it does have a number of deficiencies compared to the
stream mode solution:

1) User-space to user-space netlink communication is still vulnerable.

2) Inefficient use of resources.  This is especially true for rtnetlink
since the lock is shared with other users such as networking drivers.
The latter could hold the rtnl while communicating with hardware which
causes the rtnetlink user to wait when it could be doing other things.

3) It is still possible to DoS all netlink users by flooding the kernel
netlink receive queue.  The attacker simply fills the receive socket
with a single netlink message that fills up the entire queue.  The
attacker then continues to call sendmsg with the same message in a loop.

Point 3) can be countered by retransmissions in user-space code, however
it is pretty messy.

In light of these problems (in particular, point 3), we should implement
stream mode netlink at some point.  In the mean time, here is a patch
that implements synchronous processing.  

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-05-03 14:55:09 -07:00
Chris Wright 0dd8e06bda [PATCH] add new audit data to last skb
When adding more formatted audit data to an skb for delivery to userspace,
the kernel will attempt to reuse an skb that has spare room.  However, if
the audit message has already been fragmented to multiple skb's, the search
for spare room in the skb uses the head of the list.  This will corrupt the
audit message with trailing bytes being placed midway through the stream.
Fix is to look at the end of the list.

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-05-03 14:01:15 +01:00
Chris Wright 37509e749d [AUDIT] Requeue messages at head of queue, up to audit_backlog
If netlink_unicast() fails, requeue the skb back at the head of the queue
it just came from, instead of the tail. And do so unless we've exceeded
the audit_backlog limit; not according to some other arbitrary limit.

From: Chris Wright <chrisw@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29 17:19:14 +01:00
Serge Hallyn c94c257c88 Add audit uid to netlink credentials
Most audit control messages are sent over netlink.In order to properly
log the identity of the sender of audit control messages, we would like
to add the loginuid to the netlink_creds structure, as per the attached
patch.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29 16:27:17 +01:00
85c8721ff3 audit: update pointer to userspace tools, remove emacs mode tags 2005-04-29 16:23:29 +01:00
Peter Martuccelli c7fcb0ee74 [AUDIT] Avoid using %*.*s format strings.
They don't seem to work correctly (investigation ongoing), but we don't
actually need to do it anyway.

Patch from Peter Martuccelli <peterm@redhat.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29 16:10:24 +01:00
Steve Grubb d812ddbb89 [AUDIT] Fix signedness of 'serial' in various routines.
Attached is a patch that corrects a signed/unsigned warning. I also noticed
that we needlessly init serial to 0. That only needs to occur if the kernel
was compiled without the audit system.

-Steve Grubb

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29 16:09:52 +01:00
Andrew Morton 81b7854d52 audit_log_untrustedstring() warning fix
kernel/audit.c: In function `audit_log_untrustedstring':
kernel/audit.c:736: warning: comparison is always false due to limited range of data type

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29 15:59:11 +01:00
83c7d09173 AUDIT: Avoid log pollution by untrusted strings.
We log strings from userspace, such as arguments to open(). These could
be formatted to contain \n followed by fake audit log entries. Provide
a function for logging such strings, which gives a hex dump when the
string contains anything but basic printable ASCII characters. Use it
for logging filenames.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2005-04-29 15:54:44 +01:00
Linus Torvalds 1da177e4c3 Linux-2.6.12-rc2
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!
2005-04-16 15:20:36 -07:00