[RFC] linux-2.6.10-auditfs-tc1.patch

Chris Wright chrisw at osdl.org
Fri Jan 21 17:15:28 UTC 2005


[much easier to comment on patches if they are inline, and shorter lines
to keep linewrap down]

* Darrel Goeddel (dgoeddel at trustedcs.com) wrote:
> Serge Hallyn wrote:
> > Perhaps we should print out current->cap_effective?  Or is that
> > overkill?  Or perhaps an actual "security_identify_process(task, buf,
> > len)" hook would be useful, where commoncap could print out the
> > capabilities, and selinux could print out the context.  Maybe that's
> > closer to debug info...
> > 
> 
> This hook, and a similar security_identify_inode(...), hook will be necessary 
> for an LSM to go through a LSPP evaluation.  The label information is required 
> to be included in the audit record for all subjects/objects/information involved 
> in the event.  I have a quick-and-dirty patch that implemented this 
> functionality.  Note that this patch uses pre-allocated 1K buffers (limits info 
> and sucks up a lot of memory).  A proper memory allocation scheme needs to be 
> worked up and the patch probably needs to be rebased to newer code.  I planned 
> on getting back to this in the near future.  If someone else is working on this 
> functionality, please let me know, otherwise I can bump this up on my TODO list.
> 
> This patch also includes uid/gid/mode for filesystem objects.  I felt that this 
> was a needed addition to determine the cause of filesystem related denials.  Do 
> others agree with this addition to the records, and is there anything else that 
> we could possibly want?

This would be redundant to the audit info that Tim's trying to push out.
Security label should stand alone, and be a simple string.


> -			    nd->dentry->d_inode->i_ino,
> -			    nd->dentry->d_inode->i_rdev);
> +		audit_inode(name, nd->dentry->d_inode);

Makes sense.  But this is only for path lookup.  Doesn't account, for
example, for the audit msg partway through failed path resolution --
failed for security reason, for example.

>  	return retval;
>  }
>  
> Index: include/linux/audit.h
> ===================================================================
> RCS file: /source/cvsroots/fedora-cd/fedora-cd/src/linux-2.6/include/linux/audit.h,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 audit.h
> --- include/linux/audit.h	26 May 2004 18:05:58 -0000	1.1.1.1
> +++ include/linux/audit.h	12 Jan 2005 19:48:40 -0000
> @@ -147,7 +147,9 @@ extern void audit_syscall_entry(struct t
>  extern void audit_syscall_exit(struct task_struct *task, int return_code);
>  extern void audit_getname(const char *name);
>  extern void audit_putname(const char *name);
> -extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
> +
> +struct inode;
> +extern void audit_inode(const char *name, struct inode *inode);
>  
>  				/* Private API (for audit.c only) */
>  extern int  audit_receive_filter(int type, int pid, int uid, int seq,
> @@ -162,7 +164,7 @@ extern int  audit_set_loginuid(struct au
>  #define audit_syscall_exit(t,r) do { ; } while (0)
>  #define audit_getname(n) do { ; } while (0)
>  #define audit_putname(n) do { ; } while (0)
> -#define audit_inode(n,i,d) do { ; } while (0)
> +#define audit_inode(n,i) do { ; } while (0)
>  #endif
>  
>  #ifdef CONFIG_AUDIT
> Index: include/linux/security.h
> ===================================================================
> RCS file: /source/cvsroots/fedora-cd/fedora-cd/src/linux-2.6/include/linux/security.h,v
> retrieving revision 1.35
> diff -u -p -r1.35 security.h
> --- include/linux/security.h	11 Jan 2005 19:10:15 -0000	1.35
> +++ include/linux/security.h	12 Jan 2005 19:48:40 -0000
> @@ -413,6 +413,11 @@ struct open_request;
>   *	is specified by @buffer_size.  @buffer may be NULL to request
>   *	the size of the buffer required.
>   *	Returns number of bytes used/required on success.
> + * @inode_audit_augment:
> + *	Copy a NULL terminated string representing @inode's security relevant
> + *	data into @buffer.  @buffer_size is the size of buffer that is being
> + *	written to.  You only have this much space and this call can not return
> + *	an error, so manage the space wisely...
>   *
>   * Security hooks for file operations
>   *
> @@ -632,6 +637,11 @@ struct open_request;
>   * 	security attributes, e.g. for /proc/pid inodes.
>   *	@p contains the task_struct for the task.
>   *	@inode contains the inode structure for the inode.
> + * @task_audit_augment:
> + *	Copy a NULL terminated string representing @p's security relevant
> + *	data into @buffer.  @buffer_size is the size of buffer that is being
> + *	written to.  You only have this much space and this call can not return
> + *	an error, so manage the space wisely...

This should simply get back a char*, and the caller is responsible for
freeing, or something like that.  Also, this is needed for _every_ label,
not just inode and task.  SELinux already has this function internally,
see getprocattr->security_sid_to_context.  Perhaps a better solution is
to make the name be part of a label.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net




More information about the Linux-audit mailing list