[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH] auditfsify the audit-0.6.7 userspace package



Hello,

This patch is updated for audit-0.6.7.  The most notable change is the removal 
of runtime enablement/disablement of the filesystem auditing mechanism.  
Though I don't envision many more changes on my part, to the userspace 
package,  I have to reiterate that the mixed-spacing is atrocious and that we 
should just "indent -i8 -kr" the entire audit userspace package so we can get 
some normalcy going.

A patch for auditfs against linux-2.6.11 should follow suit.  I just need to 
do a little more testing of the newer logic.

Please note, it's probably best to patch with a seperate audit-0.6.7 package 
and ./configure it with an sbindir other then the one you used for your 
original audit-0.6.7 install.

-tim

diff -Nurp audit-0.6.7/lib/libaudit.c auditfs-audit-0.6.7/lib/libaudit.c
--- audit-0.6.7/lib/libaudit.c	2005-03-09 12:11:39.000000000 -0600
+++ auditfs-audit-0.6.7/lib/libaudit.c	2005-03-14 00:29:58.000000000 -0600
@@ -200,6 +200,17 @@ uid_t audit_getloginuid(void)
 		return uid;
 }
 
+/* req->namelen is used for kernel->user traffic only */
+int audit_insert_watch(int fd, struct audit_watch *req)
+{
+    return audit_send(fd, AUDIT_WATCH_INS, req, sizeof(*req));
+}
+
+int audit_remove_watch(int fd, struct audit_watch *req)
+{
+    return audit_send(fd, AUDIT_WATCH_REM, req, sizeof(*req));
+}
+
 int audit_send_message(int fd, const char *message)
 {
 	if (fd >= 0) {
diff -Nurp audit-0.6.7/lib/libaudit.h auditfs-audit-0.6.7/lib/libaudit.h
--- audit-0.6.7/lib/libaudit.h	2005-03-08 12:56:09.000000000 -0600
+++ auditfs-audit-0.6.7/lib/libaudit.h	2005-03-14 00:32:50.000000000 -0600
@@ -45,6 +45,7 @@ struct audit_reply {
     struct audit_status  *status;
     struct audit_rule    *rule;
     struct audit_login   *login;
+    int			 watch;
     const char           *message;
     struct nlmsgerr      *error;
 };
@@ -120,6 +121,11 @@ extern int  audit_set_loginuid(uid_t uid
 extern int  audit_login_message(int fd, const char *arg);
 extern int  audit_logout_message(int fd, const char *arg);
 
+/* INSERT WATCH */
+extern int audit_insert_watch(int fd, struct audit_watch *req);
+/* REMOVE WATCH */
+extern int audit_remove_watch(int fd, struct audit_watch *req);
+
 /* Rule-building helper functions */
 extern struct audit_rule *audit_rule_alloc(void);
 extern int  audit_rule_syscall(struct audit_rule *rule, int syscall);
diff -Nurp audit-0.6.7/lib/netlink.c auditfs-audit-0.6.7/lib/netlink.c
--- audit-0.6.7/lib/netlink.c	2005-03-08 12:55:31.000000000 -0600
+++ auditfs-audit-0.6.7/lib/netlink.c	2005-03-14 00:32:31.000000000 -0600
@@ -124,6 +124,7 @@ static int adjust_reply(struct audit_rep
     rep->type    = rep->msg.nlh.nlmsg_type;
     rep->len     = rep->msg.nlh.nlmsg_len;
     rep->nlh     = &rep->msg.nlh;
+    rep->watch	 = 0;
     rep->status  = NULL;
     rep->rule    = NULL;
     rep->message = NULL;
@@ -146,6 +147,10 @@ static int adjust_reply(struct audit_rep
     case AUDIT_USER:  
 	rep->message = NLMSG_DATA(rep->nlh); 
 	break;
+    case AUDIT_WATCH_INS:
+    case AUDIT_WATCH_REM:
+	memcpy(&rep->watch, NLMSG_DATA(rep->nlh), sizeof(int));
+	break;
     }
     return len;
 }
diff -Nurp audit-0.6.7/linux/audit.h auditfs-audit-0.6.7/linux/audit.h
--- audit-0.6.7/linux/audit.h	1969-12-31 17:00:00.000000000 -0700
+++ auditfs-audit-0.6.7/linux/audit.h	2005-03-14 00:35:27.000000000 -0600
@@ -0,0 +1,268 @@
+/* audit.h -- Auditing support -*- linux-c -*-
+ *
+ * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * Written by Rickard E. (Rik) Faith <faith redhat com>
+ *
+ */
+
+#ifndef _LINUX_AUDIT_H_
+#define _LINUX_AUDIT_H_
+
+#ifdef __KERNEL__
+#include <linux/list.h>
+#include <linux/spinlock.h>
+#include <asm/atomic.h>
+#endif
+
+/* Request and reply types */
+#define AUDIT_GET      	1000	/* Get status */
+#define AUDIT_SET      	1001	/* Set status (enable/disable/auditd) */
+#define AUDIT_LIST     	1002	/* List filtering rules */
+#define AUDIT_ADD      	1003	/* Add filtering rule */
+#define AUDIT_DEL      	1004	/* Delete filtering rule */
+#define AUDIT_USER     	1005	/* Send a message from user-space */
+#define AUDIT_LOGIN    	1006    /* Define the login id and information */
+#define AUDIT_WATCH_INS	1007    /* Insert file/dir watch entry */
+#define AUDIT_WATCH_REM	1008	/* Remove file/dir watch entry */
+#define AUDIT_KERNEL   	2000	/* Asynchronous audit record. NOT A REQUEST. */
+
+/* Rule flags */
+#define AUDIT_PER_TASK 0x01	/* Apply rule at task creation (not syscall) */
+#define AUDIT_AT_ENTRY 0x02	/* Apply rule at syscall entry */
+#define AUDIT_AT_EXIT  0x04	/* Apply rule at syscall exit */
+#define AUDIT_PREPEND  0x10	/* Prepend to front of list */
+
+/* Rule actions */
+#define AUDIT_NEVER    0	/* Do not build context if rule matches */
+#define AUDIT_POSSIBLE 1	/* Build context if rule matches  */
+#define AUDIT_ALWAYS   2	/* Generate audit record if rule matches */
+
+/* Rule structure sizes -- if these change, different AUDIT_ADD and
+ * AUDIT_LIST commands must be implemented. */
+#define AUDIT_MAX_FIELDS   64
+#define AUDIT_BITMASK_SIZE 64
+#define AUDIT_WORD(nr) ((__u32)((nr)/32))
+#define AUDIT_BIT(nr)  (1 << ((nr) - AUDIT_WORD(nr)*32))
+
+/* Rule fields */
+				/* These are useful when checking the
+				 * task structure at task creation time
+				 * (AUDIT_PER_TASK).  */
+#define AUDIT_PID	0
+#define AUDIT_UID	1
+#define AUDIT_EUID	2
+#define AUDIT_SUID	3
+#define AUDIT_FSUID	4
+#define AUDIT_GID	5
+#define AUDIT_EGID	6
+#define AUDIT_SGID	7
+#define AUDIT_FSGID	8
+#define AUDIT_LOGINUID	9
+#define AUDIT_PERS	10
+
+				/* These are ONLY useful when checking
+				 * at syscall exit time (AUDIT_AT_EXIT). */
+#define AUDIT_DEVMAJOR	100
+#define AUDIT_DEVMINOR	101
+#define AUDIT_INODE	102
+#define AUDIT_EXIT	103
+#define AUDIT_SUCCESS   104	/* exit >= 0; value ignored */
+
+#define AUDIT_ARG0      200
+#define AUDIT_ARG1      (AUDIT_ARG0+1)
+#define AUDIT_ARG2      (AUDIT_ARG0+2)
+#define AUDIT_ARG3      (AUDIT_ARG0+3)
+
+#define AUDIT_NEGATE    0x80000000
+
+
+/* Status symbols */
+				/* Mask values */
+#define AUDIT_STATUS_ENABLED		0x0001
+#define AUDIT_STATUS_FAILURE		0x0002
+#define AUDIT_STATUS_PID		0x0004
+#define AUDIT_STATUS_RATE_LIMIT		0x0008
+#define AUDIT_STATUS_BACKLOG_LIMIT	0x0010
+
+				/* Failure-to-log actions */
+#define AUDIT_FAIL_SILENT	0
+#define AUDIT_FAIL_PRINTK	1
+#define AUDIT_FAIL_PANIC	2
+
+/* 32 byte max key size */
+#define AUDIT_FILTERKEY_MAX	32
+
+#ifndef __KERNEL__
+struct audit_message {
+	struct nlmsghdr nlh;
+	char		data[1200];
+};
+#endif
+
+struct audit_status {
+	__u32		mask;		/* Bit mask for valid entries */
+	__u32		enabled;	/* 1 = enabled, 0 = disbaled */
+	__u32		failure;	/* Failure-to-log action */
+	__u32		pid;		/* pid of auditd process */
+	__u32		rate_limit;	/* messages rate limit (per second) */
+	__u32		backlog_limit;	/* waiting messages limit */
+	__u32		lost;		/* messages lost */
+	__u32		backlog;	/* messages waiting in queue */
+};
+
+struct audit_rule {		/* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
+	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
+	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
+	__u32		field_count;
+	__u32		mask[AUDIT_BITMASK_SIZE];
+	__u32		fields[AUDIT_MAX_FIELDS];
+	__u32		values[AUDIT_MAX_FIELDS];
+};
+
+struct audit_watch {
+	int	namelen;
+	int 	fklen;
+	char	*name;
+	char	*filterkey;
+	__u32	perms;
+};
+
+#ifdef __KERNEL__
+
+struct audit_data {
+	struct audit_wentry	*wentry;
+	struct list_head 	watchlist;
+	rwlock_t 		watchlist_lock;
+	struct list_head	link;
+};
+
+struct audit_wentry {
+	struct list_head 	w_list;
+	atomic_t 		w_count;
+	struct audit_watch	*w_watch;
+	unsigned int		w_valid;
+	unsigned int		w_cached;
+
+};
+
+#ifdef CONFIG_AUDIT
+struct audit_buffer;
+struct audit_context;
+#endif
+
+#ifdef CONFIG_AUDITSYSCALL
+/* These are defined in auditsc.c */
+				/* Public API */
+extern int  audit_alloc(struct task_struct *task);
+extern void audit_free(struct task_struct *task);
+extern void audit_syscall_entry(struct task_struct *task,
+				int major, unsigned long a0, unsigned long a1,
+				unsigned long a2, unsigned long a3);
+extern void audit_syscall_exit(struct task_struct *task, int return_code);
+extern void audit_getname(const char *name);
+extern void audit_putname(const char *name);
+extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+
+				/* Private API (for audit.c only) */
+extern int  audit_receive_filter(int type, int pid, int uid, int seq,
+				 void *data);
+extern void audit_get_stamp(struct audit_context *ctx,
+			    struct timespec *t, int *serial);
+extern int  audit_set_loginuid(struct audit_context *ctx, uid_t loginuid);
+extern uid_t audit_get_loginuid(struct audit_context *ctx);
+#ifdef CONFIG_AUDITFILESYSTEM
+extern int audit_notify_watch(struct inode *inode, int mask);
+#else
+#define audit_notify_watch(i,m) ({ 0; })
+#endif
+#else
+#define audit_alloc(t) ({ 0; })
+#define audit_free(t) do { ; } while (0)
+#define audit_syscall_entry(t,a,b,c,d,e) do { ; } while (0)
+#define audit_syscall_exit(t,r) do { ; } while (0)
+#define audit_getname(n) do { ; } while (0)
+#define audit_putname(n) do { ; } while (0)
+#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_get_loginuid(c) ({ -1; })
+#define audit_notify_watch(i,m) ({ 0; })
+#endif
+
+#ifdef CONFIG_AUDITFILESYSTEM
+extern void audit_receive_watch(int type, int pid, int uid, int seq,
+			       struct audit_watch *req);
+extern int audit_filesystem_init(void);
+extern void audit_inode_alloc(struct inode *inode);
+extern void audit_inode_free(struct inode *inode);
+extern void audit_watch(struct dentry *dentry, int remove);
+extern void audit_wentry_put(struct audit_wentry *wentry);
+extern struct audit_wentry *audit_wentry_get(struct audit_wentry *wentry);
+#else
+#define audit_receive_watch(t,p,u,s,r) ({ -EOPNOTSUPP; })
+#define audit_filesystem_init() ({ 0; })
+#define audit_inode_alloc(i) do { ; } while(0)
+#define audit_inode_free(i) do { ; } while(0)
+#define audit_watch(d,r) do { ; } while (0)
+#define audit_watch_put(w) do { ; } while(0)
+#define audit_watch_get(w) ({ 0; })
+#endif
+
+#ifdef CONFIG_AUDIT
+/* These are defined in audit.c */
+				/* Public API */
+extern void		    audit_log(struct audit_context *ctx,
+				      const char *fmt, ...)
+			    __attribute__((format(printf,2,3)));
+
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx);
+extern void		    audit_log_format(struct audit_buffer *ab,
+					     const char *fmt, ...)
+			    __attribute__((format(printf,2,3)));
+extern void		    audit_log_end(struct audit_buffer *ab);
+extern void		    audit_log_end_fast(struct audit_buffer *ab);
+extern void		    audit_log_end_irq(struct audit_buffer *ab);
+extern void		    audit_log_d_path(struct audit_buffer *ab,
+					     const char *prefix,
+					     struct dentry *dentry,
+					     struct vfsmount *vfsmnt);
+extern int		    audit_set_rate_limit(int limit);
+extern int		    audit_set_backlog_limit(int limit);
+extern int		    audit_set_enabled(int state);
+extern int		    audit_set_failure(int state);
+
+				/* Private API (for auditsc.c only) */
+extern void		    audit_send_reply(int pid, int seq, int type,
+					     int done, int multi,
+					     void *payload, int size);
+extern void		    audit_log_lost(const char *message);
+#else
+#define audit_log(t,f,...) do { ; } while (0)
+#define audit_log_start(t) ({ NULL; })
+#define audit_log_vformat(b,f,a) do { ; } while (0)
+#define audit_log_format(b,f,...) do { ; } while (0)
+#define audit_log_end(b) do { ; } while (0)
+#define audit_log_end_fast(b) do { ; } while (0)
+#define audit_log_end_irq(b) do { ; } while (0)
+#define audit_log_d_path(b,p,d,v) do { ; } while (0)
+#define audit_set_rate_limit(l) do { ; } while (0)
+#define audit_set_backlog_limit(l) do { ; } while (0)
+#define audit_set_enabled(s) do { ; } while (0)
+#define audit_set_failure(s) do { ; } while (0)
+#endif
+#endif
+#endif
diff -Nurp audit-0.6.7/src/auditctl.c auditfs-audit-0.6.7/src/auditctl.c
--- audit-0.6.7/src/auditctl.c	2005-03-14 00:45:01.000000000 -0600
+++ auditfs-audit-0.6.7/src/auditctl.c	2005-03-14 00:39:49.000000000 -0600
@@ -49,6 +49,14 @@
  */
 #define LINE_SIZE 1600
 
+#define WATCH_MAY_EXEC		1
+#define WATCH_MAY_WRITE		2
+#define WATCH_MAY_READ		4
+#define WATCH_MAY_APPEND	8
+
+#define WATCH_NAME		1
+#define WATCH_FILTERKEY		2
+#define WATCH_PERMS		3
 
 /* Global functions */
 static int handle_request(int status);
@@ -61,7 +69,9 @@ static int fd = -1;
 static int list_requested = 0;
 static int syscalladded = 0;
 static int add = 0, del = 0, action = 0;
+static int ins = 0, rem = 0;
 static struct audit_rule  rule;
+static struct audit_watch watch;
 
 /*
  * This function will reset everything used for each loop when loading 
@@ -73,8 +83,11 @@ static int reset_vars(void)
 	syscalladded = 0;
 	add = 0;
 	del = 0;
+	ins = 0;
+	rem = 0;
 	action = 0;
 	memset(&rule, 0, sizeof(rule));
+	memset(&watch, 0, sizeof(watch));
 	if ((fd = audit_open()) < 0) {
 		fprintf(stderr, "Cannot open netlink audit socket\n");
 		return 1;
@@ -104,6 +117,11 @@ static void usage(void)
      "       -s           Report status\n"
      "       -S syscall   Build rule: syscall name or number\n"
      "       -t <syscall> Translate syscall number to syscall name\n"
+     "       -w <path>    Insert watch at <path>\n"
+     "       -W <path>    Remove watch at <path>\n"
+     "       -p [r|w|e|a] Set permissions filter on watch:\n"
+     "                      r=read, w=write, e=execute, a=append\n"
+     "       -k <key>     Set filterkey on watch\n"
      );
 }
 
@@ -128,6 +146,84 @@ static int audit_rule_setup(const char *
     return 0;
 }
 
+/* Setup a watch.  The "name" of the watch in userspace will be the <path> to
+ * the watch.  When this potential watch reaches the kernel, it will resolve
+ * down to <name> (of terminating file or directory).
+ */
+static int audit_watch_setup(int type, struct audit_watch *req,
+			     const char *opt)
+{
+	int i;
+	int ret = 0;
+
+	if (!opt)
+		goto audit_watch_setup_exit;
+
+	switch (type) {
+		case WATCH_NAME:
+			if (!req->name && opt) {
+				req->namelen = strlen(opt) + 1;
+	    			req->name = (char *) malloc(req->namelen);
+	    			if (!req->name)
+	    				goto audit_watch_setup_exit;
+	    			strcpy(req->name, opt);
+	    			ret = 1;
+			}
+		break;
+    		case WATCH_FILTERKEY:
+			if (!req->filterkey && opt) {
+	    			req->fklen = strlen(opt) + 1;
+	    			req->filterkey = (char *) malloc(req->fklen);
+	    			if (!req->filterkey)
+	    				goto audit_watch_setup_exit;
+	    			strcpy(req->filterkey, opt);
+	    			ret = 1;
+			}
+		break;
+		case WATCH_PERMS:
+			if (strlen(opt) > 4)
+				goto audit_watch_setup_exit;
+
+			for (i = 0; i < strlen(opt); i++) {
+			switch (opt[i]) {
+				case 'r':
+					if (!(req->perms & WATCH_MAY_READ))
+						req->perms |= WATCH_MAY_READ;
+					else
+						goto audit_watch_setup_exit;
+					break;
+	    			case 'w':
+					if (!(req->perms & WATCH_MAY_WRITE))
+					req->perms |= WATCH_MAY_WRITE;
+					else
+						goto audit_watch_setup_exit;
+					break;
+				case 'e':
+					if (!(req->perms & WATCH_MAY_EXEC))
+						req->perms |= WATCH_MAY_EXEC;
+					else
+						goto audit_watch_setup_exit;
+					break;
+	    			case 'a':
+					if (!(req->perms & WATCH_MAY_APPEND))
+						req->perms |= WATCH_MAY_APPEND;
+					else
+						goto audit_watch_setup_exit;
+					break;
+	    			default:
+					goto audit_watch_setup_exit;
+			}
+		}
+
+		ret = 1;
+
+		default:
+			break;
+	}
+audit_watch_setup_exit:
+	return ret;
+}
+
 /*
  * returns: < 0 error - noreply, 0 success - reply, > 0 success - rule
  */
@@ -138,8 +234,8 @@ static int setopt(int count, char *vars[
 
     optind = 0;
     opterr = 0;
-    while ((c = getopt(count, vars, "hslDe:f:r:b:a:A:d:S:F:m:t:R:")) != EOF 
&&
-		retval != -1) {
+    while ((c = getopt(count, vars, 
"hslDf:e:E:r:b:a:A:d:S:F:m:t:R:W:w:k:p:"))
+    		!= EOF && retval != -1) {
         switch (c) {
         case 'h':
 		usage();
@@ -291,6 +387,38 @@ static int setopt(int count, char *vars[
 	case 'D':
 		retval = delete_all_rules();
 		break;
+	case 'W':
+		if (audit_watch_setup(WATCH_NAME, &watch, optarg))
+			rem = retval = 1;
+		else {
+			usage();
+			retval = -1;
+		}
+		break;
+	case 'w':
+		if (audit_watch_setup(WATCH_NAME, &watch, optarg))
+			ins = retval = 1;
+		else {
+			usage();
+			retval = -1;
+		}
+		break;
+	case 'k':
+		if (ins && audit_watch_setup(WATCH_FILTERKEY, &watch, optarg))
+			retval = 1;
+		else {
+			usage();
+			retval = -1;
+		}
+		break;
+	case 'p':
+		if (ins && audit_watch_setup(WATCH_PERMS, &watch, optarg))
+			retval = 1;
+		else {
+			usage();
+			retval = -1;
+		}
+		break;
         default: 
 		usage();
 		retval = -1;
@@ -458,6 +586,10 @@ static int handle_request(int status)
 		rc = audit_add_rule(fd, &rule, add, action);
 	else if (del & 0x07) 
 		rc = audit_delete_rule(fd, &rule, del, action);
+	else if (ins && !rem)
+		rc = audit_insert_watch(fd, &watch);
+	else if (rem && !ins)
+		rc = audit_remove_watch(fd, &watch);
 	else {
         	usage();
     		audit_close(fd);
@@ -577,6 +709,18 @@ static int audit_print_reply(struct audi
         }
         printf("\n");
         return 1;               /* get more messages, until NLMSG_DONE */
+   case AUDIT_WATCH_INS:
+   	if (rep->watch < 0)
+		printf("AUDIT_WATCH : INSERT : %s\n", strerror(-(rep->watch)));
+	else
+		printf("AUDIT_WATCH : INSERT : SUCCESS\n");
+	return 0;
+    case AUDIT_WATCH_REM:
+    	if (rep->watch < 0)
+		printf("AUDIT_WATCH : REMOVE : %s\n", strerror(-(rep->watch)));
+	else
+		printf("AUDIT_WATCH : REMOVE : SUCCESS\n");
+	return 0;
     default:
         printf("Unknown: type=%d, len=%d\n", rep->type, rep->nlh->nlmsg_len);
         return 0;


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]