1. 23 Feb, 2015 1 commit
    • Imre Palik's avatar
      audit: move the tree pruning to a dedicated thread · f1aaf262
      Imre Palik authored
      When file auditing is enabled, during a low memory situation, a memory
      allocation with __GFP_FS can lead to pruning the inode cache.  Which can,
      in turn lead to audit_tree_freeing_mark() being called.  This can call
      audit_schedule_prune(), that tries to fork a pruning thread, and
      waits until the thread is created.  But forking needs memory, and the
      memory allocations there are done with __GFP_FS.
      
      So we are waiting merrily for some __GFP_FS memory allocations to complete,
      while holding some filesystem locks.  This can take a while ...
      
      This patch creates a single thread for pruning the tree from
      audit_add_tree_rule(), and thus avoids the deadlock that the on-demand
      thread creation can cause.
      Reported-by: default avatarMatt Wilson <msw@amazon.com>
      Cc: Matt Wilson <msw@amazon.com>
      Signed-off-by: default avatarImre Palik <imrep@amazon.de>
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      f1aaf262
  2. 20 Jan, 2015 1 commit
  3. 30 Dec, 2014 1 commit
    • Paul Moore's avatar
      audit: create private file name copies when auditing inodes · fcf22d82
      Paul Moore authored
      Unfortunately, while commit 4a928436 ("audit: correctly record file
      names with different path name types") fixed a problem where we were
      not recording filenames, it created a new problem by attempting to use
      these file names after they had been freed.  This patch resolves the
      issue by creating a copy of the filename which the audit subsystem
      frees after it is done with the string.
      
      At some point it would be nice to resolve this issue with refcounts,
      or something similar, instead of having to allocate/copy strings, but
      that is almost surely beyond the scope of a -rcX patch so we'll defer
      that for later.  On the plus side, only audit users should be impacted
      by the string copying.
      Reported-by: default avatarToralf Foerster <toralf.foerster@gmx.de>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      fcf22d82
  4. 23 Dec, 2014 1 commit
    • Richard Guy Briggs's avatar
      audit: restore AUDIT_LOGINUID unset ABI · 041d7b98
      Richard Guy Briggs authored
      A regression was caused by commit 780a7654:
      	 audit: Make testing for a valid loginuid explicit.
      (which in turn attempted to fix a regression caused by e1760bd5)
      
      When audit_krule_to_data() fills in the rules to get a listing, there was a
      missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
      
      This broke userspace by not returning the same information that was sent and
      expected.
      
      The rule:
      	auditctl -a exit,never -F auid=-1
      gives:
      	auditctl -l
      		LIST_RULES: exit,never f24=0 syscall=all
      when it should give:
      		LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
      
      Tag it so that it is reported the same way it was set.  Create a new
      private flags audit_krule field (pflags) to store it that won't interact with
      the public one from the API.
      
      Cc: stable@vger.kernel.org # v3.10-rc1+
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      041d7b98
  5. 22 Dec, 2014 1 commit
    • Paul Moore's avatar
      audit: correctly record file names with different path name types · 4a928436
      Paul Moore authored
      There is a problem with the audit system when multiple audit records
      are created for the same path, each with a different path name type.
      The root cause of the problem is in __audit_inode() when an exact
      match (both the path name and path name type) is not found for a
      path name record; the existing code creates a new path name record,
      but it never sets the path name in this record, leaving it NULL.
      This patch corrects this problem by assigning the path name to these
      newly created records.
      
      There are many ways to reproduce this problem, but one of the
      easiest is the following (assuming auditd is running):
      
        # mkdir /root/tmp/test
        # touch /root/tmp/test/567
        # auditctl -a always,exit -F dir=/root/tmp/test
        # touch /root/tmp/test/567
      
      Afterwards, or while the commands above are running, check the audit
      log and pay special attention to the PATH records.  A faulty kernel
      will display something like the following for the file creation:
      
        type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
          success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
        type=CWD msg=audit(1416957442.025:93):  cwd="/root/tmp"
        type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
          inode=401409 ... nametype=PARENT
        type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
          inode=393804 ... nametype=NORMAL
        type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
          inode=393804 ... nametype=NORMAL
      
      While a patched kernel will show the following:
      
        type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
          success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
        type=CWD msg=audit(1416955786.566:89):  cwd="/root/tmp"
        type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
          inode=401409 ... nametype=PARENT
        type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
          inode=393804 ... nametype=NORMAL
      
      This issue was brought up by a number of people, but special credit
      should go to hujianyang@huawei.com for reporting the problem along
      with an explanation of the problem and a patch.  While the original
      patch did have some problems (see the archive link below), it did
      demonstrate the problem and helped kickstart the fix presented here.
      
        * https://lkml.org/lkml/2014/9/5/66Reported-by: default avatarhujianyang <hujianyang@huawei.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Acked-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      4a928436
  6. 19 Dec, 2014 2 commits
    • Richard Guy Briggs's avatar
      audit: use supplied gfp_mask from audit_buffer in kauditd_send_multicast_skb · 54dc77d9
      Richard Guy Briggs authored
      Eric Paris explains: Since kauditd_send_multicast_skb() gets called in
      audit_log_end(), which can come from any context (aka even a sleeping context)
      GFP_KERNEL can't be used.  Since the audit_buffer knows what context it should
      use, pass that down and use that.
      
      See: https://lkml.org/lkml/2014/12/16/542
      
      BUG: sleeping function called from invalid context at mm/slab.c:2849
      in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin
      2 locks held by sulogin/885:
        #0:  (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b
        #1:  (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b
      CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30
      Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014
        ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375
        ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006
        0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38
      Call Trace:
        [<ffffffff916ba529>] dump_stack+0x50/0xa8
        [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be
        [<ffffffff910632a6>] __might_sleep+0x119/0x128
        [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f
        [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9
        [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3
        [<ffffffff914e2b62>] skb_copy+0x3e/0xa3
        [<ffffffff910c263e>] audit_log_end+0x83/0x100
        [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103
        [<ffffffff91252a73>] common_lsm_audit+0x441/0x450
        [<ffffffff9123c163>] slow_avc_audit+0x63/0x67
        [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3
        [<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65
        [<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b
        [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10
        [<ffffffff911515e6>] install_exec_creds+0xe/0x79
        [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7
        [<ffffffff9115198e>] search_binary_handler+0x81/0x18c
        [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7
        [<ffffffff91153669>] do_execve+0x1f/0x21
        [<ffffffff91153967>] SyS_execve+0x25/0x29
        [<ffffffff916c61a9>] stub_execve+0x69/0xa0
      
      Cc: stable@vger.kernel.org #v3.16-rc1
      Reported-by: default avatarValdis Kletnieks <Valdis.Kletnieks@vt.edu>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Tested-by: default avatarValdis Kletnieks <Valdis.Kletnieks@vt.edu>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      54dc77d9
    • Paul Moore's avatar
      audit: don't attempt to lookup PIDs when changing PID filtering audit rules · 3640dcfa
      Paul Moore authored
      Commit f1dc4867 ("audit: anchor all pid references in the initial pid
      namespace") introduced a find_vpid() call when adding/removing audit
      rules with PID/PPID filters; unfortunately this is problematic as
      find_vpid() only works if there is a task with the associated PID
      alive on the system.  The following commands demonstrate a simple
      reproducer.
      
      	# auditctl -D
      	# auditctl -l
      	# autrace /bin/true
      	# auditctl -l
      
      This patch resolves the problem by simply using the PID provided by
      the user without any additional validation, e.g. no calls to check to
      see if the task/PID exists.
      
      Cc: stable@vger.kernel.org # 3.15
      Cc: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      3640dcfa
  7. 09 Dec, 2014 1 commit
  8. 17 Nov, 2014 1 commit
    • Richard Guy Briggs's avatar
      audit: convert status version to a feature bitmap · 0288d718
      Richard Guy Briggs authored
      The version field defined in the audit status structure was found to have
      limitations in terms of its expressibility of features supported.  This is
      distict from the get/set features call to be able to command those features
      that are present.
      
      Converting this field from a version number to a feature bitmap will allow
      distributions to selectively backport and support certain features and will
      allow upstream to be able to deprecate features in the future.  It will allow
      userspace clients to first query the kernel for which features are actually
      present and supported.  Currently, EINVAL is returned rather than EOPNOTSUP,
      which isn't helpful in determining if there was an error in the command, or if
      it simply isn't supported yet.  Past features are not represented by this
      bitmap, but their use may be converted to EOPNOTSUP if needed in the future.
      
      Since "version" is too generic to convert with a #define, use a union in the
      struct status, introducing the member "feature_bitmap" unionized with
      "version".
      
      Convert existing AUDIT_VERSION_* macros over to AUDIT_FEATURE_BITMAP*
      counterparts, leaving the former for backwards compatibility.
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      [PM: minor whitespace tweaks]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      0288d718
  9. 11 Nov, 2014 1 commit
    • Miklos Szeredi's avatar
      audit: keep inode pinned · 799b6014
      Miklos Szeredi authored
      Audit rules disappear when an inode they watch is evicted from the cache.
      This is likely not what we want.
      
      The guilty commit is "fsnotify: allow marks to not pin inodes in core",
      which didn't take into account that audit_tree adds watches with a zero
      mask.
      
      Adding any mask should fix this.
      
      Fixes: 90b1e7a5 ("fsnotify: allow marks to not pin inodes in core")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Cc: stable@vger.kernel.org # 2.6.36+
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      799b6014
  10. 30 Oct, 2014 1 commit
  11. 20 Oct, 2014 1 commit
  12. 10 Oct, 2014 4 commits
  13. 26 Sep, 2014 1 commit
    • Guenter Roeck's avatar
      next: openrisc: Fix build · 29075fea
      Guenter Roeck authored
      openrisc:defconfig fails to build in next-20140926 with the following error.
      
      In file included from arch/openrisc/kernel/signal.c:31:0:
      ./arch/openrisc/include/asm/syscall.h: In function 'syscall_get_arch':
      ./arch/openrisc/include/asm/syscall.h:77:9: error: 'EM_OPENRISC' undeclared
      
      Fix by moving EM_OPENRISC to include/uapi/linux/elf-em.h.
      
      Fixes: ce5d1128 ("ARCH: AUDIT: implement syscall_get_arch for all arches")
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      29075fea
  14. 23 Sep, 2014 23 commits