Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
473ae30b
Commit
473ae30b
authored
Apr 26, 2006
by
Al Viro
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[PATCH] execve argument logging
Signed-off-by:
Al Viro
<
viro@zeniv.linux.org.uk
>
parent
9044e6bc
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
67 additions
and
4 deletions
+67
-4
fs/exec.c
fs/exec.c
+6
-0
include/linux/audit.h
include/linux/audit.h
+5
-1
kernel/audit.c
kernel/audit.c
+5
-3
kernel/auditsc.c
kernel/auditsc.c
+51
-0
No files found.
fs/exec.c
View file @
473ae30b
...
@@ -49,6 +49,7 @@
...
@@ -49,6 +49,7 @@
#include <linux/rmap.h>
#include <linux/rmap.h>
#include <linux/acct.h>
#include <linux/acct.h>
#include <linux/cn_proc.h>
#include <linux/cn_proc.h>
#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
#include <asm/mmu_context.h>
...
@@ -1085,6 +1086,11 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
...
@@ -1085,6 +1086,11 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
/* kernel module loader fixup */
/* kernel module loader fixup */
/* so we don't try to load run modprobe in kernel space. */
/* so we don't try to load run modprobe in kernel space. */
set_fs
(
USER_DS
);
set_fs
(
USER_DS
);
retval
=
audit_bprm
(
bprm
);
if
(
retval
)
return
retval
;
retval
=
-
ENOENT
;
retval
=
-
ENOENT
;
for
(
try
=
0
;
try
<
2
;
try
++
)
{
for
(
try
=
0
;
try
<
2
;
try
++
)
{
read_lock
(
&
binfmt_lock
);
read_lock
(
&
binfmt_lock
);
...
...
include/linux/audit.h
View file @
473ae30b
...
@@ -83,6 +83,7 @@
...
@@ -83,6 +83,7 @@
#define AUDIT_CONFIG_CHANGE 1305
/* Audit system configuration change */
#define AUDIT_CONFIG_CHANGE 1305
/* Audit system configuration change */
#define AUDIT_SOCKADDR 1306
/* sockaddr copied as syscall arg */
#define AUDIT_SOCKADDR 1306
/* sockaddr copied as syscall arg */
#define AUDIT_CWD 1307
/* Current working directory */
#define AUDIT_CWD 1307
/* Current working directory */
#define AUDIT_EXECVE 1309
/* execve arguments */
#define AUDIT_IPC_SET_PERM 1311
/* IPC new permissions record type */
#define AUDIT_IPC_SET_PERM 1311
/* IPC new permissions record type */
#define AUDIT_AVC 1400
/* SE Linux avc denial or grant */
#define AUDIT_AVC 1400
/* SE Linux avc denial or grant */
...
@@ -283,6 +284,7 @@ struct audit_buffer;
...
@@ -283,6 +284,7 @@ struct audit_buffer;
struct
audit_context
;
struct
audit_context
;
struct
inode
;
struct
inode
;
struct
netlink_skb_parms
;
struct
netlink_skb_parms
;
struct
linux_binprm
;
#define AUDITSC_INVALID 0
#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
#define AUDITSC_SUCCESS 1
...
@@ -322,6 +324,7 @@ extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
...
@@ -322,6 +324,7 @@ extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
extern
uid_t
audit_get_loginuid
(
struct
audit_context
*
ctx
);
extern
uid_t
audit_get_loginuid
(
struct
audit_context
*
ctx
);
extern
int
audit_ipc_obj
(
struct
kern_ipc_perm
*
ipcp
);
extern
int
audit_ipc_obj
(
struct
kern_ipc_perm
*
ipcp
);
extern
int
audit_ipc_set_perm
(
unsigned
long
qbytes
,
uid_t
uid
,
gid_t
gid
,
mode_t
mode
,
struct
kern_ipc_perm
*
ipcp
);
extern
int
audit_ipc_set_perm
(
unsigned
long
qbytes
,
uid_t
uid
,
gid_t
gid
,
mode_t
mode
,
struct
kern_ipc_perm
*
ipcp
);
extern
int
audit_bprm
(
struct
linux_binprm
*
bprm
);
extern
int
audit_socketcall
(
int
nargs
,
unsigned
long
*
args
);
extern
int
audit_socketcall
(
int
nargs
,
unsigned
long
*
args
);
extern
int
audit_sockaddr
(
int
len
,
void
*
addr
);
extern
int
audit_sockaddr
(
int
len
,
void
*
addr
);
extern
int
audit_avc_path
(
struct
dentry
*
dentry
,
struct
vfsmount
*
mnt
);
extern
int
audit_avc_path
(
struct
dentry
*
dentry
,
struct
vfsmount
*
mnt
);
...
@@ -342,6 +345,7 @@ extern int audit_set_macxattr(const char *name);
...
@@ -342,6 +345,7 @@ extern int audit_set_macxattr(const char *name);
#define audit_get_loginuid(c) ({ -1; })
#define audit_get_loginuid(c) ({ -1; })
#define audit_ipc_obj(i) ({ 0; })
#define audit_ipc_obj(i) ({ 0; })
#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
#define audit_bprm(p) ({ 0; })
#define audit_socketcall(n,a) ({ 0; })
#define audit_socketcall(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
...
@@ -364,7 +368,7 @@ extern void audit_log_end(struct audit_buffer *ab);
...
@@ -364,7 +368,7 @@ extern void audit_log_end(struct audit_buffer *ab);
extern
void
audit_log_hex
(
struct
audit_buffer
*
ab
,
extern
void
audit_log_hex
(
struct
audit_buffer
*
ab
,
const
unsigned
char
*
buf
,
const
unsigned
char
*
buf
,
size_t
len
);
size_t
len
);
extern
void
audit_log_untrustedstring
(
struct
audit_buffer
*
ab
,
extern
const
char
*
audit_log_untrustedstring
(
struct
audit_buffer
*
ab
,
const
char
*
string
);
const
char
*
string
);
extern
void
audit_log_d_path
(
struct
audit_buffer
*
ab
,
extern
void
audit_log_d_path
(
struct
audit_buffer
*
ab
,
const
char
*
prefix
,
const
char
*
prefix
,
...
...
kernel/audit.c
View file @
473ae30b
...
@@ -1026,18 +1026,20 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
...
@@ -1026,18 +1026,20 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
* or a space. Unescaped strings will start and end with a double quote mark.
* or a space. Unescaped strings will start and end with a double quote mark.
* Strings that are escaped are printed in hex (2 digits per char).
* Strings that are escaped are printed in hex (2 digits per char).
*/
*/
void
audit_log_untrustedstring
(
struct
audit_buffer
*
ab
,
const
char
*
string
)
const
char
*
audit_log_untrustedstring
(
struct
audit_buffer
*
ab
,
const
char
*
string
)
{
{
const
unsigned
char
*
p
=
string
;
const
unsigned
char
*
p
=
string
;
size_t
len
=
strlen
(
string
);
while
(
*
p
)
{
while
(
*
p
)
{
if
(
*
p
==
'"'
||
*
p
<
0x21
||
*
p
>
0x7f
)
{
if
(
*
p
==
'"'
||
*
p
<
0x21
||
*
p
>
0x7f
)
{
audit_log_hex
(
ab
,
string
,
strlen
(
string
)
);
audit_log_hex
(
ab
,
string
,
len
);
return
;
return
string
+
len
+
1
;
}
}
p
++
;
p
++
;
}
}
audit_log_format
(
ab
,
"
\"
%s
\"
"
,
string
);
audit_log_format
(
ab
,
"
\"
%s
\"
"
,
string
);
return
p
+
1
;
}
}
/* This is a helper-function to print the escaped d_path */
/* This is a helper-function to print the escaped d_path */
...
...
kernel/auditsc.c
View file @
473ae30b
...
@@ -59,6 +59,7 @@
...
@@ -59,6 +59,7 @@
#include <linux/list.h>
#include <linux/list.h>
#include <linux/tty.h>
#include <linux/tty.h>
#include <linux/selinux.h>
#include <linux/selinux.h>
#include <linux/binfmts.h>
#include "audit.h"
#include "audit.h"
...
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
...
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
u32
osid
;
u32
osid
;
};
};
struct
audit_aux_data_execve
{
struct
audit_aux_data
d
;
int
argc
;
int
envc
;
char
mem
[
0
];
};
struct
audit_aux_data_socketcall
{
struct
audit_aux_data_socketcall
{
struct
audit_aux_data
d
;
struct
audit_aux_data
d
;
int
nargs
;
int
nargs
;
...
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
...
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
kfree
(
ctx
);
kfree
(
ctx
);
}
}
break
;
}
break
;
}
case
AUDIT_EXECVE
:
{
struct
audit_aux_data_execve
*
axi
=
(
void
*
)
aux
;
int
i
;
const
char
*
p
;
for
(
i
=
0
,
p
=
axi
->
mem
;
i
<
axi
->
argc
;
i
++
)
{
audit_log_format
(
ab
,
"a%d="
,
i
);
p
=
audit_log_untrustedstring
(
ab
,
p
);
audit_log_format
(
ab
,
"
\n
"
);
}
break
;
}
case
AUDIT_SOCKETCALL
:
{
case
AUDIT_SOCKETCALL
:
{
int
i
;
int
i
;
...
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode,
...
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode,
return
0
;
return
0
;
}
}
int
audit_bprm
(
struct
linux_binprm
*
bprm
)
{
struct
audit_aux_data_execve
*
ax
;
struct
audit_context
*
context
=
current
->
audit_context
;
unsigned
long
p
,
next
;
void
*
to
;
if
(
likely
(
!
audit_enabled
||
!
context
))
return
0
;
ax
=
kmalloc
(
sizeof
(
*
ax
)
+
PAGE_SIZE
*
MAX_ARG_PAGES
-
bprm
->
p
,
GFP_KERNEL
);
if
(
!
ax
)
return
-
ENOMEM
;
ax
->
argc
=
bprm
->
argc
;
ax
->
envc
=
bprm
->
envc
;
for
(
p
=
bprm
->
p
,
to
=
ax
->
mem
;
p
<
MAX_ARG_PAGES
*
PAGE_SIZE
;
p
=
next
)
{
struct
page
*
page
=
bprm
->
page
[
p
/
PAGE_SIZE
];
void
*
kaddr
=
kmap
(
page
);
next
=
(
p
+
PAGE_SIZE
)
&
~
(
PAGE_SIZE
-
1
);
memcpy
(
to
,
kaddr
+
(
p
&
(
PAGE_SIZE
-
1
)),
next
-
p
);
to
+=
next
-
p
;
kunmap
(
page
);
}
ax
->
d
.
type
=
AUDIT_EXECVE
;
ax
->
d
.
next
=
context
->
aux
;
context
->
aux
=
(
void
*
)
ax
;
return
0
;
}
/**
/**
* audit_socketcall - record audit data for sys_socketcall
* audit_socketcall - record audit data for sys_socketcall
* @nargs: number of args
* @nargs: number of args
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment