On Tuesday 19 April 2005 11:23, Steve Grubb wrote:

I wanted to start a discussion about an old topic that we last discussed
back in December. The problem basically centers around the audit message
type being too coarse to be of any real use.

Attached is my current working patch for people to review and comment on. It
is not a final patch. I still need to review all messages to ensure we have
everything that its supposed to be. The patch is against the .31 kernel will
all my previous patches applied.

If there are no objections or concerns, I will finalize this patch and release
matching user space tools.

-Steve
diff -ur linux-2.6.9.orig/include/linux/audit.h linux-2.6.9/include/linux/audit.h
--- linux-2.6.9.orig/include/linux/audit.h 2005-05-10 08:24:41.000000000 -0400
+++ linux-2.6.9/include/linux/audit.h 2005-05-10 08:24:11.000000000 -0400
@@ -34,18 +34,52 @@
struct atomic_t;

endif

-/* Request and reply types /
+/ The netlink messages for the audit system is divided into blocks:

• • 1000 - 1099 are for commanding the audit system
• • 1100 - 1199 user space trusted application messages
• • 1200 - 1299 messages internal to the audit daemon
• • 1300 - 1399 audit event messages
• • 1400 - 1499 SE Linux use
• • 1500 - 1999 future use
• • 2000 is for otherwise unclassified kernel audit messages
• • Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
• • space. Anything over that is kernel --> user space communication.
• */

define AUDIT_GET 1000 /* Get status */

define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */

define AUDIT_LIST 1002 /* List filtering rules */

define AUDIT_ADD 1003 /* Add filtering rule */

define AUDIT_DEL 1004 /* Delete filtering rule */

define AUDIT_USER 1005 /* Send a message from user-space */

-#define AUDIT_LOGIN 1006 /* Define the login id and information /
+#define AUDIT_LOGIN 1006 / /proc/pid/loginuid change event */

define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */

define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */

define AUDIT_WATCH_LIST 1009 /* List all watches */

-#define AUDIT_SIGNAL_INFO 1010 /* Get information about sender of signal/
+#define AUDIT_SIGNAL_INFO 1010 / Get info about sender of signal/
+
+#define AUDIT_USER_AUTH 1100 / User space authentication /
+#define AUDIT_USER_ACCT 1101 / User space acct change /
+#define AUDIT_USER_MGMT 1102 / User space acct management /
+#define AUDIT_CRED_ACQ 1103 / User space credential acquired /
+#define AUDIT_CRED_DISP 1104 / User space credential disposed /
+#define AUDIT_USER_START 1105 / User space session start /
+#define AUDIT_USER_END 1106 / User space session end /
+
+#define AUDIT_DAEMON_START 1200 / Daemon startup record /
+#define AUDIT_DAEMON_END 1201 / Daemon normal stop record /
+#define AUDIT_DAEMON_ABORT 1202 / Daemon error stop record /
+#define AUDIT_DAEMON_CONFIG 1203 / Daemon config change /
+
+#define AUDIT_SYSCALL 1300 / Syscall event /
+#define AUDIT_FS_WATCH 1301 / Filesystem watch event /
+#define AUDIT_PATH 1302 / Filname path information /
+#define AUDIT_IPC 1303 / IPC record /
+#define AUDIT_SOCKET 1304 / Socket record /
+#define AUDIT_CONFIG_CHANGE 1305 / Audit system configuration change /
+
+#define AUDIT_AVC 1400 / SE Linux avc denial or grant /
+#define AUDIT_SELINUX_ERR 1401 / Internal SE Linux Errors */

define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */

@@ -284,11 +318,11 @@

ifdef CONFIG_AUDIT

/* These are defined in audit.c /
/ Public API */
-extern void audit_log(struct audit_context *ctx,
+extern void audit_log(struct audit_context *ctx, int type,
const char *fmt, ...)

• attribute((format(printf,2,3)));

• attribute((format(printf,3,4)));

-extern struct audit_buffer *audit_log_start(struct audit_context *ctx);
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type);
extern void audit_log_format(struct audit_buffer *ab,
const char *fmt, ...)
attribute((format(printf,2,3)));
@@ -314,8 +348,8 @@
void *payload, int size);
extern void audit_log_lost(const char *message);

else

-#define audit_log(t,f,...) do { ; } while (0)
-#define audit_log_start(t) ({ NULL; })
+#define audit_log(c,t,f,...) do { ; } while (0)
+#define audit_log_start(c,t) ({ NULL; })

define audit_log_vformat(b,f,a) do { ; } while (0)

define audit_log_format(b,f,...) do { ; } while (0)

define audit_log_end(b) do { ; } while (0)

diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c 2005-05-10 08:24:46.000000000 -0400
+++ linux-2.6.9/kernel/audit.c 2005-05-10 08:24:11.000000000 -0400
@@ -242,7 +242,8 @@
{
int old = audit_rate_limit;
audit_rate_limit = limit;

• audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "audit_rate_limit=%d old=%d by auid %u",
  audit_rate_limit, old, loginuid);
  return old;
  }
  @@ -251,7 +252,8 @@
  {
  int old = audit_backlog_limit;
  audit_backlog_limit = limit;

• audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "audit_backlog_limit=%d old=%d by auid %u",
  audit_backlog_limit, old, loginuid);
  return old;
  }
  @@ -262,8 +264,9 @@
  if (state != 0 && state != 1)
  return -EINVAL;
  audit_enabled = state;

• audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
• audit_enabled, old, loginuid);

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "audit_enabled=%d old=%d by auid %u",
• audit_enabled, old, loginuid);
  return old;
  }

@@ -275,8 +278,9 @@
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
audit_failure = state;

• audit_log(NULL, "audit_failure=%d old=%d by auid %u",
• audit_failure, old, loginuid);

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "audit_failure=%d old=%d by auid %u",
• audit_failure, old, loginuid);
  return old;
  }

@@ -387,7 +391,8 @@
if (status_get->mask & AUDIT_STATUS_PID) {
int old = audit_pid;
audit_pid = status_get->pid;

• audit_log(NULL, "audit_pid=%d old=%d by auid %u",

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "audit_pid=%d old=%d by auid %u",
  audit_pid, old, loginuid);
  }
  if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
  @@ -397,7 +402,7 @@
  loginuid);
  break;
  case AUDIT_USER:

• ab = audit_log_start(NULL);

• ab = audit_log_start(NULL, AUDIT_USER);
  if (!ab)
  break; /* audit_panic has been called */
  audit_log_format(ab,
  @@ -407,7 +412,6 @@
  (int)(nlh->nlmsg_len
  - ((char *)data - (char *)nlh)),
  loginuid, (char *)data);

• audit_set_type(ab, AUDIT_USER);
  audit_set_pid(ab, pid);
  audit_log_end(ab);
  break;
  @@ -538,7 +542,7 @@

  audit_initialized = 1;
  audit_enabled = audit_default;

• audit_log(NULL, "initialized");

• audit_log(NULL, AUDIT_KERNEL, "initialized");
  return 0;
  }

@@ -565,7 +569,7 @@

audit_initialized = 1;
audit_enabled = audit_default;

• audit_log(NULL, "initialized");

• audit_log(NULL, AUDIT_KERNEL, "initialized");
  return 0;
  }

endif

@@ -605,7 +609,7 @@
}

static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,

• int gfp_mask)

• int gfp_mask, int type)
  {
  unsigned long flags;
  struct audit_buffer *ab = NULL;
  @@ -633,7 +637,7 @@

  ab->ctx = ctx;
  nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));

• nlh->nlmsg_type = AUDIT_KERNEL;

• nlh->nlmsg_type = type;
  nlh->nlmsg_flags = 0;
  nlh->nlmsg_pid = 0;
  nlh->nlmsg_seq = 0;
  @@ -649,7 +653,7 @@

• syscall, then the syscall is marked as auditable and an audit record
• will be written at syscall exit. If there is no associated task, tsk
• should be NULL. */
  -struct audit_buffer *audit_log_start(struct audit_context *ctx)
  +struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
  {
  struct audit_buffer *ab = NULL;
  struct timespec t;
  @@ -670,7 +674,7 @@
  return NULL;
  }

• ab = audit_buffer_alloc(ctx, GFP_ATOMIC);

• ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
  if (!ab) {
  audit_log_lost("out of memory in audit_log_start");
  return NULL;
  @@ -877,12 +881,12 @@
  /* Log an audit record. This is a convenience function that calls

• audit_log_start, audit_log_vformat, and audit_log_end. It may be
• called in any context. */
  -void audit_log(struct audit_context *ctx, const char *fmt, ...)
  +void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
  {
  struct audit_buffer *ab;
  va_list args;

• ab = audit_log_start(ctx);

• ab = audit_log_start(ctx, type);
  if (ab) {
  va_start(args, fmt);
  audit_log_vformat(ab, fmt, args);
  diff -ur linux-2.6.9.orig/kernel/auditfs.c linux-2.6.9/kernel/auditfs.c
  --- linux-2.6.9.orig/kernel/auditfs.c 2005-05-10 08:24:46.000000000 -0400
  +++ linux-2.6.9/kernel/auditfs.c 2005-05-10 08:24:11.000000000 -0400
  @@ -384,7 +384,8 @@

  /* __d_lookup will attach the audit data, if nd.last exists. */
  dput(d_lookup(nd.dentry, &nd.last));

• audit_log(NULL, "auid %u added a watch\n", loginuid);

• audit_log(NULL, AUDIT_CONFIG_CHANGE, "auid %u added a watch\n",
• loginuid);

audit_insert_watch_release:
path_release(&nd);
@@ -418,7 +419,8 @@
audit_destroy_wentry(wentry);
audit_wentry_put(wentry);
write_unlock(&data->lock);

• audit_log(NULL, "auid %u removed a watch\n", loginuid);

• audit_log(NULL, AUDIT_CONFIG_CHANGE, "auid %u removed a watch\n",

• loginuid);

  ret = 0;

diff -ur linux-2.6.9.orig/kernel/auditsc.c linux-2.6.9/kernel/auditsc.c
--- linux-2.6.9.orig/kernel/auditsc.c 2005-05-10 08:24:46.000000000 -0400
+++ linux-2.6.9/kernel/auditsc.c 2005-05-10 08:24:11.000000000 -0400
@@ -298,7 +298,8 @@
err = audit_add_rule(entry, &audit_entlist);
if (!err && (flags & AUDIT_AT_EXIT))
err = audit_add_rule(entry, &audit_extlist);

• audit_log(NULL, "auid %u added an audit rule\n", loginuid);

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "auid %u added an audit rule\n", loginuid);
  break;
  case AUDIT_DEL:
  flags =((struct audit_rule *)data)->flags;
  @@ -308,7 +309,8 @@
  err = audit_del_rule(data, &audit_entlist);
  if (!err && (flags & AUDIT_AT_EXIT))
  err = audit_del_rule(data, &audit_extlist);

• audit_log(NULL, "auid %u removed an audit rule\n", loginuid);

• audit_log(NULL, AUDIT_CONFIG_CHANGE,
• "auid %u removed an audit rule\n", loginuid);
  break;
  default:
  return -EINVAL;
  @@ -657,12 +659,14 @@
  up_read(&mm->mmap_sem);
  }

+extern void audit_set_type(struct audit_buffer *ab, int type);
+
static void audit_log_exit(struct audit_context *context)
{
int i;
struct audit_buffer *ab;

• ab = audit_log_start(context);

• ab = audit_log_start(context, AUDIT_SYSCALL);
  if (!ab)
  return; /* audit_panic has been called */
  audit_log_format(ab, "syscall=%d", context->major);
  @@ -694,7 +698,7 @@
  while (context->aux) {
  struct audit_aux_data *aux;

• ab = audit_log_start(context);

• ab = audit_log_start(context, AUDIT_KERNEL);
  if (!ab)
  continue; /* audit_panic has been called */

@@ -705,6 +709,8 @@
switch (aux->type) {
case AUDIT_AUX_IPCPERM: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
+

• audit_set_type(ab, AUDIT_IPC);
  audit_log_format(ab,
  " qbytes=%lx uid=%d gid=%d mode=%x",
  axi->qbytes, axi->uid, axi->gid, axi->mode);
  @@ -713,6 +719,7 @@

  case AUDIT_AUX_WATCH: {
  struct audit_aux_data_watched *axi = (void *)aux;

• audit_set_type(ab, AUDIT_FS_WATCH);
  audit_log_format(ab, " watch=");
  audit_log_untrustedstring(ab, axi->wentry->w_watch->name);
  audit_log_format(ab,
  @@ -733,7 +740,7 @@
  }

  for (i = 0; i < context->name_count; i++) {

• ab = audit_log_start(context);

• ab = audit_log_start(context, AUDIT_PATH);
  if (!ab)
  continue; /* audit_panic has been called */
  audit_log_format(ab, "item=%d", i);
  @@ -1037,20 +1044,17 @@
  }
  }

-extern int audit_set_type(struct audit_buffer *ab, int type);

int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
{
if (task->audit_context) {
struct audit_buffer *ab;

• ab = audit_log_start(NULL);

• ab = audit_log_start(NULL, AUDIT_LOGIN);
  if (ab) {
  audit_log_format(ab, "login pid=%d uid=%u "
  "old loginuid=%u new loginuid=%u",
  task->pid, task->uid,
  task->audit_context->loginuid, loginuid);

• audit_set_type(ab, AUDIT_LOGIN);
  audit_log_end(ab);
  }
  task->audit_context->loginuid = loginuid;
  diff -ur linux-2.6.9.orig/security/selinux/avc.c linux-2.6.9/security/selinux/avc.c
  --- linux-2.6.9.orig/security/selinux/avc.c 2005-05-10 08:24:51.000000000 -0400
  +++ linux-2.6.9/security/selinux/avc.c 2005-05-10 08:24:11.000000000 -0400
  @@ -204,7 +204,7 @@
  avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
  0, SLAB_PANIC, NULL, NULL);

• audit_log(current->audit_context, "AVC INITIALIZED\n");

• audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
  }

int avc_get_hash_stats(char *page)
@@ -511,7 +511,7 @@
return;
}

• ab = audit_log_start(current->audit_context);

• ab = audit_log_start(current->audit_context, AUDIT_AVC);
  if (!ab)
  return; /* audit_panic has been called */
  audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
  diff -ur linux-2.6.9.orig/security/selinux/nlmsgtab.c linux-2.6.9/security/selinux/nlmsgtab.c
  --- linux-2.6.9.orig/security/selinux/nlmsgtab.c 2005-05-10 08:24:51.000000000 -0400
  +++ linux-2.6.9/security/selinux/nlmsgtab.c 2005-05-10 08:27:26.507095128 -0400
  @@ -98,6 +98,13 @@
  { AUDIT_WATCH_INS, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
  { AUDIT_WATCH_REM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
  { AUDIT_WATCH_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
• { AUDIT_USER_AUTH, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
• { AUDIT_USER_ACCT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
• { AUDIT_USER_MGMT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
• { AUDIT_CRED_ACQ, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
• { AUDIT_CRED_DISP, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
• { AUDIT_USER_START, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
• { AUDIT_USER_END, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
  };

diff -ur linux-2.6.9.orig/security/selinux/ss/services.c linux-2.6.9/security/selinux/ss/services.c
--- linux-2.6.9.orig/security/selinux/ss/services.c 2005-05-10 08:24:51.000000000 -0400
+++ linux-2.6.9/security/selinux/ss/services.c 2005-05-10 08:24:11.000000000 -0400
@@ -579,7 +579,7 @@
goto out;
if (context_struct_to_string(newcontext, &n, &nlen) < 0)
goto out;

• audit_log(current->audit_context,

• audit_log(current->audit_context, AUDIT_SELINUX_ERR,
  "security_compute_sid: invalid context %s"
  " for scontext=%s"
  " tcontext=%s"