Q: log subject attributes for tree rule removal - Githubissues

linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Other

140 stars 37 forks source link

Q: log subject attributes for tree rule removal #50

Closed rgbriggs closed 5 years ago

rgbriggs commented 7 years ago

Currently audit tree rule removal is an unaccompanied record that has no subject attributes.

kernel/audit_tree.c:audit_tree_log_remove_rule() compare with:
kernel/audit_watch.c:audit_watch_log_rule_change()

Add "auid" and "ses".

rgbriggs commented 7 years ago

See also: https://github.com/linux-audit/audit-kernel/issues/59

pcmoore commented 6 years ago

If possible, I think the right solution is to make this an accompanied record. However, I believe that these events are not always triggered by a user action (i.e. SYSCALL record).

I think the answer is to make this an accompanied record when there is a valid SYSCALL-record/audit_context, and leave it unaccompanied when the event happens asynchronously.

rgbriggs commented 6 years ago

Watch events are triggered by user action via fsnotify, so adding current->audit_context should fix that.

      audit_update_watch(), 
          audit_watch_handle_event()
      audit_remove_parent_watches()
          audit_watch_handle_event()

For tree events, kill_rules() is called from:

trim_marked()
- audit_add_tree_rule(): AUDIT_ADD_RULE, accompaniable
- audit_trim_trees(): AUDIT_TRIM, accompaniable
- audit_tag_tree(): AUDIT_MAKE_EQUIV, accompaniable
audit_kill_trees() called from __audit_syscall_exit()/__audit_free() after ctx taken from current, so need to hand newly confiscated ctx to audit_kill_trees() to then hand to kill_rules()
evict_chunk() called from audit_tree_ops.freeing_mark
- moves to audit_context->killed_trees (postponed) if ctx or ctx->in_syscall
- calls kill_rules() first and then sends to prune_list which is purged by prune_thread() which is async adding ctx to tree rule reap.

rgbriggs commented 6 years ago

Another similar call/record is kernel/audit_fsnotify.c:audit_mark_log_rule_change() which could be made accompanied to a syscall record.

pcmoore commented 6 years ago

So it sounds like we could get a valid audit context for all of the triggering events?

rgbriggs commented 6 years ago

On 2018-04-06 20:41, Paul Moore wrote:

So it sounds like we could get a valid audit context for all of the triggering events?

It isn't currently available for audit_kill_trees(), but can be arranged without too much trouble.

rgbriggs commented 6 years ago

RFC V1 posted upstream: https://www.redhat.com/archives/linux-audit/2018-June/msg00083.html

Question to Viro about TRIM and MAKE_EQUIV: https://www.redhat.com/archives/linux-audit/2018-June/msg00093.html

rgbriggs commented 6 years ago

2018-09-26: Ping-ed viro on irc about TRIM and MAKE_EQIV question. He needed to dig it up and has yet to reply.

rgbriggs commented 5 years ago

All tree records now have an associated syscall context. Closing.

pcmoore commented 5 years ago

Thanks @rgbriggs.