Red Hat Bugzilla – Attachment 583319 Details for
Bug 816567
pam_tty_audit is broken
[patch]
Work-in progress patch
audit-no-netlink-credentials.patch (text/plain), 7.08 KB, created by
Miloslav Trmač
on 2012-05-09 14:55:55 UTC
Description:
Work-in progress patch
Filename:
MIME Type:
Creator:
Miloslav Trmač
Created:
2012-05-09 14:55:55 UTC
Size:
7.08 KB
>From: Miloslav TrmaÄ <mitr@redhat.com>
>
>Commit 16e5726269611b71c930054ffe9b858c1cea88eb changed
>AF_UNIX to not send credentials by default, also affecting AF_NETLINK:
>NETLINK_CREDS().uid and pid are zero unless the calling application explictily
>sends credentials.
>
>This boroke existing user-space applications (all invocations of auditctl
>are logged as pid=0, uid=0; AUDIT_TTY_[GS]ET can not find the invoking process
>because it is looing for PID 0).
>
>Actually, using NETLINK_CREDS is not necessary because the netlink requests
>are always handled within the sending process, so we can just use "current" and
>simplify the code.
>
>Commit fd778461524849afd035679030ae8e8873c72b81 started moving in this
>direction, this patch finishes the move.
>
>Signed-Off-By: Miloslav TrmaÄ <mitr@redhat.com>
>
>---
>
>I think I got the locking and the decision to use euid and not ruid (like
>SCM_CREDENTIALS do) right, but careful review would be appreciated.
>
>I'm really unsure about handling of PID/UID namespaces - AFAICS the old code
>used to use PIDs and UIDs in the calling process namespace, but they went
>into the system-wide audit log, so it seems to me that they should use a
>system-wide namespace instead. I'm not at all certain sure that I'm using the
>PID/UID namespace API correctly, either.
>
>diff -ur linux-3.3.4-4.fc16.x86_64/include/linux/audit.h kernel-3.3.fc16/linux-3.3.4-4.fc16.x86_64/include/linux/audit.h
>--- linux-3.3.4-4.fc16.x86_64/include/linux/audit.h 2012-03-19 00:15:34.000000000 +0100
>+++ linux-3.3.4-4.fc16.x86_64/include/linux/audit.h 2012-05-07 18:14:17.624566743 +0200
>@@ -697,9 +697,9 @@
> extern int audit_update_lsm_rules(void);
>
> /* Private API (for audit.c only) */
>-extern int audit_filter_user(struct netlink_skb_parms *cb);
>+extern int audit_filter_user(void);
> extern int audit_filter_type(int type);
>-extern int audit_receive_filter(int type, int pid, int uid, int seq,
>+extern int audit_receive_filter(int type, int pid, int seq,
> void *data, size_t datasz, uid_t loginuid,
> u32 sessionid, u32 sid);
> extern int audit_enabled;
>diff -ur linux-3.3.4-4.fc16.x86_64/kernel/audit.c kernel-3.3.fc16/linux-3.3.4-4.fc16.x86_64/kernel/audit.c
>--- linux-3.3.4-4.fc16.x86_64/kernel/audit.c 2012-03-19 00:15:34.000000000 +0100
>+++ linux-3.3.4-4.fc16.x86_64/kernel/audit.c 2012-05-07 18:53:23.435738768 +0200
>@@ -467,24 +467,6 @@
> return 0;
> }
>
>-static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid)
>-{
>- struct task_struct *tsk;
>- int err;
>-
>- rcu_read_lock();
>- tsk = find_task_by_vpid(pid);
>- if (!tsk) {
>- rcu_read_unlock();
>- return -ESRCH;
>- }
>- get_task_struct(tsk);
>- rcu_read_unlock();
>- err = tty_audit_push_task(tsk, loginuid, sessionid);
>- put_task_struct(tsk);
>- return err;
>-}
>-
> int audit_send_list(void *_dest)
> {
> struct audit_netlink_list *dest = _dest;
>@@ -674,8 +656,8 @@
> return err;
> }
>
>- pid = NETLINK_CREDS(skb)->pid;
>- uid = NETLINK_CREDS(skb)->uid;
>+ pid = task_tgid_nr(current);
>+ uid = current_euid();
> loginuid = audit_get_loginuid(current);
> sessionid = audit_get_sessionid(current);
> security_task_getsecid(current, &sid);
>@@ -737,12 +719,12 @@
> if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> return 0;
>
>- err = audit_filter_user(&NETLINK_CB(skb));
>+ err = audit_filter_user();
> if (err == 1) {
> err = 0;
> if (msg_type == AUDIT_USER_TTY) {
>- err = audit_prepare_user_tty(pid, loginuid,
>- sessionid);
>+ err = tty_audit_push_task(current, loginuid,
>+ sessionid);
> if (err)
> break;
> }
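Review bot: In the `@@ -674,8 +656,8 @@` hunk of kernel/audit.c, `pid = task_tgid_nr(current);` and `uid = current_euid();` attribute the request correctly only while audit netlink messages are processed synchronously in the sender's context, and nothing in the code records that invariant. These values end up in audit records, so I would add a comment above the two assignments, e.g. `/* requests are handled in the sender's context, so current is the requester */`. `task_tgid_nr()` yields the PID as seen from the initial namespace, while the lookups removed elsewhere in this patch used `find_task_by_vpid()`, which resolves in the caller's namespace; the comment should state which of the two the audit log is meant to carry. The enclosing function starts and ends outside the hunk.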
>@@ -782,7 +764,7 @@
> /* fallthrough */
> case AUDIT_LIST:
> err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
>- uid, seq, data, nlmsg_len(nlh),
>+ seq, data, nlmsg_len(nlh),
> loginuid, sessionid, sid);
> break;
> case AUDIT_ADD_RULE:
>@@ -801,7 +783,7 @@
> /* fallthrough */
> case AUDIT_LIST_RULES:
> err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
>- uid, seq, data, nlmsg_len(nlh),
>+ seq, data, nlmsg_len(nlh),
> loginuid, sessionid, sid);
> break;
> case AUDIT_TRIM:
>@@ -880,14 +862,12 @@
> struct task_struct *tsk;
> unsigned long flags;
>
>- rcu_read_lock();
>- tsk = find_task_by_vpid(pid);
>- if (tsk && lock_task_sighand(tsk, &flags)) {
>+ tsk = current;
>+ if (lock_task_sighand(tsk, &flags)) {
> s.enabled = tsk->signal->audit_tty != 0;
> unlock_task_sighand(tsk, &flags);
> } else
> err = -ESRCH;
>- rcu_read_unlock();
>
> if (!err)
> audit_send_reply(NETLINK_CB(skb).pid, seq,
>@@ -904,14 +884,12 @@
> s = data;
> if (s->enabled != 0 && s->enabled != 1)
> return -EINVAL;
>- rcu_read_lock();
>- tsk = find_task_by_vpid(pid);
>- if (tsk && lock_task_sighand(tsk, &flags)) {
>+ tsk = current;
>+ if (lock_task_sighand(tsk, &flags)) {
> tsk->signal->audit_tty = s->enabled != 0;
> unlock_task_sighand(tsk, &flags);
> } else
> err = -ESRCH;
>- rcu_read_unlock();
> break;
> }
> default:
>diff -ur linux-3.3.4-4.fc16.x86_64/kernel/auditfilter.c kernel-3.3.fc16/linux-3.3.4-4.fc16.x86_64/kernel/auditfilter.c
>--- linux-3.3.4-4.fc16.x86_64/kernel/auditfilter.c 2012-03-19 00:15:34.000000000 +0100
>+++ linux-3.3.4-4.fc16.x86_64/kernel/auditfilter.c 2012-05-07 18:21:04.475902826 +0200
>@@ -1090,7 +1090,6 @@
> * audit_receive_filter - apply all rules to the specified message type
> * @type: audit message type
> * @pid: target pid for netlink audit messages
>- * @uid: target uid for netlink audit messages
> * @seq: netlink audit message sequence (serial) number
> * @data: payload data
> * @datasz: size of payload data
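Review bot: In the `@@ -880,14 +862,12 @@` hunk (the one reading `tsk->signal->audit_tty`) and the `@@ -904,14 +884,12 @@` hunk (the one writing it), the `else err = -ESRCH;` branch is kept although the task is now always `current`. `lock_task_sighand()` presumably cannot fail for a task that is in the middle of its own system call, so the branch looks unreachable and the local `tsk` only aliases `current`. Either take the lock directly, e.g. `spin_lock_irqsave(&current->sighand->siglock, flags);`, or keep the check and say why with a comment such as `/* not expected to fail for current; kept as a defensive check */`. Both case bodies start or end outside their hunks.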
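Review bot: The kernel-doc line `@pid: target pid for netlink audit messages` left in the `@@ -1090,7 +1090,6 @@` hunk no longer matches how the argument is used: the visible call sites pass `NETLINK_CB(skb).pid`, which appears to be the netlink address the reply is sent to rather than the task PID that kernel/audit.c now reads from `current`. I would reword it to something like `@pid: netlink pid (reply destination) of the requesting socket` so the two meanings of pid are not confused when reading audit attribution code. The comment block continues in the next hunk.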
>@@ -1098,7 +1097,7 @@
> * @sessionid: sessionid for netlink audit message
> * @sid: SE Linux Security ID of sender
> */
>-int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
>+int audit_receive_filter(int type, int pid, int seq, void *data,
> size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
> {
> struct task_struct *tsk;
>@@ -1236,8 +1235,7 @@
> return strncmp(p, dname, dlen);
> }
>
>-static int audit_filter_user_rules(struct netlink_skb_parms *cb,
>- struct audit_krule *rule,
>+static int audit_filter_user_rules(struct audit_krule *rule,
> enum audit_state *state)
> {
> int i;
>@@ -1249,13 +1247,13 @@
>
> switch (f->type) {
> case AUDIT_PID:
>- result = audit_comparator(cb->creds.pid, f->op, f->val);
>+ result = audit_comparator(task_tgid_nr(current), f->op, f->val);
> break;
> case AUDIT_UID:
>- result = audit_comparator(cb->creds.uid, f->op, f->val);
>+ result = audit_comparator(current_euid(), f->op, f->val);
> break;
> case AUDIT_GID:
>- result = audit_comparator(cb->creds.gid, f->op, f->val);
>+ result = audit_comparator(current_egid(), f->op, f->val);
> break;
> case AUDIT_LOGINUID:
> result = audit_comparator(audit_get_loginuid(current),
>@@ -1287,7 +1285,7 @@
> return 1;
> }
>
>-int audit_filter_user(struct netlink_skb_parms *cb)
>+int audit_filter_user(void)
> {
> enum audit_state state = AUDIT_DISABLED;
> struct audit_entry *e;
>@@ -1295,7 +1293,7 @@
>
> rcu_read_lock();
> list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
>- if (audit_filter_user_rules(cb, &e->rule, &state)) {
>+ if (audit_filter_user_rules(&e->rule, &state)) {
> if (state == AUDIT_DISABLED)
> ret = 0;
> break;
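Review bot: In the `@@ -1249,13 +1247,13 @@` hunk, the `AUDIT_PID`, `AUDIT_UID` and `AUDIT_GID` user-filter fields now compare `task_tgid_nr(current)`, `current_euid()` and `current_egid()`, and nothing in the code says why the effective rather than the real IDs are matched. User-filter rules decide which user-space audit messages are kept or dropped, so the semantics matter to anyone writing or auditing rules. A comment above the switch such as `/* match the sender's effective uid/gid and global tgid */` would pin it down, ideally also stating whether this equals what the netlink credentials carried before, which the description leaves open. The function body starts and ends outside the hunk.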