Commit f2840fcc authored by Serge Hallyn's avatar Serge Hallyn Committed by Linus Torvalds

[PATCH] Fix audit control message checks

The audit control messages are sent over netlink.  Permission checks are
done on the process receiving the message, which may not be the same as the
process sending the message.  This patch switches the netlink_send security
hooks to calculate the effective capabilities based on the sender.  Then
audit_receive_msg performs capability checks based on that.

It also introduces the CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL capabilities,
and replaces the previous CAP_SYS_ADMIN checks in audit code with the
appropriate checks.

- Simplified dummy_netlink_send given that dummy now keeps track of
  capabilities.

- Many fixes based on feedback from <linux-audit@redhat.com> list.

- Removed the netlink_msg_type helper function.

- Switch to using CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL.
Signed-off-by: default avatarSerge Hallyn <serue@us.ibm.com>
Signed-off-by: default avatarStephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: default avatarChris Wright <chrisw@osdl.org>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent fe00c037
...@@ -284,6 +284,10 @@ typedef __u32 kernel_cap_t; ...@@ -284,6 +284,10 @@ typedef __u32 kernel_cap_t;
#define CAP_LEASE 28 #define CAP_LEASE 28
#define CAP_AUDIT_WRITE 29
#define CAP_AUDIT_CONTROL 30
#ifdef __KERNEL__ #ifdef __KERNEL__
/* /*
* Bounding set * Bounding set
......
...@@ -300,21 +300,55 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi, ...@@ -300,21 +300,55 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
kfree_skb(skb); kfree_skb(skb);
} }
/*
* Check for appropriate CAP_AUDIT_ capabilities on incoming audit
* control messages.
*/
static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
{
int err = 0;
switch (msg_type) {
case AUDIT_GET:
case AUDIT_LIST:
case AUDIT_SET:
case AUDIT_LOGIN:
case AUDIT_ADD:
case AUDIT_DEL:
if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
err = -EPERM;
break;
case AUDIT_USER:
if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
err = -EINVAL;
}
return err;
}
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{ {
u32 uid, pid, seq; u32 uid, pid, seq;
void *data; void *data;
struct audit_status *status_get, status_set; struct audit_status *status_get, status_set;
struct audit_login *login; struct audit_login *login;
int err = 0; int err;
struct audit_buffer *ab; struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type;
err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
if (err)
return err;
pid = NETLINK_CREDS(skb)->pid; pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid; uid = NETLINK_CREDS(skb)->uid;
seq = nlh->nlmsg_seq; seq = nlh->nlmsg_seq;
data = NLMSG_DATA(nlh); data = NLMSG_DATA(nlh);
switch (nlh->nlmsg_type) { switch (msg_type) {
case AUDIT_GET: case AUDIT_GET:
status_set.enabled = audit_enabled; status_set.enabled = audit_enabled;
status_set.failure = audit_failure; status_set.failure = audit_failure;
...@@ -327,8 +361,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -327,8 +361,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
&status_set, sizeof(status_set)); &status_set, sizeof(status_set));
break; break;
case AUDIT_SET: case AUDIT_SET:
if (!capable(CAP_SYS_ADMIN)) if (nlh->nlmsg_len < sizeof(struct audit_status))
return -EPERM; return -EINVAL;
status_get = (struct audit_status *)data; status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) { if (status_get->mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(status_get->enabled); err = audit_set_enabled(status_get->enabled);
...@@ -364,8 +398,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -364,8 +398,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_log_end(ab); audit_log_end(ab);
break; break;
case AUDIT_LOGIN: case AUDIT_LOGIN:
if (!capable(CAP_SYS_ADMIN)) if (nlh->nlmsg_len < sizeof(struct audit_login))
return -EPERM; return -EINVAL;
login = (struct audit_login *)data; login = (struct audit_login *)data;
ab = audit_log_start(NULL); ab = audit_log_start(NULL);
if (ab) { if (ab) {
...@@ -384,9 +418,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -384,9 +418,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
login->loginuid); login->loginuid);
#endif #endif
break; break;
case AUDIT_LIST:
case AUDIT_ADD: case AUDIT_ADD:
case AUDIT_DEL: case AUDIT_DEL:
if (nlh->nlmsg_len < sizeof(struct audit_rule))
return -EINVAL;
/* fallthrough */
case AUDIT_LIST:
#ifdef CONFIG_AUDITSYSCALL #ifdef CONFIG_AUDITSYSCALL
err = audit_receive_filter(nlh->nlmsg_type, pid, uid, seq, err = audit_receive_filter(nlh->nlmsg_type, pid, uid, seq,
data); data);
......
...@@ -250,8 +250,6 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data) ...@@ -250,8 +250,6 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
break; break;
case AUDIT_ADD: case AUDIT_ADD:
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
return -ENOMEM; return -ENOMEM;
if (audit_copy_rule(&entry->rule, data)) { if (audit_copy_rule(&entry->rule, data)) {
......
...@@ -685,10 +685,7 @@ static int dummy_sem_semop (struct sem_array *sma, ...@@ -685,10 +685,7 @@ static int dummy_sem_semop (struct sem_array *sma,
static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb) static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb)
{ {
if (current->euid == 0) NETLINK_CB(skb).eff_cap = current->cap_effective;
cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
else
NETLINK_CB (skb).eff_cap = 0;
return 0; return 0;
} }
......
...@@ -3502,12 +3502,20 @@ static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) ...@@ -3502,12 +3502,20 @@ static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{ {
int err = 0; struct task_security_struct *tsec;
struct av_decision avd;
int err;
if (capable(CAP_NET_ADMIN)) err = secondary_ops->netlink_send(sk, skb);
cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN); if (err)
else return err;
NETLINK_CB(skb).eff_cap = 0;
tsec = current->security;
avd.allowed = 0;
avc_has_perm_noaudit(tsec->sid, tsec->sid,
SECCLASS_CAPABILITY, ~0, &avd);
cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
err = selinux_nlmsg_perm(sk, skb); err = selinux_nlmsg_perm(sk, skb);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment