From 120548d8a2810ceb860fa6ae016d02fce47c6a93 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 17 Sep 2019 15:00:30 -0400 Subject: [PATCH 1/2] audit: add a Linux Audit specific README.md and SECURITY.md DO NOT SUBMIT UPSTREAM --- README | 25 +++++++++------------ README.md | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README.orig | 18 ++++++++++++++++ SECURITY.md | 16 ++++++++++++++ 4 files changed, 106 insertions(+), 15 deletions(-) create mode 100644 README.md create mode 100644 README.orig create mode 100644 SECURITY.md diff --git a/README b/README index 669ac7c322927..8e948882f470d 100644 --- a/README +++ b/README @@ -1,18 +1,13 @@ -Linux kernel -============ +Linux Kernel Audit Subsystem +============================================================================= +https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git +https://github.com/linux-audit/audit-kernel -There are several guides for kernel developers and users. These guides can -be rendered in a number of formats, like HTML and PDF. Please read -Documentation/admin-guide/README.rst first. +The original Linux Kernel README file: +* https://github.com/linux-audit/audit-kernel/blob/main/README.orig -In order to build the documentation, use ``make htmldocs`` or -``make pdfdocs``. The formatted documentation can also be read online at: +The Linux Kernel audit subsystem README.md file: +* https://github.com/linux-audit/audit-kernel/blob/main/README.md - https://www.kernel.org/doc/html/latest/ - -There are various text files in the Documentation/ subdirectory, -several of them using the Restructured Text markup notation. - -Please read the Documentation/process/changes.rst file, as it contains the -requirements for building and running the kernel, and information about -the problems which may result by upgrading your kernel. +The latest official Linux Kernel documentation: +* https://www.kernel.org/doc/html/latest 
diff --git a/README.md b/README.md new file mode 100644 index 0000000000000..36e5968f03603 --- /dev/null +++ b/README.md 
@@ -0,0 +1,62 @@ +Linux Kernel Audit Subsystem +============================================================================= +https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git +https://github.com/linux-audit/audit-kernel + +The Linux Audit subsystem provides a secure logging framework that is used to +capture and record security relevant events. It consists of a kernel component +which generates audit records based on system activity, a userspace daemon +which logs these records to a local file or a remote aggregation server, and a +set of userspace tools to for audit log inspection and post-processing. + +The main Linux Kernel README can be found at +[Documentation/admin-guide/README.rst](./Documentation/admin-guide/README.rst) + +## Online Resources + +The canonical audit kernel repository is hosted by kernel.org: + +* https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git +* git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git + +There is also an officially maintained GitHub mirror: + +* https://github.com/linux-audit/audit-kernel + +## Kernel Tree Process + +After the merge window closes upstream, a decision will be made regarding the +need to rebase the next branch on top of the current Linux -rc1 release. If +there have been a number of subsystem related changes outside of the +subsystem's next branch, or if the branch's base is too far behind +linux/master, it may be necessary to rebase the next branch. If a rebase is +needed, it should be done before any patches are merged, and rebasing the next +branch during the remaining -rcX releases should only be done in extreme cases. + +Patches will be merged into the subsystem's next branch during the development +cycle which extends from merge window close up until the merge window reopens. +However, it is important to note that large, complicated, or invasive patches +sent late in the development cycle may be deferred until the next cycle. 
As a +general rule, only small patches or critical fixes will be merged after +-rc5/-rc6. + +Any patches deemed necessary for the current Linux -rcX releases will be merged +into the current stable-X.Y branch, marked with a signed tag, and a pull +request sent against linux/master as soon as it is reasonable to do so. + +During the development cycle Fedora Rawhide test kernels will be generated +using the next and most recent stable-X.Y branches on a weekly basis, if not +more often. These kernels will be tested against the SELinux test suite and +audit test suite as well as being made available to everyone for additional +testing. + +Once the merge window opens, the next branch will be copied to a new branch, +stable-X.Y, and the branch will be marked with a signed tag in the format +audit-pr-YYYYMMDD. A pull request will be sent against the linux/master +branch using the signed tag. + +## Userspace Tools and Test Suites + +The audit userspace tools and test suites are hosted by GitHub: + +* https://github.com/linux-audit diff --git a/README.orig b/README.orig new file mode 100644 index 0000000000000..669ac7c322927 --- /dev/null +++ b/README.orig @@ -0,0 +1,18 @@ +Linux kernel +============ + +There are several guides for kernel developers and users. These guides can +be rendered in a number of formats, like HTML and PDF. Please read +Documentation/admin-guide/README.rst first. + +In order to build the documentation, use ``make htmldocs`` or +``make pdfdocs``. The formatted documentation can also be read online at: + + https://www.kernel.org/doc/html/latest/ + +There are various text files in the Documentation/ subdirectory, +several of them using the Restructured Text markup notation. + +Please read the Documentation/process/changes.rst file, as it contains the +requirements for building and running the kernel, and information about +the problems which may result by upgrading your kernel. 
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..07836ff5f4385 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,16 @@ +Audit Kernel Subsystem Security Policy +============================================================================= + +The audit kernel developers take security very seriously and if you think you +have found a serious problem or security vulnerability in the audit kernel +code you are encouraged to send email to the current audit kernel maintainer +who is listed below: + +* Paul Moore, paul@paul-moore.com + +## Linux Kernel General Security Policy + +In addition to the contact information above, the Linux Kernel also has a +security policy documented in the link below: + +* https://github.com/linux-audit/audit-kernel/blob/main/Documentation/admin-guide/security-bugs.rst From a3f0ed3f07b3262461c74c68df101e7c04adaa06 Mon Sep 17 00:00:00 2001 From: huqinghong Date: Fri, 28 Jul 2023 09:38:44 +0800 Subject: [PATCH 2/2] Influence: audit log fix:audit.log can't record correctly when rm the dir end with '/' step: 1. mkdir test 2. touch test/111.txt 3. rm -r test/ Log: type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a --- kernel/auditsc.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index addeed3df15d3..2308812889f14 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -2416,6 +2416,10 @@ void __audit_inode_child(struct inode *parent, struct audit_entry *e; struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS]; int i; + char *n_file_name = NULL; + int dlen; + int name_len; + bool special_end = false; if (context->context == AUDIT_CTX_UNUSED) return; @@ -2439,23 +2443,39 @@ void __audit_inode_child(struct inode *parent, if (inode) handle_one(inode); + n_file_name = kmalloc(PATH_MAX, GFP_KERNEL); + if (n_file_name) { + memset(n_file_name, '\0', PATH_MAX); + } + dlen = strlen(dname); /* look for a parent entry first */ list_for_each_entry(n, &context->names_list, list) { if (!n->name || (n->type != AUDIT_TYPE_PARENT && n->type != AUDIT_TYPE_UNKNOWN)) continue; - + name_len = strlen(n->name->name); + if (n_file_name && dname[dlen -1] != '/' && n->name->name[name_len - 1] == '/') + { + strncpy(n_file_name, n->name->name, name_len - 1); + special_end = true; + } if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev && !audit_compare_dname_path(dname, - n->name->name, n->name_len)) { + special_end ? n_file_name : n->name->name, n->name_len)) { if (n->type == AUDIT_TYPE_UNKNOWN) n->type = AUDIT_TYPE_PARENT; found_parent = n; break; } + if (special_end) { + memset(n_file_name, '\0', name_len + 1); + } + special_end = false; + } + if (n_file_name) { + kfree(n_file_name); } - /* is there a matching child entry? */ list_for_each_entry(n, &context->names_list, list) { /* can only match entries that have a name */
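Review bot: The new trailing-slash test reads `n->name->name[name_len - 1]` and `dname[dlen - 1]` with no length guard, so a zero-length name (an empty `struct filename` seems possible for AT_EMPTY_PATH lookups — worth confirming on this base) reads one byte before the string, and `name_len - 1` then becomes a huge `size_t` in the following `strncpy`, overrunning the PATH_MAX buffer; a guard such as `if (n_file_name && name_len > 1 && n->name->name[name_len - 1] == '/')` avoids both, and the `dname[dlen - 1] != '/'` half of the condition is redundant because a dentry name can never contain '/'. The `kmalloc(PATH_MAX, GFP_KERNEL)` plus `memset` pair on every call could be a single `kzalloc`, and since `__audit_inode_child` is entered from filesystem hooks, the allocation flag should match what the rest of this file uses for names (GFP_NOFS, as far as I recall) rather than GFP_KERNEL. A lighter fix would be to make `audit_compare_dname_path()` ignore a trailing '/' on `path`, which corrects the parent match without a per-call scratch buffer and also covers the child-entry loop that starts at the end of the second hunk. `__audit_inode_child` begins before the first hunk and continues past the second.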