[AUDIT] add session id to audit messages
Eric Paris [Tue, 8 Jan 2008 15:06:53 +0000 (10:06 -0500)]
In order to correlate audit records to an individual login add a session
id.  This is incremented every time a user logs in and is included in
almost all messages which currently output the auid.  The field is
labeled ses=  or oses=

Signed-off-by: Eric Paris <eparis@redhat.com>

drivers/char/tty_audit.c
include/linux/audit.h
include/linux/init_task.h
include/linux/sched.h
kernel/auditsc.c
net/core/dev.c
security/selinux/selinuxfs.c
security/selinux/ss/services.c

index c590fc4..bacded0 100644 (file)
@@ -73,6 +73,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
  *     @tsk with @loginuid.  @buf->mutex must be locked.
  */
 static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
+                              unsigned int sessionid,
                               struct tty_audit_buf *buf)
 {
        struct audit_buffer *ab;
@@ -85,9 +86,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
        if (ab) {
                char name[sizeof(tsk->comm)];
 
-               audit_log_format(ab, "tty pid=%u uid=%u auid=%u major=%d "
-                                "minor=%d comm=", tsk->pid, tsk->uid,
-                                loginuid, buf->major, buf->minor);
+               audit_log_format(ab, "tty pid=%u uid=%u auid=%u ses=%u "
+                                "major=%d minor=%d comm=", tsk->pid, tsk->uid,
+                                loginuid, sessionid, buf->major, buf->minor);
                get_task_comm(name, tsk);
                audit_log_untrustedstring(ab, name);
                audit_log_format(ab, " data=");
@@ -105,7 +106,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
  */
 static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
 {
-       tty_audit_buf_push(current, audit_get_loginuid(current), buf);
+       uid_t auid = audit_get_loginuid(current);
+       unsigned int sessionid = audit_get_sessionid(current);
+       tty_audit_buf_push(current, auid, sessionid, buf);
 }
 
 /**
@@ -151,6 +154,11 @@ void tty_audit_fork(struct signal_struct *sig)
 void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
 {
        struct tty_audit_buf *buf;
+       /* FIXME I think this is correct.  Check against netlink once that is
+        * I really need to read this code more closely.  But that's for
+        * another patch.
+        */
+       unsigned int sessionid = audit_get_sessionid(tsk);
 
        spin_lock_irq(&tsk->sighand->siglock);
        buf = tsk->signal->tty_audit_buf;
@@ -161,7 +169,7 @@ void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
                return;
 
        mutex_lock(&buf->mutex);
-       tty_audit_buf_push(tsk, loginuid, buf);
+       tty_audit_buf_push(tsk, loginuid, sessionid, buf);
        mutex_unlock(&buf->mutex);
 
        tty_audit_buf_put(buf);
index d7c6a12..52f1b12 100644 (file)
@@ -410,6 +410,7 @@ extern void auditsc_get_stamp(struct audit_context *ctx,
                              struct timespec *t, unsigned int *serial);
 extern int  audit_set_loginuid(struct task_struct *task, uid_t loginuid);
 #define audit_get_loginuid(t) ((t)->loginuid)
+#define audit_get_sessionid(t) ((t)->sessionid)
 extern void audit_log_task_context(struct audit_buffer *ab);
 extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
@@ -489,6 +490,7 @@ extern int audit_signals;
 #define audit_core_dumps(i) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
 #define audit_get_loginuid(t) (-1)
+#define audit_get_sessionid(t) (-1)
 #define audit_log_task_context(b) do { ; } while (0)
 #define audit_ipc_obj(i) ({ 0; })
 #define audit_ipc_set_perm(q,u,g,m) ({ 0; })
index ea3e9ef..f42663e 100644 (file)
@@ -116,7 +116,8 @@ extern struct group_info init_groups;
 
 #ifdef CONFIG_AUDITSYSCALL
 #define INIT_IDS \
-       .loginuid = -1,
+       .loginuid = -1, \
+       .sessionid = -1,
 #else
 #define INIT_IDS
 #endif
index 5e27303..af6947e 100644 (file)
@@ -1141,6 +1141,7 @@ struct task_struct {
        struct audit_context *audit_context;
 #ifdef CONFIG_AUDITSYSCALL
        uid_t loginuid;
+       unsigned int sessionid;
 #endif
        seccomp_t seccomp;
 
index a222e73..4e67abb 100644 (file)
@@ -178,6 +178,7 @@ struct audit_aux_data_pids {
        pid_t                   target_pid[AUDIT_AUX_PIDS];
        uid_t                   target_auid[AUDIT_AUX_PIDS];
        uid_t                   target_uid[AUDIT_AUX_PIDS];
+       unsigned int            target_sessionid[AUDIT_AUX_PIDS];
        u32                     target_sid[AUDIT_AUX_PIDS];
        char                    target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
        int                     pid_count;
@@ -219,6 +220,7 @@ struct audit_context {
        pid_t               target_pid;
        uid_t               target_auid;
        uid_t               target_uid;
+       unsigned int        target_sessionid;
        u32                 target_sid;
        char                target_comm[TASK_COMM_LEN];
 
@@ -936,7 +938,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 }
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-                                uid_t auid, uid_t uid, u32 sid, char *comm)
+                                uid_t auid, uid_t uid, unsigned int sessionid,
+                                u32 sid, char *comm)
 {
        struct audit_buffer *ab;
        char *s = NULL;
@@ -947,7 +950,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
        if (!ab)
                return 1;
 
-       audit_log_format(ab, "opid=%d oauid=%d ouid=%d", pid, auid, uid);
+       audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
+                        uid, sessionid);
        if (selinux_sid_to_string(sid, &s, &len)) {
                audit_log_format(ab, " obj=(none)");
                rc = 1;
@@ -1056,7 +1060,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
                  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
                  " euid=%u suid=%u fsuid=%u"
-                 " egid=%u sgid=%u fsgid=%u tty=%s",
+                 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
                  context->argv[0],
                  context->argv[1],
                  context->argv[2],
@@ -1068,7 +1072,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                  context->uid,
                  context->gid,
                  context->euid, context->suid, context->fsuid,
-                 context->egid, context->sgid, context->fsgid, tty);
+                 context->egid, context->sgid, context->fsgid, tty,
+                 tsk->sessionid);
 
        mutex_unlock(&tty_mutex);
 
@@ -1187,6 +1192,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                        if (audit_log_pid_context(context, axs->target_pid[i],
                                                  axs->target_auid[i],
                                                  axs->target_uid[i],
+                                                 axs->target_sessionid[i],
                                                  axs->target_sid[i],
                                                  axs->target_comm[i]))
                                call_panic = 1;
@@ -1195,6 +1201,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
        if (context->target_pid &&
            audit_log_pid_context(context, context->target_pid,
                                  context->target_auid, context->target_uid,
+                                 context->target_sessionid,
                                  context->target_sid, context->target_comm))
                        call_panic = 1;
 
@@ -1787,6 +1794,9 @@ void auditsc_get_stamp(struct audit_context *ctx,
        ctx->auditable = 1;
 }
 
+/* global counter which is incremented every time something logs in */
+static atomic_t session_id = ATOMIC_INIT(0);
+
 /**
  * audit_set_loginuid - set a task's audit_context loginuid
  * @task: task whose audit context is being modified
@@ -1798,6 +1808,7 @@ void auditsc_get_stamp(struct audit_context *ctx,
  */
 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 {
+       unsigned int sessionid = atomic_inc_return(&session_id);
        struct audit_context *context = task->audit_context;
 
        if (context && context->in_syscall) {
@@ -1806,12 +1817,15 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
                if (ab) {
                        audit_log_format(ab, "login pid=%d uid=%u "
-                               "old auid=%u new auid=%u",
+                               "old auid=%u new auid=%u"
+                               " old ses=%u new ses=%u",
                                task->pid, task->uid,
-                               task->loginuid, loginuid);
+                               task->loginuid, loginuid,
+                               task->sessionid, sessionid);
                        audit_log_end(ab);
                }
        }
+       task->sessionid = sessionid;
        task->loginuid = loginuid;
        return 0;
 }
@@ -2200,6 +2214,7 @@ void __audit_ptrace(struct task_struct *t)
        context->target_pid = t->pid;
        context->target_auid = audit_get_loginuid(t);
        context->target_uid = t->uid;
+       context->target_sessionid = audit_get_sessionid(t);
        selinux_get_task_sid(t, &context->target_sid);
        memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
 }
@@ -2240,6 +2255,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
                ctx->target_pid = t->tgid;
                ctx->target_auid = audit_get_loginuid(t);
                ctx->target_uid = t->uid;
+               ctx->target_sessionid = audit_get_sessionid(t);
                selinux_get_task_sid(t, &ctx->target_sid);
                memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
                return 0;
@@ -2260,6 +2276,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
        axp->target_pid[axp->pid_count] = t->tgid;
        axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
        axp->target_uid[axp->pid_count] = t->uid;
+       axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
        selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
        memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
        axp->pid_count++;
@@ -2278,6 +2295,8 @@ void audit_core_dumps(long signr)
 {
        struct audit_buffer *ab;
        u32 sid;
+       uid_t auid = audit_get_loginuid(current);
+       unsigned int sessionid = audit_get_sessionid(current);
 
        if (!audit_enabled)
                return;
@@ -2286,9 +2305,8 @@ void audit_core_dumps(long signr)
                return;
 
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-       audit_log_format(ab, "auid=%u uid=%u gid=%u",
-                       audit_get_loginuid(current),
-                       current->uid, current->gid);
+       audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+                       auid, current->uid, current->gid, sessionid);
        selinux_get_task_sid(current, &sid);
        if (sid) {
                char *ctx = NULL;
index c0b69b3..ba075a9 100644 (file)
@@ -2754,10 +2754,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
                                                               "left");
                audit_log(current->audit_context, GFP_ATOMIC,
                        AUDIT_ANOM_PROMISCUOUS,
-                       "dev=%s prom=%d old_prom=%d auid=%u",
+                       "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
                        dev->name, (dev->flags & IFF_PROMISC),
                        (old_flags & IFF_PROMISC),
-                       audit_get_loginuid(current));
+                       audit_get_loginuid(current),
+                       audit_get_sessionid(current));
 
                if (dev->change_rx_flags)
                        dev->change_rx_flags(dev, IFF_PROMISC);
index bee9694..0341567 100644 (file)
@@ -172,9 +172,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
                if (length)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                       "enforcing=%d old_enforcing=%d auid=%u", new_value, 
-                       selinux_enforcing,
-                       audit_get_loginuid(current));
+                       "enforcing=%d old_enforcing=%d auid=%u ses=%u",
+                       new_value, selinux_enforcing,
+                       audit_get_loginuid(current),
+                       audit_get_sessionid(current));
                selinux_enforcing = new_value;
                if (selinux_enforcing)
                        avc_ss_reset(0);
@@ -243,8 +244,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
                if (length < 0)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                       "selinux=0 auid=%u",
-                       audit_get_loginuid(current));
+                       "selinux=0 auid=%u ses=%u",
+                       audit_get_loginuid(current),
+                       audit_get_sessionid(current));
        }
 
        length = count;
@@ -356,8 +358,9 @@ out1:
                (security_get_allow_unknown() ? "allow" : "deny")));
 
        audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
-               "policy loaded auid=%u",
-               audit_get_loginuid(current));
+               "policy loaded auid=%u ses=%u",
+               audit_get_loginuid(current),
+               audit_get_sessionid(current));
 out:
        mutex_unlock(&sel_mutex);
        vfree(data);
index 819a6f9..fced6bc 100644 (file)
@@ -1905,11 +1905,12 @@ int security_set_bools(int len, int *values)
                if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
                        audit_log(current->audit_context, GFP_ATOMIC,
                                AUDIT_MAC_CONFIG_CHANGE,
-                               "bool=%s val=%d old_val=%d auid=%u",
+                               "bool=%s val=%d old_val=%d auid=%u ses=%u",
                                policydb.p_bool_val_to_name[i],
                                !!values[i],
                                policydb.bool_val_to_struct[i]->state,
-                               audit_get_loginuid(current));
+                               audit_get_loginuid(current),
+                               audit_get_sessionid(current));
                }
                if (values[i]) {
                        policydb.bool_val_to_struct[i]->state = 1;