integrity: audit update
Mimi Zohar [Wed, 11 Feb 2009 16:12:28 +0000 (11:12 -0500)]
Based on discussions on linux-audit, as per Steve Grubb's request
http://lkml.org/lkml/2009/2/6/269, the following changes were made:
- forced audit result to be either 0 or 1.
- made template names const
- Added new stand-alone message type: AUDIT_INTEGRITY_RULE

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

include/linux/audit.h
security/integrity/ima/ima.h
security/integrity/ima/ima_api.c
security/integrity/ima/ima_audit.c
security/integrity/ima/ima_fs.c
security/integrity/ima/ima_init.c
security/integrity/ima/ima_policy.c

index 930939a..4fa2810 100644 (file)
@@ -36,7 +36,8 @@
  * 1500 - 1599 kernel LSPP events
  * 1600 - 1699 kernel crypto events
  * 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
  * 2000 is for otherwise unclassified kernel audit messages (legacy)
  * 2001 - 2099 unused (kernel)
  * 2100 - 2199 user space anomaly records
 #define AUDIT_INTEGRITY_STATUS     1802 /* Integrity enable status */
 #define AUDIT_INTEGRITY_HASH       1803 /* Integrity HASH type */
 #define AUDIT_INTEGRITY_PCR        1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE       1805 /* policy rule */
 
 #define AUDIT_KERNEL           2000    /* Asynchronous audit record. NOT A REQUEST. */
 
index e3c16a2..165eb53 100644 (file)
@@ -47,7 +47,7 @@ struct ima_template_data {
 
 struct ima_template_entry {
        u8 digest[IMA_DIGEST_SIZE];     /* sha1 or md5 measurement hash */
-       char *template_name;
+       const char *template_name;
        int template_len;
        struct ima_template_data template;
 };
index a148a25..3cd58b6 100644 (file)
@@ -15,7 +15,7 @@
 #include <linux/module.h>
 
 #include "ima.h"
-static char *IMA_TEMPLATE_NAME = "ima";
+static const char *IMA_TEMPLATE_NAME = "ima";
 
 /*
  * ima_store_template - store ima template measurements
index 8a0f1e2..1e082bb 100644 (file)
@@ -22,16 +22,18 @@ static int ima_audit;
 static int __init ima_audit_setup(char *str)
 {
        unsigned long audit;
-       int rc;
-       char *op;
+       int rc, result = 0;
+       char *op = "ima_audit";
+       char *cause;
 
        rc = strict_strtoul(str, 0, &audit);
        if (rc || audit > 1)
-               printk(KERN_INFO "ima: invalid ima_audit value\n");
+               result = 1;
        else
                ima_audit = audit;
-       op = ima_audit ? "ima_audit_enabled" : "ima_audit_not_enabled";
-       integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+       cause = ima_audit ? "enabled" : "not_enabled";
+       integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+                           op, cause, result, 0);
        return 1;
 }
 __setup("ima_audit=", ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
                return;
 
        ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
-       audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u",
+       audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u",
                         current->pid, current->cred->uid,
-                        audit_get_loginuid(current));
+                        audit_get_loginuid(current),
+                        audit_get_sessionid(current));
        audit_log_task_context(ab);
        switch (audit_msgno) {
        case AUDIT_INTEGRITY_DATA:
        case AUDIT_INTEGRITY_METADATA:
        case AUDIT_INTEGRITY_PCR:
+       case AUDIT_INTEGRITY_STATUS:
                audit_log_format(ab, " op=%s cause=%s", op, cause);
                break;
        case AUDIT_INTEGRITY_HASH:
                audit_log_format(ab, " op=%s hash=%s", op, cause);
                break;
-       case AUDIT_INTEGRITY_STATUS:
        default:
                audit_log_format(ab, " op=%s", op);
        }
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
        if (inode)
                audit_log_format(ab, " dev=%s ino=%lu",
                                 inode->i_sb->s_id, inode->i_ino);
-       audit_log_format(ab, " res=%d", result);
+       audit_log_format(ab, " res=%d", !result ? 0 : 1);
        audit_log_end(ab);
 }
index 573780c..ffbe259 100644 (file)
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
        ima_putc(m, &namelen, sizeof namelen);
 
        /* 4th:  template name */
-       ima_putc(m, e->template_name, namelen);
+       ima_putc(m, (void *)e->template_name, namelen);
 
        /* 5th:  template specific data */
        ima_template_show(m, (struct ima_template_data *)&e->template,
index cf227db..0b0bb8c 100644 (file)
@@ -20,7 +20,7 @@
 #include "ima.h"
 
 /* name for boot aggregate entry */
-static char *boot_aggregate_name = "boot_aggregate";
+static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
 
 /* Add the boot aggregate to the IMA measurement list and extend
index 23810e0..b5291ad 100644 (file)
@@ -12,7 +12,6 @@
  */
 #include <linux/module.h>
 #include <linux/list.h>
-#include <linux/audit.h>
 #include <linux/security.h>
 #include <linux/magic.h>
 #include <linux/parser.h>
@@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
        char *p;
        int result = 0;
 
-       ab = audit_log_start(current->audit_context, GFP_KERNEL,
-                            AUDIT_INTEGRITY_STATUS);
+       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
 
        entry->action = -1;
        while ((p = strsep(&rule, " \n")) != NULL) {
@@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                                                   AUDIT_SUBJ_TYPE);
                        break;
                case Opt_err:
-                       printk(KERN_INFO "%s: unknown token: %s\n",
-                              __FUNCTION__, p);
+                       audit_log_format(ab, "UNKNOWN=%s ", p);
                        break;
                }
        }
        if (entry->action == UNKNOWN)
                result = -EINVAL;
 
-       audit_log_format(ab, "res=%d", result);
+       audit_log_format(ab, "res=%d", !result ? 0 : 1);
        audit_log_end(ab);
        return result;
 }
@@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
  */
 int ima_parse_add_rule(char *rule)
 {
-       const char *op = "add_rule";
+       const char *op = "update_policy";
        struct ima_measure_rule_entry *entry;
        int result = 0;
        int audit_info = 0;
@@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule)
                mutex_lock(&ima_measure_mutex);
                list_add_tail(&entry->list, &measure_policy_rules);
                mutex_unlock(&ima_measure_mutex);
-       } else
+       } else {
                kfree(entry);
+               integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
+                                   NULL, op, "invalid policy", result,
+                                   audit_info);
+       }
        return result;
 }