diff options
author | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-07-04 09:17:12 -0400 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-07-04 09:17:12 -0400 |
commit | d4ab24f8155494cf10d165a0bde7b84aacb8b016 (patch) | |
tree | 80f2c3267795040812396faf1827929327a8acc1 /2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | |
parent | Removing 2.6.31 because it will not be supported (diff) | |
download | hardened-patchset-d4ab24f8155494cf10d165a0bde7b84aacb8b016.tar.gz hardened-patchset-d4ab24f8155494cf10d165a0bde7b84aacb8b016.tar.bz2 hardened-patchset-d4ab24f8155494cf10d165a0bde7b84aacb8b016.zip |
Reorganized directory structure
Diffstat (limited to '2.6.32/4440_selinux-avc_audit-log-curr_ip.patch')
-rw-r--r-- | 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch new file mode 100644 index 0000000..b004fd4 --- /dev/null +++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch @@ -0,0 +1,65 @@ +From: Gordon Malm <gengor@gentoo.org> + +This is a reworked version of the original +*_selinux-avc_audit-log-curr_ip.patch carried in earlier releases of +hardened-sources. + +Dropping the patch, or simply fixing the #ifdef of the original patch +could break automated logging setups so this route was necessary. + +Suggestions for improving the help text are welcome. + +The original patch's description is still accurate and included below. + +--- +Provides support for a new field ipaddr within the SELinux +AVC audit log, relying in task_struct->curr_ip (ipv4 only) +provided by grSecurity patch to be applied before. + +Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> +--- + +--- a/grsecurity/Kconfig ++++ b/grsecurity/Kconfig +@@ -1368,6 +1368,27 @@ + menu "Logging Options" + depends on GRKERNSEC + ++config GRKERNSEC_SELINUX_AVC_LOG_IPADDR ++ def_bool n ++ prompt "Add source IP address to SELinux AVC log messages" ++ depends on GRKERNSEC && SECURITY_SELINUX ++ help ++ If you say Y here, a new field "ipaddr=" will be added to many SELinux ++ AVC log messages. The value of this field in any given message ++ represents the source IP address of the remote machine/user that created ++ the offending process. ++ ++ This information is sourced from task_struct->curr_ip provided by ++ grsecurity's GRKERNSEC top-level configuration option. One limitation ++ is that only IPv4 is supported. ++ ++ In many instances SELinux AVC log messages already log a superior level ++ of information that also includes source port and destination ip/port. ++ Additionally, SELinux's AVC log code supports IPv6. ++ ++ However, grsecurity's task_struct->curr_ip will sometimes (often?) ++ provide the offender's IP address where stock SELinux logging fails to. ++ + config GRKERNSEC_FLOODTIME + int "Seconds in between log messages (minimum)" + default 10 +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -203,6 +203,11 @@ static void avc_dump_query(struct audit_ + char *scontext; + u32 scontext_len; + ++#ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR ++ if (current->signal->curr_ip) ++ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip)); ++#endif ++ + rc = security_sid_to_context(ssid, &scontext, &scontext_len); + if (rc) + audit_log_format(ab, "ssid=%d", ssid); |