From a6383ddcf48aac166b64e6008cbceb4476975279 Mon Sep 17 00:00:00 2001 From: "Anthony G. Basile" Date: Sat, 22 Apr 2017 12:08:04 -0400 Subject: grsecurity-3.1-4.9.24-201704220732 --- 4.9.24/4465_selinux-avc_audit-log-curr_ip.patch | 73 +++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 4.9.24/4465_selinux-avc_audit-log-curr_ip.patch (limited to '4.9.24/4465_selinux-avc_audit-log-curr_ip.patch') diff --git a/4.9.24/4465_selinux-avc_audit-log-curr_ip.patch b/4.9.24/4465_selinux-avc_audit-log-curr_ip.patch new file mode 100644 index 0000000..06a5294 --- /dev/null +++ b/4.9.24/4465_selinux-avc_audit-log-curr_ip.patch @@ -0,0 +1,73 @@ +From: Anthony G. Basile + +Removed deprecated NIPQUAD macro in favor of %pI4. +See bug #346333. + +--- +From: Gordon Malm + +This is a reworked version of the original +*_selinux-avc_audit-log-curr_ip.patch carried in earlier releases of +hardened-sources. + +Dropping the patch, or simply fixing the #ifdef of the original patch +could break automated logging setups so this route was necessary. + +Suggestions for improving the help text are welcome. + +The original patch's description is still accurate and included below. + +--- +Provides support for a new field ipaddr within the SELinux +AVC audit log, relying in task_struct->curr_ip (ipv4 only) +provided by grSecurity patch to be applied before. + +Signed-off-by: Lorenzo Hernandez Garcia-Hierro +--- + +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 ++++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 +@@ -1177,6 +1177,27 @@ + menu "Logging Options" + depends on GRKERNSEC + ++config GRKERNSEC_SELINUX_AVC_LOG_IPADDR ++ def_bool n ++ prompt "Add source IP address to SELinux AVC log messages" ++ depends on GRKERNSEC && SECURITY_SELINUX ++ help ++ If you say Y here, a new field "ipaddr=" will be added to many SELinux ++ AVC log messages. The value of this field in any given message ++ represents the source IP address of the remote machine/user that created ++ the offending process. ++ ++ This information is sourced from task_struct->curr_ip provided by ++ grsecurity's GRKERNSEC top-level configuration option. One limitation ++ is that only IPv4 is supported. ++ ++ In many instances SELinux AVC log messages already log a superior level ++ of information that also includes source port and destination ip/port. ++ Additionally, SELinux's AVC log code supports IPv6. ++ ++ However, grsecurity's task_struct->curr_ip will sometimes (often?) ++ provide the offender's IP address where stock SELinux logging fails to. ++ + config GRKERNSEC_FLOODTIME + int "Seconds in between log messages (minimum)" + default 10 +diff -Naur a/security/selinux/avc.c b/security/selinux/avc.c +--- a/security/selinux/avc.c 2011-04-17 19:04:47.000000000 -0400 ++++ b/security/selinux/avc.c 2011-04-17 19:32:53.000000000 -0400 +@@ -149,6 +149,11 @@ + char *scontext; + u32 scontext_len; + ++#ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR ++ if (current->signal->curr_ip) ++ audit_log_format(ab, "ipaddr=%pI4 ", ¤t->signal->curr_ip); ++#endif ++ + rc = security_sid_to_context(ssid, &scontext, &scontext_len); + if (rc) + audit_log_format(ab, "ssid=%d", ssid); -- cgit v1.2.3-18-g5258