Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | 1 | From 759318f11352d01b45bbab62c7bf0a53fb781083 Mon Sep 17 00:00:00 2001 |
| 2 | From: Steve Grubb <sgrubb@redhat.com> |
| 3 | Date: Tue, 10 Aug 2021 11:27:16 -0400 |
| 4 | Subject: [PATCH] flush uid/gid caches when user/group added/deleted/modified |
| 5 | |
| 6 | It was reported in issue #209 that, in the enriched format, auditd |
| 7 | is creating the wrong account associations. This is due to caching |
| 8 | previous lookups. The fix is to monitor for account lifecycle changes |
| 9 | and flush the LRUs if any are seen. |
| 10 | |
| 11 | Upstream-Status: Backport |
| 12 | [https://github.com/linux-audit/audit-userspace/commit/8662f61108f8b9365f96ef49ca8ca331a7880f24] |
| 13 | |
| 14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| 15 | --- |
| 16 | auparse/auparse-idata.h | 3 ++- |
| 17 | auparse/interpret.c | 12 ++++++++++++ |
| 18 | src/auditd-event.c | 27 +++++++++++++++++++++++++-- |
| 19 | 3 files changed, 39 insertions(+), 3 deletions(-) |
| 20 | |
| 21 | diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h |
| 22 | index 660901a..eaca86a 100644 |
| 23 | --- a/auparse/auparse-idata.h |
| 24 | +++ b/auparse/auparse-idata.h |
| 25 | @@ -1,6 +1,6 @@ |
| 26 | /* |
| 27 | * idata.h - Header file for ausearch-lookup.c |
| 28 | -* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina. |
| 29 | +* Copyright (c) 2013,2016-17,2021 Red Hat Inc. |
| 30 | * All Rights Reserved. |
| 31 | * |
| 32 | * This library is free software; you can redistribute it and/or |
| 33 | @@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id, |
| 34 | void _auparse_load_interpretations(const char *buf); |
| 35 | void _auparse_free_interpretations(void); |
| 36 | const char *_auparse_lookup_interpretation(const char *name); |
| 37 | +void _auparse_flush_caches(void); |
| 38 | |
| 39 | #endif |
| 40 | |
| 41 | diff --git a/auparse/interpret.c b/auparse/interpret.c |
| 42 | index 046867b..eef377a 100644 |
| 43 | --- a/auparse/interpret.c |
| 44 | +++ b/auparse/interpret.c |
| 45 | @@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void) |
| 46 | gid_cache_created = 0; |
| 47 | } |
| 48 | |
| 49 | +void _auparse_flush_caches(void) |
| 50 | +{ |
| 51 | + if (uid_cache_created) { |
| 52 | + destroy_lru(uid_cache); |
| 53 | + uid_cache_created = 0; |
| 54 | + } |
| 55 | + if (gid_cache_created) { |
| 56 | + destroy_lru(gid_cache); |
| 57 | + gid_cache_created = 0; |
| 58 | + } |
| 59 | +} |
| 60 | + |
| 61 | static const char *print_uid(const char *val, unsigned int base) |
| 62 | { |
| 63 | int uid; |
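Review bot: `_auparse_flush_caches()` repeats the guard-destroy-reset sequence that `aulookup_destroy_gid_list()` already performs (its tail, `gid_cache_created = 0;`, is the context directly above), so the two copies can drift if cache teardown ever changes. If the uid counterpart has the same shape, the body could be just `aulookup_destroy_uid_list();` followed by `aulookup_destroy_gid_list();`. The new function also carries no comment. A line such as `/* Drop cached uid/gid name lookups so the next interpretation re-queries the account database */` would record why a daemon calls it, and it should state whether it may run while another thread is interpreting, which this hunk does not show. Only the end of `aulookup_destroy_gid_list` and the start of `print_uid` are visible here.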
| 64 | diff --git a/src/auditd-event.c b/src/auditd-event.c |
| 65 | index cb29fee..3655726 100644 |
| 66 | --- a/src/auditd-event.c |
| 67 | +++ b/src/auditd-event.c |
| 68 | @@ -42,6 +42,7 @@ |
| 69 | #include "libaudit.h" |
| 70 | #include "private.h" |
| 71 | #include "auparse.h" |
| 72 | +#include "auparse-idata.h" |
| 73 | |
| 74 | /* This is defined in auditd.c */ |
| 75 | extern volatile int stop; |
| 76 | @@ -56,7 +57,7 @@ static void do_space_left_action(int admin); |
| 77 | static void do_disk_full_action(void); |
| 78 | static void do_disk_error_action(const char *func, int err); |
| 79 | static void fix_disk_permissions(void); |
| 80 | -static void check_excess_logs(void); |
| 81 | +static void check_excess_logs(void); |
| 82 | static void rotate_logs_now(void); |
| 83 | static void rotate_logs(unsigned int num_logs, unsigned int keep_logs); |
| 84 | static void shift_logs(void); |
| 85 | @@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep) |
| 86 | snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, |
| 87 | "type=DAEMON_ERR op=format-enriched msg=NULL res=failed"); |
| 88 | } else { |
| 89 | - int rc; |
| 90 | + int rc, rtype; |
| 91 | size_t mlen, len; |
| 92 | char *message; |
| 93 | // Do raw format to get event started |
| 94 | @@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep) |
| 95 | |
| 96 | // Loop over all fields while possible to add field |
| 97 | rc = auparse_first_record(au); |
| 98 | + rtype = auparse_get_type(au); |
| 99 | + switch (rtype) |
| 100 | + { // Flush before adding to pickup new associations |
| 101 | + case AUDIT_ADD_USER: |
| 102 | + case AUDIT_ADD_GROUP: |
| 103 | + _auparse_flush_caches(); |
| 104 | + break; |
| 105 | + default: |
| 106 | + break; |
| 107 | + } |
| 108 | + |
| 109 | while (rc > 0 && len > MIN_SPACE_LEFT) { |
| 110 | // See what kind of field we have |
| 111 | size_t vlen; |
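Review bot: The flush is keyed only on the record type from `auparse_get_type(au)`, here and in the later `switch(rtype)` hunk, so an account change that emits none of the listed record types would presumably leave the old uid/gid-to-name mapping cached and the enriched fields would keep the stale name. That limit matters to anyone relying on enriched logs for attribution, so it is worth a comment above the switch, e.g. `// Only audited account lifecycle events trigger a flush; the numeric IDs in the raw record remain authoritative`. Separately, `rtype` is read without looking at `rc`, and both switches then depend on `auparse_get_type()` returning a value that matches no case when `auparse_first_record()` fails; `rtype = rc > 0 ? auparse_get_type(au) : 0;` would make that explicit. The two switches also differ in spacing (`switch (rtype)` here, `switch(rtype)` later). The body of `format_enrich` starts and ends outside this hunk.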
| 112 | @@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep) |
| 113 | rc = auparse_next_field(au); |
| 114 | } |
| 115 | |
| 116 | + switch(rtype) |
| 117 | + { // Flush after modification to remove stale entries |
| 118 | + case AUDIT_USER_MGMT: |
| 119 | + case AUDIT_DEL_USER: |
| 120 | + case AUDIT_DEL_GROUP: |
| 121 | + case AUDIT_GRP_MGMT: |
| 122 | + _auparse_flush_caches(); |
| 123 | + break; |
| 124 | + default: |
| 125 | + break; |
| 126 | + } |
| 127 | free(message); |
| 128 | } |
| 129 | return format_buf; |
| 130 | -- |
| 131 | 2.17.1 |
| 132 | |