task_tgid_nr(task), oldcontid, contid,
> +task_tgid_nr(current), uid,
> +from_kuid(&init_user_ns,
> audit_get_loginuid(current)),
> +tty ? tty_name(tty) : "(none)",
> +
ULL;
> + kmem_cache_free(audit_task_cache, info);
> kfree(key);
> audit_log_lost("out of memory in audit_alloc");
> return -ENOMEM;
> @@ -962,6 +982,12 @@ int audit_alloc(struct task_struct *tsk)
> return 0;
> }
>
> +struct audit_task_info init_struct_audit = {
> + .loginuid = INVALID_UID,
> + .sessionid = AUDIT_SID_UNSET,
> + .ctx = NULL,
> +};
> +
> static inline void audit_free_context(struct audit_context *context)
> {
> audit_free_names(context);
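Review bot: `init_struct_audit` is added as a non-static, non-const file-scope object with no comment saying what it is for or who may write to it; the rest of this hunk implies ordinary tasks get their `audit_task_info` from `audit_task_cache` in audit_alloc(), so this is presumably the initial task's static copy, and that belongs at the definition, e.g. `/* audit_task_info for the initial task; every other task allocates its own in audit_alloc() */`. Because the initializer depends on non-zero sentinels (`INVALID_UID`, `AUDIT_SID_UNSET`) rather than zero-initialization, any field later added to `struct audit_task_info` that also needs a non-zero "unset" value will silently start as 0 here, which is exactly the kind of stale identity state audit should not attribute; a note that this initializer must be kept in step with the struct would help. Whether it needs external linkage at all depends on its use in the init-task code (the diffstat elsewhere in this thread touches init/init_task.c), which is outside this hunk.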
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
merge fallout if/when it happens.
Local contexts are a last resort. If you ever find yourself writing
code that generates a local context, you should first be 100% certain
that the event is not the result of a process-initiated action (in
which case it should take from the task's conte
unsigned long flags, struct
> task_struct *tsk)
> struct nsproxy *old_ns = tsk->nsproxy;
> struct user_namespace *user_ns = task_cred_xxx(tsk, user_ns);
> struct nsproxy *new_ns;
> + u64 contid = audit_get_contid(tsk);
>
> if (likely(!(flags & (C
b = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> if (ab == NULL)
> goto errout;
>
> @@ -104,7 +107,12 @@ static bool audit_ip6(struct audit_buffer *ab, struct
> sk_buff *skb)
>
> audit_log_end(ab);
>
> + net = xt_net(par);
> + audit_log_netns_contid_list(net, context);
> +
> errout:
> + audit_free_context(context);
> +out:
> return XT_CONTINUE;
> }
>
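Review bot: The new `errout:` path frees `context` unconditionally, but the hunk does not show where `context` is allocated or whether that allocation can fail; if it can, the failure path must jump to the new `out:` label rather than `errout:`, otherwise `audit_free_context()` runs on a NULL or uninitialised pointer. The function whose tail this is returns `XT_CONTINUE`, so it is the xt_AUDIT target rather than the audit_ip6() named in the hunk header, and it starts outside the hunk; since this is a per-packet local context and netfilter targets run in softirq context, the allocation there presumably has to be atomic (the nearby audit_log_start() already uses GFP_ATOMIC) — worth confirming from the full patch. Separately, if this `audit_free_context()` is the `static inline` helper defined in what appears to be kernel/auditsc.c in another hunk of this thread, it is not visible from the netfilter module and will need an exported, non-inline version.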
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
_CONTAINER_ID here over AUDIT_CONTAINER. If you feel strongly
about keeping it as-is with AUDIT_CONTAINER I suppose I could live
with that, but it isn't my first choice.
However, I do care about the "op" field in this record. It just
doesn't make any sense; the way you are
int audit_log_pid_context(struct audit_context *context, pid_t pid,
> kuid_t auid, kuid_t uid, unsigned int
> sessionid,
> @@ -2024,7 +2047,7 @@ void __audit_inode_child(struct inode *parent,
> int auditsc_get_stamp(struct audit_context *ctx,
>struct timespec64 *t, unsigned int *serial)
> {
> - if (!ctx->in_syscall)
> + if (!ctx->in_syscall && !ctx->local)
> return 0;
> if (!ctx->serial)
> ctx->serial = audit_serial();
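Review bot: The added `!ctx->local` term makes auditsc_get_stamp() hand out a serial and timestamp for a local (non-syscall) context, but nothing at the changed line says why; a one-line comment such as `/* local contexts are standalone events and need their own stamp */` would record the intent. Where `ctx->local` is set is not shown here, and auditsc_get_stamp() continues past the end of the hunk.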
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t; audit_log_end(ab);
> return 0;
> }
My previous comments still apply: these audit_log_contid() changes
should be done earlier in the patchset when you first define
audit_log_contid().
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
A quick FYI to let everyone know there is no audit pull request for
the v4.20 merge window because there is nothing queued up in the
audit/next branch. I do expect we will have a few things ready for
v4.21.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs wrote:
> On 2018-10-19 19:16, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs wrote:
> > > Create a new audit record AUDIT_CONTAINER to document the audit
> > > container identifier of
On October 25, 2018 1:43:16 AM Richard Guy Briggs wrote:
> On 2018-10-24 16:55, Paul Moore wrote:
>> On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs wrote:
>>> On 2018-10-19 19:16, Paul Moore wrote:
>>>> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs wrote
On Thu, Oct 25, 2018 at 2:06 AM Steve Grubb wrote:
> On Wed, 24 Oct 2018 20:42:55 -0400
> Richard Guy Briggs wrote:
> > On 2018-10-24 16:55, Paul Moore wrote:
> > > On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs
> > > wrote:
> > > > On 2018-10-19
first implement audit and then seccomp.
FYI, while small and far from comprehensive, we do have a test suite
we use for basic validation of the audit kernel bits which may be
helpful while you're working on the audit enablement:
* https://github.com/linux-audit/audit-testsuite
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Thu, Oct 25, 2018 at 1:38 PM Richard Guy Briggs wrote:
> On 2018-10-25 17:57, Steve Grubb wrote:
> > On Thu, 25 Oct 2018 08:27:32 -0400
> > Richard Guy Briggs wrote:
> >
> > > On 2018-10-25 06:49, Paul Moore wrote:
> > > > On Thu, Oct 25,
re is a need for additional container operation auditing (note
well that I did not say audit container id here) then those audit
records can, and should, be generated by the container runtime itself,
similar to what we do with libvirt for virtualization.
--
paul moore
www.paul-moore.com
--
Lin
| 4 ++--
> arch/riscv/kernel/ptrace.c | 5 +
> include/uapi/linux/audit.h | 2 ++
> 7 files changed, 31 insertions(+), 2 deletions(-)
Thanks for the patches David, I'll be able to take a closer look next
week once the merge window is closed.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
. Also a reminder that
linking the GH issue doesn't remove the need for you to adequately
describe the patch in the commit message. The git log needs to
standalone as a useful source of information. This particular patch
does a good job of that; this is just a reminder for others who
On Wed, Oct 31, 2018 at 4:54 AM Ondrej Mosnacek wrote:
> On Wed, Sep 19, 2018 at 5:44 PM Paul Moore wrote:
> > On Wed, Sep 19, 2018 at 7:01 AM Ondrej Mosnacek wrote:
> > > On Wed, Sep 19, 2018 at 3:35 AM Paul Moore wrote:
> > > > On Thu, Sep 13, 2018 at 10:13 AM P
t;owners[n].list, &p->list);
> > - }
> > + p = &chunk->owners[chunk->count - 1];
> > p->index = (chunk->count - 1) | (1U<<31);
> > p->owner = tree;
> > get_tree(tree);
> > list_add(&p->list, &tree
nt tag_chunk(struct inode *inode, struct
> audit_tree *tree)
> * This has to go last when updating chunk as once replace_chunk() is
> * called, new RCU readers can see the new chunk.
> */
> - replace_chunk(chunk, old, NULL);
> + replace_chunk(chunk, old);
> spin_unlock(&hash_lock);
> fsnotify_detach_mark(old_entry);
> mutex_unlock(&audit_tree_group->mark_mutex);
> --
> 2.16.4
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
hes.
We will probably need to make that ABI dependent in the test suite.
> audit-testsuite with adjustments:
> https://github.com/davidlt/audit-testsuite/tree/riscv64
>
> Depends on:
> [PATCH 1/2] Move EM_RISCV into elf-em.h
> http://lists.infradead.org/pipermail/linux-riscv/2018-Oc
On Tue, Nov 6, 2018 at 3:23 PM Richard Guy Briggs wrote:
> On 2018-11-05 17:05, Paul Moore wrote:
> > On Wed, Oct 10, 2018 at 4:24 PM Richard Guy Briggs wrote:
> > > Empty executable arguments were being skipped when printing out the list
> > > of arguments in an EXEC
On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek wrote:
> On Tue, Nov 6, 2018 at 12:30 AM Paul Moore wrote:
> > Let's reset this discussion a bit ... if we abolish relative paths and
> > make everything absolute, is there even a need to log PARENT?
>
> If there ever was
On Wed, Nov 7, 2018 at 4:55 AM Jan Kara wrote:
> On Tue 06-11-18 08:58:36, Paul Moore wrote:
> > On Thu, Oct 18, 2018 at 3:27 PM Richard Guy Briggs wrote:
> > > On 2018-10-17 12:14, Jan Kara wrote:
> > > > Chunk replacement code is very similar for the cases where w
On Fri, Nov 9, 2018 at 9:45 AM Paul Moore wrote:
> On Wed, Nov 7, 2018 at 4:55 AM Jan Kara wrote:
> > On Tue 06-11-18 08:58:36, Paul Moore wrote:
> > > On Thu, Oct 18, 2018 at 3:27 PM Richard Guy Briggs
> > > wrote:
> > > > On 2018-10-17 12:14, Jan Kara
On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek wrote:
> On Tue, Nov 6, 2018 at 9:19 PM Paul Moore wrote:
> > On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek wrote:
> > > On Tue, Nov 6, 2018 at 12:30 AM Paul Moore wrote:
> > > > Let's reset this discussi
gt; /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
> > #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
> > #define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > +#define AUDIT_ARCH_RISCV32 (EM_RISCV|__AUDIT_ARCH_LE)
&
(my $j=0; $j < $dirs; $j++) {
> + mkdir $dir."/dir".$i."/subdir".$j;
> + }
> +}
> +mkdir "$dir/mnt";
> +for (my $i=0; $i < $dirs; $i++) {
> + mkdir "$dir/mnt/mnt$i";
> + mkdir "$dir/leaf$i";
> If not, there is no need for it to check or have CAP_AUDIT_READ
>
> I thought that the prime audit connection requires a capability check
> to ensure a process without proper privilege does not replace the audit
> daemon...since that's now possible.
Establishing an audit daemon
On Wed, Nov 14, 2018 at 7:16 AM Jan Kara wrote:
> On Tue 13-11-18 19:34:18, Paul Moore wrote:
> > On Tue, Sep 4, 2018 at 12:06 PM Jan Kara wrote:
> > > Add stress test for stressing audit tree watches by adding and deleting
> > > rules while events are generated
sg(&ab, msg_type);
> + __audit_log_common_recv_msg(NULL, &ab, msg_type);
> if (msg_type != AUDIT_USER_TTY)
> audit_log_format(ab, " msg='%.*s'",
> AUDIT_MESSAGE_TEXT_MAX,
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
tfilter.c
> index bf309f2..26a80a9 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1091,7 +1091,7 @@ static void audit_log_rule_change(char *action, struct
> audit_krule *rule, int re
> if (!audit_enabled)
> return;
>
>
's not be clever here, this just makes it harder to grep for
"op=add_rule"; make the ternary statement return "add_rule" or
"remove_rule".
> +audit_enabled);
> audit_log_end(ab);
> return -EPERM;
> }
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
uct *tsk)
> if (context->in_syscall && context->current_state ==
> AUDIT_RECORD_CONTEXT)
> audit_log_exit(context, tsk);
> if (!list_empty(&context->killed_trees))
> - audit_kill_trees(&context->killed_trees)
gt; "remove_rule(watch:parent)");
> if (e->rule.exe)
> audit_remove_mark(e->rule.exe);
> list_del(&r->rlist);
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 55fd2a3..bb56c3e 100644
> --- a/kernel/
;in_syscall && context->current_state ==
> AUDIT_RECORD_CONTEXT)
> audit_log_exit(context, current);
>
> context->in_syscall = 0;
> context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
>
> - if (!list_empty
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
> - audit_log_format(ab, "auid=%u ses=%u op=%s",
> -from_kuid(&init_user_ns,
> audit_get_loginuid(current)),
> -
const struct dentry *dentry,
> struct inode *inode);
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
now.
> + audit_log_format(ab, " %s=", prefix);
> + CAP_FOR_EACH_U32(i)
> + audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 -
> i]);
> + } else {
> + audit_log_format(ab, " %s=0&qu
chunk *chunk;
> @@ -1627,12 +1620,10 @@ static inline void handle_one(const struct inode
> *inode)
> return;
> }
> put_tree_ref(context, chunk);
> -#endif
> }
>
> static void handle_path(const struct dentry *dentry)
> {
> -#ifd
On Mon, Nov 19, 2018 at 4:52 PM Richard Guy Briggs wrote:
>
> On 2018-11-19 16:22, Paul Moore wrote:
> > On Fri, Nov 16, 2018 at 12:10 PM Richard Guy Briggs wrote:
> > >
> > > Since the vast majority of files (99.993% on a typical system) have no
> > > fcap
lude/uapi/linux/audit.h | 15 +++
> include/uapi/linux/elf-em.h | 7 +++
> 15 files changed, 110 insertions(+), 12 deletions(-)
> create mode 100644 arch/m68k/include/asm/syscall.h
> create mode 100644 arch/unicore32/include/asm/syscall.h
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
There are some cases where we are making multiple audit_log_format()
calls in a row, for no apparent reason. Squash these down to a
single audit_log_format() call whenever possible.
Signed-off-by: Paul Moore
---
kernel/audit.c | 11 +--
kernel/audit_fsnotify.c |3
: Paul Moore
---
drivers/tty/tty_audit.c | 13 ++--
include/linux/audit.h|6 +-
kernel/audit.c | 34 +-
kernel/audit.h |2 -
kernel/auditsc.c | 131 ++
security
On Sun, Nov 25, 2018 at 12:11 PM Richard Guy Briggs wrote:
> On 2018-02-15 15:42, Paul Moore wrote:
> > On Mon, Feb 12, 2018 at 7:29 AM, Richard Guy Briggs wrote:
> > > The arch_f pointer was added to the struct audit_krule in commit:
> > > e54dc2431d740a79a6bd013babad
ot
be used to configure the audit subsystem, you must use an audit
specific tool.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Mon, Nov 26, 2018 at 12:06 PM William Roberts
wrote:
> On Mon, Nov 26, 2018 at 8:48 AM Paul Moore wrote:
> > On Fri, Nov 23, 2018 at 6:47 PM Ranran wrote:
> > > Hello,
> > >
> > > Is it possible to log all messages from within kernel, (without any
&g
On Mon, Nov 26, 2018 at 2:21 PM Richard Guy Briggs wrote:
> On 2018-11-26 11:37, Paul Moore wrote:
> > On Sun, Nov 25, 2018 at 12:11 PM Richard Guy Briggs wrote:
> > > On 2018-02-15 15:42, Paul Moore wrote:
> > > > On Mon, Feb 12, 2018 at 7:29 AM, Rich
ts.
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index 787c7afdf829..8c8b1a87fd2b 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -21,10 +21,8 @@
>
> #include
> #include
> -#include
> #include
> #include
> -#include
> #in
e
> #include
> -#include
> #include
> #include
> #include
> --
> 2.17.0
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
e
> #include
> #include
> -#include
> #include
> #include
> #include
> --
> 2.17.0
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
de
>
> -#include
> -
> #include
> #include
> -#include
> #ifdef CONFIG_SECURITY
> #include
> #endif
> --
> 2.17.0
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
@
> #include
> #include
> #include
> -#include
> #include
> #include
> #include
> --
> 2.17.0
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Thu, Nov 22, 2018 at 5:29 PM Richard Guy Briggs wrote:
>
> On 2018-11-21 18:23, Paul Moore wrote:
> > There are some cases where we are making multiple audit_log_format()
> > calls in a row, for no apparent reason. Squash these down to a
> > single audit_log_format(
On Thu, Nov 22, 2018 at 5:44 PM Richard Guy Briggs wrote:
> On 2018-11-21 18:24, Paul Moore wrote:
> > There are many places, notably audit_log_task_info() and
> > audit_log_exit(), that take task_struct pointers but in reality they
> > are always working on the curr
On Mon, Nov 26, 2018 at 8:03 PM Frank Lee wrote:
> On Tue, Nov 27, 2018 at 7:36 AM Paul Moore wrote:
> > On Mon, Nov 26, 2018 at 9:51 AM Yangtao Li wrote:
> > >
> > > audit.h and skbuff.h are included twice. It's unnecessary.
> > > hence just remove th
On Sat, Dec 1, 2018 at 11:50 AM Steve Grubb wrote:
> On Tuesday, November 13, 2018 11:30:55 AM EST Paul Moore wrote:
> > On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek
> wrote:
> > > On Tue, Nov 6, 2018 at 9:19 PM Paul Moore wrote:
> > > > On Tue, Nov 6
gt;cap[CAP_LAST_U32 - i]);
> + if (cap_isclear(*cap)) {
> + audit_log_format(ab, " %s=0", prefix);
> + return;
> }
> + audit_log_format(ab, " %s=", prefix);
> + CAP_FOR_EACH_U32(i)
> + audit_lo
On Tue, Dec 4, 2018 at 3:07 AM Ondrej Mosnacek wrote:
> On Sat, Dec 1, 2018 at 5:50 PM Steve Grubb wrote:
> > On Tuesday, November 13, 2018 11:30:55 AM EST Paul Moore wrote:
> > > On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek
> > wrote:
> > > > On Tu
e changes
>
> kernel/audit.c | 33 +++------
> kernel/audit.h | 4 ++--
> kernel/audit_fsnotify.c | 4 ++--
> kernel/audit_tree.c | 28 +++-
> kernel/audit_watch.c| 8 +---
> kernel/auditfilter.c| 2 +-
> kernel/auditsc.c| 12 ++--
> 7 files changed, 54 insertions(+), 37 deletions(-)
In order to make sure expectations are set appropriately, as we are at
-rc6 right now this is not something that would go into audit/next now
(assuming everything looks okay on review), it would go into
audit/next *after* the upcoming merge window.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Tue, Dec 11, 2018 at 5:41 PM Richard Guy Briggs wrote:
> On 2018-12-11 17:31, Paul Moore wrote:
> > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
...
> > > Richard Guy Briggs (4):
> > > audit: give a clue what CONFIG_CHANGE op was involved
On Tue, Dec 11, 2018 at 9:45 PM Richard Guy Briggs wrote:
> On 2018-12-11 18:26, Paul Moore wrote:
> > On Tue, Dec 11, 2018 at 5:41 PM Richard Guy Briggs wrote:
> > > On 2018-12-11 17:31, Paul Moore wrote:
> > > > On Mon, Dec 10, 2018 at 5:18 PM Rich
), 9 deletions(-)
Just to get this out of the way, don't use "moar", spell it properly.
Beyond that, it's not clear to me from your cover letter if you are
proposing these patches as an "or" or as an "and"; assuming the
patch(es) are reasonable, do you
From: Paul Moore
Add the ability to filter out tests based on the host system's ABI
as determined by "uname -m". This allows the test to run
successfully on aarch64, and likely many other non-x86 ABIs as well.
Signed-off-by: Paul Moore
---
tests/Makefile | 17 ++
On Wed, Dec 12, 2018 at 5:11 PM Paul Moore wrote:
>
> From: Paul Moore
>
> Add the ability to filter out tests based on the host system's ABI
> as determined by "uname -m". This allows the test to run
> successfully on aarch64, and likely many other non-x86 ABIs
From: Paul Moore
If the point of the lost_reset test is to flood the system with audit
records, why are we restricting ourselves with a filter? Let's log
everything.
Signed-off-by: Paul Moore
---
tests/lost_reset/test |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --
On Thu, Dec 13, 2018 at 6:17 PM Paul Moore wrote:
>
> From: Paul Moore
>
> If the point of the lost_reset test is to flood the system with audit
> records, why are we restricting ourselves with a filter? Let's log
> everything.
>
> Signed-off-by: Paul Moore
&
reviously included header files, I
like leaving it as an explicit include to help document the dependency
and protect us from changes in the other header files.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Thu, Dec 13, 2018 at 8:59 PM Richard Guy Briggs wrote:
> On 2018-12-13 18:23, Paul Moore wrote:
> > On Thu, Dec 13, 2018 at 6:17 PM Paul Moore wrote:
> > > If the point of the lost_reset test is to flood the system with audit
> > > records, why are we restrict
On Thu, Dec 13, 2018 at 8:33 PM YueHaibing wrote:
> On 2018/12/14 7:42, Paul Moore wrote:
> > On Sun, Dec 9, 2018 at 1:25 AM YueHaibing wrote:
> >> Remove duplicated include.
> >>
> >> Signed-off-by: YueHaibing
> >> ---
> >>
On Fri, Dec 14, 2018 at 11:12 AM Richard Guy Briggs wrote:
> On 2018-12-14 10:53, Paul Moore wrote:
> > On Thu, Dec 13, 2018 at 8:59 PM Richard Guy Briggs wrote:
> > > On 2018-12-13 18:23, Paul Moore wrote:
> > > > On Thu, Dec 13, 2018 at 6:17 PM Paul Moore wrot
dd asm/syscall.h
> syscall_get_arch: add "struct task_struct *" argument
> selftests/ptrace: add a test case for PTRACE_GET_SYSCALL_INFO
>
> Elvira Khabirova (2):
> powerpc/ptrace: replace ptrace_report_syscall() with a tracehook call
> ptrace: add PTRACE_GET_SYSC
On Fri, Dec 14, 2018 at 11:27 AM Richard Guy Briggs wrote:
> On 2018-12-12 08:03, Paul Moore wrote:
> > On Fri, Nov 16, 2018 at 12:34 PM Richard Guy Briggs wrote:
> > > On user and remote filesystems, a forced umount can still hang due to
> > > attempting to f
pendently of chunk
audit: Guarantee forward progress of chunk untagging
audit: Drop all unused chunk nodes during deletion
audit: Simplify locking around untag_chunk()
audit: Replace chunk attached to mark instead of replacing mark
audit: Use 'mark' name for fsnotify_m
On Thu, Dec 27, 2018 at 10:34 AM Richard Guy Briggs wrote:
> On 2018-10-31 15:30, Richard Guy Briggs wrote:
> > On 2018-10-19 19:18, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs wrote:
> > > > Add audit container identifier auxili
On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs wrote:
> On 2018-10-19 19:15, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs
wrote:
> > > The audit-related parameters in struct task_struct
should ideally be
> > > collected together and access
On Thu, Nov 1, 2018 at 2:49 PM Richard Guy Briggs wrote:
> On 2018-10-19 19:17, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs
wrote:
> > > Standalone audit records have the timestamp and serial
number generated
> > > on the fly and as s
On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs wrote:
> On 2018-10-19 19:17, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs
wrote:
> > > Add audit container identifier auxiliary record to tty
logging rule
> > > event standalone records
with other upstream review to get other angles and to
> take some of the load and responsibility off the primary maintainer.
>
> I expect to submit a v5 within a week without having had those questions
> directly answered, but with some ideas of what to check and verify
> before I r
he entire set first before commenting.
The most recent reply to patch 0/10 wasn't saved as a draft before sending.
> On 2019-01-03 15:10, Paul Moore wrote:
> > On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs wrote:
> > > On 2018-10-19 19:15, Paul Moore wrote:
> > &g
On Thu, Jan 10, 2019 at 5:59 PM Richard Guy Briggs wrote:
> On 2019-01-03 15:11, Paul Moore wrote:
> > On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs wrote:
> > > On 2018-10-19 19:17, Paul Moore wrote:
> > > > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs
&
On Thu, Jan 10, 2019 at 10:39 PM Richard Guy Briggs wrote:
> On 2019-01-10 20:12, Paul Moore wrote:
> > On Thu, Jan 10, 2019 at 5:59 PM Richard Guy Briggs wrote:
> > > On 2019-01-03 15:11, Paul Moore wrote:
> > > > On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs
,
> audit_enabled);
> + audit_log_format(ab, " op=%s audit_enabled=%d res=0",
> +msg_type == AUDIT_ADD_RULE ?
> "add_rule" : "remove_rule",
> +audit_enabled);
> audit_log_end(ab);
> return -EPERM;
> }
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
, ab, msg_type);
> +}
This makes sense because this is used by "user" records ...
> +static inline void audit_log_config_change_alt(struct audit_buffer **ab)
> +{
> + audit_log_common_recv_msg(audit_context(), ab, AUDIT_CONFIG_CHANGE);
> +}
... and I don't bel
ontext->killed_trees))
> + audit_kill_trees(context);
> +
> if (!context->dummy && context->in_syscall) {
> if (success)
> context->return_valid = AUDITSC_SUCCESS;
> @@ -1571,9 +1574,6 @@ void __audit_syscall_exit(int success, long return_code)
> context->in_syscall = 0;
> context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
>
> - if (!list_empty(&context->killed_trees))
> - audit_kill_trees(&context->killed_trees);
> -
> audit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> audit_free_aux(context);
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
the previous revision of this patchset I mentioned not wanting to
change right now, I stand by that in this patchset.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Tue, Jan 15, 2019 at 11:21 AM Richard Guy Briggs wrote:
>
> On 2019-01-14 17:58, Paul Moore wrote:
> > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> > > Tie syscall information to all CONFIG_CHANGE calls since they are all a
> > > result of user act
On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> On Mon, 14 Jan 2019 17:58:58 -0500
> Paul Moore wrote:
>
> > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > wrote:
> > >
> > > Tie syscall information to all CONFIG_CHANGE calls since they
On Thu, Jan 17, 2019 at 11:08 AM Steve Grubb wrote:
> On Thu, 17 Jan 2019 08:21:40 -0500
> Paul Moore wrote:
>
> > On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > > On Mon, 14 Jan 2019 17:58:58 -0500
> > > Paul Moore wrote:
> > >
> >
On Thu, Jan 17, 2019 at 10:34 AM Richard Guy Briggs wrote:
>
> On 2019-01-17 08:21, Paul Moore wrote:
> > On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > > On Mon, 14 Jan 2019 17:58:58 -0500 Paul Moore wrote:
> > > > On Mon, Dec 10, 2018 at 5:18 PM R
On Thu, Jan 17, 2019 at 2:26 PM Richard Guy Briggs wrote:
> On 2019-01-17 12:36, Paul Moore wrote:
> > On Thu, Jan 17, 2019 at 11:08 AM Steve Grubb wrote:
> > > On Thu, 17 Jan 2019 08:21:40 -0500 Paul Moore wrote:
> > > > On Thu, Jan 17, 2019 at 4:33 AM Steve Grub
On Thu, Jan 17, 2019 at 6:19 PM Richard Guy Briggs wrote:
> On 2019-01-17 12:58, Paul Moore wrote:
> > On Thu, Jan 17, 2019 at 10:34 AM Richard Guy Briggs wrote:
> > >
> > > On 2019-01-17 08:21, Paul Moore wrote:
> > > > On Thu, Jan 17, 2019 at 4:33 AM S
= audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
> audit_log_session_info(ab);
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index bf309f2592c4..26a80a9d43a9 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1091,7 +1091,7 @@ static void audit_log_rule_change(char *action, struct
> audit_krule *rule, int re
> if (!audit_enabled)
> return;
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> + ab = audit_log_start(audit_context(), GFP_KERNEL,
> AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
> audit_log_session_info(ab);
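Review bot: The switch from `NULL` to `audit_context()` at the changed line in audit_log_rule_change() — the same change appears in the hunk just above it in this message — attaches the CONFIG_CHANGE record to the calling task's syscall event, but nothing at the call site says so; `/* tie the CONFIG_CHANGE record to the caller's syscall event, if one exists */` would preserve the rationale for the next reader. If audit_context() can return NULL for a caller without a syscall context, behaviour there is identical to the old explicit NULL, which is worth a word in the commit message. The break before `AUDIT_CONFIG_CHANGE);` looks like mail-client wrapping rather than part of the patch.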
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
> -
> - rc = security_sid_to_context(state, tsid, &scontext, &scontext_len);
> - if (rc)
> - audit_log_format(ab, " tsid=%d", tsid);
> - else {
> - audit_log_format(ab, " tcontext=%s", scontext);
> - kfre
On Fri, Jan 25, 2019 at 4:53 AM Ondrej Mosnacek wrote:
> On Tue, Jan 22, 2019 at 8:42 PM Paul Moore wrote:
> > On Mon, Jan 21, 2019 at 10:36 AM Ondrej Mosnacek
> > wrote:
> > > In case a file has an invalid context set, in an AVC record generated
> > > upo
nux/sched.h | 2 +-
> init/init_task.c | 2 +-
> kernel/audit.c| 85
> +++
> kernel/auditsc.c | 84 --
> 6 files changed, 113 insertions(+), 108 deletions(-)
Looks good
> completely */
Removed "exact" from the comment above so it fits an 80 char line
width. Please watch for this in your patches, I care a lot about line
widths.
Otherwise as long as Serge is happy with the capabilities bits, I'm
happy with the audit bits; merged.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
}
> + if (f->type == AUDIT_FSTYPE
> + && audit_comparator(parent->i_sb->s_magic,
> + f->op, f->val)
> + && e->rule.action == AUDIT_NEVER) {
> + rcu_read_unlock();
> + return;
> }
> }
> }
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
opy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
> }
>
> void __audit_file(const struct file *file)
> @@ -1952,7 +1952,7 @@ void __audit_inode_child(struct inode *parent,
> n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
> if (!n)
> return;
> - audit_copy_inode(n, NULL, parent);
> + audit_copy_inode(n, NULL, parent, 0);
> }
>
> if (!found_child) {
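Review bot: The new trailing argument is passed as a bare `0` at the changed line here and again in the following hunk, while the only other caller visible on this page passes `flags & AUDIT_INODE_NOEVAL`; a bare 0 does not tell a reader that this keeps the pre-patch behaviour. If AUDIT_INODE_NOEVAL, as its name and the fcaps discussion earlier in this thread suggest, suppresses fcaps evaluation, a short comment at each call such as `audit_copy_inode(n, NULL, parent, 0); /* no AUDIT_INODE_NOEVAL: keep evaluating fcaps */` or a named zero-flags constant would make the intent greppable. __audit_inode_child() itself begins and ends outside these hunks.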
> @@ -1971,7 +1971,7 @@ void __audit_inode_child(struct inode *parent,
> }
>
> if (inode)
> - audit_copy_inode(found_child, dentry, inode);
> + audit_copy_inode(found_child, dentry, inode, 0);
> else
> found_child->ino = AUDIT_INO_UNSET;
> }
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
_exe(struct audit_buffer *ab,
>
> extern int audit_filter(int msgtype, unsigned int listtype);
>
> -#ifdef CONFIG_AUDITSYSCALL
> -extern int audit_signal_info(int sig, struct task_struct *t);
> -extern void audit_filter_inodes(struct task_struct *tsk, struct
> audit_context *ct