On Fri, Oct 25, 2019 at 3:20 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:39, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:25 PM Richard Guy Briggs wrote:
> > > Add audit container identifier support to the action of signalling the
> > > audit daemon.
> >
On Thu, Oct 24, 2019 at 5:23 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:38, Paul Moore wrote:
> > On Fri, Sep 27, 2019 at 8:52 AM Neil Horman wrote:
> > > On Wed, Sep 18, 2019 at 09:22:23PM -0400, Richard Guy Briggs wrote:
> > > > Set an arbitrary limit on
On Fri, Oct 25, 2019 at 5:00 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:38, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs wrote:
> > > Store the audit container identifier in a refcounted kernel object that
> > > is added to the mas
n't want this new BPF record to look like how
you've coded it up in bpf_audit_prog(); duplicating the fields with
audit_log_task() is wrong, you've either already got them via an
associated record (which you get from passing non-NULL as the first
parameter to audit_log_start()), or y
On Thu, Nov 21, 2019 at 7:23 PM Alexei Starovoitov
wrote:
> On Thu, Nov 21, 2019 at 06:41:31PM -0500, Paul Moore wrote:
> > On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov
> > wrote:
> > > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann
> > > wrote:
> &
On Thu, Nov 21, 2019 at 7:25 PM Daniel Borkmann wrote:
> On 11/22/19 12:41 AM, Paul Moore wrote:
> > On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov
> > wrote:
> >> On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann
> >> wrote:
> >>> On 11/20/19 1
if (audit_enabled == AUDIT_OFF)
> @@ -1342,10 +1341,7 @@ static void bpf_audit_prog(const struct bpf_prog
> *prog, enum bpf_event event)
> ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> if (unlikely(!ab))
> return;
> - if (has_task
| 8 ++--
include/linux/audit.h | 5 +++--
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 15 ---
4 files changed, 18 insertions(+), 11 deletions(-)
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/ma
d to mention this in case
you weren't already aware.
If you do keep it in syscall.c, I don't think there is a need to
implement a no-op version dependent on CONFIG_AUDITSYSCALL; that will
just clutter the code.
If you do move it to auditsc.c please change the name to
audit_bpf()/__audit_bpf() so it matches the other functions; if you
keep it in syscall.c you can name it whatever you like :)
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
gt; * or the associated spinlock for writing.
> > */
> > -static struct auditd_connection {
> > +struct auditd_connection {
> > struct pid *pid;
> > u32 portid;
> > struct net *net;
> > struct rcu_head rcu;
> > -} *auditd
On Tue, Dec 3, 2019 at 4:38 AM Jiri Olsa wrote:
> On Mon, Dec 02, 2019 at 06:00:14PM -0500, Paul Moore wrote:
> > On Thu, Nov 28, 2019 at 4:16 AM Jiri Olsa wrote:
...
> > > --- a/kernel/bpf/syscall.c
> > > +++ b/kernel/bpf/syscall.c
> > > @@ -23,6 +23,7
> @@ -1830,6 +1859,7 @@ static int bpf_prog_load(union bpf_attr *attr, union
> bpf_attr __user *uattr)
> */
> bpf_prog_kallsyms_add(prog);
> perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
> + bpf_audit_prog(prog, BPF_AUDIT_LOAD);
>
> err = bpf_prog_new_fd(prog);
> if (err < 0)
> --
> 2.23.0
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
nt)) {
> perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0);
> + bpf_audit_prog(prog, BPF_AUDIT_UNLOAD);
> /* bpf_prog_free_id() must be called first */
> bpf_prog_free_id(prog, do_idr_lock);
> __bpf_prog_put_noref(prog, true);
> @@ -1830,6 +1862,7 @@ static int bpf_prog_load(union bpf_attr *attr, union
> bpf_attr __user *uattr)
> */
> bpf_prog_kallsyms_add(prog);
> perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
> + bpf_audit_prog(prog, BPF_AUDIT_LOAD);
>
> err = bpf_prog_new_fd(prog);
> if (err < 0)
> --
> 2.21.0
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Fri, Dec 6, 2019 at 4:28 PM Jiri Olsa wrote:
> On Fri, Dec 06, 2019 at 04:11:13PM -0500, Paul Moore wrote:
> > Other than that, this looks good to me, and I see Steve has already
> > given the userspace portion a thumbs-up. Have you started on the
> > audit-testsu
t; > Co-developed-by: Jiri Olsa
> > Signed-off-by: Jiri Olsa
>
> Paul, Steve, given the merge window is closed by now, does this version look
> okay to you for proceeding to merge into bpf-next?
Given the change to audit UAPI I was hoping to merge this via the
audit/next tree, is that okay with you?
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Mon, Dec 2, 2019 at 6:35 PM Joel Fernandes wrote:
> On Mon, Dec 02, 2019 at 06:24:29PM -0500, Paul Moore wrote:
> > On Mon, Dec 2, 2019 at 4:19 PM Joel Fernandes
> > wrote:
> > > Good idea to CC the following on RCU patches:
> > > Paul McKenney
> > &g
ns(-)
While I remain concerned about the granularity, I think this is about
as good as we can get right now without potentially messing things up
in the future. Applied to selinux/next, thanks Stephen.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote:
> On 12/9/19 3:56 PM, Paul Moore wrote:
> > On Mon, Dec 9, 2019 at 7:15 AM Daniel Borkmann wrote:
> >> On Fri, Dec 06, 2019 at 10:49:34PM +0100, Jiri Olsa wrote:
> >>> From: Daniel Borkmann
> >>>
&g
On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote:
> On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote:
> > On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote:
> > > On 12/9/19 3:56 PM, Paul Moore wrote:
> > > > On Mon, Dec 9, 2019 at 7:15 AM D
On Wed, Dec 11, 2019 at 8:20 AM Daniel Borkmann wrote:
> On Tue, Dec 10, 2019 at 05:45:59PM -0500, Paul Moore wrote:
> > On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote:
> > > On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote:
> > > > On Mon, Dec 9, 2
audit_remove_mark(oentry->rule.exe);
>
> - audit_watch_log_rule_change(r, owatch,
> "updated_rules");
> -
> call_rcu(&oentry->rcu, audit_free_rule_rcu);
> }
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Tue, Jan 7, 2020 at 5:52 PM Steve Grubb wrote:
> On Monday, January 6, 2020 8:47:33 PM EST Paul Moore wrote:
> > On Sun, Jan 5, 2020 at 10:22 AM Steve Grubb wrote:
> > > Common Criteria calls out for any action that modifies the audit trail to
> > > be recorded. Tha
ve_mark(oentry->rule.exe);
>
> - audit_watch_log_rule_change(r, owatch,
> "updated_rules");
> -
> call_rcu(&oentry->rcu, audit_free_rule_rcu);
> }
>
> --
> 2.24.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
/linux-audit/audit-kernel/issues/25
> > See: https://github.com/linux-audit/audit-kernel/issues/35
> > See: https://github.com/linux-audit/audit-kernel/issues/43
> > See: https://github.com/linux-audit/audit-kernel/issues/44
>
> What tree is this batch targeted to?
I believe Richard was targeting this for the audit tree.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ACID); this
seems wrong to me. I think the proper behavior would be to either add
a "res=" field to indicate success/failure or only emit the record
when we actually change a task's ACID. Considering the impact that
the ACID value will potentially have on the audit stream, it seems
like always logging the record and including a "res=" field may be the
safer choice.
> + return rc;
> +}
> +
> /**
> * audit_log_end - end one audit record
> * @ab: the audit_buffer
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
list_add_rcu(&newcont->list,
> &audit_contid_hash[h]);
> + spin_unlock(&audit_contobj_list_lock);
I think we might have a problem where multiple tasks could race adding
the same audit container ID and since there is no check inside the
s
ce acting as an
orchestrator and creating a new nested level of audit container IDs,
is a privileged operation I think we can equate this to the infamous
"shooting oneself in the foot" problem. Let's leave this limitation
out of the patchset for now, if it becomes a problem in the
task_tgid_nr(task), contid, oldcontid);
> + audit_log_format(ab, "op=set opid=%d contid=", task_tgid_nr(task));
> + audit_log_contid(ab, contid);
> + audit_log_format(ab, " old-contid=");
> + audit_log_contid(ab, oldcontid);
t;
> + }
> + cont = kmalloc(sizeof(*cont), GFP_ATOMIC);
> + if (cont) {
> + INIT_LIST_HEAD(&cont->list);
> + cont->id = contid;
> + refcount_set(&cont->refcount, 1);
> + spin_lock(&aunet->contid_list_lock);
> + list_add_rcu(&cont->list, contid_list);
> + spin_unlock(&aunet->contid_list_lock);
> + }
> +out:
> + rcu_read_unlock();
> +}
See my comments about refcount_t, spinlocks, and list manipulation
races from earlier in the patchset; the same thing applies to the
function above.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
++
> kernel/audit.h | 7 +
> kernel/fork.c | 10 +--
> kernel/nsproxy.c | 27 +++---
> 7 files changed, 107 insertions(+), 25 deletions(-)
Similar to my comments in patch 14, let's defer this to a later time
if we need to do
k that audit container ID from being
reused immediately, but since we are talking about one number out of
2^64 that seems like a reasonable tradeoff.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t_user_ns) {
if (!ns_capable(CAP_AUDIT_CONTROL) || !audit_get_capcontid())
rc = -EPERM;
} else if (!capable(CAP_AUDIT_CONTROL))
rc = -EPERM;
> + }
> + if (!rc)
> + task->audit->capcontid = enable;
> +
> + if (!audit_enabled)
> + return rc;
> +
> + ab = audit_log_start(audit_context(), GFP_KERNEL,
> AUDIT_SET_CAPCONTID);
> + if (!ab)
> + return rc;
> +
> + audit_log_format(ab,
> +"opid=%d capcontid=%u old-capcontid=%u",
> +task_tgid_nr(task), enable, oldcapcontid);
> + audit_log_end(ab);
My prior comments about recording the success/failure, or not emitting
the record on failure, seem relevant here too.
> + return rc;
> +}
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
tsc.c
> @@ -1568,6 +1568,8 @@ static void audit_log_exit(void)
>
> audit_log_proctitle();
>
> + audit_log_container_drop();
> +
> /* Send end of event record to help user space know we are finished */
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
> if (ab)
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
r code for each
failure case, but this is getting silly. Let's group the descendent
checks under the same error code.
> + /* only allow contid setting again if nesting */
> + if (audit_contid_set(task) && audit_contid_isowner(task))
> rc = -ECHILD;
Should that be "!audit_contid_isowner()"?
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t_put_tty(tty);
> + audit_log_task_context(ab); /* subj= */
Also part of the syscall record.
> + audit_log_format(ab, " comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
Again.
> + audit_log_d_path_exe(ab, curre
On Wed, Jan 22, 2020 at 6:07 PM Richard Guy Briggs wrote:
> On 2020-01-22 17:40, Paul Moore wrote:
> > On Fri, Jan 17, 2020 at 3:21 PM Richard Guy Briggs wrote:
...
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index 17b0d523afb3..478259f3fa53 100644
On Thu, Jan 23, 2020 at 11:14 AM Richard Guy Briggs wrote:
> On 2020-01-23 09:32, Paul Moore wrote:
> > On Wed, Jan 22, 2020 at 6:07 PM Richard Guy Briggs wrote:
> > > On 2020-01-22 17:40, Paul Moore wrote:
> > > > On Fri, Jan 17, 2020 at 3:21 PM Rich
On Thu, Jan 23, 2020 at 11:29 AM Richard Guy Briggs wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:50 PM Richard Guy Briggs wrote:
> > >
> > > Add audit container identifier support to the action of signalling the
> > > audit
On Thu, Jan 23, 2020 at 1:52 PM Richard Guy Briggs wrote:
> On 2020-01-23 11:57, Paul Moore wrote:
> > On Thu, Jan 23, 2020 at 11:14 AM Richard Guy Briggs wrote:
> > > On 2020-01-23 09:32, Paul Moore wrote:
> > > > On Wed, Jan 22, 2020 at 6:07 PM Richard Guy Briggs
On Thu, Jan 23, 2020 at 3:04 PM Richard Guy Briggs wrote:
> On 2020-01-23 12:09, Paul Moore wrote:
> > On Thu, Jan 23, 2020 at 11:29 AM Richard Guy Briggs wrote:
> > > On 2020-01-22 16:28, Paul Moore wrote:
> > > > On Tue, Dec 31, 2019 at 2:50 PM Rich
On Thu, Jan 23, 2020 at 3:15 PM Richard Guy Briggs wrote:
> On 2020-01-23 14:07, Paul Moore wrote:
> > On Thu, Jan 23, 2020 at 1:52 PM Richard Guy Briggs wrote:
> > > On 2020-01-23 11:57, Paul Moore wrote:
> > > > On Thu, Jan 23, 2020 at 11:14 AM Richard Guy Briggs
On Thu, Jan 23, 2020 at 4:03 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:29, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > Require the target task to be a descendant of the container
> > > orchestrator/engin
)
audit/stable-5.6 PR 20200127
Amol Grover (1):
audit: Add __rcu annotation to RCU pointer
kernel/audit.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--
paul moore
www.paul
egarding style chanes also applies here.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ase don't do it here.
> + audit_log_format(ab, "table=%s family=%u entries=%u",
> +name, af, nentries);
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL_GPL(__audit_nf_cfg);
> +
> static void audit_log_task(struct audit_buffer *ab)
> {
> kuid_t auid, uid;
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
> 1 file changed, 18 insertions(+), 25 deletions(-)
Considering that this patch is a style change in code outside of
audit, and we want to merge this via the audit tree, I think it is
best if you drop the style changes from this patchset. You can always
submit them later to the net
*input_table,
> *res = NULL;
> }
>
> + if (audit_enabled)
> + audit_nf_cfg(repl->name, AF_BRIDGE, repl->nentries);
> return ret;
> free_unlock:
> mutex_unlock(&ebt_mutex);
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
, 13 deletions(-)
My comments from the first patch regarding style changes also applies here.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
-1466,6 +1466,8 @@ void *xt_unregister_table(struct xt_table *table)
> private = table->private;
> list_del(&table->list);
> mutex_unlock(&xt[table->af].mutex);
> + if (audit_enabled)
> + audit_nf_cfg(table->name, table->af, private->number, 2);
> kfree(table);
>
> return private;
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
an example, you can pick something else.
I agree. Also, please just merge this into patch 4; I don't see a
solid reason why it shouldn't be there.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
h_log_rule_change(r, owatch,
> "updated_rules");
> -
> call_rcu(&oentry->rcu, audit_free_rule_rcu);
> }
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
; here we
probably want to special case that as I don't think we want to display
audit container IDs as signed numbers in general.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Tue, Feb 4, 2020 at 5:52 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:50 PM Richard Guy Briggs wrote:
> > >
> > > Store the audit container identifier in a refcounted kernel object that
> > > is added t
On Tue, Feb 4, 2020 at 6:15 PM Richard Guy Briggs wrote:
> On 2020-01-23 16:35, Paul Moore wrote:
> > On Thu, Jan 23, 2020 at 3:04 PM Richard Guy Briggs wrote:
> > > On 2020-01-23 12:09, Paul Moore wrote:
> > > > On Thu, Jan 23, 2020 at 11:29 AM Richard Guy Briggs
On Tue, Feb 4, 2020 at 6:43 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > This also adds support to qualify NETFILTER_PKT records.
> > >
> > > Aud
On Tue, Feb 4, 2020 at 7:39 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:29, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a
> > > proc
On Tue, Feb 4, 2020 at 1:12 PM Steve Grubb wrote:
> On Tuesday, February 4, 2020 10:52:36 AM EST Paul Moore wrote:
> > On Tue, Feb 4, 2020 at 10:47 AM Steve Grubb wrote:
> > > On Tuesday, February 4, 2020 8:19:44 AM EST Richard Guy Briggs wrote:
> > > > > The est
On Thu, Jan 30, 2020 at 2:28 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:29, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > Track the parent container of a container to be able to filter and
> > > report nesting
on vacation, and only dealing with emergencies as they
arise - this isn't one of those. I'm not sure what Richard is doing, but
you'll get an answer when I'm back in "the office" if Richard doesn't comment
first.
That said, it's always okay to file a GH issue.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Fri, Feb 7, 2020 at 4:56 PM Paul Moore wrote:
> On February 7, 2020 2:18:33 PM Steve Grubb wrote:
> > On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
> >>> Doesn't seem much better:
> >>>
> >>> type=PROCTITLE msg=audit(02/0
On Mon, Feb 10, 2020 at 6:05 PM Orion Poplawski wrote:
> On 2/10/20 3:54 PM, Paul Moore wrote:
> > On Fri, Feb 7, 2020 at 4:56 PM Paul Moore wrote:
> >> On February 7, 2020 2:18:33 PM Steve Grubb wrote:
> >>> On Thursday, February 6, 2020 1:33:19 PM EST Lenny B
were intending this patchset to go
in via some tree other than audit?
Acked-by: Paul Moore
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4effe01ebbe2..d3510513cdd1 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -430,24 +430,19 @@ static int audit_field
On Wed, Feb 12, 2020 at 5:39 PM Steve Grubb wrote:
> On Wednesday, February 5, 2020 5:50:28 PM EST Paul Moore wrote:
> > > > > > ... When we record the audit container ID in audit_signal_info() we
> > > > > > take an extra reference to the audit container ID
formats properly designed to handle this without too much problem (I'm
not entirely sure we do)?
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Wed, Feb 5, 2020 at 6:51 PM Richard Guy Briggs wrote:
> On 2020-02-05 18:05, Paul Moore wrote:
> > On Thu, Jan 30, 2020 at 2:28 PM Richard Guy Briggs wrote:
> > > On 2020-01-22 16:29, Paul Moore wrote:
> > > > On Tue, Dec 31, 2019 at 2:51 PM Rich
On Thu, Feb 6, 2020 at 7:52 AM Richard Guy Briggs wrote:
> On 2020-02-05 17:56, Paul Moore wrote:
> > On Tue, Feb 4, 2020 at 7:39 PM Richard Guy Briggs wrote:
> > > On 2020-01-22 16:29, Paul Moore wrote:
> > > > On Tue, Dec 31, 2019 at 2:51 PM Rich
ist (no html mail) 2) this mailing list is for the discussion and
development of the Linux audit subsystem in the upstream (or close to
upstream) code. If you are looking for RHEL, or any other enterprise
Linux distro, support please use the appropriate support channels.
Thank you.
--
pa
d to be kfree()'d (see
audit_free_lsm_field()), then we could run into problems if we end up
following an error path in audit_data_to_entry() before the lsm_str
field is populated with an actual string.
If the above reasoning proves to be correct, it looks like the problem
was caused by 219ca
tmail.com
Signed-off-by: Paul Moore
---
kernel/auditfilter.c | 71 +++---
1 file changed, 39 insertions(+), 32 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b0126e9c0743..026e34da4ace 100644
--- a/kernel/auditf
]
> __se_compat_sys_sendmsg net/compat.c:646 [inline]
> __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646
> do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
> do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
> entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
> =
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ys_sendmsg net/compat.c:646 [inline]
> __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646
> do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
> do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
> entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.
000 R15:
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
Has the syzbot audit related configuration recently changed? At the
very least it looks like you want to configure the system so that it
doesn't panic when an audit record is lost (printk/AUDIT_F
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Similar to syzbot report 72461ac44b36c98f58e5, see my comments there.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
, good catch :) I saw the panic and instinctively chalked
that up to a mistaken config, not expecting that it was what was being
tested.
> On Mon, 2020-02-24 at 17:38 -0500, Paul Moore wrote:
> > On Mon, Feb 24, 2020 at 3:18 AM syzbot
> > wrote:
> > > Hello,
> > &
...@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
---
kernel/audit.c | 43 +++
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 17b0d523afb3..6e8b176bdb68 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1101,13 +1101,11
On Mon, Feb 24, 2020 at 5:53 PM Paul Moore wrote:
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzkall
On Mon, Feb 24, 2020 at 5:53 PM Paul Moore wrote:
>
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzk
...@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
---
kernel/audit.c | 40 +---
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 17b0d523afb3..9ddfe2aa6671 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1101,13 +1101,11
On Mon, Feb 24, 2020 at 4:31 PM Paul Moore wrote:
>
> Commit 219ca39427bf ("audit: use union for audit_field values since
> they are mutually exclusive") combined a number of separate fields in
> the audit_field struct into a single union. Generally this worked
> j
On Tue, Feb 25, 2020 at 12:50 PM Paul Moore wrote:
>
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzk
7aa3d19a93:
audit: always check the netlink payload length in audit_receive_msg()
(2020-02-24 16:38:57 -0500)
audit/stable-5.6 PR 20200226
----
Paul Moore (2):
audit:
On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov wrote:
> On Mon, Feb 24, 2020 at 11:47 PM Paul Moore wrote:
> > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris wrote:
> > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e0 (the
> > > reproducer listed) looks like
in auditsc_get_stamp() and not
someplace a bit more obvious like audit_log_start()? Is it because
auditsc_get_stamp() only gets called once per event? I'm willing to
take the "hit" of one extra assignment in audit_log_start() to keep
this in a more obvious place and not buried in
tty ? tty_name(tty) : "(none)",
> +audit_get_sessionid(current));
> + audit_put_tty(tty);
> + audit_log_task_context(ab); /* subj= */
> + audit_log_format(ab, " comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> + audit_log_d_path_exe(ab, current->mm); /* exe= */
> + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
> + audit_log_end(ab);
> +}
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ctionality not present in the redhat.com archive.
* https://lore.kernel.org/linux-audit
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
nk you.
>
> I have to start pushing on this series. If the audit community
> hasn't any additional feedback, I'll take it that what's here is
> acceptable and move my lobbying efforts elsewhere.
I'll take another look later this week.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ikely to be some merge fuzz in
kernel/auditfilter.c; I just had to fix some of the code you are
touching (it is in Linus' tree). The merge should be trivial, but if
you are uncertain let me know.
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
all get the same
value, and then do their match. I'm assuming this will make more
sense as I progress through the rest of the patchset, but right now it
seems like we could get by just fine with a u32 here.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
at it is hard to make individual patches do something
meaningful when you are making such sweeping changes, but in these
cases you need to document it until there is no doubt about why this
patch exists.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t/iteration.
> Reviewed-by: Kees Cook
> Reviewed-by: John Johansen
> Acked-by: Stephen Smalley
> Signed-off-by: Casey Schaufler
> ---
> include/linux/security.h | 7 ---
> kernel/auditsc.c | 5 -
> security/security.c | 12 +---
> 3 fil
etions(-)
There is some undefined scaffolding in the IMA section, but I'll leave
that to Mimi if she cares or not. One small suggestion below, but I'm
okay if you ignore that, it's pretty minor.
Acked-by: Paul Moore
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> i
| 7 ++---
> security/security.c | 10 +++++--
> 12 files changed, 76 insertions(+), 120 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ng choices, but considering none
of it is visible to userspace it isn't worth worrying about.
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
regard my previous ACK.
We should treat "subj=" similar to how we treat "obj="; if there is
more than one LSM loaded the "subj=" should be set to "?" with the
"subj_XXX=" set to the appropriate label for the named LSM. This
patch looks like it is always using LSMBLOB_FIRST and not "?" when
multiple LSMs are present.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t me tell you one of my most hated mantras: "new audit
fields MUST go at the end of the audit record". The "MUST" is in all
caps because either I'm being clever and reusing some IETF RFC
concepts, or I'm tired of arguing this point and feel like
capitalization is the best I can do for stress relief; maybe it is a
combination of the two. Feel free to pick whichever reason you find
most pleasing.
Either way, the "obj=" field should stay where it is, but the
"obj_XXX=" fields need to find their way to the end of the record.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Mon, Mar 9, 2020 at 1:45 PM Casey Schaufler wrote:
> On 3/6/2020 6:31 PM, Paul Moore wrote:
> > Either way, the "obj=" field should stay where it is, but the
> > "obj_XXX=" fields need to find their way to the end of the record.
>
> As Steve pointed
On Mon, Mar 9, 2020 at 4:31 PM Richard Guy Briggs wrote:
> On 2020-02-27 20:02, Paul Moore wrote:
> > On Tue, Feb 18, 2020 at 4:01 PM Richard Guy Briggs wrote:
> > >
> > > When there are no audit rules registered, mandatory records (config,
> > > etc.) ar
On Mon, Mar 9, 2020 at 7:58 PM Casey Schaufler wrote:
> On 3/6/2020 2:01 PM, Paul Moore wrote:
> > On Fri, Feb 21, 2020 at 7:04 PM Casey Schaufler
> > wrote:
> >> Change the secid parameter of security_audit_rule_match
> >> to a lsmblob structure pointer. Pas
On Mon, Mar 9, 2020 at 8:59 PM Richard Guy Briggs wrote:
>
> On 2020-03-09 19:55, Paul Moore wrote:
> > On Mon, Mar 9, 2020 at 4:31 PM Richard Guy Briggs wrote:
> > > On 2020-02-27 20:02, Paul Moore wrote:
> > > > On Tue, Feb 18, 2020 at 4:01 PM R
On Mon, Mar 9, 2020 at 7:01 PM Casey Schaufler wrote:
> On 3/9/2020 10:59 AM, Paul Moore wrote:
> > On Mon, Mar 9, 2020 at 1:45 PM Casey Schaufler
> > wrote:
> >> On 3/6/2020 6:31 PM, Paul Moore wrote:
> >>> Either way, the "obj=" field should sta
401 - 500 of 2305 matches
Mail list logo
