Re: [GIT PULL] Audit patches for v5.12

2021-02-21 Thread pr-tracker-bot
The pull request you sent on Mon, 15 Feb 2021 17:10:37 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20210215

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/23b6ba45f321bd5c4cddde4b8c85b3f71da3cdb8

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


[GIT PULL] Audit patches for v5.12

2021-02-15 Thread Paul Moore
Hi Linus,

Three very trivial patches for audit this time.  All pass the
audit-testsuite and apply cleanly to your tree as of a few minutes
ago; please merge these for v5.12.

Thanks,
-Paul

--
The following changes since commit e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62:

 Linux 5.11-rc2 (2021-01-03 15:55:30 -0800)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20210215

for you to fetch changes up to 127c8c5f0589cea2208c329bff7dcb36e375f46c:

 audit: Make audit_filter_syscall() return void (2021-01-27 21:55:14 -0500)


audit/stable-5.12 PR 20210215


Davidlohr Bueso (1):
 audit: Remove leftover reference to the audit_tasklet

Yang Yang (1):
 audit: Make audit_filter_syscall() return void

Zheng Yongjun (1):
 kernel/audit: convert comma to semicolon

kernel/audit.c   |  4 ++--
kernel/auditsc.c | 16 
2 files changed, 10 insertions(+), 10 deletions(-)

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.11

2020-12-16 Thread pr-tracker-bot
The pull request you sent on Mon, 14 Dec 2020 20:57:59 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20201214

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/3d5de2ddc6ba924d7c10460a1dc3aae8786b9d52

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


[GIT PULL] Audit patches for v5.11

2020-12-14 Thread Paul Moore
Hi Linus,

A small set of audit patches for v5.11 with four patches in total and
only one of any real significance.  Richard's patch to trigger
accompanying records causes the kernel to emit additional related
records when an audit event occurs; helping provide some much needed
context to events in the audit log.  It is also worth mentioning that
this is a revised patch based on an earlier attempt that had to be
reverted in the v5.8 time frame.

Everything passes our test suite, and with no problems reported please
merge this for v5.11.

Thanks,
-Paul

--
The following changes since commit 3650b228f83adda7e5ee532e2b90429c03f7b9ec:

 Linux 5.10-rc1 (2020-10-25 15:14:11 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20201214

for you to fetch changes up to 6b3211842a115d697fbf78d09f3e83852200e413:

 audit: replace atomic_add_return() (2020-12-02 22:52:16 -0500)


audit/stable-5.11 PR 20201214


Alex Shi (1):
 audit: fix macros warnings

Mauro Carvalho Chehab (1):
 audit: fix a kernel-doc markup

Richard Guy Briggs (1):
 audit: trigger accompanying records when no rules present

Yejune Deng (1):
 audit: replace atomic_add_return()

include/linux/audit.h |  8 
kernel/audit.c|  9 ++---
kernel/auditsc.c  | 38 --
security/lsm_audit.c  |  5 -
4 files changed, 18 insertions(+), 42 deletions(-)

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.10

2020-10-13 Thread pr-tracker-bot
The pull request you sent on Mon, 12 Oct 2020 20:51:22 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git stable-5.10

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/01fb1e2f42d607ef5eb7a7ca54a0f0901fb5856c

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


Re: [GIT PULL] Audit patches for v5.10

2020-10-12 Thread Paul Moore
On Mon, Oct 12, 2020 at 8:54 PM Paul Moore wrote:
> On Mon, Oct 12, 2020 at 8:51 PM Paul Moore wrote:
> >
> > Hi Linus,
> >
> > A small set of audit patches for v5.10.  There are only three patches
> > in total, and all three are trivial fixes that don't really warrant
> > any explanations beyond their descriptions.  As usual, all three
> > patches pass our test suite and as of a few minutes ago they applied
> > cleanly to your tree.  Please merge for v5.10.
> >
> > Thanks,
> > -Paul
> >
> > --
> > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> >
> >  Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> >
> > are available in the Git repository at:
> >
> >  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
> >stable-5.10
>
> My apologies, I mistakenly sent the branch and not the signed tag, the
> proper PR tag is below:
>
>  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
> audit-pr-20201012

Today is just not my day, of course the tag reference above is missing
the "tags/" prefix.  Sorry for all the noise.

> > for you to fetch changes up to c07203516439b9cd9f7b3cbed82a77164de5af40:
> >
> >  audit: Remove redundant null check (2020-08-26 09:10:39 -0400)
> >
> > 
> > Jules Irenge (2):
> >  audit: change unnecessary globals into statics
> >  audit: uninitialize variable audit_sig_sid
> >
> > Xu Wang (1):
> >  audit: Remove redundant null check
> >
> > kernel/audit.c | 9 -
> > kernel/audit.h | 4 
> > 2 files changed, 4 insertions(+), 9 deletions(-)
> >
> > --
> > paul moore
> > www.paul-moore.com
>
>
>
> --
> paul moore
> www.paul-moore.com



-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.10

2020-10-12 Thread Paul Moore
On Mon, Oct 12, 2020 at 8:51 PM Paul Moore wrote:
>
> Hi Linus,
>
> A small set of audit patches for v5.10.  There are only three patches
> in total, and all three are trivial fixes that don't really warrant
> any explanations beyond their descriptions.  As usual, all three
> patches pass our test suite and as of a few minutes ago they applied
> cleanly to your tree.  Please merge for v5.10.
>
> Thanks,
> -Paul
>
> --
> The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
>
>  Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
>
> are available in the Git repository at:
>
>  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
>stable-5.10

My apologies, I mistakenly sent the branch and not the signed tag, the
proper PR tag is below:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
audit-pr-20201012

> for you to fetch changes up to c07203516439b9cd9f7b3cbed82a77164de5af40:
>
>  audit: Remove redundant null check (2020-08-26 09:10:39 -0400)
>
> 
> Jules Irenge (2):
>  audit: change unnecessary globals into statics
>  audit: uninitialize variable audit_sig_sid
>
> Xu Wang (1):
>  audit: Remove redundant null check
>
> kernel/audit.c | 9 -
> kernel/audit.h | 4 
> 2 files changed, 4 insertions(+), 9 deletions(-)
>
> --
> paul moore
> www.paul-moore.com



-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v5.10

2020-10-12 Thread Paul Moore
Hi Linus,

A small set of audit patches for v5.10.  There are only three patches
in total, and all three are trivial fixes that don't really warrant
any explanations beyond their descriptions.  As usual, all three
patches pass our test suite and as of a few minutes ago they applied
cleanly to your tree.  Please merge for v5.10.

Thanks,
-Paul

--
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:

 Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   stable-5.10

for you to fetch changes up to c07203516439b9cd9f7b3cbed82a77164de5af40:

 audit: Remove redundant null check (2020-08-26 09:10:39 -0400)


Jules Irenge (2):
 audit: change unnecessary globals into statics
 audit: uninitialize variable audit_sig_sid

Xu Wang (1):
 audit: Remove redundant null check

kernel/audit.c | 9 -
kernel/audit.h | 4 
2 files changed, 4 insertions(+), 9 deletions(-)

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.9

2020-08-04 Thread pr-tracker-bot
The pull request you sent on Mon, 3 Aug 2020 21:00:01 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20200803

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/fd76a74d940ae3d6b8b2395cd12914630c7e1739

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


[GIT PULL] Audit patches for v5.9

2020-08-03 Thread Paul Moore
Hi Linus,

Here are the audit patches for the v5.9 merge window.  All of the
patches in this pull request pass our test suite and merged cleanly
with your tree from a few hours ago.

Aside from some smaller bug fixes, here are the highlights:

- Add a new backlog wait metric to the audit status message, this is
intended to help admins determine how long processes have been waiting
for the audit backlog queue to clear

- Generate audit records for nftables configuration changes

- Generate CWD audit records for the relevant LSM audit records

Please merge for v5.9, thanks,
-Paul

--
The following changes since commit b3a9e3b9622ae10064826dccb4f7a52bd88c7407:

 Linux 5.8-rc1 (2020-06-14 12:45:04 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20200803

for you to fetch changes up to b43870c74f3fdf0cd06bf5f1b7a5ed70a2cd4ed2:

 audit: report audit wait metric in audit status reply
   (2020-07-21 11:21:44 -0400)


audit/stable-5.9 PR 20200803


Gustavo A. R. Silva (1):
 audit: Use struct_size() helper in alloc_chunk

Max Englander (1):
 audit: report audit wait metric in audit status reply

Paul Moore (1):
 audit: use the proper gfp flags in the audit_log_nfcfg() calls

Richard Guy Briggs (5):
 audit: log nftables configuration change events
 audit: add gfp parameter to audit_log_nfcfg
 audit: remove unused !CONFIG_AUDITSYSCALL __audit_inode* stubs
 audit: issue CWD record to accompany LSM_AUDIT_DATA_* records
 audit: purge audit_log_string from the intra-kernel audit API

include/linux/audit.h   |  46 +++--
include/uapi/linux/audit.h  |  18 ---
kernel/audit.c  |  39 +-
kernel/audit_tree.c |   4 +-
kernel/auditsc.c|  45 +---
net/bridge/netfilter/ebtables.c |   6 +--
net/netfilter/nf_tables_api.c   | 112 
net/netfilter/x_tables.c|   5 +-
security/apparmor/audit.c   |  10 ++--
security/apparmor/file.c|  25 +++--
security/apparmor/ipc.c |  46 -
security/apparmor/net.c |  14 ++---
security/lsm_audit.c|   9 +++-
13 files changed, 273 insertions(+), 106 deletions(-)

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.8

2020-06-02 Thread pr-tracker-bot
The pull request you sent on Mon, 1 Jun 2020 20:48:59 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20200601

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/9d99b1647fa56805c1cfef2d81ee7b9855359b62

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


Re: [GIT PULL] Audit patches for v5.8

2020-06-02 Thread Linus Torvalds
On Mon, Jun 1, 2020 at 5:49 PM Paul Moore wrote:
>
>   Unfortunately I just noticed
> that one of the commit subject lines is truncated - sorry about that,
> it's my fault not Richard's - but since the important part is there
> ("add subj creds to NETFILTER_CFG") I opted to leave it as-is and not
> disrupt the git log.  If you would rather have the subject line fixed,
> let me know and I'll correct it.

It looks a bit odd, but not worth the churn of fixing up. Thanks, pulled,

  Linus


[GIT PULL] Audit patches for v5.8

2020-06-01 Thread Paul Moore
Hi Linus,

Here is the set of audit patches for the v5.8 merge window, all
patches pass our test suite and as of a few minutes ago they also
merge cleanly with the top of your tree.  Unfortunately I just noticed
that one of the commit subject lines is truncated - sorry about that,
it's my fault not Richard's - but since the important part is there
("add subj creds to NETFILTER_CFG") I opted to leave it as-is and not
disrupt the git log.  If you would rather have the subject line fixed,
let me know and I'll correct it.

A quick summary of the significant patches:

- Record information about binds/unbinds to the audit multicast
socket.  This helps identify which processes have/had access to the
information in the audit stream.

- Cleanup and add some additional information to the netfilter
configuration events collected by audit.

- Fix some of the audit error handling code so we don't leak network
namespace references.

Thanks,
-Paul

--
The following changes since commit 8f3d9f354286745c751374f5f1fcafee6b3f3136:

 Linux 5.7-rc1 (2020-04-12 12:35:55 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20200601

for you to fetch changes up to 9d44a121c5a79bc8a9d67c058456bd52a83c79e7:

 audit: add subj creds to NETFILTER_CFG record to
   (2020-05-20 18:09:19 -0400)


audit/stable-5.8 PR 20200601


Gustavo A. R. Silva (1):
 audit: Replace zero-length array with flexible-array

Paul Moore (2):
 audit: fix a net reference leak in audit_send_reply()
 audit: fix a net reference leak in audit_list_rules_send()

Richard Guy Briggs (4):
 audit: log audit netlink multicast bind and unbind
 audit: tidy and extend netfilter_cfg x_tables
 netfilter: add audit table unregister actions
 audit: add subj creds to NETFILTER_CFG record to

Zheng Bin (1):
 audit: make symbol 'audit_nfcfgs' static

include/linux/audit.h   |  24 +-
include/uapi/linux/audit.h  |   1 +
kernel/audit.c  | 100 +++-
kernel/audit.h  |   2 +-
kernel/auditfilter.c|  16 +++
kernel/auditsc.c|  31 +
net/bridge/netfilter/ebtables.c |  14 +++---
net/netfilter/x_tables.c|  14 ++
8 files changed, 148 insertions(+), 54 deletions(-)

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.3

2019-07-08 Thread pr-tracker-bot
The pull request you sent on Tue, 2 Jul 2019 13:28:33 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20190702

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/61fc5771f5e729a2ce235af42f69c8506725e84a

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


Re: [GIT PULL] Audit patches for v5.2

2019-05-07 Thread pr-tracker-bot
The pull request you sent on Tue, 7 May 2019 13:23:05 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20190507

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/02aff8db6438ce29371fd9cd54c57213f4bb4536

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


[GIT PULL] Audit patches for v5.2

2019-05-07 Thread Paul Moore
Hi Linus,

We've got a reasonably broad set of audit patches for the v5.2 merge
window, the highlights are below:

- The biggest change, and the source of all the arch/* changes, is the
patchset from Dmitry to help enable some of the work he is doing
around PTRACE_GET_SYSCALL_INFO.  To be honest, including this in the
audit tree is a bit of a stretch, but it does help move audit a little
further along towards proper syscall auditing for all arches, and
everyone else seemed to agree that audit was a "good" spot for this to
land (or maybe they just didn't want to merge it?  dunno.).

- We can now audit time/NTP adjustments.

- We continue the work to connect associated audit records into a single event.

As a FYI, you will likely run into two minor merge problems in
kernel/seccomp.c and arch/mips/kernel/ptrace.c; both are very similar
and have to do with the change to syscall_get_arch() and
syscall_get_arguments().  It should be easy to sort this out (you'll
see what I mean), but if you have any questions just let us know.

Please pull this for v5.2,
-Paul

--
The following changes since commit 9e98c678c2d6ae3a17cb2de55d17f69dddaa231b:

 Linux 5.1-rc1 (2019-03-17 14:22:26 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20190507

for you to fetch changes up to 70c4cf17e445264453bc5323db3e50aa0ac9e81f:

 audit: fix a memory leak bug (2019-04-22 11:22:03 -0400)


audit/stable-5.2 PR 20190507


Dmitry V. Levin (13):
 Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h
 arc: define syscall_get_arch()
 c6x: define syscall_get_arch()
 h8300: define syscall_get_arch()
 Move EM_HEXAGON to uapi/linux/elf-em.h
 hexagon: define syscall_get_arch()
 m68k: define syscall_get_arch()
 Move EM_NDS32 to uapi/linux/elf-em.h
 nds32: define syscall_get_arch()
 nios2: define syscall_get_arch()
 Move EM_UNICORE to uapi/linux/elf-em.h
 unicore32: define syscall_get_arch()
 syscall_get_arch: add "struct task_struct *" argument

Li RongQing (1):
 audit: fix a memleak caused by auditing load module

Ondrej Mosnacek (2):
 timekeeping: Audit clock adjustments
 ntp: Audit NTP parameters adjustment

Richard Guy Briggs (3):
 audit: connect LOGIN record to its syscall record
 audit: link integrity evm_write_xattrs record to syscall event
 audit: purge unnecessary list_empty calls

Wenwen Wang (1):
 audit: fix a memory leak bug

YueHaibing (1):
 audit: Make audit_log_cap and audit_copy_inode static

arch/alpha/include/asm/syscall.h  |   2 +-
arch/arc/include/asm/elf.h|   6 +-
arch/arc/include/asm/syscall.h|  11 
arch/arm/include/asm/syscall.h|   2 +-
arch/arm64/include/asm/syscall.h  |   4 +-
arch/c6x/include/asm/syscall.h|   7 +++
arch/csky/include/asm/syscall.h   |   2 +-
arch/h8300/include/asm/syscall.h  |   6 ++
arch/hexagon/include/asm/elf.h|   6 +-
arch/hexagon/include/asm/syscall.h|   8 +++
arch/ia64/include/asm/syscall.h   |   2 +-
arch/m68k/include/asm/syscall.h   |  12 
arch/microblaze/include/asm/syscall.h |   2 +-
arch/mips/include/asm/syscall.h   |   6 +-
arch/mips/kernel/ptrace.c |   2 +-
arch/nds32/include/asm/elf.h  |   3 +-
arch/nds32/include/asm/syscall.h  |   9 +++
arch/nios2/include/asm/syscall.h  |   6 ++
arch/openrisc/include/asm/syscall.h   |   2 +-
arch/parisc/include/asm/syscall.h |   4 +-
arch/powerpc/include/asm/syscall.h|  10 ++-
arch/riscv/include/asm/syscall.h  |   2 +-
arch/s390/include/asm/syscall.h   |   4 +-
arch/sh/include/asm/syscall_32.h  |   2 +-
arch/sh/include/asm/syscall_64.h  |   2 +-
arch/sparc/include/asm/syscall.h  |   5 +-
arch/unicore32/include/asm/elf.h  |   3 +-
arch/unicore32/include/asm/syscall.h  |  12 
arch/x86/include/asm/syscall.h|   8 ++-
arch/x86/um/asm/syscall.h |   2 +-
arch/xtensa/include/asm/syscall.h |   2 +-
include/asm-generic/syscall.h |   5 +-
include/linux/audit.h |  75 +++
include/uapi/linux/audit.h|  14 +
include/uapi/linux/elf-em.h   |   6 ++
kernel/audit.c|   2 +-
kernel/auditfilter.c  |  14 ++---
kernel/auditsc.c  | 115 +
kernel/seccomp.c  |   4 +-
kernel/time/ntp.c |  22 ++-
kernel/time/ntp_internal.h|   4 +-
kernel/time/timekeeping.c |  13 +++-
security/integrity/evm/evm_secfs.c|  10 +--
43 files changed, 331 insertions(+), 107 deletions(-)
create mode 100644 arch/m68k/include/asm/syscall.h
create mode 100644 arch/unicore32/include/asm/syscall.h

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v5.1

2019-03-07 Thread pr-tracker-bot
The pull request you sent on Tue, 5 Mar 2019 17:35:35 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20190305

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/be37f21a08ce65c7632c7f45e1755a4b07f278a0

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


[GIT PULL] Audit patches for v5.1

2019-03-05 Thread Paul Moore
Hi Linus,

A lucky 13 audit patches for v5.1.  Despite the rather large diffstat,
most of the changes are from two bug fix patches that move code from
one Kconfig option to another.  Beyond that bit of churn, the
remaining changes are largely cleanups and bug-fixes as we slowly
march towards container auditing.  It isn't all boring though, we do
have a couple of new things: file capabilities v3 support, and
expanded support for filtering on filesystems to solve problems with
remote filesystems.

All changes pass the audit-testsuite.  Please merge for v5.1.

Thanks,
-Paul

--
The following changes since commit bfeffd155283772bbe78c6a05dec7c0128ee500c:

 Linux 5.0-rc1 (2019-01-06 17:08:20 -0800)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20190305

for you to fetch changes up to 131d34cb07957151c369366b158690057d2bce5e:

 audit: mark expected switch fall-through (2019-02-12 20:17:13 -0500)


audit/stable-5.1 PR 20190305


Gustavo A. R. Silva (1):
 audit: mark expected switch fall-through

Richard Guy Briggs (12):
 audit: give a clue what CONFIG_CHANGE op was involved
 audit: hand taken context to audit_kill_trees for syscall logging
 audit: add syscall information to CONFIG_CHANGE records
 audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to
CONFIG_AUDIT
 audit: add support for fcaps v3
 audit: more filter PATH records keyed on filesystem magic
 audit: clean up AUDITSYSCALL prototypes and stubs
 audit: ignore fcaps on umount
 audit: remove unused actx param from audit_rule_match
 audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL
 audit: join tty records to their syscall
 audit: hide auditsc_get_stamp and audit_serial prototypes

drivers/tty/tty_audit.c |   2 +-
fs/namei.c  |   2 +-
fs/namespace.c  |   2 +
fs/proc/base.c  |   6 +-
include/linux/audit.h   |  66 
include/linux/capability.h  |   5 +-
include/linux/lsm_hooks.h   |   4 +-
include/linux/namei.h   |   3 +
include/linux/sched.h   |   4 +-
include/linux/security.h|   5 +-
init/init_task.c|   2 +-
kernel/audit.c  | 267 --
kernel/audit.h  |  81 +
kernel/audit_fsnotify.c |   2 +-
kernel/audit_tree.c |  19 ++-
kernel/audit_watch.c|   2 +-
kernel/auditfilter.c|   6 +-
kernel/auditsc.c| 320 +++-
security/apparmor/audit.c   |   3 +-
security/apparmor/include/audit.h   |   3 +-
security/commoncap.c|   2 +
security/integrity/ima/ima.h|   3 +-
security/integrity/ima/ima_policy.c |   6 +-
security/security.c |   6 +-
security/selinux/include/audit.h|   4 +-
security/selinux/ss/services.c  |   3 +-
security/smack/smack_lsm.c  |   4 +-
27 files changed, 440 insertions(+), 392 deletions(-)

-- 
paul moore
www.paul-moore.com


Re: [GIT PULL] Audit patches for v4.21

2018-12-27 Thread pr-tracker-bot
The pull request you sent on Mon, 24 Dec 2018 11:26:40 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 
> tags/audit-pr-20181224

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/047ce6d380e8e66cfb6cbc22e873af89dd0c216c

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


[GIT PULL] Audit patches for v4.21

2018-12-24 Thread Paul Moore
Hi Linus,

In the finest of holiday traditions, I have a number of gifts to
share today.  While most of them are re-gifts from others, unlike the
typical re-gift, these are things you will want in and around your
tree; I promise.

This pull request is perhaps a bit larger than our typical PR, but
most of it comes from Jan's rework of audit's fanotify code; a very
welcome improvement.  We ran this through our normal regression tests,
as well as some newly created stress tests and everything looks good.
Richard added a few patches, mostly cleaning up a few things and
shortening some of the audit records that we send to userspace; a
change the userspace folks are quite happy about.  Finally YueHaibing
and I kick in a few patches to simplify things a bit and make the code
less prone to errors.

Lastly, I want to say thanks one more time to everyone who has
contributed patches, testing, and code reviews for the audit subsystem
over the past year.  The project is what it is due to your help and
contributions - thank you.

Thanks,
-Paul

--
The following changes since commit 651022382c7f8da46cb4872a545ee1da6d097d2a:

 Linux 4.20-rc1 (2018-11-04 15:37:52 -0800)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20181224

for you to fetch changes up to d406db524c32ca35bd85cada28a547fff3115715:

 audit: remove duplicated include from audit.c (2018-12-14 12:09:30 -0500)


audit/stable-4.21 PR 20181224


Jan Kara (14):
 audit_tree: Remove mark->lock locking
 audit: Fix possible spurious -ENOSPC error
 audit: Fix possible tagging failures
 audit: Embed key into chunk
 audit: Make hash table insertion safe against concurrent lookups
 audit: Factor out chunk replacement code
 audit: Remove pointless check in insert_hash()
 audit: Provide helper for dropping mark's chunk reference
 audit: Allocate fsnotify mark independently of chunk
 audit: Guarantee forward progress of chunk untagging
 audit: Drop all unused chunk nodes during deletion
 audit: Simplify locking around untag_chunk()
 audit: Replace chunk attached to mark instead of replacing mark
 audit: Use 'mark' name for fsnotify_mark variables

Paul Moore (2):
 audit: minimize our use of audit_log_format()
 audit: use current whenever possible

Richard Guy Briggs (5):
 audit: print empty EXECVE args
 audit: localize audit_log_session_info prototype
 audit: use session_info helper
 audit: remove WATCH and TREE config options
 audit: shorten PATH cap values when zero

YueHaibing (1):
 audit: remove duplicated include from audit.c

drivers/tty/tty_audit.c  |  13 +-
include/linux/audit.h|   8 +-
init/Kconfig |   9 -
kernel/Makefile  |   4 +-
kernel/audit.c   |  62 ++---
kernel/audit.h   |  10 +-
kernel/audit_fsnotify.c  |   6 +-
kernel/audit_tree.c  | 498 
kernel/audit_watch.c |   6 +-
kernel/auditsc.c | 150 ++--
security/integrity/ima/ima_api.c |   2 +-
11 files changed, 395 insertions(+), 373 deletions(-)

-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v4.17

2018-04-03 Thread Paul Moore
Hi Linus,

We didn't have anything to send for v4.16, but we're back with a
little more than usual for v4.17.  Eleven patches in total, most fall
into the small fix category, but there are three non-trivial changes
worth calling out: the audit entry filter is being removed after
deprecating it for quite a while (years of no one really using it
because it turns out to be not very practical), created our own
version of "__mutex_owner()" because the locking folks were upset we
were using theirs, improved our handling of kernel command line
parameters to make them more forgiving, and we fixed auditing of
symlink operations.

Everything passes the audit-testsuite and as of a few minutes ago it
merges well with your tree.

Please pull, thanks.
-Paul
--
The following changes since commit d8a5b80568a9cb66810e75b182018e9edb68e8ff:

 Linux 4.15 (2018-01-28 13:20:33 -0800)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
   tags/audit-pr-20180403

for you to fetch changes up to ea841bafda3f7f9aa8b06a09f0f3e41c207af84f:

 audit: add refused symlink to audit_names (2018-03-21 11:31:03 -0400)


audit/stable-4.17 PR 20180403


Greg Edwards (1):
 audit: do not panic on invalid boot parameter

Paul Moore (1):
 audit: track the owner of the command mutex ourselves

Richard Guy Briggs (9):
 audit: update bugtracker and source URIs
 audit: session ID should not set arch quick field pointer
 audit: deprecate the AUDIT_FILTER_ENTRY filter
 audit: bail before bug check if audit disabled
 audit: return on memory error to avoid null pointer dereference
 audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
 audit: link denied should not directly generate PATH record
 audit: remove path param from link denied function
 audit: add refused symlink to audit_names

Documentation/admin-guide/kernel-parameters.txt |  14 +--
MAINTAINERS |   1 -
fs/namei.c  |   5 +-
include/linux/audit.h   |   6 +-
kernel/audit.c  | 108 +---
kernel/audit.h  |   3 +-
kernel/audit_tree.c |   8 +-
kernel/auditfilter.c|   5 +-
kernel/auditsc.c|  22 +++--
9 files changed, 106 insertions(+), 66 deletions(-)

-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v4.15

2017-11-13 Thread Paul Moore
Hi Linus,

Another relatively small pull request for audit, nine patches total.
The only real new bit of functionality is the patch from Richard which
adds the ability to filter records based on the filesystem type.  The
remainder are bug fixes and cleanups; the bug fix highlights include:
ensuring that we properly audit init/PID-1 (me), and allowing the
audit daemon to shut down the kernel/auditd connection cleanly by
setting the audit PID to zero (Steve).

Please merge for v4.14.

Thanks,
-Paul

---
The following changes since commit 196a5085592c62ffa4eb739d7ce49c040c2953a1:

 audit: update the function comments (2017-09-05 09:46:59 -0400)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
  tags/audit-pr-20171113

for you to fetch changes up to 42d5e37654e4cdb9fb2e2f3ab30045fee35c42d8:

 audit: filter PATH records keyed on filesystem magic
  (2017-11-10 16:08:56 -0500)


audit/stable-4.15 PR 20171113


Casey Schaufler (1):
 Audit: remove unused audit_log_secctx function

Paul Moore (5):
 audit: ensure that 'audit=1' actually enables audit for PID 1
 audit: initialize the audit subsystem as early as possible
 audit: don't use simple_strtol() anymore
 audit: convert audit_ever_enabled to a boolean
 audit: use audit_set_enabled() in audit_enable()

Richard Guy Briggs (1):
 audit: filter PATH records keyed on filesystem magic

Steve Grubb (2):
 audit: Add new syscalls to the perm=w filter
 audit: Allow auditd to set pid to 0 to end auditing

include/asm-generic/audit_dir_write.h |  3 ++
include/asm-generic/audit_write.h |  3 ++
include/linux/audit.h |  8 
include/uapi/linux/audit.h|  8 +++-
kernel/audit.c| 76 +++
kernel/audit.h|  2 +-
kernel/auditfilter.c  | 39 ++
kernel/auditsc.c  | 23 +++
8 files changed, 97 insertions(+), 65 deletions(-)

-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v4.14

2017-09-07 Thread Paul Moore
Hi Linus,

A small pull request for audit this time, only four patches and only
two with any real code changes.  Those two changes are the removal of
a pointless SELinux AVC initialization audit event and a fix to
improve the audit timestamp overhead.  The other two patches are
comment cleanup and administrative updates, nothing very exciting.

Everything passes our tests so please merge for v4.14.

Thanks,
-Paul

---
The following changes since commit 569dbb88e80deb68974ef6fdd6a13edb9d686261:

 Linux 4.13 (2017-09-03 13:56:17 -0700)

are available in the git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git \
   tags/audit-pr-20170907

for you to fetch changes up to 196a5085592c62ffa4eb739d7ce49c040c2953a1:

 audit: update the function comments (2017-09-05 09:46:59 -0400)


audit/stable-4.14 PR 20170907


Geliang Tang (1):
 audit: update the function comments

Mel Gorman (1):
 audit: Reduce overhead using a coarse clock

Paul Moore (1):
 audit: update the audit info in MAINTAINERS

Richard Guy Briggs (1):
 selinux: remove AVC init audit log message

MAINTAINERS|  7 ---
kernel/audit.c |  4 ++--
kernel/auditsc.c   | 20 ++--
security/selinux/avc.c |  2 --
4 files changed, 16 insertions(+), 17 deletions(-)

-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v4.13

2017-07-03 Thread Paul Moore
Hi Linus,

Things are relatively quiet on the audit front for v4.13, just five
patches for a total diffstat of 102 lines.  There are two patches from
Richard to consistently record the POSIX capabilities and add the
ambient capability information as well.  I also chipped in two patches
to fix a race condition with the auditd tracking code and ensure we
don't skip sending any records to the audit multicast group.  Finally
a single style fix that I accepted because I must have been in a good
mood that day.

Everything passes our test suite, and should be relatively harmless,
please merge for v4.13.

Thanks,
-Paul

---
The following changes since commit 48d0e023af9799cd7220335baf8e3ba61eeafbeb:

 audit: fix the RCU locking for the auditd_connection structure
   (2017-05-02 10:16:05 -0400)

are available in the git repository at:

 git://git.infradead.org/users/pcmoore/audit stable-4.13

for you to fetch changes up to cd33f5f2cbfaadc21270f3ddac7c3c33e0a1a28c:

 audit: make sure we never skip the multicast broadcast
   (2017-06-16 11:51:00 -0400)


Derek Robson (1):
 audit: style fix

Paul Moore (2):
 audit: fix a race condition with the auditd tracking code
 audit: make sure we never skip the multicast broadcast

Richard Guy Briggs (2):
 audit: unswing cap_* fields in PATH records
 audit: add ambient capabilities to CAPSET and BPRM_FCAPS records

kernel/audit.c   | 61 +---
kernel/audit.h   | 29 ++-
kernel/auditsc.c | 12 ---
3 files changed, 53 insertions(+), 49 deletions(-)

-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v4.12

2017-05-03 Thread Paul Moore
Hi Linus,

Fourteen audit patches for v4.12 that span the full range of fixes,
new features, and internal cleanups.  We have patches to move to
64-bit timestamps, convert refcounts from atomic_t to refcount_t,
track PIDs using the pid struct instead of pid_t, convert our own
private audit buffer cache to a standard kmem_cache, log kernel module
names when they are unloaded, and normalize the NETFILTER_PKT to make
the userspace folks happier.  From a fixes perspective, the most
important is likely the auditd connection tracking RCU fix; it was a
rather brain dead bug that I'll take the blame for, but thankfully it
didn't seem to affect many people (only one report).  I think the
patch subject lines and commit descriptions do a pretty good job of
explaining the details and why the changes are important so I'll point
you there instead of duplicating it here; as usual, if you have any
questions you know where to find us.

We also manage to take out more code than we put in this time, that
always makes me happy :)

Please merge for v4.12.

-Paul

---
The following changes since commit a351e9b9fc24e982ec2f0e76379a49826036da12:

 Linux 4.11 (2017-04-30 19:47:48 -0700)

are available in the git repository at:

 git://git.infradead.org/users/pcmoore/audit stable-4.12

for you to fetch changes up to 48d0e023af9799cd7220335baf8e3ba61eeafbeb:

 audit: fix the RCU locking for the auditd_connection structure
(2017-05-02 10:16:05 -0400)


Deepa Dinamani (1):
 audit: Use timespec64 to represent audit timestamps

Elena Reshetova (2):
 audit: convert audit_tree.count from atomic_t to refcount_t
 audit: convert audit_watch.count from atomic_t to refcount_t

Nicholas Mc Guire (3):
 audit: remove unnecessary semicolon in audit_field_valid()
 audit: remove unnecessary semicolon in audit_mark_handle_event()
 audit: remove unnecessary semicolon in audit_watch_handle_event()

Paul Moore (5):
 audit: combine audit_receive() and audit_receive_skb()
 audit: kernel generated netlink traffic should have a portid of 0
 audit: store the auditd PID as a pid struct instead of pid_t
 audit: use kmem_cache to manage the audit_buffer cache
 audit: fix the RCU locking for the auditd_connection structure

Richard Guy Briggs (3):
 audit: log module name on delete_module
 netfilter: use consistent ipv4 network offset in xt_AUDIT
 audit: normalize NETFILTER_PKT

include/linux/audit.h|   7 +-
kernel/audit.c   | 319 +++
kernel/audit.h   |   7 +-
kernel/audit_fsnotify.c  |   2 +-
kernel/audit_tree.c  |   9 +-
kernel/audit_watch.c |  11 +-
kernel/auditfilter.c |  18 ++-
kernel/auditsc.c |   6 +-
kernel/module.c  |   2 +
net/netfilter/xt_AUDIT.c | 126 +--
10 files changed, 232 insertions(+), 275 deletions(-)

-- 
paul moore
www.paul-moore.com


[GIT PULL] Audit patches for v4.11

2017-02-21 Thread Paul Moore
Hi Linus,

The audit changes for v4.11 are relatively small compared to what we
did for v4.10, both in terms of size and impact.  The two patches from
Steve tweak the formatting for some of the audit records to make them
more consistent with other audit records.  The three patches from
Richard record the name of a module on module load, fix the logging of
sockaddr information when using socketcall() on 32-bit systems, and
add the ability to reset audit's lost record counter.  My lone patch
just fixes an annoying style nit that I was reminded about by one of
Richard's patches.

All these patches pass our test suite, please merge them for v4.11.

Thanks,
-Paul

---
The following changes since commit 533c7b69c764ad5febb3e716899f43a75564fcab:

  audit: use proper refcount locking on audit_sock (2016-12-14 13:06:04 -0500)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit stable-4.11

for you to fetch changes up to fe8e52b9b9100c486051aaf5208dbf4072bb87b1:

  audit: remove unnecessary curly braces from switch/case statements
(2017-02-14 13:32:12 -0500)


Paul Moore (1):
  audit: remove unnecessary curly braces from switch/case statements

Richard Guy Briggs (3):
  audit: add feature audit_lost reset
  audit: log 32-bit socketcalls
  audit: log module name on init_module

Steve Grubb (2):
  audit: Make AUDIT_KERNEL event conform to the specification
  audit: Make AUDIT_ANOM_ABEND event normalized

 include/linux/audit.h  | 32 
 include/uapi/linux/audit.h |  7 ++-
 kernel/audit.c | 12 ++--
 kernel/audit.h |  3 +++
 kernel/auditsc.c   | 40 +++-
 kernel/module.c|  5 -
 net/compat.c   | 17 ++---
 7 files changed, 96 insertions(+), 20 deletions(-)

-- 
paul moore
security @ redhat


[GIT PULL] Audit patches for v4.10

2016-12-14 Thread Paul Moore
Hi Linus,

After the small number of patches for v4.9, we've got a much bigger pile for 
v4.10.

The bulk of these patches involve a rework of the audit backlog queue to 
enable us to move the netlink multicasting out of the task/thread that 
generates the audit record and into the kernel thread that emits the record 
(just like we do for the audit unicast to auditd).  While we were playing 
with the backlog queue(s) we fixed a number of other little problems with 
the code, and from all the testing so far things look to be in much better 
shape now.  Doing this also allowed us to re-enable disabling IRQs for some 
netns operations ("netns: avoid disabling irq for netns id").  The remaining 
patches fix some small problems that are well documented in the commit 
descriptions, as well as adding session ID filtering support.

You will likely hit two merge conflicts, one in net/core/net_namespace.c and 
one in include/uapi/linux/audit.h, both are easily resolved so I won't 
bother you with that here.  If you have questions, you know how to find me.

Thanks,
-Paul

---
The following changes since commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3:

  Linux 4.8 (2016-10-02 16:24:33 -0700)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit stable-4.10

for you to fetch changes up to 533c7b69c764ad5febb3e716899f43a75564fcab:

  audit: use proper refcount locking on audit_sock
 (2016-12-14 13:06:04 -0500)


Alexey Dobriyan (1):
  audit: less stack usage for /proc/*/loginuid

Paul Moore (9):
  audit: fixup audit_init()
  audit: queue netlink multicast sends just like we do for unicast sends
  audit: rename the queues and kauditd related functions
  audit: rework the audit queue handling
  audit: rework audit_log_start()
  audit: wake up kauditd_thread after auditd registers
  audit: handle a clean auditd shutdown with grace
  audit: don't ever sleep on a command record/message
  netns: avoid disabling irq for netns id

Richard Guy Briggs (5):
  audit: tame initialization warning len_abuf in audit_log_execve_info
  audit: skip sessionid sentinel value when auto-incrementing
  audit: add support for session ID user filter
  audit: move kaudit thread start from auditd registration to
 kaudit init (#2)
  audit: use proper refcount locking on audit_sock

Steve Grubb (1):
  audit: fix formatting of AUDIT_CONFIG_CHANGE events

 fs/proc/base.c |   2 +-
 include/uapi/linux/audit.h |   5 +-
 kernel/audit.c | 532 ---
 kernel/audit_fsnotify.c|   5 +-
 kernel/audit_tree.c|   3 +-
 kernel/audit_watch.c   |   5 +-
 kernel/auditfilter.c   |   5 +-
 kernel/auditsc.c   |  12 +-
 net/core/net_namespace.c   |  35 ++-
 9 files changed, 361 insertions(+), 243 deletions(-)

-- 
paul moore
security @ redhat



[GIT PULL] Audit patches for v4.9

2016-10-03 Thread Paul Moore
Hi Linus,

Another relatively small pull request for v4.9 with just two patches.  The 
patch from Richard updates the list of features we support and report back to 
userspace; this should have been sent earlier with the rest of the v4.8 patches 
but it got lost in my inbox.  The second patch fixes a problem reported by our 
Android friends where we weren't very consistent in recording PIDs.

Please merge these patches for v4.9.

Thanks,
-Paul

---
The following changes since commit 523d939ef98fd712632d93a5a2b588e477a7565e:

  Linux 4.7 (2016-07-24 12:23:50 -0700)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit stable-4.9

for you to fetch changes up to 7ff89ac608d9e856cae6fa651553fa0709bf9c50:

  audit: add exclude filter extension to feature bitmap
 (2016-09-29 13:12:09 -0400)


Paul Moore (1):
  audit: consistently record PIDs with task_tgid_nr()

Richard Guy Briggs (1):
  audit: add exclude filter extension to feature bitmap

 include/uapi/linux/audit.h |  4 +++-
 kernel/audit.c |  8 +++-
 kernel/auditsc.c   | 12 ++--
 security/lsm_audit.c   |  4 ++--
 4 files changed, 18 insertions(+), 10 deletions(-)

-- 
paul moore
security @ redhat




[GIT PULL] Audit patches for 4.8

2016-07-28 Thread Paul Moore
Hi Linus,

Six audit patches for 4.8.  There are a couple of style and minor whitespace 
tweaks for the logs, as well as a minor fixup to catch errors on user filter 
rules, however the major improvements are a fix to the s390 syscall argument 
masking code (reviewed by the nice s390 folks), some consolidation around the 
exclude filtering (less code, always a win), and a double-fetch fix for 
recording the execve arguments.  Please pull for 4.8.

Thanks,
-Paul

---
The following changes since commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a:

  Linux 4.6 (2016-05-15 15:43:13 -0700)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit stable-4.8

for you to fetch changes up to 43761473c254b45883a64441dd0bc85a42f3645c:

  audit: fix a double fetch in audit_log_single_execve_arg()
 (2016-07-20 14:15:46 -0400)


Paul Moore (3):
  audit: fix some horrible switch statement style crimes
  s390: ensure that syscall arguments are properly masked on s390
  audit: fix a double fetch in audit_log_single_execve_arg()

Richard Guy Briggs (2):
  audit: fixup: log on errors from filter user rules
  audit: add fields to exclude filter by reusing user filter

Steve Grubb (1):
  audit: fix whitespace in CWD record

 arch/s390/kernel/ptrace.c |  10 +-
 include/linux/audit.h |   2 -
 kernel/audit.c|   4 +-
 kernel/audit.h|   2 +
 kernel/auditfilter.c  | 147 +++-
 kernel/auditsc.c  | 342 +-
 6 files changed, 235 insertions(+), 272 deletions(-)

-- 
paul moore
security @ redhat




[GIT PULL] Audit patches for 4.7

2016-05-17 Thread Paul Moore
Hi Linus,

Four small audit patches for 4.7; two are simple cleanups around the audit 
thread management code, one adds a tty field to AUDIT_LOGIN events, and the 
final patch makes tty_name() usable regardless of CONFIG_TTY.  Nothing 
controversial, and it all passes our regression test.  Please pull for 4.7.

Thanks,
-Paul

---
The following changes since commit b562e44f507e863c6792946e4e1b1449fbbac85d:

  Linux 4.5 (2016-03-13 21:28:54 -0700)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit stable-4.7

for you to fetch changes up to 188e3c5cd2b672620291e64a21f1598fe91e40b6:

  tty: provide tty_name() even without CONFIG_TTY (2016-04-27 17:12:58 -0400)


Arnd Bergmann (1):
  tty: provide tty_name() even without CONFIG_TTY

Jiri Slaby (1):
  audit: cleanup prune_tree_thread

Paul Moore (1):
  audit: we don't need to __set_current_state(TASK_RUNNING)

Richard Guy Briggs (1):
  audit: add tty field to LOGIN event

 include/linux/audit.h | 24 
 include/linux/tty.h   |  4 +++-
 kernel/audit.c| 30 ++
 kernel/audit_tree.c   | 12 +---
 kernel/auditsc.c  |  8 ++--
 5 files changed, 48 insertions(+), 30 deletions(-)

-- 
paul moore
security @ redhat




[GIT PULL] Audit patches for 4.6

2016-03-19 Thread Paul Moore
Hi Linus,

A small set of patches for audit this time; just three in total and one is a 
spelling fix.  The two patches with actual content are designed to help 
prevent new instances of auditd from displacing an existing, functioning 
auditd and to generate a log of the attempt.  Not to worry, dead/stuck auditd 
instances can still be replaced by a new instance without problem.

Nothing controversial, and everything passes our regression suite; please pull 
for Linux 4.6.

Thanks,
-Paul

---
The following changes since commit cb74ed278f8054fddf79ed930495b9e214f7c7b2:

  audit: always enable syscall auditing when supported and audit is enabled
 (2016-01-13 09:18:55 -0500)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit stable-4.6

for you to fetch changes up to fd97646b05957348e01be3d9de5c3d979b25c819:

  audit: Fix typo in comment (2016-02-08 11:25:39 -0500)


Richard Guy Briggs (2):
  audit: stop an old auditd being starved out by a new auditd
  audit: log failed attempts to change audit_pid configuration

Wei Yuan (1):
  audit: Fix typo in comment

 include/uapi/linux/audit.h |  1 +
 kernel/audit.c | 20 +++-
 kernel/audit_watch.c   |  2 +-
 kernel/auditfilter.c   |  6 +++---
 4 files changed, 24 insertions(+), 5 deletions(-)

-- 
paul moore
security @ redhat



[GIT PULL] Audit patches for 4.4

2015-11-04 Thread Paul Moore
Hi Linus,

Seven audit patches for 4.4, but really only one of any significant value, the 
remainder are trivial cleanups that are described well enough in the patch 
descriptions.  The one significant patch is an attempt to make communication 
between the kernel's audit subsystem and the userspace audit daemon a bit more 
robust by retrying on certain transient error conditions.  All in all, it's a 
pretty small set of patches this time around with just fixes and cleanups, 
please pull for 4.4.

Thanks,
-Paul

---
The following changes since commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861:

  Linux 4.3 (2015-11-01 16:05:25 -0800)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit upstream

for you to fetch changes up to 233a68667cf4c134d07ef7e22bdd77786b5c7360:

  audit: make audit_log_common_recv_msg() a void function
(2015-11-04 08:23:52 -0500)


Paul Moore (1):
  audit: make audit_log_common_recv_msg() a void function

Richard Guy Briggs (1):
  audit: try harder to send to auditd upon netlink failure

Saurabh Sengar (1):
  audit: removing unused variable

Scott Matheina (1):
  audit: fix comment block whitespace

Yaowei Bai (3):
  audit: audit_dummy_context can be boolean
  audit: audit_string_contains_control can be boolean
  audit: audit_tree_match can be boolean

 include/linux/audit.h |  8 
 kernel/audit.c| 42 --
 kernel/audit.h|  2 +-
 kernel/audit_tree.c   |  6 +++---
 kernel/auditfilter.c  | 14 +++---
 5 files changed, 43 insertions(+), 29 deletions(-)

-- 
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[GIT PULL] Audit patches for 4.3

2015-09-03 Thread Paul Moore
Hi Linus,

This is one of the larger audit patchsets in recent history, consisting of 
eight patches and almost 400 lines of changes.  The bulk of the patchset is 
the new "audit by executable" functionality which allows admins to set an 
audit watch based on the executable on disk.  Prior to this, admins could only 
track an application by PID, which has some obvious limitations.  Beyond the 
new functionality we also have some refcnt fixes and a few minor cleanups.  
Please pull for 4.3.

Thanks,
-Paul

---
The following changes since commit 0b08c5e59441d08ab4b5e72afefd5cd98a4d83df:

  audit: Fix check of return value of strnlen_user()
 (2015-06-11 15:49:54 -0400)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit upstream

for you to fetch changes up to 15ce414b82b07acb99afda6e4d9bd14f317b6011:

  fixup: audit: implement audit by executable (2015-08-12 22:04:07 -0400)


Paul Moore (1):
  audit: fix uninitialized variable in audit_add_rule()

Richard Guy Briggs (7):
  audit: eliminate unnecessary extra layer of watch references
  audit: eliminate unnecessary extra layer of watch parent references
  audit: make audit_del_rule() more robust
  audit: use macros for unset inode and device values
  audit: clean simple fsnotify implementation
  audit: implement audit by executable
  fixup: audit: implement audit by executable

 include/linux/audit.h  |   4 +
 include/uapi/linux/audit.h |   5 +-
 kernel/Makefile|   2 +-
 kernel/audit.c |   2 +-
 kernel/audit.h |  18 
 kernel/audit_fsnotify.c| 216 ++
 kernel/audit_tree.c|   2 +
 kernel/audit_watch.c   |  56 +---
 kernel/auditfilter.c   |  83 -
 kernel/auditsc.c   |   9 +-
 10 files changed, 359 insertions(+), 38 deletions(-)
 create mode 100644 kernel/audit_fsnotify.c

-- 
paul moore
security @ redhat


[GIT PULL] Audit patches for 4.2

2015-06-26 Thread Paul Moore
Hi Linus,

Four small audit patches for v4.2, all bug fixes.  Only 10 lines of change 
this time so very unremarkable, the patch subject lines pretty much tell the 
whole story.  Please pull.

Thanks,
-Paul

---
The following changes since commit 39a8804455fb23f09157341d3ba7db6d7ae6ee76:

  Linux 4.0 (2015-04-12 15:12:50 -0700)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit upstream

for you to fetch changes up to 0b08c5e59441d08ab4b5e72afefd5cd98a4d83df:

  audit: Fix check of return value of strnlen_user()
 (2015-06-11 15:49:54 -0400)


Jan Kara (1):
  audit: Fix check of return value of strnlen_user()

Mikhail Klementyev (1):
  audit: obsolete audit_context check is removed in audit_filter_rules()

Richard Guy Briggs (1):
  lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type

Shailendra Verma (1):
  audit: fix for typo in comment to function audit_log_link_denied()

 kernel/audit.c   | 2 +-
 kernel/auditsc.c | 6 ++
 security/lsm_audit.c | 2 +-
 3 files changed, 4 insertions(+), 6 deletions(-)

-- 
paul moore
security @ redhat


[GIT PULL] Audit patches for 4.1

2015-04-22 Thread Paul Moore
Hi Linus,

Seven audit patches for v4.1, all bug fixes.  The largest, and perhaps most 
significant commit helps resolve some memory pressure issues related to the 
inode cache and audit, there are also a few small commits which help resolve 
some timing issues with the audit log queue, and the rest fall into the always 
popular "code clean-up" category.  In general, nothing really substantial, 
just a nice set of maintenance patches.

Thanks,
-Paul

---
The following changes since commit 2fded7f44b8fcf79e274c3f0cfbd0298f95308f3:

  audit: remove vestiges of vers_ops (2015-01-20 10:48:32 -0500)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit upstream

for you to fetch changes up to 724e7bfcc566375158219c1454b4b6fc416b2c4a:

  audit: Remove condition which always evaluates to false
 (2015-03-13 17:32:52 -0400)


Ameen Ali (1):
  audit: code clean up

Davidlohr Bueso (2):
  audit: consolidate handling of mm->exe_file
  audit: reduce mmap_sem hold for mm->exe_file

Imre Palik (1):
  audit: move the tree pruning to a dedicated thread

Pranith Kumar (1):
  audit: Remove condition which always evaluates to false

Richard Guy Briggs (2):
  audit: don't lose set wait time on first successful call to
 audit_log_start()
  audit: don't reset working wait time accidentally with auditd

 kernel/audit.c  | 47 +---
 kernel/audit.h  |  3 ++
 kernel/audit_tree.c | 88 ++
 kernel/auditsc.c|  9 +-
 4 files changed, 94 insertions(+), 53 deletions(-)

-- 
paul moore
security @ redhat


[GIT PULL] Audit patches for 3.19

2014-12-09 Thread Paul Moore
Hi Linus,

Two small patches from the audit next branch; only one of which has any real 
significant code changes, the other is simply a MAINTAINERS update for audit.  
The single code patch is pretty small and rather straightforward, it changes 
the audit "version" number reported to userspace from an integer to a bitmap 
which is used to indicate the functionality of the running kernel.  This 
really doesn't have much impact on the kernel, but it will make life easier 
for the audit userspace folks.  Thankfully we were still on a version number 
which allowed us to do this without breaking userspace.

For what it is worth, as of a few minutes ago, the branch below applied 
cleanly on top of your tree.

Thanks,
-Paul

---
The following changes since commit 799b601451b21ebe7af0e6e8f6e2ccd4683c5064:

  audit: keep inode pinned (2014-11-11 14:20:22 -0500)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/audit upstream

for you to fetch changes up to 0f7e94ee40d06f7a04e039392dfee8244bd8a7e0:

  Merge branch 'next' into upstream for v3.19 (2014-12-09 14:38:30 -0500)


Paul Moore (2):
  audit: add Paul Moore to the MAINTAINERS entry
  Merge branch 'next' into upstream for v3.19

Richard Guy Briggs (1):
  audit: convert status version to a feature bitmap

 MAINTAINERS|  5 +++--
 include/uapi/linux/audit.h | 17 +
 kernel/audit.c |  2 +-
 3 files changed, 17 insertions(+), 7 deletions(-)



[git pull] audit patches (first series)

2007-10-17 Thread Al Viro
Adds new predicate ("event happened in subtree under <pathname>").
audit-subtree stuff; sat in -mm for several months.
Please, pull from
git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git/ audit.b42

Al Viro <[EMAIL PROTECTED]>
[PATCH] audit: watching subtrees
[PATCH] new helper - inotify_evict_watch()
[PATCH] new helper - inotify_clone_watch()
[PATCH] new helpers - collect_mounts() and release_collected_mounts()
[PATCH] pass dentry to audit_inode()/audit_inode_child()

 fs/dcache.c  |2 +-
 fs/debugfs/inode.c   |2 +-
 fs/inotify.c |   43 +++
 fs/namei.c   |   10 +-
 fs/namespace.c   |   22 +-
 fs/open.c|4 +-
 fs/pnode.h   |1 +
 fs/xattr.c   |8 +-
 include/linux/audit.h|   19 +-
 include/linux/dcache.h   |1 +
 include/linux/fs.h   |2 +
 include/linux/fsnotify.h |9 +-
 include/linux/inotify.h  |2 +
 init/Kconfig |4 +
 ipc/mqueue.c |8 +-
 kernel/Makefile  |1 +
 kernel/audit.c   |   87 +
 kernel/audit.h   |   34 ++-
 kernel/audit_tree.c  |  903 ++
 kernel/auditfilter.c |   64 +++-
 kernel/auditsc.c |  225 -
 21 files changed, 1411 insertions(+), 40 deletions(-)
 create mode 100644 kernel/audit_tree.c

[patch 1/1] selinux: always initialize arguments to security_sid_to_context (Was: Re: [GIT PULL] audit patches)

2007-02-23 Thread Stephen Smalley
On Thu, 2007-02-22 at 13:19 -0800, Andrew Morton wrote:
> > On Thu, 22 Feb 2007 08:22:47 -0500 Stephen Smalley <[EMAIL PROTECTED]> 
> > wrote:
> > On Wed, 2007-02-21 at 16:03 -0800, Andrew Morton wrote:
> > > 
> > > Looking at the changes to audit_receive_msg():
> > > 
> > > 
> > >   if (sid) {
> > >   if (selinux_sid_to_string(
> > >   sid, &ctx, &len)) {
> > >   audit_log_format(ab,
> > >   " ssid=%u", sid);
> > >   /* Maybe call audit_panic? */
> > >   } else
> > >   audit_log_format(ab,
> > >   " subj=%s", ctx);
> > >   kfree(ctx);
> > >   }
> > > 
> > > This is assuming that selinux_sid_to_string() always initialises `ctx'.
> > > 
> > > But AFAICT there are two error paths in security_sid_to_context() which
> > > forget to do that, so we end up doing kfree(uninitialised-local).
> > > 
> > > I'd consider that a shortcoming in security_sid_to_context(), so not a
> > > problem in this patch, as long as people agree with my blaming above.
> > 
> > I wouldn't assume that the function initializes an argument if it
> > returns an error, and at least some of the callers (in auditsc.c) appear
> > to correctly initialize ctx to NULL themselves before calling
> > selinux_sid_to_string().  But if you'd prefer the function to always
> > handle it, we can do that.
> > 
> 
> Well we now have (at least) one caller which assumes that *ctx is
> initialised in error cases.
> 
> And I think it's sane to make it do that: safer, and will simplify coding
> in the callers.

Ok, patch below.

Always initialize *scontext and *scontext_len in security_sid_to_context.

Signed-off-by:  Stephen Smalley <[EMAIL PROTECTED]>

---

 security/selinux/ss/services.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ca9154d..1e52356 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -609,6 +609,9 @@ int security_sid_to_context(u32 sid, char **scontext, u32 
*scontext_len)
struct context *context;
int rc = 0;
 
+   *scontext = NULL;
+   *scontext_len  = 0;
+
if (!ss_initialized) {
if (sid <= SECINITSID_NUM) {
char *scontextp;
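
Review bot: the two new stores at the top of security_sid_to_context() dereference scontext and scontext_len unconditionally, ahead of the !ss_initialized check, so the function now requires both pointers to be valid on every call; please confirm no caller passes NULL for either one. The changelog and the function's comment should also state the new contract (on any error return *scontext is NULL and *scontext_len is 0), since that guarantee is what lets a caller kfree() the context after a failed conversion. Style nit: "*scontext_len  = 0;" has two spaces before the "=".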

-- 
Stephen Smalley
National Security Agency
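
The failure mode discussed in this thread, modelled in user space as an added example; it is not code from the kernel or from any of the posters. The names sid_to_context_legacy(), sid_to_context_fixed(), log_subject(), the SID table and the POISON sentinel are hypothetical, constructed so that "caller frees an out-parameter the callee never wrote" can be observed deterministically instead of through undefined behaviour.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the garbage in an uninitialised stack slot, so the
 * outcome is deterministic here instead of undefined behaviour. */
static char poison_byte;
#define POISON (&poison_byte)

/* Constructed SID table for this model; index 0 is invalid. */
static const char *const sid_table[] = {
    NULL,
    "system_u:system_r:kernel_t",
    "system_u:object_r:unlabeled_t",
};
#define SID_MAX 2u

/* "Before" contract: the outputs are written only on success. */
static int sid_to_context_legacy(uint32_t sid, char **scontext,
                                 uint32_t *scontext_len)
{
    size_t n;
    char *copy;

    if (sid == 0 || sid > SID_MAX)
        return -EINVAL;          /* error path: *scontext left untouched */

    n = strlen(sid_table[sid]) + 1;
    copy = malloc(n);
    if (!copy)
        return -ENOMEM;          /* error path: *scontext left untouched */

    memcpy(copy, sid_table[sid], n);
    *scontext = copy;
    *scontext_len = (uint32_t)n;
    return 0;
}

/* "After" contract, as in the patch: outputs are defined on every path. */
static int sid_to_context_fixed(uint32_t sid, char **scontext,
                                uint32_t *scontext_len)
{
    *scontext = NULL;
    *scontext_len = 0;
    return sid_to_context_legacy(sid, scontext, scontext_len);
}

typedef int (*sid_to_context_fn)(uint32_t, char **, uint32_t *);

enum release_outcome { RELEASED_STRING, RELEASED_NULL, RELEASED_GARBAGE };

/* Caller shaped like the quoted audit_receive_msg() fragment: format a
 * record, then release ctx on both the success and the error path. */
static enum release_outcome log_subject(sid_to_context_fn convert, uint32_t sid,
                                        char *record, size_t record_size)
{
    char *ctx = POISON;          /* models "char *ctx;" with no initialiser */
    uint32_t len = 0;
    enum release_outcome outcome;

    if (convert(sid, &ctx, &len))
        snprintf(record, record_size, " ssid=%u", (unsigned)sid);
    else
        snprintf(record, record_size, " subj=%s", ctx);

    if (ctx == POISON)           /* kfree() would receive stack garbage */
        return RELEASED_GARBAGE;

    outcome = ctx ? RELEASED_STRING : RELEASED_NULL;
    free(ctx);                   /* free(NULL) is a no-op, as is kfree(NULL) */
    return outcome;
}

int main(void)
{
    static const char *const names[] = { "string", "NULL", "GARBAGE" };
    char record[64];

    printf("legacy, bad sid : releases %s\n",
           names[log_subject(sid_to_context_legacy, 99, record, sizeof(record))]);
    printf("fixed,  bad sid : releases %s (%s)\n",
           names[log_subject(sid_to_context_fixed, 99, record, sizeof(record))], record);
    printf("fixed,  good sid: releases %s (%s)\n",
           names[log_subject(sid_to_context_fixed, 1, record, sizeof(record))], record);
    return 0;
}
```

The same caller is safe or unsafe depending only on which contract the callee honours, which is why the fix landed in the callee rather than in each caller.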



Re: [GIT PULL] audit patches

2007-02-22 Thread Andrew Morton
> On Thu, 22 Feb 2007 08:22:47 -0500 Stephen Smalley <[EMAIL PROTECTED]> wrote:
> On Wed, 2007-02-21 at 16:03 -0800, Andrew Morton wrote:
> > 
> > Looking at the changes to audit_receive_msg():
> > 
> > 
> > if (sid) {
> > if (selinux_sid_to_string(
> > sid, &ctx, &len)) {
> > audit_log_format(ab,
> > " ssid=%u", sid);
> > /* Maybe call audit_panic? */
> > } else
> > audit_log_format(ab,
> > " subj=%s", ctx);
> > kfree(ctx);
> > }
> > 
> > This is assuming that selinux_sid_to_string() always initialises `ctx'.
> > 
> > But AFAICT there are two error paths in security_sid_to_context() which
> > forget to do that, so we end up doing kfree(uninitialised-local).
> > 
> > I'd consider that a shortcoming in security_sid_to_context(), so not a
> > problem in this patch, as long as people agree with my blaming above.
> 
> I wouldn't assume that the function initializes an argument if it
> returns an error, and at least some of the callers (in auditsc.c) appear
> to correctly initialize ctx to NULL themselves before calling
> selinux_sid_to_string().  But if you'd prefer the function to always
> handle it, we can do that.
> 

Well we now have (at least) one caller which assumes that *ctx is
initialised in error cases.

And I think it's sane to make it do that: safer, and will simplify coding
in the callers.


Re: [GIT PULL] audit patches

2007-02-22 Thread Stephen Smalley
On Wed, 2007-02-21 at 16:03 -0800, Andrew Morton wrote:
> On Sun, 18 Feb 2007 04:01:27 + Al Viro <[EMAIL PROTECTED]> wrote:
> 
> > Misc audit patches (resend again...); the most intrusive one is 
> > AUDIT_FD_PAIR,
> > allowing to log descriptor numbers from syscalls that do not return them in
> > usual way (i.e. pipe() and socketpair()).  It took some massage of
> > the failure exits in sys_socketpair(); the rest is absolutely trivial.
> > Please, pull from
> > git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git/ audit.b37
> 
> Please send patches to the list for review if practical?  In this case it
> was.  I trust davem has had a look at the non-trivial changes to
> sys_socketpair().
> 
> 
> 
> Looking at the changes to audit_receive_msg():
> 
> 
>   if (sid) {
>   if (selinux_sid_to_string(
>   sid, &ctx, &len)) {
>   audit_log_format(ab,
>   " ssid=%u", sid);
>   /* Maybe call audit_panic? */
>   } else
>   audit_log_format(ab,
>   " subj=%s", ctx);
>   kfree(ctx);
>   }
> 
> This is assuming that selinux_sid_to_string() always initialises `ctx'.
> 
> But AFAICT there are two error paths in security_sid_to_context() which
> forget to do that, so we end up doing kfree(uninitialised-local).
> 
> I'd consider that a shortcoming in security_sid_to_context(), so not a
> problem in this patch, as long as people agree with my blaming above.

I wouldn't assume that the function initializes an argument if it
returns an error, and at least some of the callers (in auditsc.c) appear
to correctly initialize ctx to NULL themselves before calling
selinux_sid_to_string().  But if you'd prefer the function to always
handle it, we can do that.

> 
> The coding style in there is a bit odd-looking.
> 
> The new __audit_fd_pair() has unneeded braces in it.
-- 
Stephen Smalley
National Security Agency


Re: [GIT PULL] audit patches

2007-02-22 Thread Andrew Morton
> On Thu, 22 Feb 2007 08:22:47 -0500 Stephen Smalley <[EMAIL PROTECTED]> wrote:
> On Wed, 2007-02-21 at 16:03 -0800, Andrew Morton wrote:
> > 
> > Looking at the changes to audit_receive_msg():
> > 
> > 
> >   if (sid) {
> >           if (selinux_sid_to_string(
> >                           sid, &ctx, &len)) {
> >                   audit_log_format(ab,
> >                           " ssid=%u", sid);
> >                   /* Maybe call audit_panic? */
> >           } else
> >                   audit_log_format(ab,
> >                           " subj=%s", ctx);
> >           kfree(ctx);
> >   }
> > 
> > This is assuming that selinux_sid_to_string() always initialises `ctx'.
> > 
> > But AFAICT there are two error paths in security_sid_to_context() which
> > forget to do that, so we end up doing kfree(uninitialised-local).
> > 
> > I'd consider that a shortcoming in security_sid_to_context(), so not a
> > problem in this patch, as long as people agree with my blaming above.
> 
> I wouldn't assume that the function initializes an argument if it
> returns an error, and at least some of the callers (in auditsc.c) appear
> to correctly initialize ctx to NULL themselves before calling
> selinux_sid_to_string().  But if you'd prefer the function to always
> handle it, we can do that.
> 

Well we now have (at least) one caller which assumes that *ctx is
initialised in error cases.

And I think it's sane to make it do that: safer, and will simplify coding
in the callers.
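The two fixes discussed in this exchange (the callee clears the out-parameter on every path, or the caller initialises ctx to NULL), as an added user-space example that is not kernel code and not anything posted by the participants. The lookup functions, the poison marker, sid 99 and the context string are all constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the sid-to-string lookup; not kernel code. */
typedef int (*lookup_fn)(unsigned sid, char **ctx);

/* Contract under discussion: an error return leaves *ctx untouched. */
static int lookup_untouched_on_error(unsigned sid, char **ctx)
{
    const char *s = "system_u:system_r:kernel_t";  /* constructed value */
    if (sid != 1)
        return -EINVAL;          /* *ctx still holds the caller's value */
    *ctx = malloc(strlen(s) + 1);
    if (!*ctx)
        return -ENOMEM;
    strcpy(*ctx, s);
    return 0;
}

/* Callee-side fix: define the out-parameter before any early return. */
static int lookup_cleared_on_error(unsigned sid, char **ctx)
{
    *ctx = NULL;
    return lookup_untouched_on_error(sid, ctx);
}

static char poison; /* models stack garbage; only compared, never freed */

/* Pointer the caller would hand to free() after a failed lookup, given what
 * its local held beforehand: &poison (uninitialised) or NULL (caller fix). */
static char *ptr_reaching_free(lookup_fn fn, char *initial)
{
    char *ctx = initial;
    return fn(99, &ctx) ? ctx : NULL;   /* sid 99 always fails here */
}

int main(void)
{
    lookup_fn fns[] = { lookup_untouched_on_error, lookup_cleared_on_error };
    char *inits[] = { &poison, NULL };
    for (int f = 0; f < 2; f++)
        for (int i = 0; i < 2; i++)
            printf("callee_clears=%d caller_inits_null=%d -> free(%s)\n", f, i,
                   ptr_reaching_free(fns[f], inits[i]) == &poison ? "garbage" : "NULL");
    return 0;
}
```

Only the combination of a callee that leaves the out-parameter untouched and a caller that does not initialise its local lets a garbage pointer reach free(); either fix alone is enough.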


Re: [GIT PULL] audit patches

2007-02-21 Thread Andrew Morton
On Sun, 18 Feb 2007 04:01:27 + Al Viro <[EMAIL PROTECTED]> wrote:

> Misc audit patches (resend again...); the most intrusive one is AUDIT_FD_PAIR,
> allowing to log descriptor numbers from syscalls that do not return them in
> usual way (i.e. pipe() and socketpair()).  It took some massage of
> the failure exits in sys_socketpair(); the rest is absolutely trivial.
> Please, pull from
> git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git/ audit.b37

Please send patches to the list for review if practical?  In this case it
was.  I trust davem has had a look at the non-trivial changes to
sys_socketpair().



Looking at the changes to audit_receive_msg():


        if (sid) {
                if (selinux_sid_to_string(
                                sid, &ctx, &len)) {
                        audit_log_format(ab,
                                " ssid=%u", sid);
                        /* Maybe call audit_panic? */
                } else
                        audit_log_format(ab,
                                " subj=%s", ctx);
                kfree(ctx);
        }

This is assuming that selinux_sid_to_string() always initialises `ctx'.

But AFAICT there are two error paths in security_sid_to_context() which
forget to do that, so we end up doing kfree(uninitialised-local).

I'd consider that a shortcoming in security_sid_to_context(), so not a
problem in this patch, as long as people agree with my blaming above.


The coding style in there is a bit odd-looking.

The new __audit_fd_pair() has unneeded braces in it.


[GIT PULL] audit patches

2007-02-17 Thread Al Viro
Misc audit patches (resend again...); the most intrusive one is AUDIT_FD_PAIR,
allowing to log descriptor numbers from syscalls that do not return them in
usual way (i.e. pipe() and socketpair()).  It took some massage of
the failure exits in sys_socketpair(); the rest is absolutely trivial.
Please, pull from
git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git/ audit.b37

Al Viro (1):
  AUDIT_FD_PAIR

Steve Grubb (2):
  minor update to rule add/delete messages (ver 2)
  audit config lockdown

 fs/pipe.c             |    7 ++
 include/linux/audit.h |    9 ++
 kernel/audit.c        |  216 +++-
 kernel/auditfilter.c  |    9 +-
 kernel/auditsc.c      |   40 +
 net/socket.c          |   52 +---
 6 files changed, 257 insertions(+), 76 deletions(-)

