On 15/07/16, Paul Moore wrote:
> On Tuesday, July 14, 2015 11:50:24 AM Richard Guy Briggs wrote:
> > This is to be used to audit by executable rules, but audit watches
> > should be able to share this code eventually.
> >
> > At the moment the audit watch code is a lot more complex, that code only
Please see the accompanying userspace patchset:
https://www.redhat.com/archives/linux-audit/2015-July/thread.html
[[PATCH V2] 0/2] Log on the future execution of a path
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Set
This is to be used to audit by executable path rules, but audit watches should
be able to share this code eventually.
At the moment the audit watch code is a lot more complex. That code only
creates one fsnotify watch per parent directory. That 'audit_parent' in
turn has a list of 'audit_watches
This adds the ability to audit the actions of a not-yet-running process.
This patch implements the ability to filter on the executable path. Instead of
just hard coding the ino and dev of the executable we care about at the moment
the rule is inserted into the kernel, use the new audit_fsnotify
infr
This adds the ability to audit the actions of children of a not-yet-running
process.
This is a split-out of a heavily modified version of a patch originally
submitted by Eric Paris with some ideas from Peter Moody.
Cc: Peter Moody
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
---
include/u
Move the access to the entry for audit_match_signal() to the beginning of the
function in case the entry found is the same one passed in. This will enable
it to be used by audit_remove_mark_rule().
Signed-off-by: Richard Guy Briggs
---
kernel/auditfilter.c |3 ++-
1 files changed, 2 inserti
This patch was split out from the audit by executable path patch set due to the
potential to use it elsewhere.
In particular, some questions came up while assessing the potential for code
reuse:
Why does audit_remove_parent_watches() not call audit_del_rule() for
each entry found?
This is a patch to clean up a number of places where cast magic numbers are
used to represent unset inode and device numbers, in preparation for the audit by
executable path patch set.
Richard Guy Briggs (1):
audit: use macros for unset inode and device values
include/uapi/linux/audit.h |2
The audit watch parent count was imbalanced, adding an unnecessary layer of
watch parent references. Decrement the additional parent reference when a
watch is reused, already having a reference to the parent.
audit_find_parent() gets a reference to the parent, if the parent is
already known. Thi
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |2 ++
kernel/audit.c |2 +-
kernel/audit_watch.c |8
kernel/auditsc.c |6 +++---
4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/include/uapi/linux/audit.h b/incl
The audit watch count was imbalanced, adding an unnecessary layer of watch
references. Only add the second reference when it is added to a parent.
Signed-off-by: Richard Guy Briggs
---
kernel/audit_watch.c |5 ++---
kernel/auditfilter.c | 16 +++-
2 files changed, 5 insertions
While working on the audit by executable path feature, it was discovered that
watches and parent references were slightly imbalanced and deeper than
necessary.
Only bump up references when they are actually used and decrease when removed.
v4: Eliminate unnecessary gotos and call return directly.