Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-20 Steve Grubb
Hello Jan, On Friday, September 8, 2017 6:55:45 AM EDT Jan Kara wrote: > Hello Steve, > > On Thu 07-09-17 11:47:35, Steve Grubb wrote: > > > > On Thursday, September 7, 2017 6:18:05 AM EDT Jan Kara wrote: > > > On Wed 06-09-17 13:34:32, Steve Grubb wrote: > > > > On Wednesday, September 6, 2017 1

Re: [PATCH V4 10/10] capabilities: audit log other surprising conditions

2017-09-20 Paul Moore
On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs wrote: > The existing condition tested for process effective capabilities set by > file attributes but intended to ignore the change if the result was > unsurprisingly an effective full set in the case root is special with a > setuid root executab

Re: [PATCH V4 09/10] capabilities: fix logic for effective root or real root

2017-09-20 Paul Moore
On Wed, Sep 20, 2017 at 6:25 PM, Kees Cook wrote: > On Wed, Sep 20, 2017 at 3:11 PM, Paul Moore wrote: >> On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs wrote: >>> Now that the logic is inverted, it is much easier to see that both real >>> root and effective root conditions had to be met to

Re: [PATCH V4 09/10] capabilities: fix logic for effective root or real root

2017-09-20 Kees Cook
On Wed, Sep 20, 2017 at 3:11 PM, Paul Moore wrote: > On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs wrote: >> Now that the logic is inverted, it is much easier to see that both real >> root and effective root conditions had to be met to avoid printing the >> BPRM_FCAPS record with audit sysca

Re: [PATCH V4 09/10] capabilities: fix logic for effective root or real root

2017-09-20 Paul Moore
On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs wrote: > Now that the logic is inverted, it is much easier to see that both real > root and effective root conditions had to be met to avoid printing the > BPRM_FCAPS record with audit syscalls. This meant that any setuid root > applications woul

Re: [RFC PATCH 0/5] Fix some early boot audit problems

2017-09-20 Paul Moore
On Fri, Sep 1, 2017 at 9:44 AM, Paul Moore wrote: > Unfortunately it turns out that we are not properly enabling audit > early enough in the boot process to tag PID 1 (init/systemd/etc.) > with the special audit magic necessary to cause PID 1 events to > be audited. This patch set fixes this prob

Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents

2017-09-20 Paul Moore
On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote: > Tracefs or debugfs were causing hundreds to thousands of null PATH > records to be associated with the init_module and finit_module SYSCALL > records on a few modules when the following rule was in place for > startup: > -a alway