On 2017-10-20 01:29, James Morris wrote:
> On Thu, 19 Oct 2017, Richard Guy Briggs wrote:
>
> > On 2017-10-11 20:57, Richard Guy Briggs wrote:
> > > The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> > > application execution (SYSCALL execve). This is not expected as it was
>
On Thursday, October 19, 2017 7:11:33 PM EDT Aleksa Sarai wrote:
> >>> The registration is a pseudo filesystem (proc, since PID tree already
> >>> exists) write of a u8[16] UUID representing the container ID to a file
> >>> representing a process that will become the first process in a new
> >>> co
On Thu, 19 Oct 2017, Richard Guy Briggs wrote:
> On 2017-10-11 20:57, Richard Guy Briggs wrote:
> > The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> > application execution (SYSCALL execve). This is not expected as it was
> > supposed to be limited to when the file system a
The registration is a pseudo filesystem (proc, since PID tree already
exists) write of a u8[16] UUID representing the container ID to a file
representing a process that will become the first process in a new
container. This write might place restrictions on mount namespaces
required to define a c
On 2017-10-12 15:45, Steve Grubb wrote:
> On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote:
> > Containers are a userspace concept. The kernel knows nothing of them.
> >
> > The Linux audit system needs a way to be able to track the container
> > provenance of events and act
On Thursday, October 19, 2017 1:08:22 PM EDT Brad Zynda wrote:
> >> grep perm_mod /etc/audit/audit.rules
> >> -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000
> >> -F auid!=4294967295 -k perm_mod
> >> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000
> >
On 2017-10-19 19:58, Paul Moore wrote:
> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > be associated with the init_module and finit_module SYSCALL records on a
> > few modules when the following rule was
On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
> Tracefs or debugfs were causing hundreds to thousands of PATH records to
> be associated with the init_module and finit_module SYSCALL records on a
> few modules when the following rule was in place for startup:
> -a always,exit
On Tue, Oct 17, 2017 at 6:29 PM, Steve Grubb wrote:
> The API to end auditing has historically been for auditd to set the
> pid to 0. This patch restores that functionality.
>
> See: https://github.com/linux-audit/audit-kernel/issues/69
>
> Reviewed-by: Richard Guy Briggs
> Signed-off-by: Steve G
On Thu, Oct 19, 2017 at 12:25 PM, Eric W. Biederman wrote:
> Paul Moore writes:
>
>> On Wed, Oct 18, 2017 at 8:43 PM, Eric W. Biederman wrote:
>>> Aleksa Sarai writes:
>> The security implications are that anything that can change the label
>> could also hide itself and its doings fr
On 2017-10-19 15:39, Richard Guy Briggs wrote:
> On 2017-10-18 22:31, Paul Moore wrote:
> > On Tue, Oct 17, 2017 at 6:29 PM, Steve Grubb wrote:
> > > The API to end auditing has historically been for auditd to set the
> > > pid to 0. This patch restores that functionality.
> > >
> > > See: https:/
On 10/18/2017 07:27 PM, Steve Grubb wrote:
> On Wednesday, October 18, 2017 12:32:15 PM EDT Brad Zynda wrote:
>> On 10/18/2017 12:26 PM, Steve Grubb wrote:
>>> On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote:
So now you have to comment out a rule at a time and watch for
On Wed, Oct 18, 2017 at 8:43 PM, Eric W. Biederman wrote:
> Aleksa Sarai writes:
The security implications are that anything that can change the label
could also hide itself and its doings from the audit system and thus
would be used as a means to evade detection. I actually think
Paul Moore writes:
> On Wed, Oct 18, 2017 at 8:43 PM, Eric W. Biederman wrote:
>> Aleksa Sarai writes:
> The security implications are that anything that can change the label
> could also hide itself and its doings from the audit system and thus
> would be used as a means to evade
On Thu, Oct 19, 2017 at 9:32 AM, Casey Schaufler wrote:
> On 10/18/2017 5:05 PM, Richard Guy Briggs wrote:
>> On 2017-10-17 01:10, Casey Schaufler wrote:
>>> On 10/16/2017 5:33 PM, Richard Guy Briggs wrote:
On 2017-10-12 16:33, Casey Schaufler wrote:
> On 10/12/2017 7:14 AM, Richard Guy B
On 2017-10-18 22:31, Paul Moore wrote:
> On Tue, Oct 17, 2017 at 6:29 PM, Steve Grubb wrote:
> > The API to end auditing has historically been for auditd to set the
> > pid to 0. This patch restores that functionality.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/69
> >
> > Revi
On 10/18/2017 5:05 PM, Richard Guy Briggs wrote:
> On 2017-10-17 01:10, Casey Schaufler wrote:
>> On 10/16/2017 5:33 PM, Richard Guy Briggs wrote:
>>> On 2017-10-12 16:33, Casey Schaufler wrote:
On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
> Containers are a userspace concept. The ker
On 2017-10-11 20:57, Richard Guy Briggs wrote:
> The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> application execution (SYSCALL execve). This is not expected as it was
> supposed to be limited to when the file system actually had capabilities
> in an extended attribute. It