On 2018-02-15 18:19, Richard Guy Briggs wrote:
> On 2018-02-15 18:07, Steve Grubb wrote:
> > On Monday, February 12, 2018 12:02:21 AM EST Richard Guy Briggs wrote:
> > > Tracefs or debugfs were causing hundreds to thousands of null PATH
> > > records to be associated with the init_module and finit_
On 2018-02-15 18:07, Steve Grubb wrote:
> On Monday, February 12, 2018 12:02:21 AM EST Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of null PATH
> > records to be associated with the init_module and finit_module SYSCALL
> > records on a few modules when the fo
On 2018-02-15 18:34, Paul Moore wrote:
> On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote:
> > Audit link denied events for symlinks were missing the parent PATH
> > record. Add it. Since the full pathname may not be available,
> > reconstruct it from the path in the nameidata supplied
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote:
> Audit link denied events for symlinks were missing the parent PATH
> record. Add it. Since the full pathname may not be available,
> reconstruct it from the path in the nameidata supplied.
>
> See: https://github.com/linux-audit/audit
On 2018-02-15 18:07, Steve Grubb wrote:
> On Monday, February 12, 2018 12:02:21 AM EST Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of null PATH
> > records to be associated with the init_module and finit_module SYSCALL
> > records on a few modules when the fo
On 2018-02-15 15:43, Paul Moore wrote:
> On Mon, Feb 12, 2018 at 7:29 AM, Richard Guy Briggs wrote:
> > Signed-off-by: Richard Guy Briggs
> > ---
> > kernel/auditfilter.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
>
> I realize this is an RFC patchset, but considering recent p
On Monday, February 12, 2018 12:02:21 AM EST Richard Guy Briggs wrote:
> Tracefs or debugfs were causing hundreds to thousands of null PATH
> records to be associated with the init_module and finit_module SYSCALL
> records on a few modules when the following rule was in place for
> startup:
>
On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook wrote:
> On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote:
>> On 2018-02-14 09:51, Kees Cook wrote:
>>> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote:
>>> > Audit link denied events emit disjointed records when audit is disabled.
>>
On Mon, Feb 12, 2018 at 12:02 AM, Richard Guy Briggs wrote:
> More than one filesystem was causing hundreds to thousands of null PATH
> records to be associated with the *init_module SYSCALL records on a few
> modules with corresponding audit syscall rules.
>
> This patchset adds extra information
On Mon, Feb 12, 2018 at 7:29 AM, Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs
> ---
> kernel/auditfilter.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
I realize this is an RFC patchset, but considering recent patchsets I
feel some clarification might be helpful t
On Mon, Feb 12, 2018 at 7:29 AM, Richard Guy Briggs wrote:
> The arch_f pointer was added to the struct audit_krule in commit:
> e54dc2431d740a79a6bd013babade99d71b1714f ("audit signal recipients")
>
> This is only used on addition and deletion of rules which isn't time
> critical and the arch fie
On Wed, Feb 14, 2018 at 9:47 PM, Richard Guy Briggs wrote:
> These fixes should speed up audit syscall entry by doing away with the
> audit entry filter check, moving up the valid connection check before
> filling in the context and not caring if there is a bug when audit is
> disabled.
>
> Passes
12 matches