[PATCH ghak82 v3] audit: Fix extended comparison of GID/EGID

2018-06-05 Thread Ondrej Mosnacek
The audit_filter_rules() function in auditsc.c used the in_[e]group_p() functions to check GID/EGID match, but these functions use the current task's credentials, while the comparison should use the credentials of the task given to audit_filter_rules() as a parameter (tsk). Note that we can use gr

Re: [RFC PATCH 1/2] audit: allow other filter list types for AUDIT_EXE

2018-06-05 Thread Ondrej Mosnacek
2018-06-04 22:41 GMT+02:00 Paul Moore:
> On Wed, May 30, 2018 at 4:45 AM, Ondrej Mosnacek wrote:
>> This patch removes the restriction of the AUDIT_EXE field to only
>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
>> This makes it possible to write rule lists such as:
>>
>>

Re: [RFC PATCH 2/2] [WIP] audit: allow other filter list types for AUDIT_DIR

2018-06-05 Thread Ondrej Mosnacek
2018-06-05 0:19 GMT+02:00 Paul Moore:
> On Fri, Jun 1, 2018 at 4:05 PM, Richard Guy Briggs wrote:
>> On 2018-06-01 10:12, Ondrej Mosnacek wrote:
>
> ...
>
>>> audit_receive_msg -- this function doesn't work with context at all,
>>> so I wasn't sure if audit_filter should consider it being NULL

Re: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions

2018-06-05 Thread Mimi Zohar
Hi Paul,

On Mon, 2018-06-04 at 20:21 -0400, Paul Moore wrote:
> On Mon, Jun 4, 2018 at 4:54 PM, Stefan Berger wrote:
> > The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> > the IMA "audit" policy action. This patch defines
> > AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA p

[PATCH ghak89 V3] audit: rename FILTER_TYPE to FILTER_EXCLUDE

2018-06-05 Thread Richard Guy Briggs
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing where or when the filter is applied and obsolete due to its available filter fields having been expanded. Userspace has already renamed it from AUDIT_FILTER_TYPE to AUDIT_FILTER_EXCLUDE without checking if it already exists.

Re: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions

2018-06-05 Thread Paul Moore
On Tue, Jun 5, 2018 at 10:15 AM, Mimi Zohar wrote:
> Hi Paul,
>
> On Mon, 2018-06-04 at 20:21 -0400, Paul Moore wrote:
>> On Mon, Jun 4, 2018 at 4:54 PM, Stefan Berger wrote:
>> > The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
>> > the IMA "audit" policy action. This patch

[RFC PATCH ghak86 V1] audit: eliminate audit_enabled magic number comparison

2018-06-05 Thread Richard Guy Briggs
Remove comparison of audit_enabled to magic numbers outside of audit. Related: https://github.com/linux-audit/audit-kernel/issues/86 Signed-off-by: Richard Guy Briggs --- drivers/tty/tty_audit.c | 2 +- include/linux/audit.h| 5 - include/net/xfrm.h | 2 +- kernel/aud

[GIT PULL] Audit patches for v4.18

2018-06-05 Thread Paul Moore
el.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20180605 for you to fetch changes up to 5b71388663c0920848c0ee7de946970a2692b76d: audit: Fix wrong task in comparison of session ID (2018-05-21 14:27:43 -0400) au