On Thu, Mar 18, 2021 at 4:57 PM Casey Schaufler wrote:
>
> On 3/18/2021 1:42 PM, Paul Moore wrote:
> > Of the three LSMs that implement the security_task_getsecid() LSM
> > hook, all three LSMs provide the task's objective security
> > credentials. This turns out to be unfortunate as most of the
Side note:
I found on some previous versions of CentOS 7 that if you audit a system call
that often comes before the exec() system call (e.g., auditing close() which is
called a number of times after a fork but before an exec), the PROCTITLE field
will be for the parent process and not the new
Hi Richard,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on nf/master nf-next/master linux/master linus/master
v5.12-rc3 next-20210318]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when
On Thu, Mar 18, 2021 at 3:19 PM Richard Guy Briggs wrote:
>
> Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that
> was added 2008-03-13 in commit 1e0bd7550ea9 ("[PATCH] export sessionid
> alongside the loginuid in procfs")
>
> Signed-off-by: Richard Guy Briggs
> ---
> Doc
On Thu, Mar 18, 2021 at 3:19 PM Richard Guy Briggs wrote:
>
> Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that
> was added 2005-02-01 by commit 1e2d1492e178 ("[PATCH] audit: handle
> loginuid through proc")
>
> Signed-off-by: Richard Guy Briggs
> ---
> Documentation/ABI
On 3/18/2021 1:42 PM, Paul Moore wrote:
> Of the three LSMs that implement the security_task_getsecid() LSM
> hook, all three LSMs provide the task's objective security
> credentials. This turns out to be unfortunate as most of the hook's
> callers seem to expect the task's subjective credentials,
SELinux has a function, task_sid(), which returns the task's
objective credentials, but unfortunately is used in a few places
where the subjective task credentials should be used. Most notably
in the new security_task_getsecid_subj() LSM hook.
This patch fixes this and attempts to make things mor
With the split of the security_task_getsecid() into subjective and
objective variants it's time to update Smack to ensure it is using
the correct task creds.
Acked-by: Casey Schaufler
Reviewed-by: Richard Guy Briggs
Reviewed-by: John Johansen
Signed-off-by: Paul Moore
---
security/smack/smack
An update on the previous RFC patchset found here:
https://lore.kernel.org/linux-security-module/161377712068.87807.12246856567527156637.stgit@sifl/
Aside from being rebased to the current SELinux next branch (which
in turn is based on v5.12-rc2), this revision changes the binder
related code to
Of the three LSMs that implement the security_task_getsecid() LSM
hook, all three LSMs provide the task's objective security
credentials. This turns out to be unfortunate as most of the hook's
callers seem to expect the task's subjective credentials, although
a small handful of callers do correctl
On 2021-03-18 16:31, Alan Evangelista wrote:
> I'm trying to audit commands run in bash, including the commands arguments.
> The proctitle parameter in the PROCTITLE record seems to be the most
> reliable source to get that, but it does not contain exactly the "rm"
> command I have typed on bash. E
OM> Perhaps a shell alias? What does `type rm` say?
# type rm
rm is aliased to `rm -i'
Thanks!
On Thu, Mar 18, 2021 at 5:01 PM Ondrej Mosnacek wrote:
> On Thu, Mar 18, 2021 at 8:32 PM Alan Evangelista
> wrote:
> > I'm trying to audit commands run in bash, including the commands
> arguments. T
On Thu, Mar 18, 2021 at 8:32 PM Alan Evangelista wrote:
> I'm trying to audit commands run in bash, including the commands arguments.
> The proctitle parameter in the PROCTITLE record seems to be the most reliable
> source to get that, but it does not contain exactly the "rm" command I have
> t
I'm trying to audit commands run in bash, including the commands arguments.
The proctitle parameter in the PROCTITLE record seems to be the most
reliable source to get that, but it does not contain exactly the "rm"
command I have typed on bash. Example:
1) rm /data/test2,txt -f
type=SYSCALL msg=a
Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that
was added 2008-03-13 in commit 1e0bd7550ea9 ("[PATCH] export sessionid
alongside the loginuid in procfs")
Signed-off-by: Richard Guy Briggs
---
Documentation/ABI/stable/procfs-audit_loginuid | 12
1 file chan
Add Documentation/ABI entries for audit interfaces in /proc/PID/ that have
been stable for more than a decade.
Richard Guy Briggs (2):
audit: document /proc/PID/loginuid
audit: document /proc/PID/sessionid
.../ABI/stable/procfs-audit_loginuid | 27 +++
1 file changed
Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that
was added 2005-02-01 by commit 1e2d1492e178 ("[PATCH] audit: handle
loginuid through proc")
Signed-off-by: Richard Guy Briggs
---
Documentation/ABI/stable/procfs-audit_loginuid | 15 +++
1 file changed, 15 ins
On Wed, Mar 17, 2021 at 9:51 PM Richard Guy Briggs wrote:
>
> Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that
> was added 2008-03-13 in commit 1e0bd7550ea9 ("[PATCH] export sessionid
> alongside the loginuid in procfs")
>
> Signed-off-by: Richard Guy Briggs
> ---
> Doc
On Wed, Mar 17, 2021 at 9:51 PM Richard Guy Briggs wrote:
>
> Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that
> was added 2005-02-01 by commit 1e2d1492e178 ("[PATCH] audit: handle
> loginuid through proc")
>
> Signed-off-by: Richard Guy Briggs
> ---
> Documentation/ABI
On Wed, Mar 17, 2021 at 9:49 PM Richard Guy Briggs wrote:
>
> Add files maintained by the audit subsystem.
>
> Files from arch/*/*/*audit*.[ch] and arch/x86/include/asm/audit.h were not
> added due to concern of the list not holding up over time. There exist
> already exceptions that caused the ne
On 2021-03-18 17:30, Phil Sutter wrote:
> Hi,
>
> On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
>
> This looks much better, a few remar
On Thu, Mar 18, 2021 at 1:45 PM Paul Moore wrote:
> On Thu, Mar 18, 2021 at 1:44 PM Paul Moore wrote:
> > On Thu, Mar 18, 2021 at 12:57 PM Serhei Makarov wrote:
> > > On Thu, Mar 18, 2021 at 10:43 AM Serhei Makarov
> > > wrote:
> > > > Jiri Olsa also reports seeing a similar deadlock at v5.10.
On Thu, Mar 18, 2021 at 1:44 PM Paul Moore wrote:
> On Thu, Mar 18, 2021 at 12:57 PM Serhei Makarov wrote:
> > On Thu, Mar 18, 2021 at 10:43 AM Serhei Makarov wrote:
> > > Jiri Olsa also reports seeing a similar deadlock at v5.10. I'm in the
> > > middle of double-checking my bisection which end
On Thu, Mar 18, 2021 at 12:57 PM Serhei Makarov wrote:
> On Thu, Mar 18, 2021 at 10:43 AM Serhei Makarov wrote:
> > Jiri Olsa also reports seeing a similar deadlock at v5.10. I'm in the
> > middle of double-checking my bisection which ended up at a
> > seemingly-unrelated commit [2]
> >
> > [1] h
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample ev
On Thu, Mar 18, 2021 at 10:43 AM Serhei Makarov wrote:
> Jiri Olsa also reports seeing a similar deadlock at v5.10. I'm in the
> middle of double-checking my bisection which ended up at a
> seemingly-unrelated commit [2]
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1938312
> [2]
> https://
Hi,
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
This looks much better, a few remarks below:
[...]
> +static const u8 nft2audit_op[] = {
Reduce logging of nftables events to a level similar to iptables.
Restore the table field to list the table, adding the generation.
Indicate the op as the most significant operation in the event.
A couple of sample events:
type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
proctitle=/usr/b
Moving this discussion to kernel mailing lists.
Problem description:
Upstream kernel 5.11.0-rc7 and later was found to deadlock during a
bpf_probe_read_compat call within a sched_switch tracepoint. The
problem is reproducible with the reg_alloc3 testcase from SystemTap's
BPF backend testsuite on
On Wed, Mar 17, 2021 at 09:47:16PM -0400, Richard Guy Briggs wrote:
> The openat2(2) syscall was added in v5.6. Add support for openat2 to the
> audit syscall classifier and for recording openat2 parameters that cannot
> be captured in the syscall parameters of the SYSCALL record.
>
> Supporting
[+Cc Aleksa, the author of openat2()]
and a comment below. :)
On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote:
> The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> ("open: introduce openat2(2) syscall")
>
> Add the openat2(2) syscall to the audit syscal
On Thu, Mar 18, 2021 at 11:48:45AM +0100, Christian Brauner wrote:
> [+Cc Aleksa, the author of openat2()]
>
> and a comment below. :)
>
> On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote:
> > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> > ("open: i
On 2021-03-18 11:48, Christian Brauner wrote:
> [+Cc Aleksa, the author of openat2()]
Ah! Thanks for pulling in Aleksa. I thought I caught everyone...
> and a comment below. :)
Same...
> On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote:
> > The openat2(2) syscall was added i
On 2021-03-18 11:52, Christian Brauner wrote:
> On Thu, Mar 18, 2021 at 11:48:45AM +0100, Christian Brauner wrote:
> > On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote:
> > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> > > ("open: introduce openat2(2
Lenny,
When checkpoint was initially added, such activity (one by one event
consumption)
was not envisaged. If this is needed I can look into providing it.
Pls advise.
Rgds
Burn
On Wed, 2021-03-17 at 19:02 -0500, Lenny Bruzenak wrote:
> I'm trying to use the ausearch checkpoint feature in conj