Re: [PATCH] audit: allow logging of user events in non-initial namespace.

2021-05-11 Thread Richard Guy Briggs
On 2021-05-10 18:48, Paul Moore wrote: > On Sun, May 9, 2021 at 2:33 PM Michael Weiß > wrote: > > > > Audit subsystem was disabled in total for user namespaces other than > > the initial namespace. > > > > If audit is enabled by kernel command line or auditd in initial namespace, > > it is now

Re: [PATCH v3 1/3] audit: replace magic audit syscall class numbers with macros

2021-05-11 Thread Richard Guy Briggs
On 2021-05-10 21:23, Paul Moore wrote: > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote: > > > > Replace audit syscall class magic numbers with macros. > > > > This required putting the macros into new header file > > include/linux/auditscm.h since the syscall macros were included for

Re: [PATCH v3 1/3] audit: replace magic audit syscall class numbers with macros

2021-05-11 Thread Paul Moore
On Tue, May 11, 2021 at 1:14 PM Richard Guy Briggs wrote: > > On 2021-05-10 21:23, Paul Moore wrote: > > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote: > > > > > > Replace audit syscall class magic numbers with macros. > > > > > > This required putting the macros into new header file

Re: [PATCH v3 1/3] audit: replace magic audit syscall class numbers with macros

2021-05-11 Thread Richard Guy Briggs
On 2021-05-10 21:23, Paul Moore wrote: > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote: > > > > Replace audit syscall class magic numbers with macros. > > > > This required putting the macros into new header file > > include/linux/auditscm.h since the syscall macros were included for

Re: [PATCH V1] audit: log xattr args not covered by syscall record

2021-05-11 Thread Paul Moore
On Tue, May 11, 2021 at 10:00 AM Casey Schaufler wrote: > On 5/10/2021 6:28 PM, Paul Moore wrote: > > On Mon, May 10, 2021 at 8:37 PM Casey Schaufler > > wrote: > >> On 5/10/2021 4:52 PM, Paul Moore wrote: > >>> On Mon, May 10, 2021 at 12:30 PM Casey Schaufler > >>> wrote: > On 5/7/2021

Re: [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit

2021-05-11 Thread Paul Moore
On Mon, May 10, 2021 at 11:19 PM He Zhe wrote: > On 5/11/21 6:38 AM, Paul Moore wrote: > > On Fri, Apr 23, 2021 at 6:36 AM He Zhe wrote: > >> regs_return_value for some architectures like arm64 simply retrieves > >> register value from pt_regs without sign extension in 32-bit compatible > >> case

Re: [PATCH V1] audit: log xattr args not covered by syscall record

2021-05-11 Thread Casey Schaufler
On 5/10/2021 6:28 PM, Paul Moore wrote: > On Mon, May 10, 2021 at 8:37 PM Casey Schaufler > wrote: >> On 5/10/2021 4:52 PM, Paul Moore wrote: >>> On Mon, May 10, 2021 at 12:30 PM Casey Schaufler >>> wrote: On 5/7/2021 6:54 PM, Richard Guy Briggs wrote: > On 2021-05-07 14:03, Casey

Re: [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit

2021-05-11 Thread He Zhe
On 5/11/21 6:38 AM, Paul Moore wrote: > On Fri, Apr 23, 2021 at 6:36 AM He Zhe wrote: >> regs_return_value for some architectures like arm64 simply retrieves >> register value from pt_regs without sign extension in 32-bit compatible >> case and causes audit to have false syscall return code. For