https://syzkaller.appspot.com/x/repro.syz?x=151b1109e0 (the
reproducer listed) looks like it is literally fuzzing the AUDIT_SET.
Which seems like this is working as designed if it is setting the
failure mode to 2.
On Mon, 2020-02-24 at 17:38 -0500, Paul Moore wrote:
> On Mon, Feb 24, 2020 at
Is this the thing where systemd is listening on the multicast netlink
socket and causes everything to come out kmesg as well?
On Mon, 2019-09-23 at 15:49 -0400, Dave Jones wrote:
> On Mon, Sep 23, 2019 at 02:57:08PM -0400, Paul Moore wrote:
> > On Mon, Sep 23, 2019 at 12:58 PM Dave Jones <
>
On Tue, 2018-07-24 at 15:55 -0400, Paul Moore wrote:
> On Tue, Jul 24, 2018 at 7:39 AM Eric Paris wrote:
> > Would it make more sense to actually check for failure on
> > allocation
> > rather than try to remember to deal with it later? How about we
> > just
> >
Would it make more sense to actually check for failure on allocation
rather than try to remember to deal with it later? How about we just
have audit_log_kern_module return an error and fail if we are OOM?
(also this seems like a good place to use kstrdup, instead of
kmalloc+strcpy)
On Tue,
I think if we went back and looked at history we'd see that all of the
code originally had none of the if(!ab) checks after allocation and
they just sorta slowly crept in over time. I prefer this pattern, but
it used to be the opposite everywhere.
On Wed, 2018-02-21 at 19:02 -0500, Paul Moore
On Sat, 2017-12-09 at 10:28 -0800, Casey Schaufler wrote:
> On 12/9/2017 2:20 AM, Mickaël Salaün wrote:
> > What about automatically create
> > and assign an ID to a process when it enters a namespace different
> > than
> > one of its parent process? This delegates the (permission)
> >
On Tue, 2017-02-28 at 21:49 +, Joan Jani wrote:
> This patch fixes the following checkpatch.pl warning
> WARNING: Block comments use a trailing */ on a separate line
>
> like
>
> kernel/audit.c:135: WARNING: Block comments use a trailing */ on a
> separate line
> kernel/audit.c:170: WARNING:
On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> 32-bit socketcalls were not being logged by audit on x86_64 systems.
> Log them. This is basically a duplicate of the call from
> net/socket.c:sys_socketcall(), but it addresses the impedance
> mismatch
> between 32-bit userspace
On Fri, 2017-01-13 at 10:06 -0500, Richard Guy Briggs wrote:
> On 2017-01-13 09:42, Eric Paris wrote:
> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 9d4443f..43d8003 10064
ays reaches a SECCOMP_KILL or more likely
> > SECCOMP_RET_ERRNO in the rule set.
> >
> > The seccomp auditing was originally added by Eric with
> >
> > commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31
> > Author: Eric Paris <epa...@redhat.com>
> > Dat
This is already going to be in the audit log, right? We're going to
send a CONFIG_CHANGE record with old_pid == the existing auditd. I bet
it gets delivered to the old auditd.
But why is this a printk(KERN_WARN) ?
On Mon, 2015-09-07 at 12:48 -0400, Richard Guy Briggs wrote:
> Nothing prevents a
I have to admit, I'm partial to not merging this (with the other
patches). Changing object lifetimes in what I seem to remember is long
standing code (auditfilter, not auditexe) seems to me like something we
really would want to be git bisectable, not mushed with an unrelated
feature addition.
On Thu, 2014-12-18 at 11:45 -0500, valdis.kletni...@vt.edu wrote:
On Tue, 16 Dec 2014 20:09:54 -0500, Valdis Kletnieks said:
Spotted these two while booting single-user on 20141216. 20141208
doesn't throw these, so it's something in the last week or so..
Gaah! Turns out that 20141208
On Thu, 2014-12-18 at 12:46 -0500, Richard Guy Briggs wrote:
On 14/12/18, Eric Paris wrote:
On Thu, 2014-12-18 at 11:45 -0500, valdis.kletni...@vt.edu wrote:
On Tue, 16 Dec 2014 20:09:54 -0500, Valdis Kletnieks said:
Spotted these two while booting single-user on 20141216. 20141208
I haven't looked into it, but I'd place my first bet on the audit
multicast code...
Richard?
On Tue, 2014-12-16 at 20:09 -0500, Valdis Kletnieks wrote:
Not sure who's to blame here, but I'm tending towards selinux based on
who was holding the locks...
Spotted these two while booting
Let's say I am in the non-init pid namespace.
I run auditctl -a exit,always -S all -F pid=1
Is the audit system going to show records for what I think is pid=1 or
what the initial pid namespace thinks is pid=1 ?
Which is correct? (hint, it's impossible to know pids above my
namespace, or even to
On Mon, 2014-12-15 at 13:50 -0500, Richard Guy Briggs wrote:
On 14/12/15, Eric Paris wrote:
Let's say I am in the non-init pid namespace.
I run auditctl -a exit,always -S all -F pid=1
That's easy (for now). Line 675 of kernel/audit.c in audit_netlink_ok()
called from audit_receive_msg
On Mon, 2014-12-15 at 16:14 -0500, Steve Grubb wrote:
We don't want any events from within a container unless we also
have an audit name space. Everything inside the container is potentially
operating outside the security policy of the system.
I am not arguing with any of the
On Wed, 2014-10-29 at 17:54 -0400, Richard Guy Briggs wrote:
On 14/10/29, Steve Grubb wrote:
On Wednesday, October 29, 2014 03:48:40 PM Richard Guy Briggs wrote:
On 14/10/21, Paul Moore wrote:
Can anyone think of anything else that might be affected by this?
No one uses this
that
now useless junk off the stack (pair of pops) and reload %eax with the
original syscall so other stuff can keep going about its business.
Reported-by: Paulo Zanoni przan...@gmail.com
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
Cc
On Mon, 2014-10-27 at 10:02 -0700, H. Peter Anvin wrote:
On 10/27/2014 06:55 AM, Eric Paris wrote:
My patch was already committed to the -tip urgent branch. I believe any
optimization should be based on that branch, Richard. If you are trying
to wrangle every bit of speed out
On Mon, 2014-10-27 at 21:52 +0100, Thomas Gleixner wrote:
On Sun, 26 Oct 2014, Richard Guy Briggs wrote:
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index b553ed8..344b63f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15
On Thu, 2014-10-23 at 11:39 -0700, Andy Lutomirski wrote:
On 10/22/2014 09:04 PM, Eric Paris wrote:
git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very dumb.
It was writing over %esp/pt_regs semi-randomly on i686 with the expected
system can't boot results. As noted
On Thu, 2014-10-23 at 12:20 -0700, Andy Lutomirski wrote:
On Thu, Oct 23, 2014 at 12:15 PM, Eric Paris epa...@redhat.com wrote:
On Thu, 2014-10-23 at 11:39 -0700, Andy Lutomirski wrote:
On 10/22/2014 09:04 PM, Eric Paris wrote:
git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very
On Thu, 2014-10-23 at 15:30 -0400, Eric Paris wrote:
On Thu, 2014-10-23 at 12:20 -0700, Andy Lutomirski wrote:
On Thu, Oct 23, 2014 at 12:15 PM, Eric Paris epa...@redhat.com wrote:
On Thu, 2014-10-23 at 11:39 -0700, Andy Lutomirski wrote:
On 10/22/2014 09:04 PM, Eric Paris wrote:
git
On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:
12) The struct audit_status was extended to include version and
backlog_wait_time. I cannot determine at runtime if they exist, meaning that
software compiled on a new kernel runs on an old kernel, it will be reading
random stack or
On Wed, 2014-10-22 at 10:36 -0400, Steve Grubb wrote:
On Wednesday, October 22, 2014 10:30:12 AM Eric Paris wrote:
On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:
12) The struct audit_status was extended to include version and
backlog_wait_time. I cannot determine at runtime
On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:
1) For the *at syscalls, can we get the path from the FD being passed to be
able to reconstruct what is being accessed?
You might sometimes be able to get A path. But every time anyone ever
says THE path they've already lost. There is no
On Wed, 2014-10-22 at 10:51 -0500, LC Bruzenak wrote:
On 10/22/2014 10:12 AM, Eric Paris wrote:
On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:
1) For the *at syscalls, can we get the path from the FD being passed to be
able to reconstruct what is being accessed?
You might
That's really serious. Looking now.
On Wed, 2014-10-22 at 16:08 -0200, Paulo Zanoni wrote:
Hi
(Cc'ing everybody mentioned in the original patch)
I work for Intel, on our Linux Graphics driver - aka i915.ko - and our
QA team recently reported a regression on:
commit
On Wed, 2014-10-22 at 23:36 +0200, Thomas Gleixner wrote:
On Wed, 22 Oct 2014, Eric Paris wrote:
That's really serious. Looking now.
Indeed it's serious. And it's even more serious as this masterpiece of
assembly wreckage was pulled in via your tree w/o having an acked-by
one of the x86
Moore pmo...@redhat.com
Acked-by: Eric Paris epa...@redhat.com
---
MAINTAINERS |5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index c2066f4..86c24fd 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1689,10 +1689,11 @@ S:Supported
On Tue, 2014-10-21 at 17:56 -0400, Paul Moore wrote:
* Change the audit_status.version field comment in include/uapi/linux/audit.h
to /* audit functionality bitmap */, or similar. We can't really change
the
structure now, but the comment is fair game.
Trying to think how to do things
On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
This is a part of Peter Moody, my and Eric Paris' work to implement
audit by executable name.
Does this patch set define an AUDIT_VERSION_SOMETHING and then set
()
Burn Alting (1):
audit: invalid op= values for rules
Eric Paris (11):
audit: drop unused struct audit_rule definition
SH: define syscall_get_arch() for superh
UM: implement syscall_get_arch()
Alpha: define syscall_get_arch()
ARCH: AUDIT: implement
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
Re-factor audit_rule_change() to reduce the amount of code redundancy and
simplify the logic.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c | 20 +++-
1 files changed, 7
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
New tree rules copy the path twice and discard the intermediary copy.
This saves one pointer at the expense of one path string copy.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_tree.c |9 +
Having a hard time convincing myself of the next 2... Doesn't mean
they're wrong or bad, but my brain isn't seeing it today...
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
Remove extra layer of audit_{get,put}_watch() calls.
Signed-off-by: Richard Guy Briggs r...@redhat.com
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit multicast
socket, requiring CAP_AUDIT_READ capability, binding to the
AUDIT_NLGRP_READLOG
group. Log the disconnect too.
Sample output:
time-Tue Oct 7
On Mon, 2014-09-08 at 14:53 -0400, Steve Grubb wrote:
Hello Richard,
On Sunday, August 24, 2014 06:34:04 PM Richard Guy Briggs wrote:
This is a part of Peter Moody, my and Eric Paris' work to implement
audit by executable name.
So, what's the status on this? Is it scheduled for the next
I just pushed a clean copy of Linus' tree to my audit tree. So my API
change is gone when he next pulls for -next. I'm on vacation this week
and really wanted to get it fixed right before I left. It didn't
happen. When I push a new tree into next I will pick up the arm audit
patch and fix the
On Tue, 2014-08-05 at 12:48 -0400, Steve Grubb wrote:
On Tuesday, August 05, 2014 10:36:17 AM Gisela Cheng wrote:
Would this trigger the creation of the audit record?
I don't think anything in the config file would affect this. The requirements
are
to record all starts and stops. I
On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
On Thursday, July 10, 2014 09:06:02 PM H. Peter Anvin wrote:
Incidentally: do seccomp users know that on an x86-64 system you can
receive system calls from any of the x86 architectures, regardless of
how the program is invoked? (This is
On Fri, 2014-07-11 at 12:21 -0400, Paul Moore wrote:
On Friday, July 11, 2014 12:16:47 PM Eric Paris wrote:
On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
On Thursday, July 10, 2014 09:06:02 PM H. Peter Anvin wrote:
Incidentally: do seccomp users know that on an x86-64 system you
On Fri, 2014-07-11 at 12:32 -0400, Paul Moore wrote:
On Friday, July 11, 2014 12:23:33 PM Eric Paris wrote:
On Fri, 2014-07-11 at 12:21 -0400, Paul Moore wrote:
On Friday, July 11, 2014 12:16:47 PM Eric Paris wrote:
On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
On Thursday
On Tue, 17 Jun 2014 23:09:39 -0400
Richard Guy Briggs r...@redhat.com wrote:
Remove unnecessary space.
---
kernel/auditfilter.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 30091ce..94b6af1 100644
---
Whew, lot going on in here
On Tue, 17 Jun 2014 23:09:48 -0400
Richard Guy Briggs r...@redhat.com wrote:
---
include/linux/audit.h |1 +
kernel/audit.h |1 +
kernel/audit_fsnotify.c | 15 +++
kernel/auditfilter.c| 21 -
4 files
Aside from the refcounting in the previous patch being bad, which you
likely didn't make any better here, I think I'm ok with
audit_put_mark/audit_get_mark being exposed and used instead of the
fsnotify_* calls being used directly...
On Tue, 17 Jun 2014 23:09:49 -0400
Richard Guy Briggs
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville bi...@debian.org wrote:
Le Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb sgr...@redhat.com a écrit :
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just
completely
On Tue, 17 Jun 2014 10:56:24 -0400
Steve Grubb sgr...@redhat.com wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
2) Userspace silently throws records which are 'malformed' away,
instead of just printing them...
ausearch -m LOGIN
On Sat, 2014-06-14 at 13:53 +0200, Laurent Bigonville wrote:
Le Thu, 5 Jun 2014 19:34:04 +0200,
Laurent Bigonville bi...@debian.org a écrit :
Le Wed, 04 Jun 2014 19:04:52 -0400,
Steve Grubb sgr...@redhat.com a écrit :
[...]
You are missing a type=LOGIN event right here. If you do a cat
On Mon, 2014-06-16 at 17:20 -0400, Eric Paris wrote:
I'd call this a pretty clear userspace bug where it just completely
drops records, even if it can't parse them...
Definitely a userspace bug...
[root@localhost eparis]# ausearch -m login
no matches
[root@localhost eparis]# cat /var/log
On Mon, 2014-06-09 at 16:36 -0700, Linus Torvalds wrote:
On Mon, Jun 9, 2014 at 3:56 PM, Andy Lutomirski l...@amacapital.net wrote:
In this particular case, it's my patch, and I've never sent you a pull
request. I sort of assumed that secur...@kernel.org magically caused
acknowledged
NAK
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
Here are some issues with the code:
- It thinks that syscalls have four arguments.
Not true at all. It records the registers that would hold the first 4
entries on syscall entry, for use later if needed, as getting those
later on
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
Fixes an easy DoS and possible information disclosure.
This does nothing about the broken state of x32 auditing.
Cc: sta...@vger.kernel.org
Signed-off-by: Andy Lutomirski l...@amacapital.net
---
kernel/auditsc.c | 27
On Wed, 2014-05-28 at 19:40 -0700, Andy Lutomirski wrote:
On Wed, May 28, 2014 at 7:09 PM, Eric Paris epa...@redhat.com wrote:
NAK
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
Here are some issues with the code:
- It thinks that syscalls have four arguments.
Not true
stop selecting it.
Signed-off-by: Eric Paris epa...@redhat.com
Cc: Andy Lutomirski l...@amacapital.net
---
arch/x86/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 56f47ca..e11c4da 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
The purpose is to track namespaces in use by logged processes from the
perspective of init_*_ns.
1/6 defines a function to generate them and assigns them.
Use a serial number per namespace (unique across one boot of one kernel)
On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote:
Thanks for prompt reply.
The kernel versions are very close.
Not really. RHEL kernels are vastly different than the old 2.6.32
kernel. In this case, the RHEL kernel gives some very very new
information which didn't exist back in
On Tue, 2014-05-13 at 11:13 -0400, Richard Guy Briggs wrote:
On 14/05/13, Richard Guy Briggs wrote:
On 14/05/10, Eric Paris wrote:
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
Generate and assign a serial number per namespace instance since boot.
Use a serial
On Tue, 2014-05-13 at 11:30 -0400, Eric Paris wrote:
On Tue, 2014-05-13 at 11:13 -0400, Richard Guy Briggs wrote:
On 14/05/13, Richard Guy Briggs wrote:
On 14/05/10, Eric Paris wrote:
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
Generate and assign a serial number
that hierarchy if the optimization is necessary.
Signed-off-by: Eric Paris epa...@redhat.com
---
kernel/Makefile | 2 +-
kernel/audit.h | 29 ++
kernel/audit_fsnotify.c | 251
kernel/auditfilter.c| 2 +-
4 files changed, 282
-off-by: Eric Paris epa...@redhat.com
---
include/linux/audit.h | 2 +-
kernel/audit.h| 31 +-
kernel/audit_exe.c| 87 +++
kernel/auditfilter.c | 18 ++-
4 files changed, 31 insertions(+), 107 deletions(-)
diff
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
Generate and assign a serial number per namespace instance since boot.
Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had the right to change
reserved
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
Log the namespace serial numbers of a task in audit_log_task_info() which
is used by syscall audits, among others..
Idea first presented:
https://www.redhat.com/archives/linux-audit/2013-March/msg00020.html
Typical output
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
Not so relevant because you delete all of this code later... But
still...
+#ifdef CONFIG_NAMESPACES
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct
*tsk)
+{
+ struct nsproxy *nsproxy;
+
+
.
Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com
Cc: r...@redhat.com
Based-on-idea-by: Peter Moody pmo...@google.com
Cc: pmo...@google.com
Signed-off-by: Eric Paris epa...@redhat.com
---
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile
On Mon, 2014-05-05 at 17:10 -0400, Steve Grubb wrote:
On Mon, 5 May 2014 16:41:53 -0400
Richard Guy Briggs r...@redhat.com wrote:
Only problem is, it doesn't work. What assumptions am I making that
aren't valid about the approach in this kernel code?
I also considered adding the
On Tue, 2014-04-29 at 16:54 -0700, Stephen Smalley wrote:
Requested for Android in order to distinguish denials that are not in
fact breaking anything yet due to permissive domains versus denials
that are being enforced, but seems generally useful. result field was
already in the selinux
...@redhat.com wrote:
Meaning looking at the journal would be equivalent to looking at
/var/log/audit/audit.log.
On 04/23/2014 11:37 AM, Eric Paris wrote:
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
I guess the problem would be that the sysadm_t would be able to look
see individual records? so secadm_t running journalctl would see
them and sysadm running journalctl wouldn't see them?
Sounds elegant. Who is going to code it? *NOT IT!*
On 04/24/2014 09:22 AM, Eric Paris wrote:
They would be equivalent if and only if journald had CAP_AUDIT_READ.
I
What's the kernel in question? audit hasn't used inotify in a long
time. We now use fsnotify. but in either case, the inodes aren't
supposed to be able to be kicked out of core...
On Wed, 2014-04-23 at 09:04 +0100, Peter Grandi wrote:
[ ... ]
Thus I have come up with a potential
On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
Here are the capabilities we currently give to sysadm_t with
sysadm_secadm1.0.0Disabled
allow sysadm_t sysadm_t : capability { chown dac_override
dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
I guess the problem would be that the sysadm_t would be able to look at
the journal which would now contain the audit content.
right. so include it in the sysadm_secadm bool
On 04/23/2014 10:42 AM, Eric Paris wrote:
On Wed, 2014-04
-by: Richard Guy Briggs r...@redhat.com
Cc: Thomas Gleixner t...@linutronix.de
Cc: Ingo Molnar mi...@redhat.com
Cc: H. Peter Anvin h...@zytor.com
Cc: x...@kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: linux-audit@redhat.com
Signed-off-by: Eric Paris epa...@redhat.com
---
As this patch relies
On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
This is a patch set Eric Paris and I have been working on to add a
restricted capability read-only netlink multicast socket to kernel audit to
enable userspace clients
On Mon, 2014-04-21 at 11:35 -0700, lists_t...@mac.com wrote:
On Apr 21, 2014, at 11:28 AM, Steve Grubb sgr...@redhat.com wrote:
What happens is that the text path that you put in a watch is a
human
convenience. The kernel doesn't understand strings, it understands
numbers. It
)
AKASHI Takahiro (2):
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
audit: Add generic compat syscall support
Chris Metcalf (1):
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
Eric Paris (7):
audit: include subject
merged. This patch should be applied as part of the merge
conflict, as both sides of the merge are correct and the failure happens
AT the merge.
The fix is simple. The task is always current. Use current.
Signed-off-by: Eric Paris epa...@redhat.com
Cc: markos.chand...@imgtec.com
Cc: Paul Burton
to the MIPS people. I hope
that you can apply it as part of the merge itself...
On Thu, 2014-04-10 at 19:53 -0400, Eric Paris wrote:
Linus,
Please pull the audit tree for v3.15. You will have merge conflicts.
I'll publish my branch merge-test where I attempted to resolve them
the way you
To the best of my knowledge there is no way to generate every record
type. I did send sgrubb the beginnings of me trying to write a suite of
programs to exercise some of them for hopeful eventual inclusion in the
auparse checker tool...
I really think such a thing would be useful...
On Wed,
On Fri, 2014-04-04 at 08:43 -0400, Steve Grubb wrote:
Hello,
In checking a system with newish kernel, 3.13.7, I noticed that sometimes
finit_module is producing PATH records. Why?
Because the module created all of those files while it was loading...
--
Linux-audit mailing list
On Mon, 2014-04-07 at 12:50 -0400, Steve Grubb wrote:
On Monday, April 07, 2014 12:37:48 PM Eric Paris wrote:
On Fri, 2014-04-04 at 08:43 -0400, Steve Grubb wrote:
Hello,
In checking a system with newish kernel, 3.13.7, I noticed that sometimes
finit_module is producing PATH
On Thu, 2014-04-03 at 14:48 +0100, David Woodhouse wrote:
On Thu, 2014-04-03 at 11:32 +0200, Ralf Baechle wrote:
There's probably the odd bitfield or similar where it might matter? I
did dig a bit in the history of the auditing code and found no code
that uses __AUDIT_ARCH_LE other than
On Wed, 2014-04-02 at 12:13 +0200, Manuel Lauss wrote:
From: Ralf Baechle r...@linux-mips.org
this is the first cut of the MIPS auditing patches. MIPS doesn't quite
fit into the existing pattern of other architectures and I'd appreciate
your comments and maybe even an Acked-by.
- MIPS
On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
Hello Mimi,
On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
This change is already being upstreamed as commit 73a6b44 Integrity:
Pass commname via get_task_comm().
an...@tomt.net
Reported-by: Adam Richter adam_richter2...@yahoo.com
Signed-off-by: Eric Paris epa...@redhat.com
---
kernel/audit.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3392d3e..95a20f3 100644
--- a/kernel/audit.c
On Thu, 2014-03-20 at 03:01 +0300, Sergei Shtylyov wrote:
Hello.
On 03/20/2014 01:04 AM, Eric Paris wrote:
This patch defines syscall_get_arch() for the superh platform. It does
so in both syscall_32.h and syscall_64.h. I'm not certain if the
implementation in syscall_64.h couldn't
On Mon, 2014-03-17 at 13:14 -0700, Tony Luck wrote:
On Thu, Jan 23, 2014 at 11:32 AM, Richard Guy Briggs r...@redhat.com wrote:
Added the functions task_ppid_nr_ns() and task_ppid_nr() to abstract the
lookup
of the PPID (real_parent's pid_t) of a process, including rcu locking, in
the
On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
Add a netlink multicast socket with one group to kaudit for best-effort
delivery to read-only userspace clients such as systemd, in addition to the
existing
On Wed, 2014-03-12 at 08:22 -0400, Steve Grubb wrote:
On Tuesday, March 11, 2014 06:15:17 PM Richard Guy Briggs wrote:
Is zero a valid value for the pid member of the AUDIT_SIGNAL_INFO message?
Well, pid=0 would be the kernel. So, it's valid but unlikely.
Actually, signals from the kernel
On Wed, 2014-03-12 at 14:21 -0400, Richard Guy Briggs wrote:
On 14/03/12, Eric Paris wrote:
On Wed, 2014-03-12 at 08:22 -0400, Steve Grubb wrote:
On Tuesday, March 11, 2014 06:15:17 PM Richard Guy Briggs wrote:
Is zero a valid value for the pid member of the AUDIT_SIGNAL_INFO
The syscall.h headers were including linux/audit.h but really only
needed the uapi/linux/audit.h to get the requisite defines. Switch to
the uapi headers.
Signed-off-by: Eric Paris epa...@redhat.com
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-m...@linux-mips.org
Cc: linux-s
On Tue, 2014-03-11 at 18:15 -0400, Richard Guy Briggs wrote:
Steve,
Subject says it all...
Is zero a valid value for the pid member of the AUDIT_SIGNAL_INFO message?
No...
Given that userspace requests AUDIT_SIGNAL_INFO after it gets a signal,
and that audit_sig_{uid,pid,...} get filled
On Sun, 2014-03-09 at 20:06 -0700, Eric W. Biederman wrote:
Linus,
Please pull the for-linus branch from the git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git
for-linus
HEAD: d211f177b28ec070c25b3d0b960aa55f352f731f audit: Update kdoc for
On Mon, 2014-03-10 at 15:30 -0400, David Miller wrote:
From: Eric Paris epa...@redhat.com
Date: Fri, 07 Mar 2014 17:52:02 -0500
The second user Eric patched, audit_send_list(), can grow without bound.
The number of skb's is going to be the size of the number of audit rules
that root
On Mon, 2014-03-10 at 18:25 -0400, Steve Grubb wrote:
On Monday, March 10, 2014 05:48:06 PM Steve Grubb wrote:
Hello,
I was looking at a new kernel and see that the audit_status structure has
changed. The first member of the structure is a bit mask that tells what all
is in the
On Fri, 2014-03-07 at 19:48 -0500, David Miller wrote:
From: Eric Paris epa...@redhat.com
Date: Fri, 07 Mar 2014 17:52:02 -0500
Audit is non-tolerant to failure and loss.
Netlink is not a loss-less transport.
I'm happy to accept that (and know it to be true). How can I better
architect
On Wed, 2014-02-19 at 13:08 -0500, Richard Guy Briggs wrote:
Register a netlink per-protocol bind function for audit to check userspace
process capabilities before allowing a multicast group connection.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c | 10 ++
On Tue, 2014-02-18 at 19:09 -0800, Andy Lutomirski wrote:
On Tue, Feb 18, 2014 at 11:39 AM, Eric Paris epa...@redhat.com wrote:
Al just indicated to me that on at least ia64, syscall_get_arguments()
is really expensive. So maybe not a deal breaker, but sounds like we'd
lose a lot