[PATCH RESEND 1/2] audit: introduce a struct to represent an audit timestamp

2022-12-19 Thread Ondrej Mosnacek
Join the two fields that comprise an audit timestamp into a common structure. This will be used further in later commits. Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 5 + kernel/audit.c| 16 kernel/audit.h| 4 ++-- kernel/auditsc.c | 9

[PATCH RESEND 0/2] Provide matching audit timestamp in the SELinux AVC trace event

2022-12-19 Thread Ondrej Mosnacek
(Resending due to an error on the first attempt.) This series allows matching the SELinux AVC trace events to the corresponding audit events via the audit event timestamp. This will help with troubleshooting SELinux denials. Ondrej Mosnacek (2): audit: introduce a struct to represent an audit

[PATCH RESEND 2/2] selinux: provide matching audit timestamp in the AVC trace event

2022-12-19 Thread Ondrej Mosnacek
resentation includes the timestamp in the same format as used in the audit log - e.g. "audit_ts=1671454430.092:1671". Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 8 include/trace/events/avc.h | 25 + kernel/audit.c | 15 +++

[PATCH 1/2] audit: introduce a struct to represent an audit timestamp

2022-12-19 Thread Ondrej Mosnacek
Join the two fields that comprise an audit timestamp into a common structure. This will be used further in later commits. Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 5 + kernel/audit.c| 16 kernel/audit.h| 4 ++-- kernel/auditsc.c | 9

[PATCH 0/2] Provide matching audit timestamp in the SELinux AVC trace event

2022-12-19 Thread Ondrej Mosnacek
This series allows matching the SELinux AVC trace events to the corresponding audit events via the audit event timestamp. This will help with troubleshooting SELinux denials. Ondrej Mosnacek (2): audit: introduce a struct to represent an audit timestamp selinux: provide matching audit

[PATCH] lsm_audit: avoid overloading the "key" audit field

2021-09-14 Thread Ondrej Mosnacek
nfo actually confuse audit userspace, which tries to interpret the number as a hex-encoded string, thus showing garbage for example in the ausearch "interpret" output mode. Hence, change it to "ipc_key" to fix both issues and also make the meaning of this field more clear. Signe

[PATCH v2] lsm_audit,selinux: pass IB device name by reference

2021-05-12 Thread Ondrej Mosnacek
. The ibendport variable goes out of scope at the end of the function anyway, so the lifetime of the dev_name pointer will never be shorter than that of ibendport, thus we can safely just pass the dev_name pointer and be done with it. Signed-off-by: Ondrej Mosnacek --- include/linux/lsm_audit.h | 8

Re: Additional parameter in PROCTITLE.proctitle when executing rm

2021-03-18 Thread Ondrej Mosnacek
pe=DELETE > cap_fp= cap_fi= cap_fe=0 cap_fver=0 > type=PROCTITLE msg=audit(1616095201.302:40381): > proctitle=726D002D69002F646174612F74657374322E747874002D66 > > The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is > equal to "rm-i /data/test2.txt

Re: renameat2 syscall is not recorded

2021-03-10 Thread Ondrej Mosnacek
"/data/test5.txt", AT_FDCWD, "/data/test6.txt", 0) = 0 > (...) > > However, I don't see any events recorded in the auditd log file when I move > files using the "mv" command. Am I doing something wrong? > > > Thanks in advance. > -- > Linu

Re: [PATCH 1/2] audit: show user land backtrace as part of audit context messages

2021-02-02 Thread Ondrej Mosnacek
rf.data file you can analyze later perf record -a -e avc:selinux_audited -g --call-graph=dwarf sleep infinity # dump all collected backtraces from the perf.data file perf script It's a bit complicated if you want to have it running in the background permanently as a service (you need to tell p

Re: [PATCH v2] kernel: audit.c: Add __rcu notation to RCU pointer

2020-04-15 Thread Ondrej Mosnacek
on all files that are rebuilt during that make run. For example, if I fully build the kernel and then revert commit cb5172d96d16df72db8b55146b0ec00bfd97f079, I get: $ make [...] C=1 [...] CHECK [...]/kernel/audit.c [...]/kernel/audit.c:218:14: error: incompatible types in comparison expression (d

Re: [PATCH ghak57 V1] selinux: format all invalid context as untrusted

2019-06-14 Thread Ondrej Mosnacek
d28ad9f52cd2f99213e1371b2 > + ab = audit_log_start(audit_context(), > +GFP_ATOMIC, > +AUDIT_SELINUX_ERR); > + audit_log_format(ab, > "op

Re: [PATCH] selinux: log raw contexts as untrusted strings

2019-06-12 Thread Ondrej Mosnacek
On Wed, Jun 12, 2019 at 12:56 AM Paul Moore wrote: > On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek wrote: > > These strings may come from untrusted sources (e.g. file xattrs) so they > > need to be properly escaped. > > > > Reproducer: > > # seten

[PATCH] selinux: log raw contexts as untrusted strings

2019-06-11 Thread Ondrej Mosnacek
at the generated AVCs) Actual result: type=AVC [...] trawcon=kuřecí řízek Expected result: type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") Cc: sta...@vger.kernel.org # v5.1+ Signed-off-by: Ondrej Mosnacek --- security/sel

Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls

2019-05-30 Thread Ondrej Mosnacek
t-testsuite/issues/64 > > Please see the github audit wiki for the feature overview: > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > > Signed-off-by: Richard Guy Briggs > > Acked-by: Serge Hallyn > > Acked-by: Steve Grubb > >

Re: [RFC PATCH ghak73 V1] audit: re-structure audit field valid checks

2019-05-07 Thread Ondrej Mosnacek
urn -EINVAL; > @@ -425,11 +438,10 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) > if (f->val > AUDIT_MAX_FIELD_COMPARE) > return -EINVAL; > break; > - case AUDIT_EXE: > - if (f->op != Audit_not_equal && f->op != Audit_equal) > - return -EINVAL; > + default: > break; > } > + > return 0; > } > > -- > 1.8.3.1 -- Ondrej Mosnacek Software Engineer, Security Technologies Red Hat, Inc. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
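Review bot: this hunk drops the explicit operator restriction for AUDIT_EXE (`if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL;`) and lets the case fall into `default: break;`, so this part of audit_field_valid() no longer rejects other comparison operators for AUDIT_EXE rules. The hunk header (@@ -425,11 +438,10 @@) indicates additions earlier in the function, so confirm the equal/not_equal check for AUDIT_EXE was moved there rather than lost; otherwise the restructuring silently relaxes rule validation.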

[PATCH ghak10 v8 2/2] ntp: Audit NTP parameters adjustment

2019-04-10 Thread Ondrej Mosnacek
-by: Ondrej Mosnacek Reviewed-by: Richard Guy Briggs Reviewed-by: Thomas Gleixner --- include/linux/audit.h | 61 ++ include/uapi/linux/audit.h | 1 + kernel/auditsc.c | 22 ++ kernel/time/ntp.c | 22 -- kernel

[PATCH ghak10 v8 1/2] timekeeping: Audit clock adjustments

2019-04-10 Thread Ondrej Mosnacek
=audit(1530616049.652:13): sec=-16 nsec=124887145 The records of this type will be associated with the corresponding syscall records. Signed-off-by: Ondrej Mosnacek Reviewed-by: Richard Guy Briggs Reviewed-by: Thomas Gleixner --- include/linux/audit.h | 14 ++ include/uapi/linux

[PATCH ghak10 v8 0/2] audit: Log changes that can affect the system clock

2019-04-10 Thread Ondrej Mosnacek
l [1] https://www.niap-ccevs.org/MMO/PP/pp_ca_v2.1.pdf -- section 5.1, table 4 Ondrej Mosnacek (2): timekeeping: Audit clock adjustments ntp: Audit NTP parameters adjustment include/linux/audit.h | 75 ++ include/uapi/linux/audit.h | 2 + kernel/a

Re: [PATCH ghak10 v7 2/2] ntp: Audit NTP parameters adjustment

2019-04-10 Thread Ondrej Mosnacek
On Wed, Apr 10, 2019 at 9:03 AM Thomas Gleixner wrote: > On Tue, 9 Apr 2019, Ondrej Mosnacek wrote: > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 2c62c046..1c372ad7ebe9 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/

Re: [PATCH ghak10 v7 2/2] ntp: Audit NTP parameters adjustment

2019-04-09 Thread Ondrej Mosnacek
On Tue, Apr 9, 2019 at 4:40 PM Richard Guy Briggs wrote: > On 2019-04-09 14:31, Ondrej Mosnacek wrote: > > Emit an audit record every time selected NTP parameters are modified > > from userspace (via adjtimex(2) or clock_adjtime(2)). These parameters > > may be used to ind

Re: [PATCH ghak10 v7 1/2] timekeeping: Audit clock adjustments

2019-04-09 Thread Ondrej Mosnacek
On Tue, Apr 9, 2019 at 4:26 PM Richard Guy Briggs wrote: > On 2019-04-09 14:31, Ondrej Mosnacek wrote: > > Emit an audit record whenever the system clock is changed (i.e. shifted > > by a non-zero offset) by a syscall from userspace. The syscalls that can > > (at the tim

Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon

2019-04-09 Thread Ondrej Mosnacek
On Tue, Apr 9, 2019 at 3:49 PM Neil Horman wrote: > On Tue, Apr 09, 2019 at 09:40:58AM -0400, Paul Moore wrote: > > On Tue, Apr 9, 2019 at 8:58 AM Ondrej Mosnacek wrote: > > > > > > On Tue, Apr 9, 2019 at 5:40 AM Richard Guy Briggs wrote: > > > >

Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon

2019-04-09 Thread Ondrej Mosnacek
ated with a new > audit_sig_info2 struct. Corresponding support is required in the > userspace code to reflect the new record request and reply type. > An older userspace won't break since it won't know to request this > record type. > > Signed-off-by: Richard Guy Briggs This looks good to

[PATCH ghak10 v7 2/2] ntp: Audit NTP parameters adjustment

2019-04-09 Thread Ondrej Mosnacek
is set (NOT AUDITED) time_adjust -- can temporarily speed up or slow down the clock by up to 0.05% (AUDITED) tick_usec -- a more extreme version of time_freq; can speed up or slow down the clock by up to 10% (AUDITED) Signed-off-by: Ondrej Mosnacek

[PATCH ghak10 v7 1/2] timekeeping: Audit clock adjustments

2019-04-09 Thread Ondrej Mosnacek
=audit(1530616049.652:13): sec=-16 nsec=124887145 The records of this type will be associated with the corresponding syscall records. Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 14 ++ include/uapi/linux/audit.h | 1 + kernel/auditsc.c | 6 ++ kernel

[PATCH ghak10 v7 0/2] audit: Log changes that can affect the system clock

2019-04-09 Thread Ondrej Mosnacek
.redhat.com/archives/linux-audit/2018-June/msg00095.html [1] https://www.niap-ccevs.org/MMO/PP/pp_ca_v2.1.pdf -- section 5.1, table 4 Ondrej Mosnacek (2): timekeeping: Audit clock adjustments ntp: Audit NTP parameters adjustment include/linux/audit.h | 68 +++

Re: [RFC PATCH ghak10 v6 2/2] ntp: Audit NTP parameters adjustment

2019-04-02 Thread Ondrej Mosnacek
On Tue, Apr 2, 2019 at 11:33 AM Thomas Gleixner wrote: > On Mon, 1 Apr 2019, Ondrej Mosnacek wrote: > > On Thu, Mar 28, 2019 at 1:02 AM Thomas Gleixner wrote: > > > On Thu, 7 Mar 2019, Ondrej Mosnacek wrote: > > > > /* adjtime() i

Re: [RFC PATCH ghak10 v6 0/2] audit: Log changes that can affect the system clock

2019-04-01 Thread Ondrej Mosnacek
On Thu, Mar 28, 2019 at 12:00 AM Paul Moore wrote: > On Mon, Mar 25, 2019 at 10:50 AM Paul Moore wrote: > > On Thu, Mar 7, 2019 at 7:33 AM Ondrej Mosnacek wrote: > > > This patchset implements auditing of (syscall-triggered) changes that > > > can modify or indirec

Re: [RFC PATCH ghak10 v6 1/2] timekeeping: Audit clock adjustments

2019-04-01 Thread Ondrej Mosnacek
On Thu, Mar 28, 2019 at 1:09 AM Thomas Gleixner wrote: > On Thu, 7 Mar 2019, Ondrej Mosnacek wrote: > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -2512,6 +2512,14 @@ void __audit_fanotify(unsigned int response) > > AUDIT_FA

Re: [RFC PATCH ghak10 v6 1/2] timekeeping: Audit clock adjustments

2019-04-01 Thread Ondrej Mosnacek
On Thu, Mar 28, 2019 at 12:27 AM John Stultz wrote: > On Thu, Mar 7, 2019 at 4:33 AM Ondrej Mosnacek wrote: > > > > Emit an audit record whenever the system clock is changed (i.e. shifted > > by a non-zero offset) by a syscall from userspace. The syscalls that can >

Re: [RFC PATCH ghak10 v6 2/2] ntp: Audit NTP parameters adjustment

2019-04-01 Thread Ondrej Mosnacek
On Thu, Mar 28, 2019 at 1:02 AM Thomas Gleixner wrote: > On Thu, 7 Mar 2019, Ondrej Mosnacek wrote: > > > Emit an audit record every time selected NTP parameters are modified > > from userspace (via adjtimex(2) or clock_adjtime(2)). > > > > Such events wil

Re: [PATCH ghak90 V5 09/10] audit: add support for containerid to network namespaces

2019-03-28 Thread Ondrej Mosnacek
On Thu, Mar 28, 2019 at 2:12 AM Richard Guy Briggs wrote: > On 2019-03-27 23:42, Ondrej Mosnacek wrote: > > On Fri, Mar 15, 2019 at 7:35 PM Richard Guy Briggs wrote: > > > Audit events could happen in a network namespace outside of a task > > > context due to pa

Re: [PATCH ghak90 V5 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

2019-03-27 Thread Ondrej Mosnacek
hard Guy Briggs Reviewed-by: Ondrej Mosnacek (Just note another "%llu"/u64 occurrence, in case you plan to add the casts.) > --- > include/linux/audit.h| 5 + > kernel/audit.c | 41 + > net/netfilter/nft_log.c | 11 ++

Re: [PATCH ghak90 V5 09/10] audit: add support for containerid to network namespaces

2019-03-27 Thread Ondrej Mosnacek
xy *new_ns; > + u64 contid = audit_get_contid(tsk); > > if (likely(!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | > CLONE_NEWPID | CLONE_NEWNET | > @@ -167,6 +169,7 @@ int copy_namespaces(unsigned long flags, struct > task_stru
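Review bot: `u64 contid = audit_get_contid(tsk);` is evaluated before the `if (likely(!(flags & (CLONE_NEWNS | CLONE_NEWUTS | ...` early-exit check, so the container id is fetched on the common path where no new namespace is created. Unless the value is needed on that path, move the read below the check (or into the branch that records it) so the fast path of copy_namespaces() stays unchanged.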

Re: [PATCH ghak90 V5 08/10] audit: add containerid filtering

2019-03-27 Thread Ondrej Mosnacek
On Tue, Mar 19, 2019 at 12:47 AM Richard Guy Briggs wrote: > On 2019-03-18 21:02, Ondrej Mosnacek wrote: > > On Fri, Mar 15, 2019 at 7:35 PM Richard Guy Briggs wrote: > > > > > > Implement audit container identifier filtering using the AUDIT_CONTID > > > fiel

Re: [PATCH ghak90 V5 07/10] audit: add containerid support for user records

2019-03-27 Thread Ondrej Mosnacek
On Fri, Mar 15, 2019 at 7:34 PM Richard Guy Briggs wrote: > Add audit container identifier auxiliary record to user event standalone > records. > > Signed-off-by: Richard Guy Briggs Reviewed-by: Ondrej Mosnacek > --- > kernel/audit.c | 13 ++--- > 1 file change

Re: [PATCH ghak90 V5 06/10] audit: add support for non-syscall auxiliary records

2019-03-27 Thread Ondrej Mosnacek
be used only for a standalone record and its auxiliary record(s). The > context is discarded immediately after the local associated records are > produced. > > Signed-off-by: Richard Guy Briggs > Acked-by: Serge Hallyn Reviewed-by: Ondrej Mosnacek > --- > include/linux/audit.

Re: [PATCH ghak90 V5 05/10] audit: add containerid support for ptrace and signals

2019-03-27 Thread Ondrej Mosnacek
arget_sid); > + ctx->target_cid = audit_get_contid(t); > memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); > return 0; > } > @@ -2421,6 +2431,7 @@ int audit_signal_info(int sig, struct task_struct *t) > axp->target_uid[axp->pid_count] = t_uid; > axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); > security_task_getsecid(t, >target_sid[axp->pid_count]); > + axp->target_cid[axp->pid_count] = audit_get_contid(t); > memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); > axp->pid_count++; > > -- > 1.8.3.1 > -- Ondrej Mosnacek Software Engineer, Security Technologies Red Hat, Inc.
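Review bot: the second hunk writes `axp->target_cid[axp->pid_count] = audit_get_contid(t);` alongside `target_uid` and `target_sessionid`, so the aux structure behind `axp` must gain a `target_cid` array with the same length as those per-pid arrays. That definition is not in the visible hunks; confirm it is added in the same patch so the index `axp->pid_count` stays within bounds for the new array.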

Re: [PATCH ghak90 V5 04/10] audit: log container info of syscalls

2019-03-27 Thread Ondrej Mosnacek
Richard Guy Briggs > Acked-by: Serge Hallyn > Acked-by: Steve Grubb > Signed-off-by: Richard Guy Briggs Barring one minor nit below, Reviewed-by: Ondrej Mosnacek > --- > include/linux/audit.h | 5 + > include/uapi/linux/audit.h | 1 + > kernel/audit.c

Re: [PATCH ghak90 V5 02/10] audit: add container id

2019-03-27 Thread Ondrej Mosnacek
iggs > Acked-by: Serge Hallyn > Acked-by: Steve Grubb > Signed-off-by: Richard Guy Briggs Note that you have duplicate Signed-off here ^^ Took me a while to understand the flow in audit_set_contid(), but once understood it all made perfect sense, so: Reviewed-by: Ondrej Mosnacek

Re: [PATCH ghak90 V5 01/10] audit: collect audit task parameters

2019-03-27 Thread Ondrej Mosnacek
/issues/81 > but that issue has been closed with this patch included with > https://github.com/linux-audit/audit-kernel/issues/90 > > Signed-off-by: Richard Guy Briggs Reviewed-by: Ondrej Mosnacek > --- > include/linux/audit.h | 49 +++ > include/li

Re: [PATCH ghak90 V5 08/10] audit: add containerid filtering

2019-03-18 Thread Ondrej Mosnacek
e, f->op, > f->val); > break; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index aa5d13b4fbbb..2d74238e9638 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -616,6 +616,9 @@ static int audit_filter_rules(struct task_struct *tsk, > case AUDIT_LOGINUID_SET: > result = audit_comparator(audit_loginuid_set(tsk), > f->op, f->val); > break; > + case AUDIT_CONTID: > + result = audit_comparator64(audit_get_contid(tsk), > f->op, f->val64); > + break; > case AUDIT_SUBJ_USER: > case AUDIT_SUBJ_ROLE: > case AUDIT_SUBJ_TYPE: > -- > 1.8.3.1 > -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.
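Review bot: the new `case AUDIT_CONTID:` compares with `audit_comparator64(audit_get_contid(tsk), f->op, f->val64)`, i.e. against the 64-bit `f->val64` rather than the `f->val` used by the neighbouring `AUDIT_LOGINUID_SET` case. The rule-parsing side must therefore store the full 64-bit container id in `val64` when the rule is built; if it only fills `val`, the filter would compare against a zero or truncated value and match the wrong tasks, so check the matching rule-creation hunk fills `val64` for AUDIT_CONTID.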

Re: [RFC PATCH ghak10 v6 0/2] audit: Log changes that can affect the system clock

2019-03-11 Thread Ondrej Mosnacek
On Fri, Mar 8, 2019 at 9:26 PM Richard Guy Briggs wrote: > On 2019-03-07 13:32, Ondrej Mosnacek wrote: > > This patchset implements auditing of (syscall-triggered) changes that > > can modify or indirectly affect the system clock. Some of these > > changes can already

[RFC PATCH ghak10 v6 2/2] ntp: Audit NTP parameters adjustment

2019-03-07 Thread Ondrej Mosnacek
inform userspace applications (NOT AUDITED) time_constant -- controls the speed of the clock adjustments that are made when time_offset is set (NOT AUDITED) time_adjust -- can temporarily speed up or slow down the clock by up

[RFC PATCH ghak10 v6 0/2] audit: Log changes that can affect the system clock

2019-03-07 Thread Ondrej Mosnacek
inux-audit/2018-June/msg00095.html [1] https://www.niap-ccevs.org/MMO/PP/pp_ca_v2.1.pdf -- section 5.1, table 4 Ondrej Mosnacek (2): timekeeping: Audit clock adjustments ntp: Audit NTP parameters adjustment include/linux/audit.h | 29 + include/uap

[RFC PATCH ghak10 v6 1/2] timekeeping: Audit clock adjustments

2019-03-07 Thread Ondrej Mosnacek
*after* the syscall was executed, so they contain the current (new) values as set from the kernel, except for the 'modes' field, which contains the original value sent by the caller.) Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 15 +++ include/uapi/linux/audit.h | 1

Re: [PATCH v3 3/4] selinux: remove some useless BUG_ONs

2019-01-25 Thread Ondrej Mosnacek
On Fri, Jan 25, 2019 at 2:49 PM Stephen Smalley wrote: > On 1/25/19 5:06 AM, Ondrej Mosnacek wrote: > > These BUG_ONs do not really protect from any catastrophic situation so > > there is no need to have them there. > > They are to catch bugs in callers that pass requested=

[PATCH v3 3/4] selinux: remove some useless BUG_ONs

2019-01-25 Thread Ondrej Mosnacek
These BUG_ONs do not really protect from any catastrophic situation so there is no need to have them there. Signed-off-by: Ondrej Mosnacek --- security/selinux/avc.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 5ebad47391c9

[PATCH v3 2/4] selinux: replace some BUG_ON()s with a WARN_ON()

2019-01-25 Thread Ondrej Mosnacek
We don't need to crash the machine in these cases. Let's just detect the buggy state early and error out with a warning. Signed-off-by: Ondrej Mosnacek --- security/selinux/avc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux

[PATCH v3 0/4] Report raw context in AVCs + refactoring

2019-01-25 Thread Ondrej Mosnacek
://lore.kernel.org/selinux/20190121153605.26847-1-omosn...@redhat.com/T/ Changes in v2: - rename new fields to *rawcon v1: https://lore.kernel.org/selinux/20190118100429.11703-1-omosn...@redhat.com/T/ Ondrej Mosnacek (4): selinux: inline some AVC functions used only once selinux: replace some BUG_ON

[PATCH v3 1/4] selinux: inline some AVC functions used only once

2019-01-25 Thread Ondrej Mosnacek
avc_dump_av() and avc_dump_query() are each used only in one place. Get rid of them and open code their contents in the call sites. Signed-off-by: Ondrej Mosnacek --- security/selinux/avc.c | 140 + 1 file changed, 58 insertions(+), 82 deletions(-) diff

[PATCH v3 4/4] selinux: log invalid contexts in AVCs

2019-01-25 Thread Ondrej Mosnacek
le permissive=1 trawcon=system_u:object_r:banana_t:s0 Note that it is also possible to encounter this situation with the 'scontext' field - e.g. when a new policy is loaded while a process is running, whose context is not valid in the new policy. Cc: Daniel Walsh Link: https://bugzilla.redha

Re: [PATCH v2] selinux: log invalid contexts in AVCs

2019-01-25 Thread Ondrej Mosnacek
On Tue, Jan 22, 2019 at 8:42 PM Paul Moore wrote: > On Mon, Jan 21, 2019 at 10:36 AM Ondrej Mosnacek wrote: > > In case a file has an invalid context set, in an AVC record generated > > upon access to such file, the target context is always reported as > > unlabeled. This pa

[PATCH v2] selinux: log invalid contexts in AVCs

2019-01-21 Thread Ondrej Mosnacek
n=system_u:object_r:banana_t:s0 tclass=file permissive=1 Cc: Daniel Walsh Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Signed-off-by: Ondrej Mosnacek --- v2: Rename fields to "(s|t)rawcon". security/selinux/avc.c | 49 +- 1 file cha

Re: [RFC PATCH] selinux: log invalid contexts in AVCs

2019-01-21 Thread Ondrej Mosnacek
On Mon, Jan 21, 2019 at 11:26 AM Steve Grubb wrote: > On Mon, 21 Jan 2019 09:36:43 +0100 > Ondrej Mosnacek wrote: > > > On Sat, Jan 19, 2019 at 2:23 PM Richard Guy Briggs > > wrote: > > > On 2019-01-18 11:04, Ondrej Mosnacek wrote: > > > > In case a

Re: [RFC PATCH] selinux: log invalid contexts in AVCs

2019-01-21 Thread Ondrej Mosnacek
On Sat, Jan 19, 2019 at 2:23 PM Richard Guy Briggs wrote: > On 2019-01-18 11:04, Ondrej Mosnacek wrote: > > In case a file has an invalid context set, in an AVC record generated > > upon access to such file, the target context is always reported as > > unlabeled. This pa

[RFC PATCH] selinux: log invalid contexts in AVCs

2019-01-18 Thread Ondrej Mosnacek
t:s0 tclass=file permissive=1 Cc: Daniel Walsh Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Signed-off-by: Ondrej Mosnacek --- security/selinux/avc.c | 49 +- 1 file changed, 29 insertions(+), 20 deletions(-) I'm not entirely sure about the record f

Re: [RFC PATCH] audit-testsuite: improve our chances of losing records in lost_reset

2018-12-15 Thread Ondrej Mosnacek
back then... So, in the umount2 test this: system("cd $basedir/$clientdir; echo \$\$ > $stdout; exec ./$client -f -s $tmpdir &"); should be replaced with this (along with dropping the "$pid_fuse += 1;" line): system("cd $basedir/$clientdir; exec ./$client -f -s $tmpdir & echo \$! > $stdout;"); That said, I think the code in the lost_reset test is doing the right thing and I wouldn't expect it to get the ping PID wrong. Hope that helps, -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-12-04 Thread Ondrej Mosnacek
On Sat, Dec 1, 2018 at 5:50 PM Steve Grubb wrote: > On Tuesday, November 13, 2018 11:30:55 AM EST Paul Moore wrote: > > On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek > wrote: > > > On Tue, Nov 6, 2018 at 9:19 PM Paul Moore wrote: > > > > On Tue, Nov 6

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-11-13 Thread Ondrej Mosnacek
On Tue, Nov 6, 2018 at 9:19 PM Paul Moore wrote: > On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek wrote: > > On Tue, Nov 6, 2018 at 12:30 AM Paul Moore wrote: > > > Let's reset this discussion a bit ... if we abolish relative paths and > > > make everything absolute,

Re: stuck on ghak100 testsuite script

2018-11-12 Thread Ondrej Mosnacek
On Mon, Nov 12, 2018 at 12:32 PM Ondrej Mosnacek wrote: > On Sun, Nov 11, 2018 at 11:36 PM Richard Guy Briggs wrote: > > On 2018-11-11 17:24, Ondrej Mosnacek wrote: > > > Hi Richard, > > > On Fri, Nov 9, 2018 at 11:04 PM Richard Guy Briggs > >

Re: stuck on ghak100 testsuite script

2018-11-12 Thread Ondrej Mosnacek
On Mon, Nov 12, 2018 at 2:32 PM Richard Guy Briggs wrote: > On 2018-11-12 12:32, Ondrej Mosnacek wrote: > > On Sun, Nov 11, 2018 at 11:36 PM Richard Guy Briggs wrote: > > > On 2018-11-11 17:24, Ondrej Mosnacek wrote: > > > > Hi Richard, > > > > On Fri,

Re: stuck on ghak100 testsuite script

2018-11-12 Thread Ondrej Mosnacek
On Sun, Nov 11, 2018 at 11:36 PM Richard Guy Briggs wrote: > On 2018-11-11 17:24, Ondrej Mosnacek wrote: > > Hi Richard, > > On Fri, Nov 9, 2018 at 11:04 PM Richard Guy Briggs wrote: > > > Hi Paul, Ondrej, > > > > > > I've got a couple of patche

Re: stuck on ghak100 testsuite script

2018-11-11 Thread Ondrej Mosnacek
simulate the hung filesystem. > > > - RGB > > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 > > -- > Linux-audit mail

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-11-06 Thread Ondrej Mosnacek
On Tue, Nov 6, 2018 at 12:30 AM Paul Moore wrote: > On Wed, Oct 31, 2018 at 4:54 AM Ondrej Mosnacek wrote: > > On Wed, Sep 19, 2018 at 5:44 PM Paul Moore wrote: > > > On Wed, Sep 19, 2018 at 7:01 AM Ondrej Mosnacek > > > wrote: > > > > On Wed, Se

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-10-31 Thread Ondrej Mosnacek
Sorry for the long-delayed reply, the SELinux world is keeping me quite busy right now :) On Wed, Sep 19, 2018 at 5:44 PM Paul Moore wrote: > On Wed, Sep 19, 2018 at 7:01 AM Ondrej Mosnacek wrote: > > On Wed, Sep 19, 2018 at 3:35 AM Paul Moore wrote: > > > On Thu, Sep 13, 201

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-09-21 Thread Ondrej Mosnacek
On Mon, Sep 17, 2018 at 4:51 PM Paul Moore wrote: > On Mon, Sep 17, 2018 at 8:38 AM Ondrej Mosnacek wrote: > > > > On Fri, Sep 14, 2018 at 5:19 AM Paul Moore wrote: > > > On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek > > > wrote: > > > >

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-09-19 Thread Ondrej Mosnacek
On Wed, Sep 19, 2018 at 3:35 AM Paul Moore wrote: > On Thu, Sep 13, 2018 at 10:13 AM Paul Moore wrote: > > On Thu, Sep 13, 2018 at 9:58 AM Ondrej Mosnacek wrote: > > > Paul, could you please answer this question so I can move forward? :) > > > > Yep, sorry for the

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-09-17 Thread Ondrej Mosnacek
On Fri, Sep 14, 2018 at 5:19 AM Paul Moore wrote: > On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek wrote: > > This patch adds two auxiliary record types that will be used to annotate > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > been

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-09-17 Thread Ondrej Mosnacek
On Fri, Sep 14, 2018 at 5:09 AM Paul Moore wrote: > On Thu, Sep 13, 2018 at 9:59 AM Ondrej Mosnacek wrote: > > On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb wrote: > > > On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote: > > > > On Mon, Aug 27, 20

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-09-17 Thread Ondrej Mosnacek
On Thu, Sep 13, 2018 at 5:59 PM Richard Guy Briggs wrote: > On 2018-08-27 10:28, Ondrej Mosnacek wrote: > > On Fri, Aug 24, 2018 at 8:33 PM John Stultz wrote: > > > On Fri, Aug 24, 2018 at 5:00 AM, Ondrej Mosnacek > > > wrote: > > > > Thi

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-09-13 Thread Ondrej Mosnacek
On Mon, Aug 27, 2018 at 6:38 PM Steve Grubb wrote: > On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote: > > On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar > wrote: > > > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote: > > > > Thi

Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls

2018-09-13 Thread Ondrej Mosnacek
On Fri, Aug 24, 2018 at 4:56 PM Steve Grubb wrote: > On Wednesday, August 22, 2018 5:27:17 PM EDT Paul Moore wrote: > > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar > wrote: > > > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote: > > > > > @John

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-09-13 Thread Ondrej Mosnacek
On Mon, Aug 27, 2018 at 3:00 PM Ondrej Mosnacek wrote: > On Fri, Aug 24, 2018 at 4:09 PM Paul Moore wrote: > > > > On Fri, Aug 3, 2018 at 3:08 AM Ondrej Mosnacek wrote: > > > On Fri, Aug 3, 2018 at 12:24 AM Paul Moore wrote: > > > > On Thu, Au

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-08-27 Thread Ondrej Mosnacek
On Fri, Aug 24, 2018 at 4:09 PM Paul Moore wrote: > > On Fri, Aug 3, 2018 at 3:08 AM Ondrej Mosnacek wrote: > > On Fri, Aug 3, 2018 at 12:24 AM Paul Moore wrote: > > > On Thu, Aug 2, 2018 at 7:45 AM Ondrej Mosnacek > > > wrote: > > > > > > >

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-08-27 Thread Ondrej Mosnacek
On Fri, Aug 24, 2018 at 5:14 PM Steve Grubb wrote: > On Friday, August 24, 2018 11:00:35 AM EDT Paul Moore wrote: > > On Thu, Aug 2, 2018 at 8:03 PM Paul Moore wrote: > > > On Thu, Aug 2, 2018 at 7:45 AM Ondrej Mosnacek > wrote: > > > > When a relative path h

Re: [PATCH ghak10 v5 2/2] timekeeping/ntp: Audit clock/NTP params adjustments

2018-08-27 Thread Ondrej Mosnacek
On Fri, Aug 24, 2018 at 9:51 PM Richard Guy Briggs wrote: > On 2018-08-24 14:00, Ondrej Mosnacek wrote: > > This patch adds logging of all attempts to either inject an offset into > > the clock (producing an AUDIT_TIME_INJOFFSET record) or adjust an NTP > >

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-08-27 Thread Ondrej Mosnacek
On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar wrote: > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote: > > This patch adds two auxiliary record types that will be used to annotate > > the adjtimex SYSCALL records with the NTP/timekeeping values that have &

Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-08-27 Thread Ondrej Mosnacek
On Fri, Aug 24, 2018 at 8:33 PM John Stultz wrote: > On Fri, Aug 24, 2018 at 5:00 AM, Ondrej Mosnacek wrote: > > This patch adds two auxiliary record types that will be used to annotate > > the adjtimex SYSCALL records with the NTP/timekeeping values that have > > been

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-08-24 Thread Ondrej Mosnacek
On Thu, Aug 2, 2018 at 1:45 PM Ondrej Mosnacek wrote: > When a relative path has just a single component and we want to emit a > nametype=PARENT record, the current implementation just reports the full > CWD path (which is already available in the audit context). > > This is

[PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments

2018-08-24 Thread Ondrej Mosnacek
- corresponding to the time_adjust variable tick - corresponding to the tick_usec variable tai- corresponding to the timekeeping's TAI offset old - the old value new - the new value Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 21

[PATCH ghak10 v5 2/2] timekeeping/ntp: Audit clock/NTP params adjustments

2018-08-24 Thread Ondrej Mosnacek
are made when time_offset is set (NOT AUDITED) time_adjust -- can temporarily speed up or slow down the clock by up to 0.05% (AUDITED) tick_usec -- a more extreme version of time_freq; can speed up or slow down the clock by up to 10% (AUDITED) Cc: Miroslav

[PATCH ghak10 v5 0/2] audit: Log modifying adjtimex(2) calls

2018-08-24 Thread Ondrej Mosnacek
ead-only. v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html Ondrej Mosnacek (2): audit: Add functions to log time adjustments timekeeping/ntp: Audit clock/NTP params adjustments include/linux/audit.h | 21 + include/uapi/linux/audit.h | 2 ++ kernel/audi

Re: [RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls

2018-08-23 Thread Ondrej Mosnacek
On Wed, Aug 22, 2018 at 11:27 PM Paul Moore wrote: > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar wrote: > > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote: > > > > @John or other timekeeping/NTP folks: We had a discussion on the audit > > > > ML on w

[RFC PATCH ghak10 v4 1/2] audit: Add functions to log time adjustments

2018-08-20 Thread Ondrej Mosnacek
tai - corresponding to the timekeeping's TAI offset old - the old value new - the new value Signed-off-by: Ondrej Mosnacek --- include/linux/audit.h | 21 + include/uapi/linux/audit.h | 2 ++ kernel/auditsc.c | 15

[RFC PATCH ghak10 v4 2/2] timekeeping/ntp: Audit clock/NTP params adjustments

2018-08-20 Thread Ondrej Mosnacek
bil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 5 (TIME_ERROR) (The struct timex fields above are from *after* the syscall was executed, so they contain the current (new) values as set from the kernel, except for the 'modes' field, which contains the original value sent by the caller.) Note t

[RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls

2018-08-20 Thread Ondrej Mosnacek
compact records. - The audit_adjtime() call has been moved to do_adjtimex() in timekeeping.c - Added an additional patch (for review) that simplifies the detection if the syscall is read-only. v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html Ondrej Mosnacek (2): audit:

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-08-05 Thread Ondrej Mosnacek
On Fri, Aug 3, 2018 at 12:24 AM Paul Moore wrote: > On Thu, Aug 2, 2018 at 7:45 AM Ondrej Mosnacek wrote: > > > > When a relative path has just a single component and we want to emit a > > nametype=PARENT record, the current implementation just reports the full > >

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-08-03 Thread Ondrej Mosnacek
On Fri, Aug 3, 2018 at 1:58 AM Paul Moore wrote: > On Thu, Jul 26, 2018 at 5:13 AM Ondrej Mosnacek wrote: > > On Thu, Jul 26, 2018 at 10:12 AM Ondrej Mosnacek > > wrote: > > > I think it should be possible to collect that information by putting > > > hooks in t

Re: [RFC PATCH] audit: minimize our use of audit_log_format()

2018-08-03 Thread Ondrej Mosnacek
making multiple audit_log_format() calls > in a row, for no apparent reason. > > This patch fixes the problems above in the core audit code, the other > kernel subsystems are left for another time. > > Signed-off-by: Paul Moore FWIW, Reviewed-by: Ondrej Mosnacek > -

[PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-08-02 Thread Ondrej Mosnacek
om/linux-audit/audit-kernel/issues/95 Fixes: 9c937dcc7102 ("[PATCH] log more info for directory entry change events") Signed-off-by: Ondrej Mosnacek --- kernel/audit.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 2a8

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-07-26 Thread Ondrej Mosnacek
On Thu, Jul 26, 2018 at 10:12 AM Ondrej Mosnacek wrote: > I think it should be possible to collect that information by putting > hooks in the right places of the filesystem code (and fixing the > current ones). Hm, after closer look, it seems this won't be doable (at least not easily).

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-07-26 Thread Ondrej Mosnacek
On Wed, Jul 25, 2018 at 3:11 PM Steve Grubb wrote: > On Wednesday, July 25, 2018 9:02:50 AM EDT Ondrej Mosnacek wrote: > > On Wed, Jul 25, 2018 at 2:48 PM Steve Grubb wrote: > > > On Wednesday, July 25, 2018 3:44:07 AM EDT Ondrej Mosnacek wrote: > > > > On Wed,

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-07-25 Thread Ondrej Mosnacek
On Wed, Jul 25, 2018 at 2:48 PM Steve Grubb wrote: > On Wednesday, July 25, 2018 3:44:07 AM EDT Ondrej Mosnacek wrote: > > On Wed, Jul 25, 2018 at 3:11 AM Steve Grubb wrote: > > > On Tuesday, July 24, 2018 6:15:54 PM EDT Paul Moore wrote: > > > > On Tue, Jul 24, 20

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-07-25 Thread Ondrej Mosnacek
On Wed, Jul 25, 2018 at 3:11 AM Steve Grubb wrote: > On Tuesday, July 24, 2018 6:15:54 PM EDT Paul Moore wrote: > > On Tue, Jul 24, 2018 at 10:12 AM Ondrej Mosnacek > > > Beyond that, there is really no information in the records that would > > > allow reconstructin

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-07-24 Thread Ondrej Mosnacek
On Mon, Jul 23, 2018 at 10:49 PM Paul Moore wrote: > On Fri, Jul 20, 2018 at 6:12 AM Ondrej Mosnacek wrote: > > On Wed, Jul 18, 2018 at 10:41 PM Paul Moore wrote: > > > On Thu, Jul 12, 2018 at 7:36 AM Ondrej Mosnacek > > > wrote: > > > > This

Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

2018-07-20 Thread Ondrej Mosnacek
On Wed, Jul 18, 2018 at 10:41 PM Paul Moore wrote: > On Thu, Jul 12, 2018 at 7:36 AM Ondrej Mosnacek wrote: > > This patchset is a prototype implementation of the feature requested in > > GHAK issue #9 [1]. I decided for a simple auxiliary record with just 2 > >

Re: [RFC PATCH ghak10 v3 0/3] audit: Log modifying adjtimex(2) calls

2018-07-19 Thread Ondrej Mosnacek
is just not sufficient, we need to log some or all of the variable adjustments and let the people analyzing the logs figure out how that influenced the clock later (NTP algorithm is just too complex). I hope this explanation makes the situation a bit more clear. Time is hard [1] and this particula

Re: [RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd

2018-07-16 Thread Ondrej Mosnacek
On Sat, Jul 14, 2018 at 6:26 PM Steve Grubb wrote: > On Thursday, July 12, 2018 7:36:32 AM EDT Ondrej Mosnacek wrote: > > The function logs an FD_PATH record that is associated with the current > > syscall. The record associates the given file descriptor with the > > cur
