On Tue, Dec 14, 2021 at 11:16 AM Paul Moore wrote:
>
> Due to the audit control mutex necessary for serializing audit
> userspace messages we haven't been able to block/penalize userspace
> processes that attempt to send audit records while the system is
> under audit pres
tree.c | 2 +-
> kernel/auditfilter.c | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
Merged into audit/next, thanks!
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
cessary this is, but it looks correct to me.
Acked-by: Paul Moore
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 121d37e700a6..56ea91014180 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1034,7 +1034,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
opped the audit
control mutex, but before they return to userspace.
Reported-by: Gaosheng Cui
Signed-off-by: Paul Moore
---
kernel/audit.c | 18 +-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 4cebadb5f30d..eab7282668ab 1
needed to send SIGSTOP to the audit daemon), it
is likely not worth exposing this as a tunable at present. This can
always be done at a later date if it proves necessary.
Cc: sta...@vger.kernel.org
Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking")
Reported-by: Gaos
time
> > > 0 rules 3597.78ns
> > > 1 rules 13498.73ns
> > > 10 rules 13122.57ns
> > > 20 rules 12874.88ns
> > > 30 rules 14351.99ns
> > > 40 rules 14181.07ns
> > > 50 rules 13806.45ns
> > > 100 rule
; kernel/audit.h | 12 +---
> kernel/auditsc.c | 22 +-
> 3 files changed, 27 insertions(+), 24 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
| 37 ---
> 4 files changed, 72 insertions(+), 32 deletions(-)
My comments on 24/28 and 25/28 should also apply to this patch.
--
paul moore
www.paul-moore.com
i ? " " : "",
> + lsm_slot_to_name(i));
> + } else {
> + audit_log_format(mab,
> "%ssubj_%s=\"%s\"",
Same as above.
> +i ? " " : "",
> +lsm_slot_to_name(i),
> +lcontext.context);
> + security_release_secctx(&lcontext);
> + }
> + }
> + break;
> default:
> audit_panic("Unknown type in audit_log_end");
> break;
> --
> 2.31.1
--
paul moore
www.paul-moore.com
't recommend this as a
solution even if we were running into problems in audit_log_exit().
The "context" field in the audit_context struct is to identify the
execution context of the task which is generating the audit record(s).
I'm trying to think of a case in this patchset where y
inline int security_audit_rule_match(struct lsmblob *blob secid,
> + u32 field, u32 op,
> struct audit_rules *lsmrules)
> {
> return 0;
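Review bot: The first parameter of the inline security_audit_rule_match() stub reads `struct lsmblob *blob secid`, so the old `secid` name was left behind when the type changed and the stub will not compile. Drop the stray `secid` so the parameter list is `struct lsmblob *blob, u32 field, u32 op, struct audit_rules *lsmrules`.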
Assuming you fixup the typo above that the test robot found it looks
reasonable to me.
Acked-by:
fler
> ---
> kernel/audit.h | 2 +-
> kernel/auditsc.c | 22 --
> 2 files changed, 9 insertions(+), 15 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
t; + boollsm_isset;
> + char*lsm_str;
> + struct audit_rules lsm_rules;
> };
Is lsm_isset strictly necessary? Unless I missed something it seems
like a NULL check on lsm_str would serve the same purpose.
--
paul moore
www.paul-moore.com
iles changed, 47 insertions(+), 26 deletions(-)
Acked-by: Paul Moore # audit
--
paul moore
www.paul-moore.com
13122.57ns
> 20 rules 12874.88ns
> 30 rules 14351.99ns
> 40 rules 14181.07ns
> 50 rules 13806.45ns
> 100 rules 13890.85ns
> 130 rules 14441.45ns
>
> As the result showed, the interval is linearly increased before
> optimization while the interval remains stable after optimization. Note
> that audit skips some operations if there are no rules, so there is a gap
> between 0 rule and 1 rule set.
It looks like a single rule like the one below could effectively
disable this optimization, is that correct?
% auditctl -a exit,always -F uid=1001
% auditctl -l
-a always,exit -S all -F uid=1001
--
paul moore
www.paul-moore.com
before you posted v30. I've added the latest revision to
my todo list and hopefully I can get to them before the end of the
week.
--
paul moore
www.paul-moore.com
On Fri, Nov 19, 2021 at 1:02 PM Richard Guy Briggs wrote:
> On 2021-11-19 11:15, Paul Moore wrote:
> > On Thu, Nov 4, 2021 at 5:53 PM Richard Guy Briggs wrote:
> > > On 2021-11-04 17:29, Paul Moore wrote:
> > > > On Thu, Nov 4, 2021 at 5:00 PM Rich
o that of
the "null" syscall. In other phrasing, if we can process 160 rules in
~4ms in the "null" case, why does it take us ~86ms in the "open" case?
--
paul moore
www.paul-moore.com
On Thu, Nov 4, 2021 at 5:53 PM Richard Guy Briggs wrote:
> On 2021-11-04 17:29, Paul Moore wrote:
> > On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs wrote:
> > >
> > > AUDIT_TIME_* events are generated when there are syscall rules present
> > > that a
simply add the relevant information to the commit description[1]
and omit the link entirely. Since this is just an RFC, please don't
resend the patch just to include that information, you can simply
reply to this thread with the additional info.
--
paul moore
www.paul-moore.com
ing series.
I'm not 100% clear on what you are talking about, but since you are
currently working on the next revision to the LSM stacking patchset
perhaps it's best to just wait and see what the code looks like.
--
paul moore
www.paul-moore.com
ranch" would be helpful. Although I guess that would
require either the revert having the right metadata, e.g. "Cc:", or
that prior mentioned logic to find the original commit so the proper
To/CC lines could be generated.
--
paul moore
www.paul-moore.com
On Tue, Nov 2, 2021 at 7:19 PM Michael Ellerman wrote:
> Paul Moore writes:
> > On Tue, Nov 2, 2021 at 7:38 AM Michael Ellerman
> > wrote:
> >>
> >> On Tue, 24 Aug 2021 13:36:13 + (UTC), Christophe Leroy wrote:
> >> > Commit e65e1fc2d24b
t: Convert powerpc to AUDIT_ARCH_COMPAT_GENERIC
>
> https://git.kernel.org/powerpc/c/566af8cda399c088763d07464463dc871c943b54
Did the test failure discussed earlier in this thread ever get
resolved? If not, this really shouldn't be in linux-next IMO.
--
paul moore
www.paul-moore.com
t.c | 15 +++
security/lsm_audit.c | 2 +-
23 files changed, 184 insertions(+), 98 deletions(-)
create mode 100644 include/linux/audit_arch.h
--
paul moore
www.paul-moore.com
On Wed, Oct 27, 2021 at 4:57 PM Mike Snitzer wrote:
>
> On Tue, Oct 26 2021 at 10:22P -0400,
> Paul Moore wrote:
>
> > On Tue, Oct 19, 2021 at 9:17 PM Paul Moore wrote:
> > > On Tue, Oct 19, 2021 at 9:15 PM Paul Moore wrote:
> > > >
> > > > D
On Tue, Oct 19, 2021 at 9:17 PM Paul Moore wrote:
> On Tue, Oct 19, 2021 at 9:15 PM Paul Moore wrote:
> >
> > Due to conflict with the audit and SELinux trees the device mapper
> > audit record types need to be renumbered before landing in Linus'
> >
changed, 1 insertion(+), 1 deletion(-)
--
paul moore
www.paul-moore.com
On Tue, Oct 19, 2021 at 9:15 PM Paul Moore wrote:
>
> Due to conflict with the audit and SELinux trees the device mapper
> audit record types need to be renumbered before landing in Linus'
> tree.
>
> Link:
> https://lore.kernel.org/lkml/cahc9vhtlmzdqpqsj+vybn
ent module for device mapper")
Signed-off-by: Paul Moore
---
include/uapi/linux/audit.h |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 6650ab6def2a..809e4c2041b3 100644
--- a/include/uapi/linux/audit.
on't keep
> calling only to return ?
Patches are welcome ... ;)
--
paul moore
www.paul-moore.com
y, so return early if the rule has
> a lower priority.
>
> Signed-off-by: Gaosheng Cui
> ---
> kernel/auditsc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
Merged to audit/next, thanks!
--
paul moore
www.paul-moore.com
inus later this week once it
has gone through some additional testing.
--
paul moore
www.paul-moore.com
0;
> if (rule->filterkey) {
> kfree(ctx->filterkey);
> ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
> --
> 2.30.0
--
paul moore
www.paul-moore.com
result =
> audit_comparator(ctx->sockaddr->ss_family,
> f->op, f->val);
> break;
> --
> 2.30.0
--
paul moore
www.paul-moore.com
tch the commit description, I was expecting something more like
this:
int audit_set_capcontid(...)
{
        /* ... */
        rc = -EPERM;
        if (tsk == current || !task_is_descendant(current, tsk))
                rc = -EXDEV;
        else if (current_user_ns() == &init_user_ns &&
                 capable(CAP_AUDIT_CONTROL))
                rc = 0;
        else if (audit_get_capcontid(current))
                rc = 0;
        if (!rc)
                info->capcontid = !!enable;
        /* ... */
}
--
paul moore
www.paul-moore.com
the
1336 value is already in use by AUDIT_URINGOP. It wasn't caught
during my initial build test as the LSM/audit io_uring patches are in
selinux/next and not audit/next, it wasn't until the kernel-secnext
build was merging everything for its test run that the collision
occurred. I'll be updating the audit/next tree with the new value
shortly.
--
paul moore
www.paul-moore.com
On Fri, Oct 1, 2021 at 4:34 PM Paul Moore wrote:
> Okay, so long as you are okay with the header rename I'll go ahead and
> take care of that, although probably not today as merging
> cross-subsystem changes late on a Friday seems like a problem waiting
> to happen.
>
>
On Mon, Oct 4, 2021 at 8:40 AM Richard Guy Briggs wrote:
> On 2021-10-03 19:21, Paul Moore wrote:
> > On Sat, Oct 2, 2021 at 9:16 AM Steve Grubb wrote:
> > > On Thursday, September 9, 2021 8:58:58 PM EDT Richard Guy Briggs wrote:
> > > > > I spent some time th
. Did that change? Are we really going to allow auditing reads on ioring?
Only certain io_uring operations are audited, you can see the patch
here in the selinux/next tree (look for the io_op_defs struct changes
and the "audit_skip" field):
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=5bd2182d58e9d9c6279b7a8a2f9b41add0e7f9cb
--
paul moore
www.paul-moore.com
On Fri, Oct 1, 2021 at 3:53 PM Richard Guy Briggs wrote:
> On 2021-09-30 16:38, Paul Moore wrote:
> > On Thu, Aug 5, 2021 at 6:01 PM Paul Moore wrote:
> > > On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs
> > > wrote:
> > > > Replace audit
On Thu, Aug 5, 2021 at 6:01 PM Paul Moore wrote:
>
> On Wed, May 19, 2021 at 4:01 PM Richard Guy Briggs wrote:
> >
> > Replace audit syscall class magic numbers with macros.
> >
> > This required putting the macros into new header file
> > include/linux/aud
On Tue, Sep 14, 2021 at 10:49 AM Paul Moore wrote:
>
> On Tue, Sep 14, 2021 at 9:15 AM Ondrej Mosnacek wrote:
> >
> > The "key" field is used to associate records with the rule that
> > triggered them, so it's not a good idea to overload it with an
On Wed, Sep 15, 2021 at 12:49 PM Paul Moore wrote:
>
> A quick update to the v3 patchset with a small change to the audit
> record format (remove the audit login ID on io_uring records) and
> a subject line fix on the Smack patch. I also caught a few minor
> things in the code com
On Thu, Sep 16, 2021 at 10:19 AM Richard Guy Briggs wrote:
> On 2021-09-16 10:02, Paul Moore wrote:
> > On Thu, Sep 16, 2021 at 9:33 AM Richard Guy Briggs wrote:
> > > On 2021-09-15 12:49, Paul Moore wrote:
> > > > This patch adds basic auditing to io_u
On Thu, Sep 16, 2021 at 9:33 AM Richard Guy Briggs wrote:
> On 2021-09-15 12:49, Paul Moore wrote:
> > This patch adds basic auditing to io_uring operations, regardless of
> > their context. This is accomplished by allocating audit_context
> > structures for the io-wq worke
arguments.
Acked-by: Mickaël Salaün
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs
smack_uring_* funcs static, remove debug code]
Signed-off-by: Paul Moore
---
v4:
- updated subject line
v3:
- removed debug code
v2:
- made the smack_uring_* funcs static
v1:
- initial draft
---
security/smack/smack_lsm.c | 46
1 file changed, 46
de_creds sqpoll }
These permissions can be seen in the two simple policy statements
below:
allow domA_t domB_t : io_uring { override_creds };
allow domA_t self : io_uring { sqpoll };
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- removed work-in-progress warning from the description
e application making the request.
With a SQPOLL thread, we can no longer compare requested
credential changes against the application making the request,
the comparison is made against the ring's credentials.
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- removed work-in-
tions.
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 388754b24785..56cc9aba0d01 100644
--- a/fs/io_uring.c
+++ b/fs/io_ur
0
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
AUID="root" UID="root" GID="root" EUID="root" SUID="root"
FSUID="root" EGID="root" SGID="root" FSGID="root"
Thanks to Richard Guy
_EXIT/audit_filter_list[7].
Thanks to Richard Guy Briggs for his review, feedback, and work on
the corresponding audit userspace changes.
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- removed work-in-progress warning from the description
v2:
- incorporate feedback from Richard
v1:
- initial
the tree/branch below:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
(checkout branch "working-io_uring")
---
Casey Schaufler (1):
Smack: Brutalist io_uring support
Paul Moore (7):
audit: prepare audit_context for use in calling contexts beyond syscalls
->in_syscall flag into an enum which
can be used by future patches to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
v4:
- fix some spelling errors in the comments
small code change, it is somewhat significant so I'll post an
updated v4 patchset later today once it passes through a round of
testing.
--
paul moore
www.paul-moore.com
ata(struct audit_buffer
> *ab,
> case LSM_AUDIT_DATA_NONE:
> return;
> case LSM_AUDIT_DATA_IPC:
> - audit_log_format(ab, " key=%d ", a->u.ipc_id);
> + audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id);
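Review bot: Renaming the field from `key=` to `ipc_key=` in the LSM_AUDIT_DATA_IPC case changes the text of a record that userspace parses, so the commit description should name the old and new field and give the reason (the audit "key" field is the one that associates records with the rule that triggered them). Any consumer that searches these records on `key=` will need the matching update.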
tsc.c | 15 +--
> 1 file changed, 1 insertion(+), 14 deletions(-)
Merged into audit/next, thanks!
--
paul moore
www.paul-moore.com
On Tue, Sep 14, 2021 at 10:26 AM Casey Schaufler wrote:
>
> On 9/13/2021 8:33 PM, Paul Moore wrote:
> > From: Casey Schaufler
> >
> > Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> > for the override_creds case and CAP_MAC_ADMIN for creating a
>
tions.
Signed-off-by: Paul Moore
---
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 388754b24785..56cc9aba0d01 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -10
smack_uring_* funcs static, remove debug code]
Signed-off-by: Paul Moore
---
v3:
- removed debug code
v2:
- made the smack_uring_* funcs static
v1:
- initial draft
---
security/smack/smack_lsm.c | 46
1 file changed, 46 insertions(+)
diff --git a
de_creds sqpoll }
These permissions can be seen in the two simple policy statements
below:
allow domA_t domB_t : io_uring { override_creds };
allow domA_t self : io_uring { sqpoll };
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning from the description
v2:
- made the
e application making the request.
With a SQPOLL thread, we can no longer compare requested
credential changes against the application making the request,
the comparison is made against the ring's credentials.
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning from
arguments.
Acked-by: Mickaël Salaün
Signed-off-by: Paul Moore
---
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs/anon_inodes.c b/fs
_EXIT/audit_filter_list[7].
Thanks to Richard Guy Briggs for his review, feedback, and work on
the corresponding audit userspace changes.
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning from the description
v2:
- incorporate feedback from Richard
v1:
- initial draft
---
include
0
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
AUID="root" UID="root" GID="root" EUID="root" SUID="root"
FSUID="root" EGID="root" SGID="root" FSGID="root"
Thanks to Richard
->in_syscall flag into an enum which
can be used by future patches to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning from
orking-io_uring")
-Paul
---
Casey Schaufler (1):
Smack: Brutalist io_uring support with debug
Paul Moore (7):
audit: prepare audit_context for use in calling contexts beyond syscalls
audit,io_uring,io-wq: add some basic audit support to io_uring
audit: add filtering
On Mon, Sep 13, 2021 at 9:50 PM Paul Moore wrote:
> On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote:
> > On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> > > On 2021-09-01 15:21, Paul Moore wrote:
> > > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore w
On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote:
> On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> > On 2021-09-01 15:21, Paul Moore wrote:
> > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> > > > On Sat, Aug 28, 2021 at 11:04 AM Rich
On Tue, Sep 7, 2021 at 11:45 AM LEROY Christophe
wrote:
> > -Original Message-
> > From: Paul Moore
> > On Mon, Sep 6, 2021 at 2:41 AM LEROY Christophe
> > wrote:
> > > On 03/09/2021 at 19:06, Paul Moore wrote:
> > > > On Fri, Sep 3
a copy of the GNU General Public License
> - * along with this program; if not, write to the Free Software
> - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> - *
> * Written by Rickard E. (Rik) Faith
> *
> * Many of the ideas implemented
On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> On 2021-09-01 15:21, Paul Moore wrote:
> > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> > > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs
> > > wrote:
> > > > I did set a syscall fi
On Mon, Sep 6, 2021 at 2:41 AM LEROY Christophe
wrote:
> On 03/09/2021 at 19:06, Paul Moore wrote:
> > On Fri, Sep 3, 2021 at 11:48 AM Christophe Leroy
> > wrote:
> >>
> >> struct node defined in kernel/audit_tree.c conflicts with
> >> s
sector=?", dev_major,
> +dev_minor);
> + break;
> + }
> + audit_log_format(ab, " res=%d", result);
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL_GPL(dm_audit_log_ti);
Just checking, but are you okay when
struct node *node;
> + struct audit_node *node;
> spin_lock(&hash_lock);
> list_for_each_entry(node, &tree->chunks, list)
> node->index &= ~(1U<<31);
> @@ -938,7 +938,7 @@ int audit_tag_tree(char *old, char *new)
> mutex_unlock(&audit_filter_mutex);
>
> if (!failed) {
> - struct node *node;
> + struct audit_node *node;
> spin_lock(&hash_lock);
> list_for_each_entry(node, &tree->chunks, list)
> node->index &= ~(1U<<31);
> --
> 2.25.0
>
--
paul moore
www.paul-moore.com
On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs wrote:
> > I did set a syscall filter for
> > -a exit,always -F arch=b64 -S
> > io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
>
On Tue, Aug 31, 2021 at 11:03 AM Casey Schaufler wrote:
> On 8/31/2021 7:44 AM, Paul Moore wrote:
> >
> > Casey, with the idea of posting a v3 towards the end of the merge
> > window next week, without the RFC tag and with the intention of
> > merging it into -next duri
On Wed, Aug 11, 2021 at 4:49 PM Paul Moore wrote:
>
> From: Casey Schaufler
>
> Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> for the override_creds case and CAP_MAC_ADMIN for creating a
> polling thread. These choices are based on conjecture regarding
to kernel/audit.h
Richard Guy Briggs (1):
audit: move put_tree() to avoid trim_trees refcount underflow and UAF
kernel/audit.h | 5 +
kernel/audit_tree.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
--
paul moore
www.paul-moore.com
ecution context returns to userspace and in the case of
sqpoll the processing is handled by a separate kernel thread with no
association to a process thread.
--
paul moore
www.paul-moore.com
On Fri, Aug 27, 2021 at 9:36 AM Richard Guy Briggs wrote:
> On 2021-08-26 15:14, Paul Moore wrote:
> > On Thu, Aug 26, 2021 at 12:32 PM Richard Guy Briggs wrote:
> > > I'm getting:
> > > # ./iouring.2
> > > Kernel thread io_uring-sq is n
On Thu, Aug 26, 2021 at 10:37 AM Michael Ellerman wrote:
> Paul Moore writes:
> > On Tue, Aug 24, 2021 at 1:11 PM Christophe Leroy
> > wrote:
> >> On 24/08/2021 at 16:47, Paul Moore wrote:
> >> > On Tue, Aug 24, 2021 at 9:36 AM Christophe Leroy
ted, pid = 2082
> >>> memfd created, fd = 3
> io_uring_queue_init: Permission denied
>
> I have CONFIG_IO_URING=y set, what else is needed?
I'm not sure how you tried to run those tests, but try running as root
and with SELinux in permissive mode.
--
paul moor
On Wed, Aug 25, 2021 at 9:16 PM Richard Guy Briggs wrote:
>
> On 2021-08-24 16:57, Richard Guy Briggs wrote:
> > On 2021-08-11 16:48, Paul Moore wrote:
> > > Draft #2 of the patchset which brings auditing and proper LSM access
> > > controls to the io_uring subsyst
On Tue, Aug 24, 2021 at 9:21 PM Richard Guy Briggs wrote:
>
> On 2021-06-02 13:46, Paul Moore wrote:
> > On Wed, Jun 2, 2021 at 1:29 PM Richard Guy Briggs wrote:
> > > On 2021-05-21 17:49, Paul Moore wrote:
> > > > WARNING - This is a work in progress and shou
On Tue, Aug 24, 2021 at 1:11 PM Christophe Leroy
wrote:
> On 24/08/2021 at 16:47, Paul Moore wrote:
> > On Tue, Aug 24, 2021 at 9:36 AM Christophe Leroy
> > wrote:
> >>
> >> Commit e65e1fc2d24b ("[PATCH] syscall class hookup for all normal
> >>
'm
going to simply add the -stable marking and merge it into audit/next
to get pushed up to Linus early next week, assuming we see v5.14
released this Sunday. If for some reason we see a v5.14-rc8 next week
I'll adjust things and send it to Linus as a -stable patch.
--
paul moore
www.paul-moore.com
can be important,
but the bug is *really* important; even if you don't have a fix for
that, just a description of the problem would be good.
--
paul moore
www.paul-moore.com
/*
* io_uring test tool to exercise LSM/SELinux and audit kernel code paths
* Author: Paul Moore
*
* Copyright 2021
On Tue, Aug 24, 2021 at 11:20 AM Casey Schaufler wrote:
> On 8/24/2021 7:45 AM, Paul Moore wrote:
> > On Fri, Aug 20, 2021 at 7:48 PM Casey Schaufler
> > wrote:
> >>> On 8/20/2021 12:06 PM, Paul Moore wrote:
> >>>> Unless you explicitly enable audit o
it: Add generic compat syscall support")
> added generic support for bi-arch.
>
> Convert powerpc to that bi-arch generic audit support.
>
> Cc: Paul Moore
> Cc: Eric Paris
> Signed-off-by: Christophe Leroy
> ---
> Resending v2 with Audit people in Cc
>
> v2:
On Fri, Aug 20, 2021 at 7:48 PM Casey Schaufler wrote:
> > On 8/20/2021 12:06 PM, Paul Moore wrote:
> >> Unless you explicitly enable audit on the kernel cmdline, e.g.
> >> "audit=1", processes started before userspace enables audit will not
> >> have
On Thu, Aug 19, 2021 at 6:41 PM Casey Schaufler wrote:
> On 8/18/2021 5:56 PM, Casey Schaufler wrote:
> > On 8/18/2021 5:47 PM, Paul Moore wrote:
> >> ...
> >> I just spent a few minutes tracing the code paths up from audit
> >> through netlink and then through
On Wed, Aug 18, 2021 at 5:59 PM Casey Schaufler wrote:
>
> On 8/16/2021 11:57 AM, Paul Moore wrote:
> > On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler
> > wrote:
> >> On 8/13/2021 1:43 PM, Paul Moore wrote:
> ...
> > Yeah, the thought occurred to me, but we
d"
"... module=%s dev=%s op=%s error_msg='%s' res=%d"
"... module=%s dev=%s op=%s res=%d"
The first thing that jumps out is that some fields, e.g. "sector", are
not always present in the record; we typically handle this by using a
"?" for t
On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler wrote:
> On 8/13/2021 1:43 PM, Paul Moore wrote:
> > On Fri, Aug 13, 2021 at 2:48 PM Casey Schaufler
> > wrote:
> >> On 8/13/2021 8:31 AM, Paul Moore wrote:
> >>> On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler
On Fri, Aug 13, 2021 at 2:48 PM Casey Schaufler wrote:
> On 8/13/2021 8:31 AM, Paul Moore wrote:
> > On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler
> > wrote:
> >> On 8/12/2021 1:59 PM, Paul Moore wrote:
> >>> On Wed, Jul 21, 2021 at 9:12 PM Casey Schaufle
On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler wrote:
> On 8/12/2021 1:59 PM, Paul Moore wrote:
> > On Wed, Jul 21, 2021 at 9:12 PM Casey Schaufler
> > wrote:
> >> Create a new audit record type to contain the subject information
> >> when there are multiple s
inition of a local
audit_context. However, there really should be no reason why we have
to distinguish between a proper and local audit_context when it comes
to free'ing the memory, just call audit_free_context() in both cases.
> @@ -1036,7 +1042,7 @@ static int audit_log_pid_context(struct audit_context
> *context, pid_t pid,
> from_kuid(&init_user_ns, auid),
> from_kuid(&init_user_ns, uid), sessionid);
> if (lsmblob_is_set(blob)) {
> - if (security_secid_to_secctx(blob, &lsmctx)) {
> + if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
Misplaced code change?
Actually, there are a lot of these below, I'm not going to comment on
all of them as I think you get the idea ... and I very well may be
wrong so I'll save you all of my wrongness in that case :)
> diff --git a/security/security.c b/security/security.c
> index cb359e185d1a..5d7fd982f84a 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2309,7 +2309,7 @@ int security_setprocattr(const char *lsm, const char
> *name, void *value,
> hlist_for_each_entry(hp, &security_hook_heads.setprocattr,
> list) {
> rc = hp->hook.setprocattr(name, value, size);
> - if (rc < 0)
> + if (rc < 0 && rc != -EINVAL)
> return rc;
> }
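Review bot: In the security_setprocattr() loop, `if (rc < 0 && rc != -EINVAL)` lets the walk continue past a hook that rejected the value with -EINVAL, and the hunk does not show what the caller sees when every hook returns -EINVAL or when a later hook succeeds after an earlier one refused. Add a comment stating what -EINVAL means at this point (for example, "attribute not handled by this module") and make sure a genuine invalid-value error from the LSM that owns the attribute still reaches the caller.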
This really looks misplaced ... ?
--
paul moore
www.paul-moore.com
On Thu, Aug 12, 2021 at 5:32 AM Mickaël Salaün wrote:
> On 11/08/2021 22:48, Paul Moore wrote:
> > Extending the secure anonymous inode support to other subsystems
> > requires that we have a secure anon_inode_getfile() variant in
> > addition to the existing secure anon_