nt to
add to it in the future. What do you think about something like
"audit_arch.h" instead?
If that change is okay with you I can go ahead and do the rename while
I'm merging the patches, I'll consider it penance for letting this
patchset sit for so long :/
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
least the kernel/auditsc.c file still makes use of the
timespec64 struct which is defined in include/linux/time64.h which is
brought in by include/linux/time.h and *not* by
include/linux/timekeeping.h. As long as we make use of the timespec64
struct and the definition remains in time64.h let's ke
On Fri, Jul 16, 2021 at 8:30 AM wrote:
> From: MaYuming
>
> avoid include file to multi include.
>
> Signed-off-by: MaYuming
> ---
> kernel/audit.h | 5 +
> 1 file changed, 5 insertions(+)
Merged into audit/next, thanks.
/audit_tree.c| 12 +++--
kernel/auditsc.c | 63 --
security/lsm_audit.c | 1 -
5 files changed, 53 insertions(+), 37 deletions(-)
On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh wrote:
>
> Hi again!
!!! :)
> On Mo, 2021-06-28T13:34-0400, Paul Moore wrote:
> > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh
> > wrote:
> > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote:
> > > >
On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh wrote:
>
> Hi Paul,
>
> thanks for your response!
Hi :)
> On Mo, 2021-06-28T12:59-0400, Paul Moore wrote:
> > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh
> > wrote:
> > >
> > > Hi everyone
the audit arch matching the syscall numbers in
> the uapi headers?
Yes, which is why the existing headers do so ;) If you don't see the
header files I mentioned above, it may be worth checking your kernel
source repository and your distribution's installed kernel header
files.
>
> Signed-off-by: Zhen Lei
> ---
> include/uapi/linux/audit.h | 4 ++--
> kernel/audit.h | 2 +-
> kernel/auditsc.c | 8
> 3 files changed, 7 insertions(+), 7 deletions(-)
Merged into audit/next.
ification Richard. I just wanted to
make sure since the contribution format was a bit unusual given the
context :)
Regardless, thanks again for the feedback, I'll get this incorporated.
to audit/next, thank you.
num audit_state used in syscall audit code only. This patch changes
> enum audit_state constants prefix AUDIT to AUDIT_STATE to avoid
> AUDIT_DISABLED redefinition.
>
> v2: the comments of Richard Guy Briggs and Paul Moore were taken into account
>
> Signed-off-by: Sergey Nazaro
On Mon, Jun 7, 2021 at 2:40 PM Richard Guy Briggs wrote:
> On 2021-06-05 23:23, Paul Moore wrote:
> > [NOTE: As this is an RFC patch, I wanted to add some commentary at
> > the top of the patch description explaining where this patch came
> > from and what testing has b
On Mon, Jun 7, 2021 at 1:51 PM Richard Guy Briggs wrote:
> On 2021-06-07 13:07, Paul Moore wrote:
> > On Mon, Jun 7, 2021 at 5:58 AM Sergey Nazarov wrote:
> > > Hi, Paul!
> > > I think this could be easier. It's enough to rename AUDIT_DISABLE only.
> > >
new
> patch version.
Hi Sergey,
I personally prefer the AUDIT_STATE_* enums and would rather see that.
> On Sat, 05/06/2021 at 22:40 -0400, Paul Moore wrote:
> > On Fri, Jun 4, 2021 at 7:21 AM Sergey Nazarov
> > wrote:
> > >
> > > AUDIT_DISABLED defined in ker
of new records. When the thread returns to execution
it checks the queue and if there are any records present it
immediately starts processing them, if the queue is empty the
kauditd thread goes back to sleep.
Signed-off-by: Paul Moore
---
kernel/audit.c | 66
TE_ prefix? As that may get a
bit long, I might suggest dropping the _CONTEXT from the enums too
such that you would end up with the following:
enum audit_state {
AUDIT_STATE_DISABLED,
AUDIT_STATE_BUILD,
AUDIT_STATE_RECORD,
};
Thoughts?
On Thu, Jun 3, 2021 at 11:54 AM Jens Axboe wrote:
> On 5/28/21 10:02 AM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote:
> >> ... If we moved the _entry
> >> and _exit calls into the individual operation case blocks (quick
> >> openat
On Wed, Jun 2, 2021 at 1:29 PM Richard Guy Briggs wrote:
> On 2021-05-21 17:49, Paul Moore wrote:
> > WARNING - This is a work in progress and should not be merged
> > anywhere important. It is almost surely not complete, and while it
> > probably compiles it like
On Wed, Jun 2, 2021 at 4:27 AM Pavel Begunkov wrote:
> On 5/28/21 5:02 PM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote:
> >> ... If we moved the _entry
> >> and _exit calls into the individual operation case blocks (quick
> >> openat
On Wed, Jun 2, 2021 at 11:38 AM Richard Guy Briggs wrote:
> On 2021-06-01 21:40, Paul Moore wrote:
> > On Mon, May 31, 2021 at 9:44 AM Richard Guy Briggs wrote:
> > > On 2021-05-30 11:26, Paul Moore wrote:
> > > > On Fri, May 28, 2021 at 6:36 PM Rich
On Mon, May 31, 2021 at 9:44 AM Richard Guy Briggs wrote:
> On 2021-05-30 11:26, Paul Moore wrote:
> > On Fri, May 28, 2021 at 6:36 PM Richard Guy Briggs wrote:
> > > On 2021-05-21 17:50, Paul Moore wrote:
...
> > > > diff --git a/kernel/auditsc.c b/kernel/audits
On Fri, May 28, 2021 at 6:36 PM Richard Guy Briggs wrote:
> On 2021-05-21 17:50, Paul Moore wrote:
> > WARNING - This is a work in progress and should not be merged
> > anywhere important. It is almost surely not complete, and while it
> > probably compiles it like
On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote:
> ... If we moved the _entry
> and _exit calls into the individual operation case blocks (quick
> openat example below) so that only certain operations were able to be
> audited would that be acceptable assuming the high freque
io_register_personality()
> only captures the value of get_current_cred(), so the process already has
> changed to
> the credentials (at least once for the
> io_uring_register(IORING_REGISTER_PERSONALITY)
> call).
>
> metze
On Wed, May 26, 2021 at 3:44 PM Jens Axboe wrote:
> On 5/26/21 12:44 PM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 2:01 PM Jens Axboe wrote:
> >> On 5/26/21 11:54 AM, Jens Axboe wrote:
> >>> On 5/26/21 11:31 AM, Jens Axboe wrote:
> >>>> On 5/26/2
On Wed, May 26, 2021 at 3:06 PM Jeff Moyer wrote:
> Paul Moore writes:
>
> > On Wed, May 26, 2021 at 10:59 AM Jeff Moyer wrote:
> >> Paul Moore writes:
> >>
> >> > Also, any pointers to easy-to-run io_uring tests would be helpful. I
> >> >
On Wed, May 26, 2021 at 2:57 PM Pavel Begunkov wrote:
> On 5/26/21 7:44 PM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 2:01 PM Jens Axboe wrote:
> >> On 5/26/21 11:54 AM, Jens Axboe wrote:
> >>> On 5/26/21 11:31 AM, Jens Axboe wrote:
> >>>> On 5/2
On Wed, May 26, 2021 at 10:59 AM Jeff Moyer wrote:
> Paul Moore writes:
>
> > Also, any pointers to easy-to-run io_uring tests would be helpful. I
> > am particularly interested in tests which make use of the personality
> > option, share urings across process
On Wed, May 26, 2021 at 2:01 PM Jens Axboe wrote:
> On 5/26/21 11:54 AM, Jens Axboe wrote:
> > On 5/26/21 11:31 AM, Jens Axboe wrote:
> >> On 5/26/21 11:15 AM, Jens Axboe wrote:
> >>> On 5/25/21 8:04 PM, Paul Moore wrote:
> >>>> On Tue, May 25, 2021
On Wed, May 26, 2021 at 1:54 PM Jens Axboe wrote:
> On 5/26/21 11:31 AM, Jens Axboe wrote:
> > On 5/26/21 11:15 AM, Jens Axboe wrote:
> >> On 5/25/21 8:04 PM, Paul Moore wrote:
> >>> On Tue, May 25, 2021 at 9:11 PM Jens Axboe wrote:
> >>>> On 5/24/21
On Wed, May 26, 2021 at 6:19 AM Pavel Begunkov wrote:
> On 5/26/21 3:04 AM, Paul Moore wrote:
> > On Tue, May 25, 2021 at 9:11 PM Jens Axboe wrote:
> >> On 5/24/21 1:59 PM, Paul Moore wrote:
> >>> That said, audit is not for everyone, and we have build time and
>
On Tue, May 25, 2021 at 9:11 PM Jens Axboe wrote:
> On 5/24/21 1:59 PM, Paul Moore wrote:
> > That said, audit is not for everyone, and we have build time and
> > runtime options to help make life easier. Beyond simply disabling
> > audit at compile time a number o
On Tue, May 25, 2021 at 4:27 AM Pavel Begunkov wrote:
> On 5/24/21 8:59 PM, Paul Moore wrote:
> > On Sun, May 23, 2021 at 4:26 PM Pavel Begunkov
> > wrote:
> >> On 5/22/21 3:36 AM, Paul Moore wrote:
> >>> On Fri, May 21, 2021 at 8:22 PM Pavel Begunkov
>
context->mmap.flags);
> > break;
> > + case AUDIT_OPENAT2:
> > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
>
> Hm, should we maybe follow the struct member names for all entries, i.e.
> replace s/oflag/flags?
There is some precedence for using "oflags" to refer to "open" flags,
my guess is Richard is trying to be consistent here. I agree it's a
little odd, but it looks like the right thing to me from an audit
perspective; the audit perspective is a little odd after all :)
, casting and masking all at once. Maybe a
> small static inline helper would be good for the sake of legibility? Sm
> like:
>
> static inline u32 audit_openat2_acc(struct open_how *how, int mask)
> {
> u32 flags = how->flags;
> return mask & ACC_MODE(flags
On Sun, May 23, 2021 at 4:26 PM Pavel Begunkov wrote:
> On 5/22/21 3:36 AM, Paul Moore wrote:
> > On Fri, May 21, 2021 at 8:22 PM Pavel Begunkov
> > wrote:
> >> On 5/21/21 10:49 PM, Paul Moore wrote:
> [...]
> >>>
> >>> + if (req->opcode
On Fri, May 21, 2021 at 8:22 PM Pavel Begunkov wrote:
> On 5/21/21 10:49 PM, Paul Moore wrote:
> > WARNING - This is a work in progress and should not be merged
> > anywhere important. It is almost surely not complete, and while it
> > probably compiles it likely hasn't be
On Fri, May 21, 2021 at 6:05 PM Casey Schaufler wrote:
> On 5/21/2021 1:19 PM, Paul Moore wrote:
> > On Thu, May 13, 2021 at 4:32 PM Casey Schaufler
> > wrote:
> >> Create a new audit record type to contain the subject information
> >> when there are multi
On Fri, May 21, 2021 at 8:53 PM Tetsuo Handa
wrote:
> On 2021/05/22 6:49, Paul Moore wrote:
> > I've provided the SELinux
> > implementation, Casey has been nice enough to provide a Smack patch,
> > and John is working on an AppArmor patch as I write this. I've
>
: io_uring { sqpoll };
Signed-off-by: Paul Moore
---
security/selinux/hooks.c| 67 +++
security/selinux/include/classmap.h |2 +
2 files changed, 69 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ea
-by: Paul Moore
---
security/smack/smack_lsm.c | 64
1 file changed, 64 insertions(+)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 223a6da0e6dc..f6423c0096e9 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack
on is made against the ring's credentials.
Signed-off-by: Paul Moore
---
fs/io_uring.c | 10 ++
include/linux/lsm_hook_defs.h |5 +
include/linux/lsm_hooks.h | 13 +
include/linux/security.h | 16
security/
.
Signed-off-by: Paul Moore
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index e9941d1ad8fd..6ff769c9b7d3 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9562,8 +9562,8 @@ static struct file *io_uring_get_file(struct
arguments.
Signed-off-by: Paul Moore
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index a280156138ed..e0c3e33c4177 100644
--- a/fs/anon_inodes.c
+++ b/fs
of the
existing audit filtering infrastructure as possible. In order to do
this we reuse the audit filter rule's syscall mask for the io_uring
operation and we create a new filter for io_uring operations as
AUDIT_FILTER_URING_EXIT/audit_filter_list[7].
Signed-off-by: Paul Moore
---
include/uapi
WARNING - This patch is intended only to aid in the initial dev/test
of the audit/io_uring support, it is not intended to be merged.
With this patch, you can emit io_uring operation audit records with
the following commands (the first clears any blocking rules):
% auditctl -D
% auditctl -a
below:
%
Thanks to Richard Guy Briggs for review and feedback.
Signed-off-by: Paul Moore
---
fs/io-wq.c |4 +
fs/io_uring.c | 11 +++
include/linux/audit.h | 17
include/uapi/linux/audit.h |1
kernel/audit.h |2 +
kernel
the early/rough nature of these patches).
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
(checkout branch "working-io_uring")
Thanks in advance,
-Paul
---
Casey Schaufler (1):
Smack: Brutalist io_uring support with debug
Paul Moore (8):
audit: prepare aud
hes to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
kernel/audit.h |5 +
kernel/auditsc.c | 255 +++---
2 files chan
MIC, AUDIT_MAC_TASK_CONTEXTS);
> + if (!ab)
> + return; /* audit_panic or being filtered */
We should be consistent with our use of audit_panic() when we bail on
error; we use it below, but not here - why?
> + for (i = 0; i < LSMBLOB_ENTRIES; i++) {
> + if (context->lsm.secid[i] == 0)
> + continue;
> + error = security_secid_to_secctx(>lsm, , i);
> + if (error && error != -EINVAL) {
> + audit_panic("error in audit_log_lsm");
> + return;
> + }
> +
> + audit_log_format(ab, "%ssubj_%s=%s", sep ? " " : "",
> +lsm_slot_to_name(i), lsmdata.context);
> + sep = true;
> + security_release_secctx();
> + }
> + audit_log_end(ab);
> + context->lsmdone = true;
Maybe I missed it, but why do we need this flag?
> +}
> +
> +void audit_log_lsm(struct audit_context *context)
> +{
> + if (!context->lsmdone)
> + audit_log_lsm_common(context);
> +}
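Review bot: the error path `audit_panic("error in audit_log_lsm"); return;` inside the loop leaves the buffer obtained before the `if (!ab)` check without a matching `audit_log_end(ab)`, while the success path ends the record only after the loop; the early return should end (or otherwise release) the partially built record rather than abandon it. The same loop also logs `lsmdata.context` and calls `security_release_secctx()` when `security_secid_to_secctx()` returned -EINVAL, a case the condition deliberately tolerates; if `lsmdata` is not filled in on -EINVAL, that iteration should `continue` past the logging instead.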
I think I was distracted with the local context issue and I've lost
track of the details here, perhaps it's best to fix the local context
issue first (that should be a big change to this patch) and then we
can take another look.
uct.
> >>
> >> Setting the "interface_lsm" requires that all security modules using
> >> setprocattr hooks allow the action. Each security module is
> >> responsible for defining its policy.
> >>
> >> AppArmor hook provided by John Johansen
++-
> net/netfilter/nf_conntrack_standalone.c | 4 ++-
> net/netfilter/nfnetlink_queue.c | 13 ++---
> net/netlabel/netlabel_unlabeled.c | 19 +++---
> net/netlabel/netlabel_user.c| 4 ++-
> security/security.c | 11
> 15 fi
> Signed-off-by: Casey Schaufler
> Cc: net...@vger.kernel.org
> Cc: netfilter-de...@vger.kernel.org
> ---
> net/netfilter/nfnetlink_queue.c | 37 +
> 1 file changed, 14 insertions(+), 23 deletions(-)
Acked-by: Paul Moore
cords, but that is a problem for another day.
Acked-by: Paul Moore
+++-
> 6 files changed, 85 insertions(+), 25 deletions(-)
Acked-by: Paul Moore
ll. This allows for the
> possibility that more than one module may be called upon
> to translate a secid to a string, as can occur in the
> audit code.
>
> Signed-off-by: Casey Schaufler
> Cc: net...@vger.kernel.org
> Cc: linux-audit@redhat.com
> Cc: netfilter-de...@vger.kernel.org
>
yet another review by the end of the week.
dev_name
> pointer and be done with it.
>
> Signed-off-by: Ondrej Mosnacek
> ---
> include/linux/lsm_audit.h | 8
> security/selinux/hooks.c | 2 +-
> 2 files changed, 5 insertions(+), 5 deletions(-)
Much better, merged into selinux/next. Thanks.
On Wed, May 12, 2021 at 4:43 AM He Zhe wrote:
> On 5/11/21 10:51 PM, Paul Moore wrote:
> > On Mon, May 10, 2021 at 11:19 PM He Zhe wrote:
> >> On 5/11/21 6:38 AM, Paul Moore wrote:
> >>> On Fri, Apr 23, 2021 at 6:36 AM He Zhe wrote:
> >>>> regs_r
On Tue, May 11, 2021 at 1:14 PM Richard Guy Briggs wrote:
>
> On 2021-05-10 21:23, Paul Moore wrote:
> > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote:
> > >
> > > Replace audit syscall class magic numbers with macros.
> > >
> > > This
On Tue, May 11, 2021 at 10:00 AM Casey Schaufler wrote:
> On 5/10/2021 6:28 PM, Paul Moore wrote:
> > On Mon, May 10, 2021 at 8:37 PM Casey Schaufler
> > wrote:
> >> On 5/10/2021 4:52 PM, Paul Moore wrote:
> >>> On Mon, May 10, 2021 at 12:30 PM Casey Schaufl
On Mon, May 10, 2021 at 11:19 PM He Zhe wrote:
> On 5/11/21 6:38 AM, Paul Moore wrote:
> > On Fri, Apr 23, 2021 at 6:36 AM He Zhe wrote:
> >> regs_return_value for some architectures like arm64 simply retrieve
> >> register value from pt_regs without sign extension in
On Mon, May 10, 2021 at 8:37 PM Casey Schaufler wrote:
> On 5/10/2021 4:52 PM, Paul Moore wrote:
> > On Mon, May 10, 2021 at 12:30 PM Casey Schaufler
> > wrote:
> >> On 5/7/2021 6:54 PM, Richard Guy Briggs wrote:
> >>> On 2021-05-07 14:03, Casey Schaufle
t; +
> +enum auditsc_class_t {
> + AUDITSC_NATIVE = 0,
> + AUDITSC_COMPAT,
> + AUDITSC_OPEN,
> + AUDITSC_OPENAT,
> + AUDITSC_SOCKETCALL,
> + AUDITSC_EXECVE,
> +
> + AUDITSC_NVALS /* count */
> +};
> +
> +#endif
f that is information you'd
> want to see in a audit record. On the other hand, if the xattr was an
> eBPF program used to make access control decisions, you would want at
> least a reference to it in the audit record.
It would be interesting to see how this code would handle arbitrarily
large
USER:
> case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> - if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> + if (!netlink_ns_capable(skb, current_user_ns(),
> CAP_AUDIT_WRITE))
>
d, 21 insertions(+)
Merged into audit/next.
);
> + long return_code = syscall_get_return_value(current, pt_regs);
>
> __audit_syscall_exit(success, return_code);
> }
| 12 ++--
kernel/auditsc.c | 11 ---
4 files changed, 39 insertions(+), 13 deletions(-)
create mode 100644 Documentation/ABI/stable/procfs-audit_loginuid
command which causes a
> warning. Documentation/ABI/README describes the valid fields.
>
> Reported-by: Mauro Carvalho Chehab
> Signed-off-by: Richard Guy Briggs
> ---
> .../ABI/stable/procfs-audit_loginuid | 22 +--
> 1 file changed, 11 insertions(+), 11 de
invalid. Line
> Format: %u
>
> You should either drop it or add it to the parser and to the README
> file, if the ABI maintainers are ok with such new field.
Thanks Mauro, I didn't realize there were tools that parsed these files.
Richa
On Tue, Mar 30, 2021 at 6:53 PM Pablo Neira Ayuso wrote:
> On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote:
> [...]
> > Netfilter folks, were you planning to pull this via your tree/netdev
> > or would you like me to merge this via the audit tree? If the latter,
>
you planning to pull this via your tree/netdev
or would you like me to merge this via the audit tree? If the latter,
I would appreciate it if I could get an ACK from one of you; if the
former, my ACK is below.
Acked-by: Paul Moore
[NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> + [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
> + [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> +};
The previously reported problem with this as a static still exists,
correct? It does seem like this should live in nf_tables_api.c
doesn't it?
do { } while (0)" instead, and change a
> few more that were (void)0, for consistency.
>
> Signed-off-by: Arnd Bergmann
> ---
> v2: convert two more macros
> ---
> kernel/audit.h | 12 ++--
> 1 file changed, 6 insertions(+), 6 deletions(-)
Merged into audit/next
On Thu, Mar 18, 2021 at 4:42 PM Paul Moore wrote:
>
> An update on the previous RFC patchset found here:
>
> https://lore.kernel.org/linux-security-module/161377712068.87807.12246856567527156637.stgit@sifl/
>
> Aside from being rebased to the current SELinux next branch (which
On Thu, Mar 18, 2021 at 4:57 PM Casey Schaufler wrote:
>
> On 3/18/2021 1:42 PM, Paul Moore wrote:
> > Of the three LSMs that implement the security_task_getsecid() LSM
> > hook, all three LSMs provide the task's objective security
> > credentials. This turns out t
d-off-by: Richard Guy Briggs
> ---
> Documentation/ABI/stable/procfs-audit_loginuid | 12
> 1 file changed, 12 insertions(+)
Merged into audit/next, thanks.
iggs
> ---
> Documentation/ABI/stable/procfs-audit_loginuid | 15 +++
> 1 file changed, 15 insertions(+)
> create mode 100644 Documentation/ABI/stable/procfs-audit_loginuid
Merged into audit/next, thanks.
, but it basically boils down to the
simple fact that we can't safely access another task's subjective
credentials so in the case of binder we need to stick with the
objective credentials regardless.
Signed-off-by: Paul Moore
---
security/selinux/hooks.c | 112 ++
1
With the split of the security_task_getsecid() into subjective and
objective variants it's time to update Smack to ensure it is using
the correct task creds.
Acked-by: Casey Schaufler
Reviewed-by: Richard Guy Briggs
Reviewed-by: John Johansen
Signed-off-by: Paul Moore
---
security/smack
it for IMA and that code
didn't change.
---
Paul Moore (3):
lsm: separate security_task_getsecid() into subjective and objective
variants
selinux: clarify task subjective and objective credentials
smack: differentiate between subjective and objective task credentials
(IMA)
Signed-off-by: Paul Moore
---
drivers/android/binder.c | 11 ++-
include/linux/cred.h |2 +-
include/linux/lsm_hook_defs.h |5 -
include/linux/lsm_hooks.h | 12 +---
include/linux/security.h | 10
udit@redhat.com
> +Format:%u (u32)
> +Users: auditd, libaudit, audit-testsuite, login
> +Description:
> + The /proc/$pid/sessionid pseudofile is read to get the
> + audit login session ID of process $pid. It is set
> +
e
tools/libraries here. I recognize that you like the specificity, but
I do not, and I fear that it will become invalid over time either due
to deprecation of old packages or omission of new ones; the fact that
we are just now adding an entry from 2005 shows how this area of
Documentation can oft
ptions that caused the need for this specificity.
>
> Signed-off-by: Richard Guy Briggs
> ---
> MAINTAINERS | 2 ++
> 1 file changed, 2 insertions(+)
Merged into audit/next, thanks.
On Thu, Mar 18, 2021 at 1:45 PM Paul Moore wrote:
> On Thu, Mar 18, 2021 at 1:44 PM Paul Moore wrote:
> > On Thu, Mar 18, 2021 at 12:57 PM Serhei Makarov wrote:
> > > On Thu, Mar 18, 2021 at 10:43 AM Serhei Makarov
> > > wrote:
> > > > Jiri Olsa also rep
On Thu, Mar 18, 2021 at 1:44 PM Paul Moore wrote:
> On Thu, Mar 18, 2021 at 12:57 PM Serhei Makarov wrote:
> > On Thu, Mar 18, 2021 at 10:43 AM Serhei Makarov wrote:
> > > Jiri Olsa also reports seeing a similar deadlock at v5.10. I'm in the
> > > middle of double-
read that I saw can be found here
via the linux-audit list:
https://lore.kernel.org/linux-audit/canyvdqn7h5tvp47fbycrasv4xf07eubsdwt_edchxjuj43j...@mail.gmail.com/
On Wed, Mar 10, 2021 at 11:32 PM Paul Moore wrote:
> On Tue, Mar 9, 2021 at 10:06 PM John Johansen
> wrote:
> > On 2/19/21 3:29 PM, Paul Moore wrote:
...
> > > @@ -2034,11 +2047,8 @@ static inline u32 open_file_to_av(struct file
> > >
>
> Do you know in which kernel version this mechanism was fixed?
> This information would help me decide which distro I should move to.
Ignoring any backporting that may have taken place, I believe all of
the critical patches were present in Linux v4.13 with a few
nice-to-have patches i
n't say for certain (I
don't work for RH/IBM).
From an upstream perspective - which is what this mailing list focuses
on - there isn't much for us to do here unless you are seeing problems
with a more current kernel.
e/asm-generic/audit_*.h
> F: include/linux/audit.h
> F: include/uapi/linux/audit.h
> F: kernel/audit*
> +F: lib/*audit.c
>
> AUXILIARY DISPLAY DRIVERS
> M: Miguel Ojeda Sandonis
> --
> 2.27.0
filter")
>
> Signed-off-by: Richard Guy Briggs
> ---
> kernel/auditsc.c | 11 ---
> 1 file changed, 4 insertions(+), 7 deletions(-)
Looks good, merged. Thanks.
u32
> +Users: auditd, libaudit, audit-testsuite, login
This should be obvious, but just to be safe - my comment from patch
1/2 also applies here.
> +Description:
> + The /proc/$pid/sessionid pseudofile is read to get the
> + audit login session ID
f
> + AUDIT_FEATURE_LOGINUID_IMMUTABLE is enabled. It cannot be
> + unset if AUDIT_FEATURE_ONLY_UNSET_LOGINUID is enabled.
On Tue, Mar 9, 2021 at 10:06 PM John Johansen
wrote:
> On 2/19/21 3:29 PM, Paul Moore wrote:
> > SELinux has a function, task_sid(), which returns the task's
> > objective credentials, but unfortunately is used in a few places
> > where the subjective task credentials
On Wed, Mar 10, 2021 at 3:21 AM Jeffrey Vander Stoep wrote:
> On Fri, Mar 5, 2021 at 12:44 AM Paul Moore wrote:
> >
> > On Thu, Mar 4, 2021 at 5:04 AM Jeffrey Vander Stoep
> > wrote:
> > > On Sat, Feb 20, 2021 at 3:45 PM Paul Moore wrote:
> > > > On
On Tue, Mar 9, 2021 at 8:03 PM John Johansen
wrote:
> On 2/19/21 3:29 PM, Paul Moore wrote:
> > Of the three LSMs that implement the security_task_getsecid() LSM
> > hook, all three LSMs provide the task's objective security
> > credentials. This turns out to be unfortunate
On Wed, Mar 3, 2021 at 7:44 PM Paul Moore wrote:
> On Sun, Feb 21, 2021 at 7:51 AM John Johansen
> wrote:
> > On 2/19/21 3:29 PM, Paul Moore wrote:
> > > Of the three LSMs that implement the security_task_getsecid() LSM
> > > hook, all three LSMs provide