Re: Syscall Rules vs Watch Rules

2023-09-06 Thread Richard Guy Briggs
like to verify if what I mentioned earlier is accurate, and I have an > additional point but depends on whether this is accurate. > > Ali - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada Upstream IRC: SunRaycer Voice:

Re: [nf PATCH 1/2] netfilter: nf_tables: Audit log setelem reset

2023-08-30 Thread Richard Guy Briggs
d, thanks Phil Thanks Phil, Pablo. If it isn't too late, please add my Reviewed-by: Richard Guy Briggs - RGB

Re: [PATCH] audit: add task history record

2023-08-11 Thread Richard Guy Briggs
+= snprintf(cp, buf - cp + sizeof(buf) - 1, > +";start=%04u%02u%02u%02u%02u%02u", (int) tm.tm_year + > 1900, > +tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min, > +tm.tm_sec); > + /* Terminate the buffer. */ > + if
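Review bot: the format string ";start=%04u%02u%02u%02u%02u%02u" prints every field with an unsigned conversion while the first argument is explicitly `(int) tm.tm_year + 1900` and the remaining struct tm members are also int; the conversion specifiers and the argument types disagree, so either use %04d/%02d or cast the arguments to unsigned. The size argument `buf - cp + sizeof(buf) - 1` also gives away one byte: snprintf's size already includes the terminating NUL and it always terminates when size is non-zero, so the -1 is unnecessary if the following "Terminate the buffer" step is only there to add a NUL. Because snprintf returns the length that would have been written, an offset accumulated with `+=` can exceed the buffer after truncation; the remaining length should be checked before `cp` is reused.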

Re: Comprehensive Documentation on the Linux Audit Framework

2023-06-06 Thread Richard Guy Briggs
is as one word (no space between the "SE" and "Linux") and > with the first three letters capitalized. I know we can be a little > lazy with capitalization, I definitely am, but writing it as one word > is the important part. > > -- > paul-moore

Re: No more report of quantity of rules successfully loaded

2023-05-24 Thread Richard Guy Briggs
n too, but I was wondering if this is planned or if I am > > looking in the wrong place, or what to do. > > It has never done that and is not planned. > > -Steve - RGB

Re: "service auditd start" fails inside a container

2023-05-02 Thread Richard Guy Briggs
thub.com/linux-audit/audit-kernel/issues/90 https://github.com/linux-audit/audit-kernel/issues/91 https://github.com/linux-audit/audit-kernel/issues/92 https://github.com/linux-audit/audit-kernel/issues/75 - RGB

Re: Clarification Around File System Auditing

2023-03-10 Thread Richard Guy Briggs
called > > > > for every syscall? Could you point me to the code where the evaluation > > > > happens only once? > > > > > > There is a file, kernel/audit_watch.c, that implements the interface > > > between > > > audit and fsnotify. You would want to l

Re: Auditing nftables changes

2023-03-10 Thread Richard Guy Briggs
"audit event" which is a collection of audit records with the same timestamp and serial number correspond to *one* event of interest to the audit subsystem either due to internal rules or added audit rules that when triggered record audit information into a set of records that are all related to

Re: Auditing nftables changes

2023-03-09 Thread Richard Guy Briggs
ith file IO > > it's easy to distinguish that file opens are worth auditing but file > > reads and writes would be insane to audit. It's not so clear for me > > for sockets. > > This is going to be dependent on both the workloads and applications > used on the system, there i

Re: [PATCH v2] io_uring,audit: don't log IORING_OP_MADVISE

2023-02-10 Thread Richard Guy Briggs
hursday, February 9, 2023 5:37:22 PM EST Paul Moore wrote: > > >>>> On Thu, Feb 9, 2023 at 4:53 PM Richard Guy Briggs > > >>>> wrote: > > >>>>> On 2023-02-01 16:18, Paul Moore wrote: > > >>>>>> On Wed, Feb 1, 2023

Re: [PATCH v2] io_uring,audit: don't log IORING_OP_MADVISE

2023-02-09 Thread Richard Guy Briggs
On 2023-02-01 16:18, Paul Moore wrote: > On Wed, Feb 1, 2023 at 3:34 PM Richard Guy Briggs wrote: > > fadvise and madvise both provide hints for caching or access pattern for > > file and memory respectively. Skip them. > > You forgot to update the first sentence in the com

Re: [PATCH v7 0/3] fanotify: Allow user space to pass back additional audit info

2023-02-08 Thread Richard Guy Briggs
> > > > > On Tue, Feb 7, 2023 at 7:09 AM Jan Kara wrote: > > > > > > On Fri 03-02-23 16:35:13, Richard Guy Briggs wrote: > > > > > > > The Fanotify API can be used for access control by requesting > > > > > > > permission

[PATCH v7 3/3] fanotify, audit: Allow audit to use the full permission event response

2023-02-03 Thread Richard Guy Briggs
:284): resp=1 fan_type=0 fan_info=0 subj_trust=2 obj_trust=2 Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 3 ++- include/linux/audit.h | 9 + kernel/auditsc.c

[PATCH v7 2/3] fanotify: define struct members to hold response decision context

2023-02-03 Thread Richard Guy Briggs
. It will return the expected size but not issue an audit record. Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2 Suggested-by: Jan Kara Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify

[PATCH v7 1/3] fanotify: Ensure consistent variable type for response

2023-02-03 Thread Richard Guy Briggs
-by: Richard Guy Briggs Acked-by: Paul Moore --- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 6 +++--- include/linux/audit.h | 6 +++--- kernel/auditsc.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/fs

[PATCH v7 0/3] fanotify: Allow user space to pass back additional audit info

2023-02-03 Thread Richard Guy Briggs
2.git@redhat.com v7: - change non FAN_INFO case to "0" - change from if-return to switch(type)-case, which now ignores non-audit info Link: https://lore.kernel.org/all/cover.1675373475.git@redhat.com Richard Guy Briggs (3): fanotify: Ensure consistent variable type for resp

[PATCH v2] io_uring,audit: don't log IORING_OP_MADVISE

2023-02-01 Thread Richard Guy Briggs
fadvise and madvise both provide hints for caching or access pattern for file and memory respectively. Skip them. Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring") Signed-off-by: Richard Guy Briggs --- changelog v2: - drop *GETXATTR patch - dr

Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR

2023-01-27 Thread Richard Guy Briggs
On 2023-01-27 19:06, Paul Moore wrote: > On Fri, Jan 27, 2023 at 6:01 PM Richard Guy Briggs wrote: > > On 2023-01-27 17:43, Paul Moore wrote: > > > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs > > > wrote: > > > > Getting XATTRs is not

Re: [PATCH v1 1/2] io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE

2023-01-27 Thread Richard Guy Briggs
On 2023-01-27 16:03, Jens Axboe wrote: > On 1/27/23 4:02 PM, Richard Guy Briggs wrote: > > On 2023-01-27 15:45, Jens Axboe wrote: > >> On 1/27/23 3:35?PM, Paul Moore wrote: > >>> On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs > >>> wrote: >

Re: [PATCH v1 0/2] two suggested iouring op audit updates

2023-01-27 Thread Richard Guy Briggs
23 12:42 PM, Paul Moore wrote: > >>>>> On Fri, Jan 27, 2023 at 12:40 PM Jens Axboe wrote: > >>>>>> On 1/27/23 10:23 AM, Richard Guy Briggs wrote: > >>>>>>> A couple of updates to the iouring ops audit bypass selections > >>>>

Re: [PATCH v1 1/2] io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE

2023-01-27 Thread Richard Guy Briggs
On 2023-01-27 15:45, Jens Axboe wrote: > On 1/27/23 3:35?PM, Paul Moore wrote: > > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs wrote: > >> > >> Since FADVISE can truncate files and MADVISE operates on memory, reverse > >> the audit_skip tags. > >

Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR

2023-01-27 Thread Richard Guy Briggs
On 2023-01-27 17:43, Paul Moore wrote: > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs wrote: > > Getting XATTRs is not particularly interesting security-wise. > > > > Suggested-by: Steve Grubb > > Fixes: a56834e0fafe ("io_uring: add fgetxattr and g

Re: [PATCH v1 1/2] io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE

2023-01-27 Thread Richard Guy Briggs
On 2023-01-27 17:35, Paul Moore wrote: > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs wrote: > > > > Since FADVISE can truncate files and MADVISE operates on memory, reverse > > the audit_skip tags. > > > > Fixes: 5bd2182d58e9 ("audit,io_uri

[PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR

2023-01-27 Thread Richard Guy Briggs
Getting XATTRs is not particularly interesting security-wise. Suggested-by: Steve Grubb Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support") Signed-off-by: Richard Guy Briggs --- io_uring/opdef.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/io_uring/opdef.c

[PATCH v1 0/2] two suggested iouring op audit updates

2023-01-27 Thread Richard Guy Briggs
A couple of updates to the iouring ops audit bypass selections suggested in consultation with Steve Grubb. Richard Guy Briggs (2): io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE io_uring,audit: do not log IORING_OP_*GETXATTR io_uring/opdef.c | 4 +++- 1 file changed, 3

[PATCH v1 1/2] io_uring, audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE

2023-01-27 Thread Richard Guy Briggs
Since FADVISE can truncate files and MADVISE operates on memory, reverse the audit_skip tags. Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring") Signed-off-by: Richard Guy Briggs --- io_uring/opdef.c | 2 +- 1 file changed, 1 insertion(+),

Re: [PATCH v6 3/3] fanotify,audit: Allow audit to use the full permission event response

2023-01-25 Thread Richard Guy Briggs
On 2023-01-20 13:58, Paul Moore wrote: > On Tue, Jan 17, 2023 at 4:14 PM Richard Guy Briggs wrote: > > > > This patch passes the full response so that the audit function can use all > > of it. The audit function was updated to log the additional information in > >

Re: [PATCH v6 3/3] fanotify,audit: Allow audit to use the full permission event response

2023-01-25 Thread Richard Guy Briggs
3F > > as the default value when no additional info was sent? Would it be better to > > just make it 0? > > ... > > > On Tuesday, January 17, 2023 4:14:07 PM EST Richard Guy Briggs wrote: > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > >

[PATCH v6 2/3] fanotify: define struct members to hold response decision context

2023-01-17 Thread Richard Guy Briggs
. It will return the expected size but not issue an audit record. Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2 Suggested-by: Jan Kara Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify

[PATCH v6 1/3] fanotify: Ensure consistent variable type for response

2023-01-17 Thread Richard Guy Briggs
-by: Richard Guy Briggs Acked-by: Paul Moore --- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 6 +++--- include/linux/audit.h | 6 +++--- kernel/auditsc.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/fs

[PATCH v6 3/3] fanotify, audit: Allow audit to use the full permission event response

2023-01-17 Thread Richard Guy Briggs
:284): resp=1 fan_type=0 fan_info=3F subj_trust=2 obj_trust=2 Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 3 ++- include/linux/audit.h | 9 + kernel/auditsc.c

[PATCH v6 0/3] fanotify: Allow user space to pass back additional audit info

2023-01-17 Thread Richard Guy Briggs
2.git@redhat.com Richard Guy Briggs (3): fanotify: Ensure consistent variable type for response fanotify: define struct members to hold response decision context fanotify,audit: Allow audit to use the full permission event response fs/notify/fanotify/fanotify.c | 8 ++- fs/notify

Re: [PATCH v5 2/3] fanotify: define struct members to hold response decision context

2023-01-17 Thread Richard Guy Briggs
On 2023-01-17 09:27, Jan Kara wrote: > On Mon 16-01-23 15:42:29, Richard Guy Briggs wrote: > > On 2023-01-03 13:42, Jan Kara wrote: > > > On Thu 22-12-22 15:47:21, Richard Guy Briggs wrote: > > > > > > + > > > > > > + if (info_len !=

Re: [PATCH v5 2/3] fanotify: define struct members to hold response decision context

2023-01-16 Thread Richard Guy Briggs
On 2023-01-03 13:42, Jan Kara wrote: > On Thu 22-12-22 15:47:21, Richard Guy Briggs wrote: > > On 2022-12-16 17:43, Jan Kara wrote: > > > On Mon 12-12-22 09:06:10, Richard Guy Briggs wrote: > > > > This patch adds a flag, FAN_INFO and an extensible buffer to provide

Re: [PATCH v5 3/3] fanotify, audit: Allow audit to use the full permission event response

2023-01-10 Thread Richard Guy Briggs
On 2023-01-10 10:26, Steve Grubb wrote: > Hello Richard, > > On Monday, January 9, 2023 10:08:04 PM EST Richard Guy Briggs wrote: > > When I use an application that expected the old API, meaning it simply > > does: > > > > > > response.fd = metada

Re: [PATCH v5 3/3] fanotify,audit: Allow audit to use the full permission event response

2023-01-09 Thread Richard Guy Briggs
as expected. I'll do some more testing but I > think there is something wrong in the compatibility path. I'll have a closer look, because this wasn't the intended behaviour. > On Monday, December 12, 2022 9:06:11 AM EST Richard Guy Briggs wrote: > > This patch passes the full response so

Re: New bug in Audit

2023-01-05 Thread Richard Guy Briggs
bugzilla instance at the URL below: > > I believe this is fixed by this commit: > > https://github.com/linux-audit/audit-kernel/commit/ > 1b2263a807ca651f94517b1b22dc5f13e494984d Yes, that commit fixes that bug upstream. It has been backported to RHEL. > -Steve - RGB --

Re: [PATCH v5 2/3] fanotify: define struct members to hold response decision context

2022-12-22 Thread Richard Guy Briggs
On 2022-12-16 17:43, Jan Kara wrote: > On Mon 12-12-22 09:06:10, Richard Guy Briggs wrote: > > This patch adds a flag, FAN_INFO and an extensible buffer to provide > > additional information about response decisions. The buffer contains > > one or more headers defining

Re: [PATCH v5 3/3] fanotify,audit: Allow audit to use the full permission event response

2022-12-22 Thread Richard Guy Briggs
On 2022-12-20 18:31, Paul Moore wrote: > On Mon, Dec 12, 2022 at 9:06 AM Richard Guy Briggs wrote: > > > > This patch passes the full response so that the audit function can use all > > of it. The audit function was updated to log the additional information in > >

[PATCH v5 3/3] fanotify, audit: Allow audit to use the full permission event response

2022-12-12 Thread Richard Guy Briggs
-by: Steve Grubb Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 3 ++- include/linux/audit.h | 9 + kernel/auditsc.c | 25 ++--- 3 files changed, 29 insertions(+), 8 deletions

[PATCH v5 2/3] fanotify: define struct members to hold response decision context

2022-12-12 Thread Richard Guy Briggs
://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 5 +- fs/notify/fanotify/fanotify.h | 4 ++ fs/notify/fanotify/fanotify_user.c | 86 ++ include/linux/fanotify.h | 5 ++ include

[PATCH v5 1/3] fanotify: Ensure consistent variable type for response

2022-12-12 Thread Richard Guy Briggs
-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 6 +++--- include/linux/audit.h | 6 +++--- kernel/auditsc.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/fs/notify/fanotify/fanotify.h

[PATCH v5 0/3] fanotify: Allow user space to pass back additional audit info

2022-12-12 Thread Richard Guy Briggs
all/cover.1670606054.git@redhat.com Richard Guy Briggs (3): fanotify: Ensure consistent variable type for response fanotify: define struct members to hold response decision context fanotify,audit: Allow audit to use the full permission event response fs/notify/fanotify/fanotify.c

Re: [PATCH] audit: fix undefined behavior in bit shift for AUDIT_BIT

2022-10-31 Thread Richard Guy Briggs
EY_LEN 256 > > #define AUDIT_BITMASK_SIZE 64 > > #define AUDIT_WORD(nr) ((__u32)((nr)/32)) > > -#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) > > +#define AUDIT_BIT(nr) (1U << ((nr) - AUDIT_WORD(nr)*32)) > > > > #define AUDIT_SYSCALL
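Review bot: the switch from `1 << ((nr) - AUDIT_WORD(nr)*32)` to `1U << ...` is the right fix for the undefined behaviour named in the subject: the shift count ranges over 0..31, and `1 << 31` overflows a signed int, which C leaves undefined, whereas `1U << 31` is well-defined and is consistent with the `__u32` that AUDIT_WORD already yields. It would help to state in the commit message which tool (compiler warning or UBSAN) reported it, so the fix is verifiable.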

Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response

2022-09-09 Thread Richard Guy Briggs
On 2022-09-09 10:55, Steve Grubb wrote: > On Friday, September 9, 2022 10:38:46 AM EDT Richard Guy Briggs wrote: > > > Richard, add subj_trust and obj_trust. These can be 0|1|2 for no, yes, > > > unknown. > > > > type? bitfield? My gut would say th

Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response

2022-09-09 Thread Richard Guy Briggs
On 2022-09-09 10:22, Steve Grubb wrote: > On Friday, September 9, 2022 7:09:44 AM EDT Jan Kara wrote: > > Hello Steve! > > > > On Fri 09-09-22 00:03:53, Steve Grubb wrote: > > > On Thursday, September 8, 2022 10:41:44 PM EDT Richard Guy Briggs wrote: >

Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response

2022-09-08 Thread Richard Guy Briggs
at 4:11 PM Steve Grubb wrote: > > > > > On Wednesday, September 7, 2022 2:43:54 PM EDT Richard Guy Briggs > wrote: > > > > > > > > Ultimately I guess I'll leave it upto audit subsystem what it > > > > > > > > wants

Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response

2022-09-07 Thread Richard Guy Briggs
On 2022-09-01 14:31, Paul Moore wrote: > On Thu, Sep 1, 2022 at 3:52 AM Jan Kara wrote: > > On Wed 31-08-22 21:47:09, Paul Moore wrote: > > > On Wed, Aug 31, 2022 at 7:55 PM Steve Grubb wrote: > > > > On Wednesday, August 31, 2022 6:19:40 PM EDT Richard Guy Briggs

Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response

2022-08-31 Thread Richard Guy Briggs
On 2022-08-31 17:25, Steve Grubb wrote: > On Wednesday, August 31, 2022 5:07:25 PM EDT Richard Guy Briggs wrote: > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > index 433418d73584..f000fec52360 100644 > > > > --- a/kernel/auditsc.c > >

Re: [PATCH v4 3/4] fanotify,audit: Allow audit to use the full permission event response

2022-08-31 Thread Richard Guy Briggs
On 2022-08-15 20:22, Paul Moore wrote: > On Tue, Aug 9, 2022 at 1:23 PM Richard Guy Briggs wrote: > > > > This patch passes the full value so that the audit function can use all > > of it. The audit function was updated to log the additional information in > >

Re: [RFC PATCH 2/2] fs/xattr: wire up syscalls

2022-08-31 Thread Richard Guy Briggs
nkage long sys_lremovexattr(const char __user *path, > const char __user *name); > asmlinkage long sys_fremovexattr(int fd, const char __user *name); > diff --git a/include/uapi/asm-generic/unistd.h > b/include/uapi/asm-generic/unistd.h > index 45fa

Re: [PATCH] tests/io_uring: ensure that the io_uring::enter_ring_fd is imported

2022-08-25 Thread Richard Guy Briggs
On 2022-08-25 16:28, Paul Moore wrote: > On Thu, Aug 25, 2022 at 4:10 PM Richard Guy Briggs wrote: > > On 2022-08-24 15:42, Paul Moore wrote: > > > The liburing library added a new field to the io_uring struct in > > > commit b02125e164ea ("Add preliminary sup

Re: [PATCH] tests/io_uring: ensure that the io_uring::enter_ring_fd is imported

2022-08-25 Thread Richard Guy Briggs
> ring->sq.ring_sz = params->sq_off.array + > params->sq_entries * sizeof(unsigned); > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://listman.redhat.com/mailman/listinfo/linux-audit > - RGB

[PATCH ghak138 v2 2/4] audit: explicitly check audit_context->context enum value

2022-08-25 Thread Richard Guy Briggs
Be explicit in checking the struct audit_context "context" member enum value rather than assuming the order of context enum values. Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs --- kernel

[PATCH ghak138 v2 1/4] audit: audit_context pid unused, context enum comment fix

2022-08-25 Thread Richard Guy Briggs
The pid member of struct audit_context is never used. Remove it. The audit_reset_context() comment about unconditionally resetting "ctx->state" should read "ctx->context". Signed-off-by: Richard Guy Briggs --- kernel/audit.h | 2 +- kernel/auditsc.c | 4 ++-- 2 f

[PATCH ghak138 v2 4/4] audit: move audit_return_fixup before the filters

2022-08-25 Thread Richard Guy Briggs
texts beyond syscalls") Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 280b4720c7a0..9f8c05228d6d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1940,6 +1940

[PATCH ghak138 v2 3/4] audit: free audit_proctitle only on task exit

2022-08-25 Thread Richard Guy Briggs
("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d77c9805c6b1..280b4720c7a0 100644 --

[PATCH ghak138 v2 0/4] issues from moving beyond syscalls

2022-08-25 Thread Richard Guy Briggs
to see what caused it. changelog v2: - split into 4 patches - flesh out proctitle move justification - add issue reference in return_fixup move patch - remove explicit Cc: Richard Guy Briggs (4): audit: audit_context pid unused, context enum comment fix audit: explicitly check audit_context

Re: [PATCH ghak138] audit: move audit_return_fixup before the filters

2022-08-25 Thread Richard Guy Briggs
On 2022-08-25 09:20, Paul Moore wrote: > On Wed, Aug 24, 2022 at 11:10 PM Richard Guy Briggs wrote: > > > > The success and return_code are needed by the filters. Move > > audit_return_fixup() before the filters. > > > > The pid member of struct aud

[PATCH ghak138] audit: move audit_return_fixup before the filters

2022-08-24 Thread Richard Guy Briggs
"audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs --- kernel/audit.h | 2 +- kernel/auditsc.c | 12 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 58b66543b4d5..

Re: [PATCH v4 2/4] fanotify: define struct members to hold response decision context

2022-08-19 Thread Richard Guy Briggs
On 2022-08-19 10:17, Nick Desaulniers wrote: > On Fri, Aug 19, 2022 at 9:25 AM Richard Guy Briggs wrote: > > > > On 2022-08-10 22:28, kernel test robot wrote: > > > Hi Richard, > > > > > > Thank you for the patch! Perhaps something to improve: >

Re: [PATCH v4 4/4] fanotify, audit: deliver fan_info as a hex-encoded string

2022-08-19 Thread Richard Guy Briggs
On 2022-08-16 09:37, Steve Grubb wrote: > Hello Richard, > > Although I have it working, I have some comments below that might improve > things. > > On Tuesday, August 9, 2022 1:22:55 PM EDT Richard Guy Briggs wrote: > > Currently the only type of fanotify info tha

Re: [PATCH v4 2/4] fanotify: define struct members to hold response decision context

2022-08-19 Thread Richard Guy Briggs
is applied to the wrong git tree, kindly drop us a note. > And when submitting patch, we suggest to use '--base' as documented in > https://git-scm.com/docs/git-format-patch#_base_tree_information] > > url: > https://github.com/intel-lab-lkp/linux/commits/Richard-Guy-Briggs

Re: [PATCH v4 4/4] fanotify, audit: deliver fan_info as a hex-encoded string

2022-08-10 Thread Richard Guy Briggs
On 2022-08-10 15:15, Steve Grubb wrote: > Hell Richard, That's quite an introduction! ;-) > On Tuesday, August 9, 2022 1:22:55 PM EDT Richard Guy Briggs wrote: > > Currently the only type of fanotify info that is defined is an audit > > rule number, but convert it to hex

[PATCH v4 3/4] fanotify, audit: Allow audit to use the full permission event response

2022-08-09 Thread Richard Guy Briggs
fan_info=17 Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 3 ++- include/linux/audit.h | 9 + kernel/auditsc.c | 31 --- 3 files changed

[PATCH v4 4/4] fanotify, audit: deliver fan_info as a hex-encoded string

2022-08-09 Thread Richard Guy Briggs
Currently the only type of fanotify info that is defined is an audit rule number, but convert it to hex encoding to future-proof the field. Sample record: type=FANOTIFY msg=audit(1659730979.839:284): resp=1 fan_type=0 fan_info=3F Suggested-by: Paul Moore Signed-off-by: Richard Guy Briggs

[PATCH v4 0/4] fanotify: Allow user space to pass back additional audit info

2022-08-09 Thread Richard Guy Briggs
fo=3F" Link: https://lore.kernel.org/r/cover.1659981772.git@redhat.com Richard Guy Briggs (4): fanotify: Ensure consistent variable type for response fanotify: define struct members to hold respons

[PATCH v4 1/4] fanotify: Ensure consistent variable type for response

2022-08-09 Thread Richard Guy Briggs
-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 6 +++--- include/linux/audit.h | 6 +++--- kernel/auditsc.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/fs/notify/fanotify/fanotify.h

[PATCH v4 2/4] fanotify: define struct members to hold response decision context

2022-08-09 Thread Richard Guy Briggs
://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 10 ++- fs/notify/fanotify/fanotify.h | 2 + fs/notify/fanotify/fanotify_user.c | 104 +++-- include/linux/fanotify.h | 5 ++ include

Re: [EXTERNAL] Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr

2022-05-19 Thread Richard Guy Briggs
d > "setxattr" which isn't going to work; the lines in audit.rules are > intended to be passed as command line arguments to auditctl. Look at > the augenrules script (repo link below) and the auditctl '-R' option. > > * > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub

Re: [PATCH v3 2/3] fanotify: define struct members to hold response decision context

2022-05-18 Thread Richard Guy Briggs
On 2022-05-17 08:37, Amir Goldstein wrote: > On Mon, May 16, 2022 at 11:22 PM Richard Guy Briggs wrote: > > > > This patch adds 2 structure members to the response returned from user > > space on a permission event. The first field is 32 bits for the context > &

Re: [PATCH v3 3/3] fanotify: Allow audit to use the full permission event response

2022-05-16 Thread Richard Guy Briggs
On 2022-05-16 21:42, Paul Moore wrote: > On Mon, May 16, 2022 at 4:22 PM Richard Guy Briggs wrote: > > > > This patch passes the full value so that the audit function can use all > > of it. The audit function was updated to log the additional information in > >

Re: [PATCH v2 2/3] fanotify: define struct members to hold response decision context

2022-05-16 Thread Richard Guy Briggs
On 2022-05-09 10:54, Jan Kara wrote: > On Fri 06-05-22 14:46:49, Richard Guy Briggs wrote: > > On 2022-05-05 16:44, Jan Kara wrote: > > > On Tue 03-05-22 21:33:35, Richard Guy Briggs wrote: > > > > On 2022-05-02 20:16, Paul Moore wrote: > > > > > On Th

[PATCH v3 2/3] fanotify: define struct members to hold response decision context

2022-05-16 Thread Richard Guy Briggs
Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2 Suggested-by: Jan Kara Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 2 +- fs/notify/fanotify/fanotify.h | 2 + fs/notify/fanotify

[PATCH v3 3/3] fanotify: Allow audit to use the full permission event response

2022-05-16 Thread Richard Guy Briggs
fan_ctx=17 Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.c | 4 +++- include/linux/audit.h | 9 + kernel/auditsc.c | 18 +++--- 3 files changed, 23 insertions

[PATCH v3 1/3] fanotify: Ensure consistent variable type for response

2022-05-16 Thread Richard Guy Briggs
-by: Richard Guy Briggs --- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 6 +++--- include/linux/audit.h | 6 +++--- kernel/auditsc.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/fs/notify/fanotify/fanotify.h

[PATCH v3 0/3] fanotify: Allow user space to pass back additional audit info

2022-05-16 Thread Richard Guy Briggs
to union - move low-cost fd check earlier - change FAN_RESPONSE_INFO_AUDIT_NONE to FAN_RESPONSE_INFO_NONE - switch to u32 for internal and __u32 for uapi Link: https://lore.kernel.org/r/cover.1652724390.git@redhat.com Richard Guy Briggs (3): fanotify: Ensure consistent variable type for response

Re: [PATCH v2 2/3] fanotify: define struct members to hold response decision context

2022-05-06 Thread Richard Guy Briggs
On 2022-05-05 16:44, Jan Kara wrote: > On Tue 03-05-22 21:33:35, Richard Guy Briggs wrote: > > On 2022-05-02 20:16, Paul Moore wrote: > > > On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs > > > wrote: > > > > This patch adds 2 structure members to the re

Re: [PATCH v2 2/3] fanotify: define struct members to hold response decision context

2022-05-03 Thread Richard Guy Briggs
On 2022-05-02 20:16, Paul Moore wrote: > On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs wrote: > > This patch adds 2 structure members to the response returned from user > > space on a permission event. The first field is 16 bits for the context > > type. The context ty

Re: [PATCH v2 1/3] fanotify: Ensure consistent variable type for response

2022-05-03 Thread Richard Guy Briggs
On 2022-05-02 20:16, Paul Moore wrote: > On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs wrote: > > > > The user space API for the response variable is __u32. This patch makes > > sure that the whole path through the kernel uses __u32 so that there is > > no s

Re: [PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info

2022-05-03 Thread Richard Guy Briggs
On 2022-05-02 20:16, Paul Moore wrote: > On Thu, Apr 28, 2022 at 8:55 PM Richard Guy Briggs wrote: > > On 2022-04-28 20:44, Richard Guy Briggs wrote: > > > The Fanotify API can be used for access control by requesting permission > > > event notification. The user spa

Re: [PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info

2022-04-28 Thread Richard Guy Briggs
On 2022-04-28 20:44, Richard Guy Briggs wrote: > The Fanotify API can be used for access control by requesting permission > event notification. The user space tooling that uses it may have a > complicated policy that inherently contains additional context for the > decision. If this

[PATCH v2 1/3] fanotify: Ensure consistent variable type for response

2022-04-28 Thread Richard Guy Briggs
-by: Richard Guy Briggs Link: https://lore.kernel.org/r/aa98a3ad00666a6fc0ce411755de4a1a60f5c0cd.1651174324.git@redhat.com --- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/notify

[PATCH v2 2/3] fanotify: define struct members to hold response decision context

2022-04-28 Thread Richard Guy Briggs
://lore.kernel.org/r/2745105.e9J7NaK4W3@x2 Suggested-by: Jan Kara Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz Signed-off-by: Richard Guy Briggs Link: https://lore.kernel.org/r/17660b3f2817e5c0a19d1e9e5d40b53ff4561845.1651174324.git@redhat.com --- fs/notify/fanotify

[PATCH v2 3/3] fanotify: Allow audit to use the full permission event response

2022-04-28 Thread Richard Guy Briggs
fan_ctx=17 Suggested-by: Steve Grubb Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs Link: https://lore.kernel.org/r/23c7f206a465d88cc646a944515fcc6a365f5eb2.1651174324.git@redhat.com --- fs/notify/fanotify/fanotify.c | 4 +++- include/linux/audit.h

[PATCH v2 0/3] fanotify: Allow user space to pass back additional audit info

2022-04-28 Thread Richard Guy Briggs
@redhat.com Richard Guy Briggs (3): fanotify: Ensure consistent variable type for response fanotify: define struct members to hold response decision context fanotify: Allow audit to use the full permission event response fs/notify/fanotify/fanotify.c | 5 ++- fs/notify/fanotify/fanotify.h

Re: [PATCH] audit: do a quick exit when syscall number is invalid

2022-04-06 Thread Richard Guy Briggs
On 2022-04-06 01:19, CGEL wrote: > On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote: > > On 2022-04-02 08:06, CGEL wrote: > > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote: > > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb wrote: &

Re: [PATCH] audit: do a quick exit when syscall number is invalid

2022-04-04 Thread Richard Guy Briggs
nt, but the kernel is the last step for security. If userspace and the kernel are mismatched or out of sync, then the kernel enforces policy to protect itself. > > > > > Beware that there are some limitations > > > > > to the audit syscall filter, which are unfortunately baked into the > > > > > current design/implementation, which may affect this to some extent. > > > > -- > > paul-moore.com - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH v6] audit: log AUDIT_TIME_* records only from rules

2022-02-22 Thread Richard Guy Briggs
On 2022-02-22 13:56, Paul Moore wrote: > On Tue, Feb 22, 2022 at 11:45 AM Richard Guy Briggs wrote: > > AUDIT_TIME_* events are generated when there are syscall rules present > > that are not related to time keeping. This will produce noisy log > > entries that could fl

[PATCH v6] audit: log AUDIT_TIME_* records only from rules

2022-02-22 Thread Richard Guy Briggs
ekeeping: Audit clock adjustments") Signed-off-by: Richard Guy Briggs --- Changelog: v2: - rename __audit_ntp_log_ to audit_log_ntp - pre-check ntp before storing - move tk out of the context union and move ntp logging to the bottom of audit_show_special() - restructure logging of ntp to use

[PATCH v5] audit: log AUDIT_TIME_* records only from rules

2022-02-16 Thread Richard Guy Briggs
ekeeping: Audit clock adjustments") Signed-off-by: Richard Guy Briggs --- Changelog: v2: - rename __audit_ntp_log_ to audit_log_ntp - pre-check ntp before storing - move tk out of the context union and move ntp logging to the bottom of audit_show_special() - restructure logging of ntp to use

[PATCH v4] audit: log AUDIT_TIME_* records only from rules

2022-02-14 Thread Richard Guy Briggs
and log it at syscall exit time respecting the filter rules. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment") Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments") Signed-off-by: Richard Guy B

Re: [PATCH v3] audit: log AUDIT_TIME_* records only from rules

2022-02-11 Thread Richard Guy Briggs
On 2022-02-10 21:08, Paul Moore wrote: > On Thu, Feb 10, 2022 at 6:46 PM Richard Guy Briggs wrote: > > On 2022-01-31 20:29, Paul Moore wrote: > > > On Mon, Jan 31, 2022 at 6:29 PM Richard Guy Briggs > > > wrote: > > > > On 2022-01-31 17:02, Paul Moore wro

Re: [PATCH v3] audit: log AUDIT_TIME_* records only from rules

2022-02-10 Thread Richard Guy Briggs
On 2022-01-31 20:29, Paul Moore wrote: > On Mon, Jan 31, 2022 at 6:29 PM Richard Guy Briggs wrote: > > On 2022-01-31 17:02, Paul Moore wrote: > > > On Wed, Jan 26, 2022 at 8:52 AM Richard Guy Briggs > > > wrote: > > > > On 2022-01-25 22:24, Richard

Re: [PATCH v4 2/3] audit: add support for the openat2 syscall

2022-02-09 Thread Richard Guy Briggs
On 2022-02-09 16:18, Paul Moore wrote: > On Wed, Feb 9, 2022 at 10:57 AM Paul Moore wrote: > > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney wrote: > > > > > > Hi Richard - > > > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > > Th

[PATCH v1] audit: fix illegal pointer dereference for openat2

2022-02-09 Thread Richard Guy Briggs
://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71...@suse.com Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall") Reported-by: Jeff Mahoney Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/a

Re: [PATCH v4 2/3] audit: add support for the openat2 syscall

2022-02-09 Thread Richard Guy Briggs
On 2022-02-09 10:57, Paul Moore wrote: > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney wrote: > > > > Hi Richard - > > > > On 5/19/21 16:00, Richard Guy Briggs wrote: > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > &

Re: How to configure auditd to register like internal bash commands?

2022-02-08 Thread Richard Guy Briggs
that be possible? >Would you mind please to help me on some knowledge about that? You may want to look into pam_tty_audit, but it may flood your logs. - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer V

Re: [PATCH v3] audit: log AUDIT_TIME_* records only from rules

2022-01-31 Thread Richard Guy Briggs
On 2022-01-31 17:02, Paul Moore wrote: > On Wed, Jan 26, 2022 at 8:52 AM Richard Guy Briggs wrote: > > On 2022-01-25 22:24, Richard Guy Briggs wrote: > > > AUDIT_TIME_* events are generated when there are syscall rules present > > > that are > > > not related

Re: [PATCH v3] audit: log AUDIT_TIME_* records only from rules

2022-01-26 Thread Richard Guy Briggs
On 2022-01-25 22:24, Richard Guy Briggs wrote: > AUDIT_TIME_* events are generated when there are syscall rules present that > are > not related to time keeping. This will produce noisy log entries that could > flood the logs and hide events we really care about. > > Rathe
