like to verify if what I mentioned earlier is accurate, and I have an
> additional point but depends on whether this is accurate.
>
> Ali
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice:
d, thanks Phil
Thanks Phil, Pablo. If it isn't too late, please add my
Reviewed-by: Richard Guy Briggs
+= snprintf(cp, buf - cp + sizeof(buf) - 1,
> +";start=%04u%02u%02u%02u%02u%02u", (int) tm.tm_year +
> 1900,
> +tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min,
> +tm.tm_sec);
> + /* Terminate the buffer. */
> + if
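Review bot: accumulating snprintf's return value into the write offset (the `+=` on the first quoted line) is unsafe once a call truncates, because snprintf returns the number of characters that would have been written, not the number actually stored; after one truncated call the offset advances past the end of `buf` and the remaining-space expression `buf - cp + sizeof(buf) - 1` goes negative and wraps to a huge size_t for the next call. Compare the return value against the remaining space before advancing, and stop (or fail) on truncation. Separately, the format uses unsigned conversions (`%04u%02u...`) while the first argument is passed as `(int) tm.tm_year + 1900`; either use `%04d`/`%02d` or cast the values to unsigned so the conversions match their arguments.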
; is as one word (no space between the "SE" and "Linux") and
> with the first three letters capitalized. I know we can be a little
> lazy with capitalization, I definitely am, but writing it as one word
> is the important part.
>
> --
> paul-moore
n too, but I was wondering if this is planned or if I am
> > looking in the wrong place, or what to do.
>
> It has never done that and is not planned.
>
> -Steve
thub.com/linux-audit/audit-kernel/issues/90
https://github.com/linux-audit/audit-kernel/issues/91
https://github.com/linux-audit/audit-kernel/issues/92
https://github.com/linux-audit/audit-kernel/issues/75
; called
> > > > for every syscall? Could you point me to the code where the evaluation
> > > > happens only once?
> > >
> > > There is a file, kernel/audit_watch.c, that implements the interface
> > > between
> > > audit and fsnotify. You would want to l
;audit event" which is a collection of audit records with the same
timestamp and serial number correspond to *one* event of interest to the
audit subsystem either due to internal rules or added audit rules that
when triggered record audit information into a set of records that are
all related to
ith file IO
> > it's easy to distinguish that file opens are worth auditing but file
> > reads and writes would be insane to audit. It's not so clear for me
> > for sockets.
>
> This is going to be dependent on both the workloads and applications
> used on the system, there i
hursday, February 9, 2023 5:37:22 PM EST Paul Moore wrote:
> > >>>> On Thu, Feb 9, 2023 at 4:53 PM Richard Guy Briggs
> > >>>> wrote:
> > >>>>> On 2023-02-01 16:18, Paul Moore wrote:
> > >>>>>> On Wed, Feb 1, 2023
On 2023-02-01 16:18, Paul Moore wrote:
> On Wed, Feb 1, 2023 at 3:34 PM Richard Guy Briggs wrote:
> > fadvise and madvise both provide hints for caching or access pattern for
> > file and memory respectively. Skip them.
>
> You forgot to update the first sentence in the com
> > > > > On Tue, Feb 7, 2023 at 7:09 AM Jan Kara wrote:
> > > > > > On Fri 03-02-23 16:35:13, Richard Guy Briggs wrote:
> > > > > > > The Fanotify API can be used for access control by requesting
> > > > > > > permission
:284): resp=1 fan_type=0 fan_info=0
subj_trust=2 obj_trust=2
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 3 ++-
include/linux/audit.h | 9 +
kernel/auditsc.c
. It will return
the expected size but not issue an audit record.
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2
Suggested-by: Jan Kara
Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify
-by: Richard Guy Briggs
Acked-by: Paul Moore
---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 6 +++---
include/linux/audit.h | 6 +++---
kernel/auditsc.c | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs
2.git@redhat.com
v7:
- change non FAN_INFO case to "0"
- change from if-return to switch(type)-case, which now ignores non-audit info
Link: https://lore.kernel.org/all/cover.1675373475.git@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for resp
fadvise and madvise both provide hints for caching or access pattern for
file and memory respectively. Skip them.
Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to
io_uring")
Signed-off-by: Richard Guy Briggs
---
changelog
v2:
- drop *GETXATTR patch
- dr
On 2023-01-27 19:06, Paul Moore wrote:
> On Fri, Jan 27, 2023 at 6:01 PM Richard Guy Briggs wrote:
> > On 2023-01-27 17:43, Paul Moore wrote:
> > > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs
> > > wrote:
> > > > Getting XATTRs is not
On 2023-01-27 16:03, Jens Axboe wrote:
> On 1/27/23 4:02 PM, Richard Guy Briggs wrote:
> > On 2023-01-27 15:45, Jens Axboe wrote:
> >> On 1/27/23 3:35 PM, Paul Moore wrote:
> >>> On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs
> >>> wrote:
>
23 12:42 PM, Paul Moore wrote:
> >>>>> On Fri, Jan 27, 2023 at 12:40 PM Jens Axboe wrote:
> >>>>>> On 1/27/23 10:23 AM, Richard Guy Briggs wrote:
> >>>>>>> A couple of updates to the iouring ops audit bypass selections
> >>>>
On 2023-01-27 15:45, Jens Axboe wrote:
> On 1/27/23 3:35 PM, Paul Moore wrote:
> > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs wrote:
> >>
> >> Since FADVISE can truncate files and MADVISE operates on memory, reverse
> >> the audit_skip tags.
On 2023-01-27 17:43, Paul Moore wrote:
> On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs wrote:
> > Getting XATTRs is not particularly interesting security-wise.
> >
> > Suggested-by: Steve Grubb
> > Fixes: a56834e0fafe ("io_uring: add fgetxattr and g
On 2023-01-27 17:35, Paul Moore wrote:
> On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs wrote:
> >
> > Since FADVISE can truncate files and MADVISE operates on memory, reverse
> > the audit_skip tags.
> >
> > Fixes: 5bd2182d58e9 ("audit,io_uri
Getting XATTRs is not particularly interesting security-wise.
Suggested-by: Steve Grubb
Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support")
Signed-off-by: Richard Guy Briggs
---
io_uring/opdef.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/io_uring/opdef.c
A couple of updates to the iouring ops audit bypass selections suggested in
consultation with Steve Grubb.
Richard Guy Briggs (2):
io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE
io_uring,audit: do not log IORING_OP_*GETXATTR
io_uring/opdef.c | 4 +++-
1 file changed, 3
Since FADVISE can truncate files and MADVISE operates on memory, reverse
the audit_skip tags.
Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to
io_uring")
Signed-off-by: Richard Guy Briggs
---
io_uring/opdef.c | 2 +-
1 file changed, 1 insertion(+),
On 2023-01-20 13:58, Paul Moore wrote:
> On Tue, Jan 17, 2023 at 4:14 PM Richard Guy Briggs wrote:
> >
> > This patch passes the full response so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> >
3F
> > as the default value when no additional info was sent? Would it be better to
> > just make it 0?
>
> ...
>
> > On Tuesday, January 17, 2023 4:14:07 PM EST Richard Guy Briggs wrote:
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
. It will return
the expected size but not issue an audit record.
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2
Suggested-by: Jan Kara
Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify
-by: Richard Guy Briggs
Acked-by: Paul Moore
---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 6 +++---
include/linux/audit.h | 6 +++---
kernel/auditsc.c | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs
:284): resp=1 fan_type=0 fan_info=3F
subj_trust=2 obj_trust=2
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 3 ++-
include/linux/audit.h | 9 +
kernel/auditsc.c
2.git@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold response decision context
fanotify,audit: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c | 8 ++-
fs/notify
On 2023-01-17 09:27, Jan Kara wrote:
> On Mon 16-01-23 15:42:29, Richard Guy Briggs wrote:
> > On 2023-01-03 13:42, Jan Kara wrote:
> > > On Thu 22-12-22 15:47:21, Richard Guy Briggs wrote:
> > > > > > +
> > > > > > + if (info_len !=
On 2023-01-03 13:42, Jan Kara wrote:
> On Thu 22-12-22 15:47:21, Richard Guy Briggs wrote:
> > On 2022-12-16 17:43, Jan Kara wrote:
> > > On Mon 12-12-22 09:06:10, Richard Guy Briggs wrote:
> > > > This patch adds a flag, FAN_INFO and an extensible buffer to provide
On 2023-01-10 10:26, Steve Grubb wrote:
> Hello Richard,
>
> On Monday, January 9, 2023 10:08:04 PM EST Richard Guy Briggs wrote:
> > When I use an application that expected the old API, meaning it simply
> > does:
> > >
> > > response.fd = metada
as expected. I'll do some more testing but I
> think there is something wrong in the compatibility path.
I'll have a closer look, because this wasn't the intended behaviour.
> On Monday, December 12, 2022 9:06:11 AM EST Richard Guy Briggs wrote:
> > This patch passes the full response so
bugzilla instance at the URL below:
>
> I believe this is fixed by this commit:
>
> https://github.com/linux-audit/audit-kernel/commit/
> 1b2263a807ca651f94517b1b22dc5f13e494984d
Yes, that commit fixes that bug upstream.
It has been backported to RHEL.
> -Steve
On 2022-12-16 17:43, Jan Kara wrote:
> On Mon 12-12-22 09:06:10, Richard Guy Briggs wrote:
> > This patch adds a flag, FAN_INFO and an extensible buffer to provide
> > additional information about response decisions. The buffer contains
> > one or more headers defining
On 2022-12-20 18:31, Paul Moore wrote:
> On Mon, Dec 12, 2022 at 9:06 AM Richard Guy Briggs wrote:
> >
> > This patch passes the full response so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> >
-by: Steve Grubb
Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 3 ++-
include/linux/audit.h | 9 +
kernel/auditsc.c | 25 ++---
3 files changed, 29 insertions(+), 8 deletions
://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 5 +-
fs/notify/fanotify/fanotify.h | 4 ++
fs/notify/fanotify/fanotify_user.c | 86 ++
include/linux/fanotify.h | 5 ++
include
-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 6 +++---
include/linux/audit.h | 6 +++---
kernel/auditsc.c | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.h
all/cover.1670606054.git@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold response decision context
fanotify,audit: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c
EY_LEN 256
> > #define AUDIT_BITMASK_SIZE 64
> > #define AUDIT_WORD(nr) ((__u32)((nr)/32))
> > -#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
> > +#define AUDIT_BIT(nr) (1U << ((nr) - AUDIT_WORD(nr)*32))
> >
> > #define AUDIT_SYSCALL
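Review bot: the `1` to `1U` change in the AUDIT_BIT hunk is the right fix. With AUDIT_WORD(nr) defined as `(nr)/32`, the shift count `(nr) - AUDIT_WORD(nr)*32` is simply `nr % 32` and can reach 31, and `1 << 31` on a signed int is undefined behaviour in C (the result overflows into the sign bit); `1U << 31` is well defined and matches the `__u32` returned by AUDIT_WORD. Consider also writing the shift count as `((nr) % 32)` so the intent is visible without reading AUDIT_WORD, and note that callers must still keep `nr` below `AUDIT_BITMASK_SIZE * 32`, since nothing in the macro itself bounds it.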
On 2022-09-09 10:55, Steve Grubb wrote:
> On Friday, September 9, 2022 10:38:46 AM EDT Richard Guy Briggs wrote:
> > > Richard, add subj_trust and obj_trust. These can be 0|1|2 for no, yes,
> > > unknown.
> >
> > type? bitfield? My gut would say th
On 2022-09-09 10:22, Steve Grubb wrote:
> On Friday, September 9, 2022 7:09:44 AM EDT Jan Kara wrote:
> > Hello Steve!
> >
> > On Fri 09-09-22 00:03:53, Steve Grubb wrote:
> > > On Thursday, September 8, 2022 10:41:44 PM EDT Richard Guy Briggs wrote:
at 4:11 PM Steve Grubb wrote:
> > > > > On Wednesday, September 7, 2022 2:43:54 PM EDT Richard Guy Briggs
> wrote:
> > > > > > > > Ultimately I guess I'll leave it upto audit subsystem what it
> > > > > > > > wants
On 2022-09-01 14:31, Paul Moore wrote:
> On Thu, Sep 1, 2022 at 3:52 AM Jan Kara wrote:
> > On Wed 31-08-22 21:47:09, Paul Moore wrote:
> > > On Wed, Aug 31, 2022 at 7:55 PM Steve Grubb wrote:
> > > > On Wednesday, August 31, 2022 6:19:40 PM EDT Richard Guy Briggs
On 2022-08-31 17:25, Steve Grubb wrote:
> On Wednesday, August 31, 2022 5:07:25 PM EDT Richard Guy Briggs wrote:
> > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > > index 433418d73584..f000fec52360 100644
> > > > --- a/kernel/auditsc.c
> >
On 2022-08-15 20:22, Paul Moore wrote:
> On Tue, Aug 9, 2022 at 1:23 PM Richard Guy Briggs wrote:
> >
> > This patch passes the full value so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> >
nkage long sys_lremovexattr(const char __user *path,
> const char __user *name);
> asmlinkage long sys_fremovexattr(int fd, const char __user *name);
> diff --git a/include/uapi/asm-generic/unistd.h
> b/include/uapi/asm-generic/unistd.h
> index 45fa
On 2022-08-25 16:28, Paul Moore wrote:
> On Thu, Aug 25, 2022 at 4:10 PM Richard Guy Briggs wrote:
> > On 2022-08-24 15:42, Paul Moore wrote:
> > > The liburing library added a new field to the io_uring struct in
> > > commit b02125e164ea ("Add preliminary sup
> ring->sq.ring_sz = params->sq_off.array +
> params->sq_entries * sizeof(unsigned);
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
>
Be explicit in checking the struct audit_context "context" member enum
value rather than assuming the order of context enum values.
Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts
beyond syscalls")
Signed-off-by: Richard Guy Briggs
---
kernel
The pid member of struct audit_context is never used. Remove it.
The audit_reset_context() comment about unconditionally resetting
"ctx->state" should read "ctx->context".
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 2 +-
kernel/auditsc.c | 4 ++--
2 f
texts
beyond syscalls")
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 280b4720c7a0..9f8c05228d6d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1940,6 +1940
("audit: prepare audit_context for use in calling contexts
beyond syscalls")
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d77c9805c6b1..280b4720c7a0 100644
--
to see what caused it.
changelog v2:
- split into 4 patches
- flesh out proctitle move justification
- add issue reference in return_fixup move patch
- remove explicit Cc:
Richard Guy Briggs (4):
audit: audit_context pid unused, context enum comment fix
audit: explicitly check audit_context
On 2022-08-25 09:20, Paul Moore wrote:
> On Wed, Aug 24, 2022 at 11:10 PM Richard Guy Briggs wrote:
> >
> > The success and return_code are needed by the filters. Move
> > audit_return_fixup() before the filters.
> >
> > The pid member of struct aud
quot;audit: prepare audit_context for use in calling contexts
beyond syscalls")
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 2 +-
kernel/auditsc.c | 12 ++--
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..
On 2022-08-19 10:17, Nick Desaulniers wrote:
> On Fri, Aug 19, 2022 at 9:25 AM Richard Guy Briggs wrote:
> >
> > On 2022-08-10 22:28, kernel test robot wrote:
> > > Hi Richard,
> > >
> > > Thank you for the patch! Perhaps something to improve:
>
On 2022-08-16 09:37, Steve Grubb wrote:
> Hello Richard,
>
> Although I have it working, I have some comments below that might improve
> things.
>
> On Tuesday, August 9, 2022 1:22:55 PM EDT Richard Guy Briggs wrote:
> > Currently the only type of fanotify info tha
is applied to the wrong git tree, kindly drop us a note.
> And when submitting a patch, we suggest using '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:
> https://github.com/intel-lab-lkp/linux/commits/Richard-Guy-Briggs
On 2022-08-10 15:15, Steve Grubb wrote:
> Hell Richard,
That's quite an introduction! ;-)
> On Tuesday, August 9, 2022 1:22:55 PM EDT Richard Guy Briggs wrote:
> > Currently the only type of fanotify info that is defined is an audit
> > rule number, but convert it to hex
fan_info=17
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 3 ++-
include/linux/audit.h | 9 +
kernel/auditsc.c | 31 ---
3 files changed
Currently the only type of fanotify info that is defined is an audit
rule number, but convert it to hex encoding to future-proof the field.
Sample record:
type=FANOTIFY msg=audit(1659730979.839:284): resp=1 fan_type=0 fan_info=3F
Suggested-by: Paul Moore
Signed-off-by: Richard Guy Briggs
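The "audit event" definition earlier on this page (a set of records sharing one timestamp and serial number) and the FANOTIFY sample record just above, with its hex-encoded fan_info field, are the two things a log consumer has to get right. The following is an added example, not code from this page or from the audit project: it groups records into events by the msg=audit(timestamp:serial) key and decodes the FANOTIFY fields using the v7 encoding described in this thread (fan_type=1 carries a hex audit rule number, fan_info reads "0" otherwise, subj_trust/obj_trust are 0|1|2 for no/yes/unknown). The sample log lines are constructed, and the FAN_ALLOW, FAN_DENY and FAN_RESPONSE_INFO_AUDIT_RULE values are taken from the kernel uapi header rather than from the page.

```python
import re
from collections import OrderedDict

# Constructed sample log (not captured from a real system). Each record carries
# msg=audit(<seconds.millis>:<serial>); records that share that pair belong to
# one audit event, here a watched open of /etc/passwd (serial 283) followed by
# two fanotify permission-event responses (serials 284 and 285).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1659730979.839:283): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1e9f9a10 a2=80000 a3=0 items=1 ppid=1 pid=4242 auid=1000 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="watch-passwd"
type=PATH msg=audit(1659730979.839:283): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1659730979.839:283): proctitle=636174002F6574632F706173737764
type=FANOTIFY msg=audit(1659730979.839:284): resp=2 fan_type=1 fan_info=3F subj_trust=2 obj_trust=1
type=FANOTIFY msg=audit(1659730979.840:285): resp=1 fan_type=0 fan_info=0 subj_trust=2 obj_trust=2
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Values from include/uapi/linux/fanotify.h (assumed here, not taken from the page):
# FAN_ALLOW = 0x01, FAN_DENY = 0x02, FAN_RESPONSE_INFO_AUDIT_RULE = 1.
FAN_ALLOW, FAN_DENY = 0x01, 0x02
FAN_RESPONSE_INFO_AUDIT_RULE = 1
TRUST = {0: "no", 1: "yes", 2: "unknown"}   # subj_trust / obj_trust encoding


def parse_record(line):
    """Split one audit record into its type, event key and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(text):
    """Group records into events keyed by (timestamp, serial), preserving order."""
    events = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events


def decode_fanotify(rec):
    """Decode a FANOTIFY record: access decision, rule number and trust values."""
    if rec["type"] != "FANOTIFY":
        raise ValueError("not a FANOTIFY record")
    f = rec["fields"]
    # Only the allow/deny bits of resp matter for the decision.
    access = int(f["resp"]) & (FAN_ALLOW | FAN_DENY)
    fan_type = int(f["fan_type"])
    # fan_info is hex encoded; it carries the audit rule number only when the
    # responder supplied FAN_RESPONSE_INFO_AUDIT_RULE info, and reads "0" otherwise.
    rule = int(f["fan_info"], 16) if fan_type == FAN_RESPONSE_INFO_AUDIT_RULE else None
    return {
        "response": {FAN_ALLOW: "FAN_ALLOW", FAN_DENY: "FAN_DENY"}.get(access, "?"),
        "rule_number": rule,
        "subj_trust": TRUST[int(f["subj_trust"])],
        "obj_trust": TRUST[int(f["obj_trust"])],
    }


def event_types(events, key):
    """Record types that make up one event, in the order they were emitted."""
    return [r["type"] for r in events[key]]


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG)
    for key, recs in evs.items():
        print(key, event_types(evs, key))
        for r in recs:
            if r["type"] == "FANOTIFY":
                print("   ", decode_fanotify(r))
```

Grouping on the (timestamp, serial) pair rather than on the timestamp alone matters: two events can share a millisecond timestamp, as serials 283 and 284 do in the sample, and only the serial separates them.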
fo=3F"
Link: https://lore.kernel.org/r/cover.1659981772.git@redhat.com
Richard Guy Briggs (4):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold respons
-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 6 +++---
include/linux/audit.h | 6 +++---
kernel/auditsc.c | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.h
://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 10 ++-
fs/notify/fanotify/fanotify.h | 2 +
fs/notify/fanotify/fanotify_user.c | 104 +++--
include/linux/fanotify.h | 5 ++
include
d
> "setxattr" which isn't going to work; the lines in audit.rules are
> intended to be passed as command line arguments to auditctl. Look at
> the augenrules script (repo link below) and the auditctl '-R' option.
>
> *
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub
On 2022-05-17 08:37, Amir Goldstein wrote:
> On Mon, May 16, 2022 at 11:22 PM Richard Guy Briggs wrote:
> >
> > This patch adds 2 structure members to the response returned from user
> > space on a permission event. The first field is 32 bits for the context
On 2022-05-16 21:42, Paul Moore wrote:
> On Mon, May 16, 2022 at 4:22 PM Richard Guy Briggs wrote:
> >
> > This patch passes the full value so that the audit function can use all
> > of it. The audit function was updated to log the additional information in
> >
On 2022-05-09 10:54, Jan Kara wrote:
> On Fri 06-05-22 14:46:49, Richard Guy Briggs wrote:
> > On 2022-05-05 16:44, Jan Kara wrote:
> > > On Tue 03-05-22 21:33:35, Richard Guy Briggs wrote:
> > > > On 2022-05-02 20:16, Paul Moore wrote:
> > > > > On Th
Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2
Suggested-by: Jan Kara
Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 2 +-
fs/notify/fanotify/fanotify.h | 2 +
fs/notify/fanotify
fan_ctx=17
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
Signed-off-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.c | 4 +++-
include/linux/audit.h | 9 +
kernel/auditsc.c | 18 +++---
3 files changed, 23 insertions
-by: Richard Guy Briggs
---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 6 +++---
include/linux/audit.h | 6 +++---
kernel/auditsc.c | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.h
to union
- move low-cost fd check earlier
- change FAN_RESPONSE_INFO_AUDIT_NONE to FAN_RESPONSE_INFO_NONE
- switch to u32 for internal and __u32 for uapi
Link: https://lore.kernel.org/r/cover.1652724390.git@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for response
On 2022-05-05 16:44, Jan Kara wrote:
> On Tue 03-05-22 21:33:35, Richard Guy Briggs wrote:
> > On 2022-05-02 20:16, Paul Moore wrote:
> > > On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs
> > > wrote:
> > > > This patch adds 2 structure members to the re
On 2022-05-02 20:16, Paul Moore wrote:
> On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs wrote:
> > This patch adds 2 structure members to the response returned from user
> > space on a permission event. The first field is 16 bits for the context
> > type. The context ty
On 2022-05-02 20:16, Paul Moore wrote:
> On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs wrote:
> >
> > The user space API for the response variable is __u32. This patch makes
> > sure that the whole path through the kernel uses __u32 so that there is
> > no s
On 2022-05-02 20:16, Paul Moore wrote:
> On Thu, Apr 28, 2022 at 8:55 PM Richard Guy Briggs wrote:
> > On 2022-04-28 20:44, Richard Guy Briggs wrote:
> > > The Fanotify API can be used for access control by requesting permission
> > > event notification. The user spa
On 2022-04-28 20:44, Richard Guy Briggs wrote:
> The Fanotify API can be used for access control by requesting permission
> event notification. The user space tooling that uses it may have a
> complicated policy that inherently contains additional context for the
> decision. If this
-by: Richard Guy Briggs
Link:
https://lore.kernel.org/r/aa98a3ad00666a6fc0ce411755de4a1a60f5c0cd.1651174324.git@redhat.com
---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/notify
://lore.kernel.org/r/2745105.e9J7NaK4W3@x2
Suggested-by: Jan Kara
Link: https://lore.kernel.org/r/20201001101219.ge17...@quack2.suse.cz
Signed-off-by: Richard Guy Briggs
Link:
https://lore.kernel.org/r/17660b3f2817e5c0a19d1e9e5d40b53ff4561845.1651174324.git@redhat.com
---
fs/notify/fanotify
fan_ctx=17
Suggested-by: Steve Grubb
Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2
Signed-off-by: Richard Guy Briggs
Link:
https://lore.kernel.org/r/23c7f206a465d88cc646a944515fcc6a365f5eb2.1651174324.git@redhat.com
---
fs/notify/fanotify/fanotify.c | 4 +++-
include/linux/audit.h
@redhat.com
Richard Guy Briggs (3):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold response decision context
fanotify: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c | 5 ++-
fs/notify/fanotify/fanotify.h
On 2022-04-06 01:19, CGEL wrote:
> On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote:
> > On 2022-04-02 08:06, CGEL wrote:
> > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb wrote:
nt, but the kernel is the last
step for security.
If userspace and the kernel are mismatched or out of sync, then the
kernel enforces policy to protect itself.
> > > > > Beware that there are some limitations
> > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > current design/implementation, which may affect this to some extent.
> >
> > --
> > paul-moore.com
On 2022-02-22 13:56, Paul Moore wrote:
> On Tue, Feb 22, 2022 at 11:45 AM Richard Guy Briggs wrote:
> > AUDIT_TIME_* events are generated when there are syscall rules present
> > that are not related to time keeping. This will produce noisy log
> > entries that could fl
ekeeping: Audit clock adjustments")
Signed-off-by: Richard Guy Briggs
---
Changelog:
v2:
- rename __audit_ntp_log_ to audit_log_ntp
- pre-check ntp before storing
- move tk out of the context union and move ntp logging to the bottom of
audit_show_special()
- restructure logging of ntp to use
ekeeping: Audit clock adjustments")
Signed-off-by: Richard Guy Briggs
---
Changelog:
v2:
- rename __audit_ntp_log_ to audit_log_ntp
- pre-check ntp before storing
- move tk out of the context union and move ntp logging to the bottom of
audit_show_special()
- restructure logging of ntp to use
and log it at syscall exit time respecting the filter rules.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment")
Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments")
Signed-off-by: Richard Guy B
On 2022-02-10 21:08, Paul Moore wrote:
> On Thu, Feb 10, 2022 at 6:46 PM Richard Guy Briggs wrote:
> > On 2022-01-31 20:29, Paul Moore wrote:
> > > On Mon, Jan 31, 2022 at 6:29 PM Richard Guy Briggs
> > > wrote:
> > > > On 2022-01-31 17:02, Paul Moore wro
On 2022-01-31 20:29, Paul Moore wrote:
> On Mon, Jan 31, 2022 at 6:29 PM Richard Guy Briggs wrote:
> > On 2022-01-31 17:02, Paul Moore wrote:
> > > On Wed, Jan 26, 2022 at 8:52 AM Richard Guy Briggs
> > > wrote:
> > > > On 2022-01-25 22:24, Richard
On 2022-02-09 16:18, Paul Moore wrote:
> On Wed, Feb 9, 2022 at 10:57 AM Paul Moore wrote:
> > On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney wrote:
> > >
> > > Hi Richard -
> > >
> > > On 5/19/21 16:00, Richard Guy Briggs wrote:
> > > > Th
://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71...@suse.com
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")
Reported-by: Jeff Mahoney
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/a
On 2022-02-09 10:57, Paul Moore wrote:
> On Tue, Feb 8, 2022 at 10:44 PM Jeff Mahoney wrote:
> >
> > Hi Richard -
> >
> > On 5/19/21 16:00, Richard Guy Briggs wrote:
> > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9
> &
that be possible?
>Would you mind please to help me on some knowledge about that?
You may want to look into pam_tty_audit, but it may flood your logs.
On 2022-01-31 17:02, Paul Moore wrote:
> On Wed, Jan 26, 2022 at 8:52 AM Richard Guy Briggs wrote:
> > On 2022-01-25 22:24, Richard Guy Briggs wrote:
> > > AUDIT_TIME_* events are generated when there are syscall rules present
> > > that are
> > > not related
On 2022-01-25 22:24, Richard Guy Briggs wrote:
> AUDIT_TIME_* events are generated when there are syscall rules present that
> are
> not related to time keeping. This will produce noisy log entries that could
> flood the logs and hide events we really care about.
>
> Rathe