Hi,
Is it possible to exclude a script from triggering audit records?
I know that one can exclude an executable via -a never,exit -F
exe=/path/to/exe but I haven't been able to find a way to do the same
for a script.
Also, is there a way to have the exclusion applied to all child
processes
On Tue, Sep 8, 2020 at 8:21 PM John Johansen
wrote:
>
> On 9/8/20 4:37 PM, Casey Schaufler wrote:
> > On 9/8/2020 6:35 AM, Stephen Smalley wrote:
> >> On Mon, Sep 7, 2020 at 9:28 PM Stephen Smalley
> >> wrote:
> >>> On Sat, Sep 5, 2020 at 3:07 PM John
On Mon, Sep 7, 2020 at 9:28 PM Stephen Smalley
wrote:
>
> On Sat, Sep 5, 2020 at 3:07 PM John Johansen
> wrote:
> >
> > On 9/5/20 11:13 AM, Casey Schaufler wrote:
> > > On 9/5/2020 6:25 AM, Paul Moore wrote:
> > >> On Fri, Sep 4, 2020 at 7:58 PM Case
On Sat, Sep 5, 2020 at 3:07 PM John Johansen
wrote:
>
> On 9/5/20 11:13 AM, Casey Schaufler wrote:
> > On 9/5/2020 6:25 AM, Paul Moore wrote:
> >> On Fri, Sep 4, 2020 at 7:58 PM Casey Schaufler
> >> wrote:
> >>> On 9/4/2020 2:53 PM, Paul Moore wrote:
> On Fri, Sep 4, 2020 at 5:35 PM Casey
On 7/24/20 4:32 PM, Casey Schaufler wrote:
Create a new audit record type to contain the subject information
when there are multiple security modules that require such data.
This record is linked with the same timestamp and serial number.
The record is produced only in cases where there is more
data is expanded to use an array of
> security module data rather than a single instance.
> Because IMA uses the audit rule functions it is
> affected as well.
>
> Acked-by: Stephen Smalley
> Acked-by: Paul Moore
> Signed-off-by: Casey Schaufler
With CONFIG_BPF_LSM=y:
On Mon, Jun 22, 2020 at 8:22 AM Stephen Smalley
wrote:
>
> On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
> wrote:
> >
> > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen wrote:
> > >
> > > At least on Debian, /etc/protocols, which is used by
On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
wrote:
>
> On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen wrote:
> >
> > At least on Debian, /etc/protocols, which is used by
> > socket.getprotobyname() to resolve protocols to names, does not
> > contain an entry
On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen wrote:
>
> At least on Debian, /etc/protocols, which is used by
> socket.getprotobyname() to resolve protocols to names, does not
> contain an entry for "ipv4". In that case, set the protocol number
> used by audit logs for "ipv4" to a fixed value. To
On Thu, May 14, 2020 at 7:25 PM Casey Schaufler wrote:
>
> Change the data used in UDS SO_PEERSEC processing from a
> secid to a more general struct lsmblob. Update the
> security_socket_getpeersec_dgram() interface to use the
> lsmblob. There is a small amount of scaffolding code
> that will
On Thu, May 14, 2020 at 7:30 PM Casey Schaufler wrote:
>
> Create a new audit record type to contain the subject information
> when there are multiple security modules that require such data.
> This record is emitted before the other records for the event, but
> is linked with the same timestamp
"/proc/kcore access"
scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tclass=lockdown permissive=0
Signed-off-by: Stephen Smalley
---
include/linux/lsm_audit.h | 2 ++
include/linux/security.h | 2 ++
On 8/15/19 1:41 PM, Aaron Goidel wrote:
Presently, there is no way for LSMs to enable collection of supplemental
audit records such as path and inode information when a permission denial
occurs. Provide a LSM hook to allow LSMs to selectively enable collection
on a per-task basis, even if the
On 8/15/19 6:32 PM, James Morris wrote:
On Thu, 15 Aug 2019, Aaron Goidel wrote:
In SELinux this new information is leveraged here to perform an
additional inode based check for capabilities relevant to inodes. Since
the inode provided to capable_wrt_inode_uidgid() is a const argument,
this
On 8/14/19 3:59 PM, Paul Moore wrote:
On Tue, Aug 13, 2019 at 5:27 PM Richard Guy Briggs wrote:
On 2019-08-13 11:01, Aaron Goidel wrote:
On 8/8/19 12:30 PM, Paul Moore wrote:
On Thu, Aug 1, 2019 at 10:43 AM Aaron Goidel wrote:
From: Nicholas Franck
At present security_capable does not
On 7/12/19 1:50 PM, James Morris wrote:
On Fri, 12 Jul 2019, Nicholas Franck wrote:
+ case LSM_AUDIT_DATA_CAP: {
+ const struct inode *inode;
+
+ if (a->u.cap_struct.cad) {
+ switch (a->u.cap_struct.cad->type) {
+
On 7/9/19 5:18 PM, Casey Schaufler wrote:
On 7/9/2019 11:12 AM, Stephen Smalley wrote:
On 7/9/19 1:51 PM, Casey Schaufler wrote:
On 7/9/2019 10:13 AM, Stephen Smalley wrote:
On 7/3/19 5:25 PM, Casey Schaufler wrote:
Create a new entry "display" in /proc/.../attr for controlling
On 7/9/19 1:51 PM, Casey Schaufler wrote:
On 7/9/2019 10:13 AM, Stephen Smalley wrote:
On 7/3/19 5:25 PM, Casey Schaufler wrote:
Create a new entry "display" in /proc/.../attr for controlling
which LSM security information is displayed for a process.
The name of an active LSM tha
On 1/25/19 5:06 AM, Ondrej Mosnacek wrote:
avc_dump_av() and avc_dump_query() are each used only in one place. Get
rid of them and open code their contents in the call sites.
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
---
security/selinux/avc.c | 140
On 1/25/19 5:06 AM, Ondrej Mosnacek wrote:
These BUG_ONs do not really protect from any catastrophic situation so
there is no need to have them there.
They are to catch bugs in callers that pass requested==0. That is
always indicative of a bug in the caller (e.g. failed to correctly
compute
On 1/25/19 5:06 AM, Ondrej Mosnacek wrote:
We don't need to crash the machine in these cases. Let's just detect the
buggy state early and error out with a warning.
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
---
security/selinux/avc.c | 5 +++--
1 file changed, 3
Daniel Walsh
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
---
security/selinux/avc.c | 15
security/selinux/include/security.h | 3 +++
security/selinux/ss/services.c | 37
On 1/22/19 2:42 PM, Paul Moore wrote:
On Mon, Jan 21, 2019 at 10:36 AM Ondrej Mosnacek wrote:
In case a file has an invalid context set, in an AVC record generated
upon access to such file, the target context is always reported as
unlabeled. This patch adds new optional fields to the AVC
On 1/18/19 5:04 AM, Ondrej Mosnacek wrote:
In case a file has an invalid context set, in an AVC record generated
upon access to such file, the target context is always reported as
unlabeled. This patch adds new optional fields to the AVC record (slcon
and tlcon) that report the actual context
On Fri, 2017-07-28 at 09:11 -0400, Steve Grubb wrote:
> On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote:
> > In the process of normalizing audit log messages, it was noticed
> > that the
> > AVC initialization code registered an audit log KERNEL record that
> > didn't
> > fit the
ng to normalize it, it was
> determined that this record was not even necessary. Remove it.
>
> Ref: http://marc.info/?l=selinux=149614868525826=2
> See: https://github.com/linux-audit/audit-kernel/issues/48
> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
Acked-by:
On Mon, 2016-12-19 at 15:19 +, Gary Tierney wrote:
> On Mon, Dec 19, 2016 at 09:43:06AM -0500, Stephen Smalley wrote:
> >
> > On Sat, 2016-12-17 at 20:48 +, Gary Tierney wrote:
> > >
> > > Adds error and warning messages to the codepaths which can fa
On Sat, 2016-12-17 at 20:48 +, Gary Tierney wrote:
> Adds error and warning messages to the codepaths which can fail when
> loading a new policy. If a policy fails to load, an error message
> will
> be printed to dmesg with a description of what failed. Previously if
> there was an error
On 11/22/2016 09:28 AM, Steve Grubb wrote:
> On Tuesday, November 22, 2016 8:56:57 AM EST Stephen Smalley wrote:
>> On 11/21/2016 04:50 PM, Paul Moore wrote:
>>> On Mon, Nov 21, 2016 at 12:30 PM, Steve Grubb <sgr...@redhat.com> wrote:
>>>> The AUDIT_MAC
On 11/21/2016 04:50 PM, Paul Moore wrote:
> On Mon, Nov 21, 2016 at 12:30 PM, Steve Grubb wrote:
>> The AUDIT_MAC_POLICY_LOAD event has dangling text that means the same thing
>> as the event type and is missing the uid and results field. The bigger issue
>> is that in some
On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore <pmo...@redhat.com> wrote:
> On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
>> On 10/07/2015 07:08 PM, Paul Moore wrote:
>> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
>> > index ef63d
On 10/09/2015 11:39 AM, Paul Moore wrote:
On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
On 10/07/2015 07:08 PM, Paul Moore wrote:
+static int selinux_kdbus_init_inode(struct inode *inode,
+ const struct cred *creds)
+{
+ struct
On 10/09/2015 12:25 PM, Steve Grubb wrote:
On Friday, October 09, 2015 10:57:44 AM Stephen Smalley wrote:
On 10/07/2015 07:08 PM, Paul Moore wrote:
The kdbus service names will be recorded using 'service', similar to
the existing dbus audit records.
Signed-off-by: Paul Moore <
On 10/07/2015 07:08 PM, Paul Moore wrote:
SELinux treats kdbus service names as objects and therefore needs a
mechanism to map service names to security labels. This patch adds
support for loading kdbus name/label matches with the security policy.
The patch supports service name prefix
On 10/07/2015 07:08 PM, Paul Moore wrote:
In order to effectively enforce LSM based access controls we need to
have more information about the kdbus endpoint creator than the
uid/gid currently stored in the kdbus_node_type struct. This patch
replaces the uid/gid values with a reference to the
On 10/07/2015 07:08 PM, Paul Moore wrote:
The kdbus service names will be recorded using 'service', similar to
the existing dbus audit records.
Signed-off-by: Paul Moore
---
ChangeLog:
- v3
* Ported to the 4.3-rc4 based kdbus tree
- v2
* Initial draft
---
the security label on a kdbusfs inode
Signed-off-by: Paul Moore <pmo...@redhat.com>
---
ChangeLog:
- v3
* Ported to the 4.3-rc4 based kdbus tree
- v2
* Implemented suggestions by Stephen Smalley
* call security_kdbus_conn_new() sooner
* reworked hook inside kdbus_conn_policy_ow
On 10/07/2015 07:08 PM, Paul Moore wrote:
Add the SELinux access control implementation for the new kdbus LSM
hooks using the new kdbus object class and the following permissions:
[NOTE: permissions below are based on kdbus code from Aug 2015]
* kdbus:impersonate
Send a different
On 05/20/2015 04:21 PM, Steve Grubb wrote:
On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Signed-off-by: Jeff Vander Stoep
wrote:
How about permitted rather than allowed.
I think permitted is already in an AVC.
Not sure where.
On 04/29/2014 10:59 PM, Eric Paris wrote:
On Tue, 2014-04-29 at 16:54 -0700, Stephen Smalley wrote:
Requested for Android in order to distinguish denials that are not in
fact breaking
Attached patch switches to reporting permissive=0|1 and only does it
for avc: denied messages.
On Wed, Apr 30, 2014 at 8:18 AM, Stephen Smalley
stephen.smal...@gmail.com wrote:
I could make it permissive=0 or permissive=1 if that is less
confusing. It doesn't necessarily correspond
it to save
bytes. They add up when you have 100's of thousands of events per day.
-Steve
Otherwise LGTM. From the Android camp, this will be very helpful.
On Apr 30, 2014 8:43 AM, Stephen Smalley stephen.smal...@gmail.com
wrote:
Attached patch switches to reporting permissive=0|1
On 03/15/2014 07:29 PM, Richard Guy Briggs wrote:
---
kernel/audit.c |5 ++---
kernel/auditsc.c |9 +
2 files changed, 7 insertions(+), 7 deletions(-)
Doesn't this also need to be fixed (twice) in security/lsm_audit.c?
diff --git a/kernel/audit.c b/kernel/audit.c
index
On 01/13/2014 12:02 PM, William Roberts wrote:
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Signed-off-by: William Roberts wrobe...@tresys.com
Acked-by: Stephen Smalley s...@tycho.nsa.gov
---
fs/proc/base.c | 36 ++--
1 file
On 01/13/2014 12:02 PM, William Roberts wrote:
introduce get_cmdline() for retrieving the value of a process's
/proc/self/cmdline value.
Signed-off-by: William Roberts wrobe...@tresys.com
Acked-by: Stephen Smalley s...@tycho.nsa.gov
---
include/linux/mm.h |1 +
mm/util.c
On 12/02/2013 04:10 PM, William Roberts wrote:
Add two new functions to mm.h:
* copy_cmdline()
* get_cmdline_length()
Signed-off-by: William Roberts wrobe...@tresys.com
---
include/linux/mm.h |7 +++
mm/util.c | 48
2
On 12/02/2013 04:10 PM, William Roberts wrote:
Re-factor proc_pid_cmdline() to use get_cmdline_length() and
copy_cmdline() helpers from mm.h
Signed-off-by: William Roberts wrobe...@tresys.com
---
fs/proc/base.c | 35 ++-
1 file changed, 10 insertions(+),
On 12/13/2013 09:51 AM, William Roberts wrote:
On Fri, Dec 13, 2013 at 9:12 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
Also, why not just get_task_mm(task) within the function rather than
pass it in by the caller?
Yes I was debating whether or not to drop the pointer checks... np
WRT
On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote:
Stephen Smalley:
To get object information, you need to enable
syscall auditing, and add a trivial syscall filter to turn on pathname
collection by the audit subsystem.
Thanks for that tip (all of you who gave it)! I now know
On Wed, 2010-01-20 at 14:23 -0500, Daniel J Walsh wrote:
On 01/20/2010 11:15 AM, Joshua Brindle wrote:
Stephen Smalley wrote:
On Wed, 2010-01-20 at 10:12 -0500, Daniel J Walsh wrote:
On 01/20/2010 08:51 AM, Stephen Smalley wrote:
On Wed, 2010-01-20 at 13:47 +0100, Göran Uddeborg wrote
chroot
is an example syscall filter.
The filter doesn't need to have anything to do with your failing
operation - it just turns on the machinery that will cause pathname
collection so that when the AVC is generated, you will also get a
SYSCALL record with the pathname info.
--
Stephen Smalley
On Tue, 2010-01-19 at 10:06 -0500, Daniel J Walsh wrote:
On 01/19/2010 09:52 AM, Stephen Smalley wrote:
On Mon, 2010-01-18 at 22:05 +0100, Göran Uddeborg wrote:
Here is another strange AVC I'm trying to understand.
SETroubleshoot on one of my machines is telling me that
SELinux
to the selinux_audit_data private space,
once again to make it so that the patched version behaves like the
unpatched.
I've tested and confirmed that AVCs look the same before and after
this patch.
Signed-off-by: Thomas Liu t...@redhat.com
Acked-by: Stephen Smalley s...@tycho.nsa.gov
Looks like there is also
want the code to work with either, you'd directly
read /proc/pid/attr/current and display the resulting string. If you
want to be SELinux-specific and include functionality like MLS label
translation, you'd use getpidcon(3).
--
Stephen Smalley
National Security Agency
--
Linux-audit mailing
, so as long as that remains text, audit2allow doesn't
have to care what the raw format is).
2008/8/14, Stephen Smalley [EMAIL PROTECTED]:
On Wed, 2008-08-13 at 13:25 -0300, Klaus Heinrich Kiwi wrote:
On Wed, 2008-08-13 at 11:09 -0400, Eric Paris wrote:
HAHAHA, kernel output xml? dream
compatibility both in kernel and in
the userland, as we are not allowed to break existing userland with new
kernel and we'd like new userland to still work on old kernels. Patches
that meet those standards accepted.
--
Stephen Smalley
National Security Agency
On Wed, 2008-05-07 at 12:48 -0400, Steve Grubb wrote:
On Wednesday 07 May 2008 11:29:36 Eric Paris wrote:
On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley [EMAIL PROTECTED] wrote:
On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
I assume we do NOT want to use this variant
.release_secctx = smack_release_secctx,
--
Stephen Smalley
National Security Agency
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Wed, 2008-03-12 at 08:40 -0700, Casey Schaufler wrote:
--- Stephen Smalley [EMAIL PROTECTED] wrote:
On Wed, 2008-03-12 at 04:44 +0200, Ahmed S. Darwish wrote:
Hi!,
Setup the new Audit hooks for Smack. The AUDIT_SUBJ_USER and
AUDIT_OBJ_USER SELinux flags are recycled
configured.
Then, audit system doesn't collect pathname info due to the
optimization to not collect information without syscall filters, and
SELinux doesn't get the vfsmount (reliably) in selinux_inode_permission,
so it cannot generate a path either.
--
Stephen Smalley
National Security Agency
. just the component name)
when it has the (vfsmount, dentry) pair available in the LSM hook, which
often isn't the case still. So we still depend on audit pathname
collection to give us more information than just the component name on
many permission checks.
--
Stephen Smalley
National Security
On Sun, 2007-08-05 at 17:03 -0700, Casey Schaufler wrote:
From: Casey Schaufler [EMAIL PROTECTED]
This patch interposes LSM interfaces between the audit system
and SELinux. This helps make SELinux a cleaner LSM and clarifies
the interfaces provided by the audit system. The audit system
no
specific. Any problem with making the security_audit_rule
interfaces use a void * ? The audit code appears to be accommodating.
The struct is already opaque outside of the security module, so you can
just rename it and implement your own version of the struct in your
module.
--
Stephen Smalley
was a static function
registered from an initcall in the same file where the function was
defined.
--
Stephen Smalley
National Security Agency
--
Stephen Smalley
National Security Agency
On Wed, 2007-07-25 at 13:19 -0700, Casey Schaufler wrote:
I'm looking at getting audit into my Smack LSM module.
Stephen Smalley has suggested, and I concur, that this
may be the time to convert audit from using SELinux
specific interfaces to LSM based interfaces.
Before I start blasting
=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1183463480.620:6351): path=/etc/fstab
--
Stephen Smalley
National Security Agency
On Tue, 2007-07-03 at 07:57 -0400, Stephen Smalley wrote:
On Tue, 2007-07-03 at 00:23 +0100, Matthew Booth wrote:
On Tue, 2007-07-03 at 10:48 +1200, Darryl Dixon - Winterhouse Consulting
wrote:
Hi Matt,
Thank you for your very thorough response. What you say about not being
able
On Mon, 2007-03-12 at 08:20 -0400, Alexander Viro wrote:
OK, you've convinced me - I'm switching to selinux-specific ones
in kernel/auditsc.c. Updated patch follows, should fix 228409 and
228384.
Acked-by: Stephen Smalley [EMAIL PROTECTED]
diff --git a/fs/proc/base.c b/fs/proc
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
The cat command failed and audit is saying success. A bit strange for
me. Could anybody clarify this point for me, please
On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
The cat command failed and audit is saying success. A bit
be:
security_release_secctx(ctx,len).
@@ -1195,6 +1207,9 @@ void audit_syscall_exit(int valid, long return_code)
} else {
audit_free_names(context);
audit_free_aux(context);
+ kfree(context-obj_ctx);
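Review bot: the kfree(context->obj_ctx) added at the end of the else branch in audit_syscall_exit() frees a security context buffer with plain kfree(); as the comment earlier in this review asks, the release should go through security_release_secctx(ctx, len) so that the security module which allocated the context is the one that frees it.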
And again.
Otherwise, looks fine.
--
Stephen Smalley
National
equivalents,
selinux_get_task_sid and selinux_sid_to_string, already in use by audit]
instead for such internal access to security contexts.
--
Stephen Smalley
National Security Agency
to saner API?
Just switch to the saner API.
audit_log_task_context) could be using selinux_get_task_sid() +
selinux_sid_to_string() instead of security_getprocattr.
--
Stephen Smalley
National Security Agency
is certainly
legitimate use of them (although I understand your goal of centralizing
audit configuration).
--
Stephen Smalley
National Security Agency
is not that pretty,
but the Makefile is configured with -Werror and a function which doesn't
use its parameters causes warnings. Is there a better solution to this
problem?
Signed-off-by: Michael Thompson [EMAIL PROTECTED]
Acked-by: Stephen Smalley [EMAIL PROTECTED]
--
Stephen Smalley
National Security
I think this is an existing problem, and not new to 1.2.7.
SELinux userland code isn't supposed to assume any fixed max.
libselinux does use an initial buffer size as a starting point when
calling e.g. getxattr, but will resize the buffer to a larger size if
necessary.
--
Stephen Smalley
Rename selinux_ctxid_to_string to selinux_sid_to_string to be
consistent with other interfaces.
Signed-off-by: Stephen Smalley [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
---
include/linux/selinux.h | 8
kernel/audit.c | 14 +++---
kernel
in the linux-audit archives.
--
Stephen Smalley
National Security Agency