> > the following (something between option #2 and #3):
> > subj1_lsm=smack subj1= subj2_lsm=selinux
> >
> > subj2= ...
> > >>> If it's not a subj= field why use the indirection?
> > >>>
> > >>> subj_smack= subj_selinux=
FWIW +1 on this approach.
--
Linux-audit m
On Mon, Nov 26, 2018 at 8:48 AM Paul Moore wrote:
>
> On Fri, Nov 23, 2018 at 6:47 PM Ranran wrote:
> > Hello,
> >
> > Is it possible to log all messages from within kernel, (without any
> > userspace application and daemon) ?
>
> If you are not running an audit daemon then the audit records will
Hence sudo would be required.
> >
> > frank
> >
> >
> > On 09/24/2018 06:35 AM, William Roberts wrote:
> >> Sorry for the HTML...
> >>
> >> This seems off topic. This is a list for questions surrounding the linux
> >> audit subsystem.
> >
Sorry for the HTML...
This seems off topic. This is a list for questions surrounding the linux
audit subsystem.
That file is usually user=root group=root mode=0644. I.e., read-only for all,
writeable for user root. No sudoers entry needed for read access.
On Sun, Sep 23, 2018, 21:30 khalid fahad wro
Then follow the unsubscribe directions here:
https://www.redhat.com/mailman/listinfo/linux-audit
Rather than spamming the list.
On Wed, Jul 11, 2018 at 6:27 AM, Mauler, Gary [US] (MS)
wrote:
> I no longer want to receive emails
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> http
On Fri, Oct 20, 2017 at 3:16 PM, Casey Schaufler wrote:
> The function audit_log_secctx() is unused and cannot be
> made safe for the stacked/namespaced security module case.
> It, alas, shows up in the KAPI. Can this derelict code be
> removed? I'll provide a patch if it can go.
It seems to be u
On Apr 13, 2017 14:22, "Christian Rebischke"
wrote:
On Thu, Apr 13, 2017 at 05:05:36PM -0400, Paul Moore wrote:
> Unless Steve has exclusive administrative access to people.redhat.com
> (I think it is safe to say he does not, but correct me if I'm wrong
> Steve ) you can't trust an unsigned check
On Apr 13, 2017 14:17, "Paul Moore" wrote:
On Thu, Apr 13, 2017 at 5:08 PM, William Roberts
wrote:
> On Apr 13, 2017 14:05, "Paul Moore" wrote:
>> Unless Steve has exclusive administrative access to people.redhat.com
>> (I think it is safe to say he do
On Apr 13, 2017 14:05, "Paul Moore" wrote:
On Thu, Apr 13, 2017 at 5:00 PM, William Roberts
wrote:
> Isn't the hash on the https people's page? Which last time I looked wasn't
> throwing cert errors in chrome.
Unless Steve has exclusive administrative access to people
On Apr 13, 2017 13:56, "Christian Rebischke"
wrote:
On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:
> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.
The problem wi
On Apr 13, 2017 13:28, "Christian Rebischke"
wrote:
On Tue, Apr 11, 2017 at 10:03:54AM -0400, Steve Grubb wrote:
> I added a sha256sum to the release announcement yesterday. You can also
> access the people page via https.
>
Thanks, but as I stated before, SHA256 and https don't ensure a
non-m
On Apr 7, 2017 4:41 PM, "Christian Rebischke"
wrote:
On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote:
> Why not just checkout the release with git?
Because this wouldn't solve the problem or do you use signed commits in
your linux-audit git repository?
As
Why not just checkout the release with git?
On Apr 6, 2017 16:36, "Christian Rebischke"
wrote:
> Hello,
> I am the maintainer of 'audit' in the official Arch Linux Repositories.
> Is there a reason why you don't provide a signature file for the
> releases nor a checksum or am I just stupid and c
On Nov 29, 2016 07:10, "Florian Westphal" wrote:
>
> allows better debugging as freeing audit buffers now always honors slub
> debug hooks (e.g. object poisoning) and leak checker can detect the
> free operation.
>
> Removal also results in a small speedup (using
> single rule 'iptables -A INPUT -
On Oct 25, 2016 06:59, "William Roberts" wrote:
>
> On Oct 25, 2016 06:48, "William Roberts" wrote:
> >
> > On Oct 25, 2016 06:42, "teroz" wrote:
> > >
> > > Hey William
> > > exploit is run as a normal user and privile
On Oct 25, 2016 06:48, "William Roberts" wrote:
>
> On Oct 25, 2016 06:42, "teroz" wrote:
> >
> > Hey William
> > exploit is run as a normal user and privilege escalates to a root shell
> >
>
> Look under the covers. Dirty cow allo
modifies.
Take a peek with strace.
https://www.google.com/amp/www.theregister.co.uk/AMP/2016/10/21/linux_privilege_escalation_hole/
> On Tue, 25 Oct 2016 at 15:09 William Roberts
wrote:
>>
>> On Oct 25, 2016 05:12, "teroz" wrote:
>> >
>> > I used one of
On Oct 25, 2016 05:12, "teroz" wrote:
>
> I used one of the dirtycow root exploits on Fedora24 configured
> with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
> didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
> best way to trivially audit for a successful
You don't always need local access, I look at a lot of logs from systems I don't
have access to, and I just decode them using python. I use the snippet
from here to do it:
http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii
It might not be ideal, I h
On Thu, Jul 14, 2016 at 4:18 PM, William Roberts
wrote:
>
>
> On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore wrote:
>
>> On Thu, Jul 14, 2016 at 3:29 PM, wrote:
>> > From: William Roberts
>> >
>> > ioctlcmd is currently printing hex numbers, but
On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore wrote:
> On Thu, Jul 14, 2016 at 3:29 PM, wrote:
> > From: William Roberts
> >
> > ioctlcmd is currently printing hex numbers, but there is no leading
> > 0x. Thus things like ioctlcmd=1234 are misleading, as
On Aug 1, 2015 12:44 PM, "Richard Guy Briggs" wrote:
>
> Signed-off-by: Richard Guy Briggs
> ---
> include/uapi/linux/audit.h |2 ++
> kernel/audit.c |2 +-
> kernel/audit_watch.c |8
> kernel/auditsc.c |6 +++---
> 4 files changed, 10 inserti
For audit log records, the type field can be something like 1400 for
an AVC event. I know on the desktop it formats these all to the pretty
names IIRC, however I am on Android and we're not quite as advanced
yet. Is there a definitive guide for each number what they correspond
to besides cracking op
Apr 30, 2014 at 9:01 AM, Steve Grubb wrote:
> > On Wednesday, April 30, 2014 08:48:31 AM William Roberts wrote:
> >> My only nit would be the variable name result... would it be better named
> >> is_permissive or something?
> >
> > That adds more bytes. My perso
My only nit would be the variable name result... would it be better named
is_permissive or something?
Otherwise LGTM. From the Android camp, this will be very helpful.
On Apr 30, 2014 8:43 AM, "Stephen Smalley"
wrote:
> Attached patch switches to reporting permissive=0|1 and only does it
> for a
All,
Just following up on v7 of these patches and the merge status. I'm new
to this and trying to find out what I need to do to finish the merge,
if anything:
https://lkml.org/lkml/2014/2/11/803
https://lkml.org/lkml/2014/2/11/574
https://lkml.org/lkml/2014/2/11/506
Thanks again for everyone's h
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Acked-by: Richard Guy Briggs
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions
that were
inconvenienced a drink at a conference :-P
Bill
On Tue, Feb 11, 2014 at 9:47 AM, William Roberts
wrote:
> The most up to date patches were v6. The difference between v5 and v6
> is rtrim(). Did you not want the rtrim?
> Most things end with null bytes, this helps prevent hex-
key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386):
proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Acked-by: Steve Grubb (wrt record formatting)
Signed-off-by: William Roberts
---
include/uapi/linux/audit.h |1 +
kernel/audit.h |6
kernel/auditsc.c | 67 +++
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Acked-by: Richard Guy Briggs
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
kernel&m=139093196518317&w=2
http://marc.info/?l=linux-kernel&m=139093197518332&w=2
Bill
On Tue, Feb 11, 2014 at 9:25 AM, William Roberts
wrote:
> On Tue, Feb 11, 2014 at 8:36 AM, Richard Guy Briggs wrote:
>> On 14/02/06, William Roberts wrote:
>>> During an
On Tue, Feb 11, 2014 at 8:36 AM, Richard Guy Briggs wrote:
> On 14/02/06, William Roberts wrote:
>> During an audit event, cache and print the value of the process's
>> proctitle value (proc//cmdline). This is useful in situations
>> where processes are started via for
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files
key=(null)
type=UNKNOWN[1327] msg=audit(1391217013.924:386):
proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
Signed-off-by: William Roberts
---
include/uapi/linux/audit.h |1 +
kernel/audit.h |6
kernel/auditsc.c | 67
3 files cha
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" subj=u:r:bluetooth:s0 key=(null)
cmdline="com.android.bluetooth"
Signed-off-by: William Roberts
---
kernel
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" cmdline="com.android.bluetooth"
subj=u:r:bluetooth:s0 key=(null)
Signed-off-by: William Roberts
---
kerne
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" cmdline="com.android.bluetooth"
subj=u:r:bluetooth:s0 key=(null)
Signed-off-by: William Roberts
---
kerne
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 5150706..f0c5927 100644
--- a
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h
On Thu, Jan 16, 2014 at 8:40 AM, William Roberts
wrote:
> On Thu, Jan 16, 2014 at 7:11 AM, Steve Grubb wrote:
>> On Thursday, January 16, 2014 07:03:34 AM William Roberts wrote:
>>> On Thu, Jan 16, 2014 at 6:02 AM, Steve Grubb wrote:
>>> > On Wednesday, Januar
On Thu, Jan 16, 2014 at 6:02 AM, Steve Grubb wrote:
> On Wednesday, January 15, 2014 09:08:39 PM William Roberts wrote:
>> >> > Try this,
>> >> >
>> >> > cp /bin/ls 'test test test'
>> >> > auditctl -a always,exit -
On Wed, Jan 15, 2014 at 8:51 PM, Steve Grubb wrote:
> On Wednesday, January 15, 2014 05:44:29 PM William Roberts wrote:
>> On Wed, Jan 15, 2014 at 5:33 PM, Steve Grubb wrote:
>> > On Wednesday, January 15, 2014 05:08:13 PM William Roberts wrote:
>> >> On Wed, Jan 15
On Wed, Jan 15, 2014 at 5:33 PM, Steve Grubb wrote:
> On Wednesday, January 15, 2014 05:08:13 PM William Roberts wrote:
>> On Wed, Jan 15, 2014 at 4:54 PM, Steve Grubb wrote:
>> > On Wednesday, January 15, 2014 01:02:14 PM William Roberts wrote:
>> >> During an au
On Wed, Jan 15, 2014 at 4:54 PM, Steve Grubb wrote:
> On Wednesday, January 15, 2014 01:02:14 PM William Roberts wrote:
>> During an audit event, cache and print the value of the process's
>> cmdline value (proc//cmdline). This is useful in situations
>> where proces
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" cmdline="com.android.bluetooth"
subj=u:r:bluetooth:s0 key=(null)
Signed-off-by: William Roberts
---
kernel
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Acked-by: David Rientjes
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files
This bounced LKML, re-sending. My phone sent it as HTML
On Tue, Jan 14, 2014 at 7:50 PM, William Roberts
wrote:
> The race was non existent. I had the VMA locked. I switched to this to keep
> the code that gets the cmdline value almost unchanged to try and reduce
> bugs. I can still
smaller.
On Jan 14, 2014 5:45 PM, "Richard Guy Briggs" wrote:
> On 14/01/06, William Roberts wrote:
> > During an audit event, cache and print the value of the process's
> > cmdline value (proc//cmdline). This is useful in situations
> > where processes are
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" cmdline="com.android.bluetooth"
subj=u:r:bluetooth:s0 key=(null)
Signed-off-by: William Roberts
---
kernel/audit
On Mon, Jan 13, 2014 at 12:02 PM, William Roberts
wrote:
> During an audit event, cache and print the value of the process's
> cmdline value (proc//cmdline). This is useful in situations
> where processes are started via fork'd virtual machines where the
> comm field is
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 03c8d74..cfd178d 100644
--- a
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" subj=u:r:bluetooth:s0 key=(null)
cmdline="com.android.bluetooth"
Signed-off-by: William Roberts
---
kernel/audit
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h
good.
And is then directly known to be safe to pass to
audit_log_untrusted_string(), which aborts printing
on the first null byte.
On Fri, Jan 10, 2014 at 1:37 PM, William Roberts
wrote:
> I think you're right
>
> On Fri, Jan 10, 2014 at 1:08 PM, Eric Paris wrote:
>> If you know t
I think you're right
On Fri, Jan 10, 2014 at 1:08 PM, Eric Paris wrote:
> If you know the buf len, you can just use audit_log_n_untrusted_string()
> I think
>
> On Tue, 2014-01-07 at 12:44 -0800, William Roberts wrote:
>> Signed-off-by: William Roberts
>> ---
>
On Tue, Jan 7, 2014 at 12:44 PM, William Roberts
wrote:
> Signed-off-by: William Roberts
> ---
> kernel/auditsc.c | 19 +++
> 1 file changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index a4c2003..9ba1f2a
Just some updates from the review that I have gathered.
1. Possibility of accessing invalid memory on res being 0.
2. Do not switch ordering of fields.
Does anyone hate using the boolean expression to get my
increment value? Removes some branches. Based on my
loose understanding that boolean opera
Signed-off-by: William Roberts
---
kernel/auditsc.c | 19 +++
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index a4c2003..9ba1f2a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1292,9 +1292,20 @@ static void
On Tue, Jan 7, 2014 at 8:34 AM, Steve Grubb wrote:
> On Monday, January 06, 2014 07:38:02 PM William Roberts wrote:
>> I've been doing some testing of the recent audit cmdline patches,
>> notably as many of the error paths as I can.
>>
>> On a failure, the field i
On Jan 6, 2014 7:38 PM, "William Roberts" wrote:
>
> I've been doing some testing of the recent audit cmdline patches,
> notably as many of the error paths as I can.
>
> On a failure, the field is populated with null, like when key is null.
> However, it has
I've been doing some testing of the recent audit cmdline patches,
notably as many of the error paths as I can.
On a failure, the field is populated with null, like when key is null.
However, it has quotes, should I drop the quotes...
Example:
Now:
cmdline="(null)" key=(null)
Proposed:
cmdline=(
> On Mon, Jan 06, 2014 at 07:30:30AM -0800, William Roberts wrote:
>> +static void audit_log_cmdline(struct audit_buffer *ab, struct task_struct
>> *tsk,
>> + struct audit_context *context)
>> +{
>> + int res;
>> + char *buf;
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" cmdline="com.android.bluetooth"
subj=u:r:bluetooth:s0 key=(null)
Signed-off-by: William Roberts
---
kernel/au
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 03c8d74..cfd178d 100644
--- a
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h
Yes, you're missing setting the audit pid so the kernel knows who to
send messages to.
I wrote an auditd from scratch for android, feel free to look at the
code. It's very simple, and
includes the libaudit pieces I needed to re-implement to get a version
that was NOT
GPL'd.
Recently it got a bit mo
introduce get_cmdline() for retrieving the value of a process's
proc/self/cmdline value.
Signed-off-by: William Roberts
---
include/linux/mm.h |1 +
mm/util.c | 48
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h
Re-factor proc_pid_cmdline() to use get_cmdline() helper
from mm.h.
Signed-off-by: William Roberts
---
fs/proc/base.c | 36 ++--
1 file changed, 2 insertions(+), 34 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 03c8d74..cfd178d 100644
--- a
d=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002
sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="bt_hc_worker"
exe="/system/bin/app_process" cmdline="com.android.bluetooth"
subj=u:r:bluetooth:s0 key=(null)
Signed-off-by: William Roberts
---
kernel/au
I'm doing work now involving namespaces... the necessity is real. I'll
take a look early next week.
On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" wrote:
> Log the namespace details of a task.
> ---
>
> Does anyone have comments on this patch?
>
> I'm looking for guidance on which types of messa
On Fri, Dec 13, 2013 at 10:26 AM, William Roberts
wrote:
> On Fri, Dec 13, 2013 at 10:04 AM, Stephen Smalley wrote:
>> On 12/13/2013 09:51 AM, William Roberts wrote:
>>> On Fri, Dec 13, 2013 at 9:12 AM, Stephen Smalley wrote:
>>>> Also, why not just get_task_mm(ta
On Fri, Dec 13, 2013 at 10:04 AM, Stephen Smalley wrote:
> On 12/13/2013 09:51 AM, William Roberts wrote:
>> On Fri, Dec 13, 2013 at 9:12 AM, Stephen Smalley wrote:
>>> Also, why not just get_task_mm(task) within the function rather than
>>> pass it in by the caller?
On Fri, Dec 13, 2013 at 9:23 AM, Stephen Smalley wrote:
> On 12/02/2013 04:10 PM, William Roberts wrote:
>> Re-factor proc_pid_cmdline() to use get_cmdline_length() and
>> copy_cmdline() helpers from mm.h
>>
>> Signed-off-by: William Roberts
>
On Fri, Dec 13, 2013 at 9:12 AM, Stephen Smalley wrote:
> On 12/02/2013 04:10 PM, William Roberts wrote:
>> Add two new functions to mm.h:
>> * copy_cmdline()
>> * get_cmdline_length()
>>
>> Signed-off-by: William Roberts
>> ---
>> include/linux/mm.h
all,
I sent out some patches a while back (12/2) that affect mm, procfs and
audit. The audit patch (PATCH 3/3) was ack'd on by Richard Guy Briggs.
But the other patches I have not heard anything on.
Patches:
[PATCH 1/3] mm: Create utility functions for accessing a tasks commandline value
[PATCH 2
Sigh... I sent this back out from another email address and got bounced
from the lists... resending. Sorry for the cruft.
On Fri, Dec 6, 2013 at 7:34 AM, William Roberts wrote:
> I sent out 3 patches on 12/2/2013. I didn't get any response. I thought I
> added the right peop
Re-factor proc_pid_cmdline() to use get_cmdline_length() and
copy_cmdline() helpers from mm.h
Signed-off-by: William Roberts
---
fs/proc/base.c | 35 ++-
1 file changed, 10 insertions(+), 25 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index
Add two new functions to mm.h:
* copy_cmdline()
* get_cmdline_length()
Signed-off-by: William Roberts
---
include/linux/mm.h |7 +++
mm/util.c | 48
2 files changed, 55 insertions(+)
diff --git a/include/linux/mm.h b/include
ple of where this
is useful and applicable is in the realm of Android.
The cached cmdline is tied to the lifecycle of the audit_context
structure and is built on demand.
Signed-off-by: William Roberts
---
kernel/audit.h |1 +
kernel/auditsc.c | 82 +++
This patch series relates to work started on the audit mailing list.
It eventually involved touching other modules, so I am trying to
pull in those owners as well. In a nutshell I add new utility
functions for accessing a process's cmdline value as displayed
in proc//cmdline, and then refactor proc
On Mon, Dec 2, 2013 at 9:18 AM, Richard Guy Briggs wrote:
> On Mon, Dec 02, 2013 at 08:20:10AM -0800, William Roberts wrote:
>> On Mon, Dec 2, 2013 at 8:07 AM, Richard Guy Briggs wrote:
>> > On Mon, Dec 02, 2013 at 07:42:20AM -0800, William Roberts wrote:
>> >
On Mon, Dec 2, 2013 at 8:07 AM, Richard Guy Briggs wrote:
> On Mon, Dec 02, 2013 at 07:42:20AM -0800, William Roberts wrote:
>> Changelog since last post:
>> * Rebase on latest master
>>
>> [PATCH] audit: Audit proc cmdline value
>
> Hi Bill,
>
> I
ple of where this
is useful and applicable is in the realm of Android.
The cached cmdline is tied to the lifecycle of the audit_context
structure and is built on demand.
Signed-off-by: William Roberts
---
fs/proc/base.c | 35 +++---
include/linux/mm.h |7 +
kerne
Just following up on this since the holiday, any traction?
Changelog since last post:
* Rebase on latest master
[PATCH] audit: Audit proc cmdline value
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ple of where this
is useful and applicable is in the realm of Android.
The cached cmdline is tied to the lifecycle of the audit_context
structure and is built on demand.
Signed-off-by: William Roberts
---
fs/proc/base.c | 35 +++---
include/linux/mm.h |7 +
kerne
What's changed since last time?
* Squashed all the patches down
* Patches are relative to master
This is the version I would like to get merged.
[PATCH] audit: Audit proc cmdline value
Also, updating to a master kernel now, to try and publish relative to that.
On Wed, Nov 20, 2013 at 5:29 PM, William Roberts
wrote:
> Changes since last publish:
> * Ran all patches through checkpatch, some eluded me.
> * Changed cmdline copy/length API to reduce task_mm_get() mmpu
t via PR_SET_NAME. The other benefit is this
is not limited to 16 bytes as COMM historically has.
Change-Id: I9bf0928a8aa249d22ecd55fa9cd27325dd394eb1
Signed-off-by: William Roberts
---
fs/proc/base.c |2 +-
include/linux/proc_fs.h |1 +
kernel/auditsc.c|
Each call to length copy required a call to get_task_mm() and mmput.
Just require the caller to acquire and pass a valid mm.
Change-Id: Id7069b80f1cbea5b30032a0a459dd54b7446f665
Signed-off-by: William Roberts
---
fs/proc/base.c | 63
Changes since last publish:
* Ran all patches through checkpatch, some eluded me.
* Changed cmdline copy/length API to reduce task_mm_get() mmput() calls
Still need to know:
* Any major objections to this still?
* My public API changes are in proc, is this the best spot for those?
As always, th
Rather than reading from userspace on every call,
cache the page in the audit_context and couple
to that object's life-cycle.
Change-Id: Ia0d432bc4aba8588840f0dc0026a1e9483e5b485
Signed-off-by: William Roberts
---
kernel/auditsc.c | 48 +---
1 file
Rather than caching whole pages, use kmalloc to potentially
cache a smaller size.
Change-Id: I9fb749dc2bdac506d1bc6f2259fbbdeeec87b298
Signed-off-by: William Roberts
---
fs/proc/base.c | 93 +++
include/linux/proc_fs.h |5 ++-
kernel
On Wed, Nov 20, 2013 at 2:03 PM, William Roberts
wrote:
> On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs wrote:
>> On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
>>> Currently when the coredump signals are logged by the audit system, the
>>> actua
On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs wrote:
> On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
>> Currently when the coredump signals are logged by the audit system, the
>> actual path to the executable is not logged. Without details of exe, the
>> system admin may n
1 - 100 of 156 matches