On Tue, Apr 2, 2019 at 7:32 AM Neil Horman wrote:
> On Mon, Apr 01, 2019 at 10:50:03AM -0400, Paul Moore wrote:
> > On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs wrote:
> > > Audit events could happen in a network namespace outside of a task
> > > context d
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Reviewed-by: Geert Uytterhoeven
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-m...@lists.linux-m68k.org
) which in turn is required to extend
> the generic ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Acked-by: Vincent Chen
> Acked-by: Greentime Hu
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Richard Kuo
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-hexa...@vger.kernel.org
> Cc: linux-audi
eletion(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Yoshinori Sato
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: uclinux-h8-de...@lists.sourceforge.jp
> Cc: l
are
> needed to implement syscall_get_arch() which in turn is required to
> extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Vineet Gupta
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Alexey Brodkin
> Cc: Ole
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Vineet Gupta
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Alexey Brodkin
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-snps-...@lis
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Mark Salter
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Aurelien Jacquiot
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-c6x-.
a xattr (I would hope not),
but if we are going to use the xattr field, perhaps we should simply
stick with the name as provided (".") so we don't ever run afoul of
xattr names? I'm curious to hear what the IMA/EVM folks think of
this.
--
paul moore
www.paul-moore.com
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Acked-by: Vincent Chen
> Acked-by: Greentime Hu
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-audi
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Acked-by: Ley Foon Tan
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Ley Foon Tan
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: nios2-...@lists.
order to extend the generic
> ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Guan Xuetao
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-audit@redhat.com
> Signed-off-by: Dmitry V
) which in turn is required to extend
> the generic ptrace API with PTRACE_GET_SYSCALL_INFO request.
>
> Acked-by: Paul Moore
> Cc: Guan Xuetao
> Cc: Elvira Khabirova
> Cc: Eugene Syromyatnikov
> Cc: Oleg Nesterov
> Cc: Andy Lutomirski
> Cc: linux-audit@r
not declared.
> Should it be static?
>
> Signed-off-by: YueHaibing
> ---
> kernel/auditsc.c | 8 +---
> 1 file changed, 5 insertions(+), 3 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
On Wed, Mar 20, 2019 at 8:50 PM Richard Guy Briggs wrote:
> On 2019-03-20 19:48, Paul Moore wrote:
> > On Sat, Mar 16, 2019 at 8:10 AM Richard Guy Briggs wrote:
> > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > > verified xattr
3 ("syscall_get_arch: remove useless function arguments")
> Reverts: 1002d94d3076 ("syscall.h: fix doc text for syscall_get_arch()")
> Reviewed-by: Andy Lutomirski # for x86
> Reviewed-by: Palmer Dabbelt
> Acked-by: Paul Moore
> Acked-by: Paul Burton # M
rnel/time/ntp.c | 38 ++
> kernel/time/timekeeping.c | 6 ++
> 5 files changed, 82 insertions(+), 8 deletions(-)
These patches look fine to me, but it would be really nice to get an
ACK from the time folks before I merge this into audit/next. Time
folks, I know you've looked at previous versions of this patchset, can
you give this a quick look to make sure everything is still okay from
your perspective?
--
paul moore
www.paul-moore.com
On Thu, Apr 4, 2019 at 5:40 PM Richard Guy Briggs wrote:
> On 2019-04-02 07:31, Neil Horman wrote:
> > On Mon, Apr 01, 2019 at 10:50:03AM -0400, Paul Moore wrote:
> > > On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs
> > > wrote:
> > > > Audit eve
confident on my answer
here, is if refcount was a regular int and we wanted to access it
outside of a spinlock (to be clear, it doesn't look like this patch
currently does this). With RCU, if refcount was a regular int
(unsigned or otherwise), I believe it would be possible for different
thre
On Thu, Mar 28, 2019 at 5:40 PM Richard Guy Briggs wrote:
> On 2019-03-28 11:46, Paul Moore wrote:
> > On Wed, Mar 27, 2019 at 9:12 PM Richard Guy Briggs wrote:
> > >
> > > On 2019-03-27 23:42, Ondrej Mosnacek wrote:
> > > > On Fri, Mar 15, 2019 at 7:3
On Wed, Mar 27, 2019 at 11:05 AM Mimi Zohar wrote:
> On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote:
> > On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar wrote:
> > >
> > > Hi Richard, Paul,
> > >
> > > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy
On Mon, Mar 25, 2019 at 10:50 AM Paul Moore wrote:
> On Thu, Mar 7, 2019 at 7:33 AM Ondrej Mosnacek wrote:
> > This patchset implements auditing of (syscall-triggered) changes that
> > can modify or indirectly affect the system clock. Some of these
> > changes can already
On Mon, Apr 1, 2019 at 1:44 PM Richard Guy Briggs wrote:
> On 2019-04-01 10:49, Paul Moore wrote:
> > On Fri, Mar 15, 2019 at 2:34 PM Richard Guy Briggs wrote:
> > > Standalone audit records have the timestamp and serial number generated
> > > on the fly and as s
?
> enum audit_state state, current_state;
> unsigned intserial; /* serial number for record */
> int major; /* syscall number */
--
paul moore
www.paul-moore.com
}
> + audit_log_format(ab, "contid=");
> + } else
> + audit_log_format(ab, ",");
> + audit_log_format(ab, "%llu", cont->id);
> + first = false;
is some guidance that INIT_LIST_HEAD() should be used
regardless, you shouldn't need to call this here since list_add_rcu()
will take care of any list.h related initialization.
> + cont->id = contid;
> + refcount_set(>refcount, 1);
> + list_add_rcu(>list, contid_list);
> + }
> +out:
> + spin_unlock(>contid_list_lock);
> +}
--
paul moore
www.paul-moore.com
the
> > object2 should be.
> >
> > ausearch -k test-ra --format csv --extra-obj2
> >
> > ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> >
> > is this desired behaviour?
--
paul moore
www.paul-moore.com
imi Zohar
>
> Paul, were you planning on upstreaming this patch?
Yep, unless you would rather do it? If you pull it into the IMA tree,
please add my ACK; otherwise let me know and I'll merge it into
audit/next.
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
d it previously), and I have no problem merging this via the audit
tree, but I'm far from an expert on all the various arches listed, so
having the associated arch maintainer ACKs is important. Based on the
mail I've seen, here is the current status of the maintainer ACKs:
* arc: good (vgu...@synop
out free'ing the memory in places other than
audit_free_context(), let's create a helper function similar to
audit_free_aux() and use that when we need to free module.name. For
example:
static inline void audit_free_module(struct audit_context *context)
{
	if (context->type == AUDIT_KERN_MODULE)
urn;
> + }
Hello.
Thanks for the patch, but I have to ask if you've considered freeing
the module name in audit_free_context()? That seems like the correct
way to solve this issue.
-Paul
--
paul moore
www.paul-moore.com
(-)
--
paul moore
www.paul-moore.com
On Thu, Mar 7, 2019 at 3:43 PM Paul Moore wrote:
> On Wed, Mar 6, 2019 at 8:16 PM Li RongQing wrote:
> >
> > module.name will be allocated unconditionally when auditing load
> > module, and audit_log_start() can fail with other reasons, or
> > audit_log_exit maybe not
>
> @@ -1583,6 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
> if (!list_empty(>killed_trees))
> audit_kill_trees(>killed_trees);
>
> + audit_free_module(context);
> audit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> audit_free_aux(context);
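Review bot: the free is only added on the __audit_syscall_exit() path, so a context torn down anywhere else still keeps its module.name allocation; the reply in this thread makes the same point, that the release belongs in audit_free_context() (or in a small audit_free_module() helper called from both places). A one-line comment on why the new call sits ahead of audit_free_names()/audit_free_aux() would also help the next reader.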
> --
> 2.16.2
>
--
paul moore
www.paul-moore.com
hard Guy Briggs
> ---
> Passes audit-testsuite with CONFIG_AUDITSYSCALL set automatically and
> passes expected tests with it turned off manually.
>
> include/linux/audit.h | 9 -
> kernel/audit.h| 5 +
> 2 files changed, 5 insertions(+), 9 deletions(-)
Mer
-kernel/issues/106
>
> Signed-off-by: Richard Guy Briggs
> ---
> Tested with ausearch-test-0.6 and audit-testsuite, manually inspected
> for record association.
>
> drivers/tty/tty_audit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Merged into audit/next.
--
pau
A. R. Silva
> ---
> kernel/auditfilter.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
On Mon, Jan 28, 2019 at 4:20 PM Steve Grubb wrote:
> On Mon, 28 Jan 2019 15:08:56 -0500
> Paul Moore wrote:
> > On Mon, Jan 28, 2019 at 3:03 PM Steve Grubb wrote:
> > > On Mon, 28 Jan 2019 11:26:51 -0500
> > > Paul Moore wrote:
> > >
> > > > O
On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs wrote:
> On 2019-01-29 18:07, Paul Moore wrote:
> > On Mon, Jan 28, 2019 at 1:33 PM Richard Guy Briggs wrote:
> > > Remove audit_context from struct task_struct and struct audit_buffer
> > > when CONFIG_AUDIT is enab
return NULL;
> }
>
> +#ifdef CONFIG_AUDITSYSCALL
> audit_get_stamp(ab->ctx, , );
> +#else
> + audit_get_stamp(NULL, , );
> +#endif
If ab->ctx is NULL we don't really need this, do we?
> audit_log_format(ab, "audit(%llu.%03l
On Fri, Jan 25, 2019 at 5:27 PM Richard Guy Briggs wrote:
> On 2019-01-25 16:45, Paul Moore wrote:
> > On Wed, Jan 23, 2019 at 1:35 PM Richard Guy Briggs wrote:
> > > Don't fetch fcaps when umount2 is called to avoid a process hang while
> > > it waits for the missing
On Fri, Jan 25, 2019 at 4:53 AM Ondrej Mosnacek wrote:
> On Tue, Jan 22, 2019 at 8:42 PM Paul Moore wrote:
> > On Mon, Jan 21, 2019 at 10:36 AM Ondrej Mosnacek
> > wrote:
> > > In case a file has an invalid context set, in an AVC record generated
> > > upo
nux/sched.h | 2 +-
> init/init_task.c | 2 +-
> kernel/audit.c| 85
> +++
> kernel/auditsc.c | 84 --
> 6 files changed, 113 insertions(+), 108 deletions(-)
Looks good
it_file(const struct file *file)
> @@ -1952,7 +1952,7 @@ void __audit_inode_child(struct inode *parent,
> n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
> if (!n)
> return;
> - audit_copy_inode(n, NULL, parent);
> + audit_copy_inode(n, NULL, parent, 0);
> }
>
> if (!found_child) {
> @@ -1971,7 +1971,7 @@ void __audit_inode_child(struct inode *parent,
> }
>
> if (inode)
> - audit_copy_inode(found_child, dentry, inode);
> + audit_copy_inode(found_child, dentry, inode, 0);
> else
> found_child->ino = AUDIT_INO_UNSET;
> }
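Review bot: both call sites in __audit_inode_child() now pass a bare literal 0 as the new fourth argument to audit_copy_inode(); a named constant or a short comment at the call would tell readers what the flag means, since the hunks themselves give no hint.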
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)))
> + return -EINVAL;
> +
> if (!a) {
> a = _data;
> a->type = LSM_AUDIT_DATA_NONE;
> --
> 2.20.1
>
--
paul moore
www.paul-moore.com
> + * @sid: security identifier, SID
> + * @scontext: security context
> + * @scontext_len: length in bytes
> + *
> + * Write the string representation of the context associated with @sid
> + * into a dynamically allocated string of the correct size, but only if the
> + * context is invalid in the current policy.
> >
> > At the least, they should be WARN_ONs.
>
> OK, seems that switching to WARN_ON() will be a better choice.
>
> Paul, you can apply the series without this patch and I will post a
> corrected patch separately (if that's OK with you).
Yep. Patches 1, 2, and 4 should now be
> completely */
Removed "exact" from the comment above so it fits an 80 char line
width. Please watch for this in your patches, I care a lot about line
widths.
Otherwise as long as Serge is happy with the capabilities bits, I'm
happy with the audit bits; merged.
--
paul moore
www.paul-moore.com
_exe(struct audit_buffer *ab,
>
> extern int audit_filter(int msgtype, unsigned int listtype);
>
> -#ifdef CONFIG_AUDITSYSCALL
> -extern int audit_signal_info(int sig, struct task_struct *t);
> -extern void audit_filter_inodes(struct task_struct *tsk, struct
> audit_context *ct
}
> + if (f->type == AUDIT_FSTYPE
> + && audit_comparator(parent->i_sb->s_magic,
> + f->op, f->val)
> + && e->rule.action == AUDIT_NEVER) {
> + rcu_read_unlock();
> + return;
> }
> }
> }
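Review bot: the `&&` continuations at the start of the condition lines go against kernel coding style (checkpatch flags logical operators that are not on the previous line); move them to the end of the preceding line. The rcu_read_unlock() before the early return is right; a brief comment that an AUDIT_FSTYPE match on an AUDIT_NEVER rule deliberately skips the rest of the function would make the intent obvious.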
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
(sad->state, sad->ssid, ,
> +_len);
> + if (rc)
> + audit_log_format(ab, " ssid=%d", sad->ssid);
> + else {
> + audit_log_format(ab, " scontext=%s", scontext);
> + kfree(scontext);
> }
> +
> + rc = security_sid_to_context(sad->state, sad->tsid, ,
> +_len);
> + if (rc)
> + audit_log_format(ab, " tsid=%d", sad->tsid);
> + else {
> + audit_log_format(ab, " tcontext=%s", scontext);
> + kfree(scontext);
> + }
> +
> + BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map));
> + audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
> +
> + if (sad->denied)
> + audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
> }
>
> /* This is the slow part of avc audit with big stack footprint */
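Review bot: the BUG_ON() on sad->tclass panics the whole machine on a malformed class value inside an audit path; a WARN_ON() with an early return, as the thread already suggests, fails safer. Style: the two `if (rc) ... else {` pairs brace only the else branch; kernel style wants braces on both branches when either needs them, which also makes it clearer that kfree(scontext) is reached only on the success side.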
> --
> 2.20.1
>
--
paul moore
www.paul-moore.com
On Tue, Jan 29, 2019 at 9:54 PM Richard Guy Briggs wrote:
> On 2019-01-29 18:26, Paul Moore wrote:
> > On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs wrote:
> > > On 2019-01-29 18:07, Paul Moore wrote:
> > > > On Mon, Jan 28, 2019 at 1:33 PM Rich
x/ss/services.c | 3 +--
> security/smack/smack_lsm.c | 4 +---
> 12 files changed, 26 insertions(+), 38 deletions(-)
--
paul moore
www.paul-moore.com
On Thu, Jan 31, 2019 at 10:53 PM Paul Moore wrote:
> On Tue, Jan 29, 2019 at 9:54 PM Richard Guy Briggs wrote:
> > On 2019-01-29 18:26, Paul Moore wrote:
> > > On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs
> > > wrote:
> > > > On 2019-01-29 18:07,
On Fri, Feb 1, 2019 at 4:57 PM Richard Guy Briggs wrote:
> On 2019-02-01 16:05, Paul Moore wrote:
> > On Fri, Feb 1, 2019 at 3:42 PM Nathan Chancellor
> > wrote:
> > > On Wed, Jan 23, 2019 at 01:35:00PM -0500, Richard Guy Briggs wrote:
> > > > Don't fetch f
letting us know.
Richard, please submit a patch to fix this ASAP. Looking at this, the
obvious fix is to move audit_copy_inode() to auditsc.c, but I'm not
sure if that itself is going to cause problems (it doesn't look like
it). Actually, thinking out loud, I wonder if we shouldn't move
audit_log_cap(), audit_log_fcaps(), audit_copy_fcaps(), and
audit_log_name() too?
--
paul moore
www.paul-moore.com
> kernel/audit.h| 9 ---
> kernel/auditsc.c | 158
> ++++++
> 4 files changed, 161 insertions(+), 167 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
mour, integrity and smack.
> Might there be others out of tree that do use it (or did request it)?
I'm not aware of any work-in-progress that would make use of it, so if
it isn't used by anything in-tree, go ahead and get rid of it. If we
need it again in the future for some reason we can always add
On Mon, Jan 28, 2019 at 6:25 PM Paul Moore wrote:
> On Fri, Jan 25, 2019 at 5:27 PM Richard Guy Briggs wrote:
> > On 2019-01-25 16:45, Paul Moore wrote:
> > > On Wed, Jan 23, 2019 at 1:35 PM Richard Guy Briggs
> > > wrote:
> > > > Don't fetch fcaps wh
.c | 2 --
> kernel/auditsc.c | 64
> ++--
> 2 files changed, 27 insertions(+), 39 deletions(-)
Merged into audit/next.
--
paul moore
www.paul-moore.com
; kernel/time/ntp.c | 22 ++++--
> kernel/time/ntp_internal.h | 4 ++-
> kernel/time/timekeeping.c | 7 -
> 6 files changed, 112 insertions(+), 5 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
anged, 27 insertions(+)
Merged into audit/next, thanks everyone.
Ondrej, please watch your line lengths, I had to break up another line
greater than 80 chars.
--
paul moore
www.paul-moore.com
* never called */
> #define audit_kill_trees(context) BUG()
>
> -#define audit_signal_info(s, t) AUDIT_DISABLED
> +#define audit_signal_info_syscall(t) AUDIT_OFF
Similar as above.
--
paul moore
www.paul-moore.com
r years.
It's ready when it's ready.
> On 6/3/19 6:01 PM, Paul Moore wrote:
> > On Fri, May 31, 2019 at 1:54 PM Richard Guy Briggs wrote:
> >> Remove the BUG() call since we will never have an invalid op value as
> >> audit_data_to_entry()/audit_to_op() ensure that
On Tue, May 28, 2019 at 5:54 PM Daniel Walsh wrote:
>
> On 4/22/19 9:49 AM, Paul Moore wrote:
> > On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> >> On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> >>> Implement kernel audit container
result = audit_match_filetype(ctx, f->val);
> + if (f->op == Audit_not_equal)
> + result = !result;
> break;
> case AUDIT_FIELD_COMPARE:
> result = audit_field_compare(tsk, cred, f, ctx, name);
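Review bot: the result is inverted only for Audit_not_equal, so every other operator on this field still behaves as plain equality; consider rejecting unsupported operators when the rule is parsed so that a rule with, say, a greater-than operator fails loudly instead of silently matching as equal.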
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
On Thu, May 30, 2019 at 4:37 PM Richard Guy Briggs wrote:
> On 2019-05-30 10:34, Paul Moore wrote:
> > On Thu, May 30, 2019 at 10:20 AM Richard Guy Briggs wrote:
> > >
> > > On 2019-05-29 18:16, Paul Moore wrote:
> > > > On Mon, Apr 8, 2019 at 11:4
On Thu, May 30, 2019 at 5:29 PM Tycho Andersen wrote:
> On Thu, May 30, 2019 at 03:29:32PM -0400, Paul Moore wrote:
> >
> > [REMINDER: It is an "*audit* container ID" and not a general
> > "container ID" ;) Smiley aside, I'm not kidding about that part.]
On Thu, May 30, 2019 at 8:21 PM Richard Guy Briggs wrote:
> On 2019-05-30 19:26, Paul Moore wrote:
> > On Thu, May 30, 2019 at 5:29 PM Tycho Andersen wrote:
> > > On Thu, May 30, 2019 at 03:29:32PM -0400, Paul Moore wrote:
> > > >
> > > >
On Thu, May 30, 2019 at 1:09 PM Serge E. Hallyn wrote:
> On Wed, May 29, 2019 at 06:39:48PM -0400, Paul Moore wrote:
> > On Wed, May 29, 2019 at 6:28 PM Tycho Andersen wrote:
> > > On Wed, May 29, 2019 at 12:03:58PM -0400, Paul Moore wrote:
> > > > On Wed, May 29, 2
On Thu, May 30, 2019 at 3:34 PM Richard Guy Briggs wrote:
> On 2019-05-30 12:55, Paul Moore wrote:
> > The audit_data_to_entry() function ensures that the operator is valid
> > so we can get rid of these BUG() calls. We keep the "return 0" just
> > so the syst
agree is a workable
compromise). We did consider allowing for a chain of nested audit
container IDs, but the implications of doing so are significant
(implementation mess, runtime cost, etc.) so we are leaving that out
of this effort.
>From a practical perspective, un-setting the audit container ID is
pretty much the same as changing it from one set value to another so
most of the above applies to that case as well.
--
paul moore
www.paul-moore.com
On Wed, May 29, 2019 at 11:34 AM Tycho Andersen wrote:
>
> On Wed, May 29, 2019 at 11:29:05AM -0400, Paul Moore wrote:
> > On Wed, May 29, 2019 at 10:57 AM Tycho Andersen wrote:
> > >
> > > On Mon, Apr 08, 2019 at 11:39:09PM -0400, Richard Guy Briggs wrote:
> &
On Thu, May 30, 2019 at 10:09 AM Richard Guy Briggs wrote:
>
> On 2019-05-30 15:08, Ondrej Mosnacek wrote:
> > On Thu, May 30, 2019 at 12:16 AM Paul Moore wrote:
> > > On Mon, Apr 8, 2019 at 11:40 PM Richard Guy Briggs
> > > wrote:
> > > >
> >
On Thu, May 30, 2019 at 10:20 AM Richard Guy Briggs wrote:
>
> On 2019-05-29 18:16, Paul Moore wrote:
> > On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs wrote:
> > >
> > > Implement audit container identifier filtering using the AUDIT_CONTID
> > > f
On Thu, May 30, 2019 at 9:08 AM Steve Grubb wrote:
> On Wednesday, May 29, 2019 6:26:12 PM EDT Paul Moore wrote:
> > On Mon, Apr 22, 2019 at 9:49 AM Paul Moore wrote:
> > > On Mon, Apr 22, 2019 at 7:38 AM Neil Horman
> wrote:
> > > > On Mon, Apr 08, 2019 at 11:
On Thu, May 30, 2019 at 10:16 AM Richard Guy Briggs wrote:
>
> On 2019-05-29 18:17, Paul Moore wrote:
> > On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs wrote:
> > >
> > > Audit events could happen in a network namespace outside of a task
> > > conte
On Tue, May 28, 2019 at 6:22 PM Richard Guy Briggs wrote:
> On 2019-05-28 18:00, Paul Moore wrote:
> > On Wed, May 22, 2019 at 5:52 PM Richard Guy Briggs wrote:
> > >
> > > The field operator is ignored on several string fields. WATCH, DIR,
> > > PERM and FIL
On Wed, May 29, 2019 at 8:03 AM Daniel Walsh wrote:
>
> On 5/28/19 8:43 PM, Richard Guy Briggs wrote:
> > On 2019-05-28 19:00, Steve Grubb wrote:
> >> On Tuesday, May 28, 2019 6:26:47 PM EDT Paul Moore wrote:
> >>> On Tue, May 28, 2019 at 5:54 PM Daniel Walsh
On Wed, May 29, 2019 at 10:07 AM Daniel Walsh wrote:
> On 5/29/19 9:17 AM, Paul Moore wrote:
> > On Wed, May 29, 2019 at 8:03 AM Daniel Walsh wrote:
> >> On 5/28/19 8:43 PM, Richard Guy Briggs wrote:
> >>> On 2019-05-28 19:00, Steve Grubb wrote:
> >>>
mp; right) == right);
> default:
> - BUG();
> return 0;
> }
> }
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
The audit_data_to_entry() function ensures that the operator is valid
so we can get rid of these BUG() calls. We keep the "return 0" just
so the system behaves in a sane-ish manner should something go
horribly wrong.
Signed-off-by: Paul Moore
---
kernel/auditfilter.c |3 ---
1 fi
is time. It appears as though we will never have an invalid op
value as audit_data_to_entry()/audit_to_op() ensure that the op value
is a known good value. Removing the BUG() from all the audit
comparators is a separate issue, but I think it would be good to
remove it from this newly added comparator; keeping it so that we
return "0" in the default case seems reasonable.
> + return 0;
> + }
> +}
--
paul moore
www.paul-moore.com
cumentation/core-api/printk-formats.rst the recommendation for
u64 is %llu (or %llx, if you want hex). Looking quickly through the
printk code this appears to still be correct. I suggest we get rid of
the cast (like it was in v5).
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL(audit_log_contid);
--
paul moore
www.paul-moore.com
+ if (cont) {
> + INIT_LIST_HEAD(>list);
I thought you were going to get rid of this INIT_LIST_HEAD() call?
> + cont->id = contid;
> + refcount_set(>refcount, 1);
> + list_add_rcu(>list, contid_list);
> + }
> +out:
> + spin_unlock(>contid_list_lock);
> +}
--
paul moore
www.paul-moore.com
On Mon, Apr 22, 2019 at 9:49 AM Paul Moore wrote:
> On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> > On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > > Implement kernel audit container identifier.
> >
> > I'm sorry, I've lost track
like Richard is working up some
ideas now, let's wait to see what that looks like."
... and that is where we are at. I'm looking forward to seeing
Richard's next patchset.
> On Friday, May 31, 2019 8:44:45 AM EDT Paul Moore wrote:
> > On Thu, May 30, 2019 at 8:21 PM Richard Guy Bri
d_context() and security_sid_mls_copy() cases
below it would appear that the labels can be considered "trusted",
even if they are invalid. I understand your concern about logging
consistency with the "invalid_context" field, but without some further
discussion it is hard to accept this patch as-is.
--
paul moore
www.paul-moore.com
, to be honest, the string you get back from
context_struct_to_string() is always going to be NUL-terminated so you
could simplify this further:
audit_log_start(...);
audit_log_format(ab, "... invalid_context=");
/* no need to record the NUL with untrusted strings */
audit_log_n_untru
On Mon, Jun 24, 2019 at 10:15 PM John Johansen
wrote:
> On 6/24/19 6:46 PM, Paul Moore wrote:
> > On Mon, Jun 24, 2019 at 9:01 PM Casey Schaufler
> > wrote:
> >> On 6/24/2019 2:33 PM, John Johansen wrote:
> >>> On 6/21/19 11:52 AM, Casey Schaufler wrote:
struct lsmblob blob;
> >>
> >> -lsmblob_init(, osid);
> >> -if (security_secid_to_secctx(, )) {
> >> -audit_log_format(ab, " osid=%u", osid);
> > I am not comfortable just dropping this I would think
On Wed, Jun 12, 2019 at 3:37 AM Ondrej Mosnacek wrote:
> On Wed, Jun 12, 2019 at 12:56 AM Paul Moore wrote:
> > On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek wrote:
> > > These strings may come from untrusted sources (e.g. file xattrs) so they
> > >
- 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " trawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
> }
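Review bot: trimming the trailing NUL before audit_log_n_untrustedstring() is needed, since the untrusted-string logger would otherwise hex-encode the terminator into the trawcon= value; if the producer of scontext guarantees NUL termination, a plain strlen() (or taking the length without the NUL in the first place) is simpler than the conditional decrement of scontext_len.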
> --
> 2.20.1
--
paul moore
www.paul-moore.com
On Wed, May 8, 2019 at 9:52 PM Richard Guy Briggs wrote:
> On 2019-05-08 18:05, Paul Moore wrote:
> > On Wed, May 8, 2019 at 12:46 PM Richard Guy Briggs wrote:
> > >
> > > Provide a method to filter out sockaddr and bind calls by network
> > > address f
cosmetic in nature where the audit_filter_rules()
changes actually affect the behavior of the code and there is no
strong connection between the two changes. It seems like we would be
better off if you split the changes into two patches.
--
paul moore
www.paul-moore.com
; kernel/signal.c | 2 +-
> 5 files changed, 46 insertions(+), 19 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
t; generic way based on any given syscall that one parameter is a file
> > descriptor
> > that can be cross referenced?
>
> This is even Al Viro territory...
I'm sure Al would have some better commentary on this than me, but to
do this properly would likely involve caching the full path used by
the various open() syscalls for the life of the given fd and then
doing some rather painful string comparisons on each file i/o syscall
- no thank you ;)
--
paul moore
www.paul-moore.com
> +++-
> 1 file changed, 34 insertions(+), 22 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
hak73 v2
> - check for valid range of saddr_fam value
> v3:
> - eliminate AF_UNSPEC check
>
> include/uapi/linux/audit.h | 1 +
> kernel/auditfilter.c | 5 +++++
> kernel/auditsc.c | 5 +
> 3 files changed, 11 insertions(+)
Merged into audit/next.
--
p
1 - 100 of 2156 matches