Re: [PATCH ghak64 V2] audit: add saddr_fam filter field

2019-05-08 Thread Paul Moore
result = > audit_comparator(ctx->sockaddr->ss_family, > + f->op, f->val); > + break; > case AUDIT_SUBJ_USER: > case AUDIT_SUBJ_ROLE: > case AUDIT_SUBJ_TYPE: > -- > 1.8.3.1 > -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
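Review bot: the new case dereferences ctx->sockaddr without a visible guard; ctx->sockaddr is NULL whenever the syscall recorded no socket address (audit_sockaddr() was never called for it), so unless the elided lines above already test it, wrap the comparison in `if (ctx->sockaddr)` and leave `result` at 0 otherwise, so that a saddr_fam rule never dereferences a NULL pointer on connect/bind-less syscalls.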

Re: [PATCH ghak64 V3] audit: add saddr_fam filter field

2019-05-10 Thread Paul Moore
On Fri, May 10, 2019 at 12:16 PM Richard Guy Briggs wrote: > On 2019-05-10 11:28, Paul Moore wrote: > > On Thu, May 9, 2019 at 8:02 PM Richard Guy Briggs wrote: > > > > > > Provide a method to filter out sockaddr and bind calls by network > > > address f

Re: [PATCH ghak64 V1] audit: add saddr_fam filter field

2019-04-30 Thread Paul Moore
On Tue, Apr 30, 2019 at 1:01 PM Richard Guy Briggs wrote: > On 2019-04-27 10:09, Paul Moore wrote: > > On Fri, Apr 26, 2019 at 1:00 PM Richard Guy Briggs wrote: ... > > Beyond that, looking at the patch below it seems like there is an > > obvious omission regarding v

[GIT PULL] Audit patches for v5.2

2019-05-07 Thread Paul Moore
evm_secfs.c| 10 +-- 43 files changed, 331 insertions(+), 107 deletions(-) create mode 100644 arch/m68k/include/asm/syscall.h create mode 100644 arch/unicore32/include/asm/syscall.h

Re: [PATCH] audit: fix a memory leak bug

2019-04-18 Thread Paul Moore
err = -EINVAL; > WARN_ON(1); > } Since there are only two "types" (_ADD_RULE and _DEL_RULE) and the allocation is only three lines (audit_data_to_entry() + two lines for error handling), maybe it makes more sense to duplicate the audit_data_to_entry() call i

Re: [PATCH ghak111 V1] audit: deliver siginfo regardless of syscall

2019-04-18 Thread Paul Moore
On Thu, Apr 18, 2019 at 11:16 AM Richard Guy Briggs wrote: > On 2019-04-18 10:59, Paul Moore wrote: > > On Mon, Apr 8, 2019 at 11:53 PM Richard Guy Briggs wrote: > > > When a process signals the audit daemon (shutdown, rotate, resume, > > > reconfig) but syscall auditi

Re: [PATCH v2] audit: fix a memory leak bug

2019-04-19 Thread Paul Moore
audit_log_rule_change("remove_rule", >rule, !err); > break; > + Same here. > default: > - err = -EINVAL; > WARN_ON(1); > + return -EINVAL; > } > > if (err || type == AUDIT_DEL_RULE) { > -- > 2.7.4
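Review bot: the default arm now returns -EINVAL ahead of the `if (err || type == AUDIT_DEL_RULE)` cleanup that follows the switch, so nothing may have been allocated before the switch on that path; that holds only if audit_data_to_entry() has moved into the _ADD_RULE and _DEL_RULE arms as suggested for v1, and a short comment at the early return saying the entry has not been allocated yet would make the leak fix self-evident to the next reader.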

Re: [PATCH ghak64 V1] audit: add saddr_fam filter field

2019-04-27 Thread Paul Moore
> audit_comparator(ctx->sockaddr->ss_family, > + f->op, f->val); > + break; > case AUDIT_SUBJ_USER: > case AUDIT_SUBJ_ROLE: > case AUDIT_SUBJ_TYPE: > -- > 1.8.3.1

Re: [PATCH 0/5] vfs: track the dentry name length in name_snapshot

2019-04-26 Thread Paul Moore
> that exercises the fsnotify code, in particular? > > FWIW, my variant sits in vfs.git@work.dcache. Jan Kara contributed some audit related stress tests to the audit-testsuite (link below). You can find the tests under ./tests_manual/stress_tree. * https://github.com/linux-audit/audit-tes

Re: [PATCH 5/5] audit: fix audit_compare_dname_path to take a qstr

2019-04-26 Thread Paul Moore
--- > kernel/auditsc.c| 7 +++ > 5 files changed, 13 insertions(+), 12 deletions(-) This looks fine to me. I'm guessing you are planning on this going in with the other patches, but if you want me to pull this single patch into audit/next let me know. Acked-by: Paul Moore

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-07-08 Thread Paul Moore
On July 8, 2019 8:12:56 PM Richard Guy Briggs wrote: > On 2019-05-30 19:26, Paul Moore wrote: >> On Thu, May 30, 2019 at 5:29 PM Tycho Andersen wrote: >>> On Thu, May 30, 2019 at 03:29:32PM -0400, Paul Moore wrote: >>>> >>>> >>>> [REMIN

An update on my kernel "secnext" builds and testing

2019-04-23 Thread Paul Moore
anyone has a favorite distro, with good SELinux/audit support, please let me know. -Paul

Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon

2019-04-09 Thread Paul Moore
udit container ID work). While I'm not opposed to trying to make things like this a bit more robust by adding version fields and similar things, there are still so many (so very many) problems with the audit kernel/userspace interface that still need to be addressed.

Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon

2019-04-09 Thread Paul Moore
On Tue, Apr 9, 2019 at 9:49 AM Neil Horman wrote: > On Tue, Apr 09, 2019 at 09:40:58AM -0400, Paul Moore wrote: > > On Tue, Apr 9, 2019 at 8:58 AM Ondrej Mosnacek wrote: > > > > > > On Tue, Apr 9, 2019 at 5:40 AM Richard Guy Briggs wrote: > > > >

Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon

2019-04-09 Thread Paul Moore
On Tue, Apr 9, 2019 at 9:53 AM Richard Guy Briggs wrote: > On 2019-04-09 09:40, Paul Moore wrote: > > On Tue, Apr 9, 2019 at 8:58 AM Ondrej Mosnacek wrote: > > > On Tue, Apr 9, 2019 at 5:40 AM Richard Guy Briggs wrote: > > > > Add audit container identifier suppo

Re: [PATCH ghak90 V6 00/10] audit: implement container identifier

2019-04-22 Thread Paul Moore
branch; that's up to him. I've done this with other big changes in other trees, e.g. SELinux, and it has worked well to get some extra testing in and keep the patchset "merge ready" while others outside the subsystem look things over.

Re: [PATCH v3] audit: fix a memory leak bug

2019-04-22 Thread Paul Moore
y: Wenwen Wang > --- > kernel/auditfilter.c | 12 +++- > 1 file changed, 7 insertions(+), 5 deletions(-) Merged into audit/next - thanks!

Re: Preferred subj= with multiple LSMs

2019-07-16 Thread Paul Moore
On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote: > On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote: > > On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler > wrote: > > > On 7/15/2019 12:04 PM, Richard Guy Briggs wrote: > > > > On 2019-07-13 11:08, Steve G

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-07-16 Thread Paul Moore
On Tue, Jul 16, 2019 at 11:37 AM Richard Guy Briggs wrote: > On 2019-07-15 17:09, Paul Moore wrote: > > On Mon, Jul 8, 2019 at 2:12 PM Richard Guy Briggs wrote: > > > On 2019-05-30 19:26, Paul Moore wrote: > > > > ... > > > > > > I lik

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-07-16 Thread Paul Moore
On Tue, Jul 16, 2019 at 3:38 PM Richard Guy Briggs wrote: > On 2019-07-15 16:38, Paul Moore wrote: > > On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs wrote: > > > On 2019-05-29 11:29, Paul Moore wrote: > > > > ... > > > > > > The idea is

Re: Preferred subj= with multiple LSMs

2019-07-16 Thread Paul Moore
On Tue, Jul 16, 2019 at 2:41 PM Casey Schaufler wrote: > On 7/16/2019 11:06 AM, Steve Grubb wrote: > > On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote: > >> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler > > wrote: > >>> On 7/16/2019 10:12 AM, Pau

Re: Preferred subj= with multiple LSMs

2019-07-16 Thread Paul Moore
On Tue, Jul 16, 2019 at 5:46 PM Steve Grubb wrote: > On Tuesday, July 16, 2019 5:25:21 PM EDT Paul Moore wrote: ... > > Agreed. While I'm not going to be on a specific Linux release, I do > > believe that at some point in the future the LSM stacking work is > > going t

Re: Preferred subj= with multiple LSMs

2019-07-16 Thread Paul Moore
hability requirements, but with significant > parsing performance penalties. I think "hideous format" sums it up nicely. Whatever we choose here we are likely going to be stuck with for some time and I'm near to 100% that multiplexing the labels onto a single field is going to be a

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-07-16 Thread Paul Moore
On Tue, Jul 16, 2019 at 6:03 PM Richard Guy Briggs wrote: > On 2019-07-15 17:04, Paul Moore wrote: > > On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs wrote: ... > > > If we can't trust ns_capable() then why are we passing on > > > CAP_AUDIT_CONTROL? It is being p

Re: [RFC] audit support for BPF notification

2019-11-04 Thread Paul Moore
> eBPF (as opposed to tech preview)? As a reminder, this is a public mailing list that focuses on the technical development of the upstream Linux audit project; Red Hat product decisions should not be discussed here.

Re: [PATCH] audit: set context->dummy even when audit is off

2019-11-04 Thread Paul Moore
On Fri, Nov 1, 2019 at 9:24 AM Chris Mason wrote: > On 31 Oct 2019, at 19:27, Paul Moore wrote: > > It's been a while, but I thought we suggested Dave try running > > 'auditctl -a never,task' to see if that would solve his problem and I > > believe his answer was no, wh

Re: [PATCH] audit: set context->dummy even when audit is off

2019-11-04 Thread Paul Moore
On Mon, Nov 4, 2019 at 7:39 PM Chris Mason wrote: > On 4 Nov 2019, at 19:15, Paul Moore wrote: > > > On Fri, Nov 1, 2019 at 9:24 AM Chris Mason wrote: > >> On 31 Oct 2019, at 19:27, Paul Moore wrote: > >>> It's been a while, but I thought we suggested Dave try

Re: [PATCH ghak90 V7 04/21] audit: convert to contid list to check for orch/engine ownership

2019-11-08 Thread Paul Moore
On Fri, Oct 25, 2019 at 5:00 PM Richard Guy Briggs wrote: > On 2019-10-10 20:38, Paul Moore wrote: > > On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs wrote: > > > Store the audit container identifier in a refcounted kernel object that > > > is added to the mas

Re: [PATCH ghak90 V7 08/21] audit: add contid support for signalling the audit daemon

2019-11-08 Thread Paul Moore
On Fri, Oct 25, 2019 at 3:20 PM Richard Guy Briggs wrote: > On 2019-10-10 20:39, Paul Moore wrote: > > On Wed, Sep 18, 2019 at 9:25 PM Richard Guy Briggs wrote: > > > Add audit container identifier support to the action of signalling the > > > audit daemon. > &

Re: [PATCH ghak90 V7 06/21] audit: contid limit of 32k imposed to avoid DoS

2019-11-08 Thread Paul Moore
On Thu, Oct 24, 2019 at 5:23 PM Richard Guy Briggs wrote: > On 2019-10-10 20:38, Paul Moore wrote: > > On Fri, Sep 27, 2019 at 8:52 AM Neil Horman wrote: > > > On Wed, Sep 18, 2019 at 09:22:23PM -0400, Richard Guy Briggs wrote: > > > > Set an arbitrary limit on

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-31 Thread Paul Moore
On Wed, Oct 30, 2019 at 6:04 PM Richard Guy Briggs wrote: > On 2019-10-30 16:27, Paul Moore wrote: > > On Thu, Oct 24, 2019 at 5:00 PM Richard Guy Briggs wrote: > > > Here's the note I had from that meeting: > > > > > > - Eric raised the issue that using

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-31 Thread Paul Moore
tem containers, which require a working procfs (see above). I'm sure there are plenty others, but these are the ones that came immediately to mind.

Re: [PATCH] audit: set context->dummy even when audit is off

2019-10-31 Thread Paul Moore
IT_DISABLED which not only prevents audit_alloc() from allocating an audit_context (and remember if the audit_context is NULL then audit_dummy_context() returns true), but it also clears the TIF_SYSCALL_AUDIT flag (which I'm guessing you also want). Can you confirm the results of 'auditctl -a never,task' on your systems?

Re: [PATCH ghak90 V7 14/21] audit: contid check descendancy and nesting

2019-10-30 Thread Paul Moore
On Thu, Oct 24, 2019 at 6:08 PM Richard Guy Briggs wrote: > On 2019-10-10 20:40, Paul Moore wrote: > > On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs wrote: > > > ?fixup! audit: convert to contid list to check for orch/engine ownership > > > > ? >

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-30 Thread Paul Moore
patchset and focus on the procfs API. Also, for the record, removing the audit loginuid from procfs is not something to take lightly, if at all; like it or not, it's part of the kernel API.

Re: [PATCH] bpf: emit audit messages upon successful prog load and unload

2019-11-22 Thread Paul Moore
_OFF) > @@ -1342,10 +1341,7 @@ static void bpf_audit_prog(const struct bpf_prog > *prog, enum bpf_event event) > ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF); > if (unlikely(!ab)) > return; > - if (has_task_context) > -
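Review bot: once audit_context() is passed as the first argument to audit_log_start(), the task fields come from the associated SYSCALL record whenever there is one, so the `has_task_context` branch being deleted here is the right direction; check that no duplicated task fields (pid, uid, comm and so on) remain in the AUDIT_BPF record itself, otherwise userspace sees them twice for syscall-triggered loads and inconsistently for unloads that happen outside syscall context.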

Re: [PATCH] bpf: emit audit messages upon successful prog load and unload

2019-11-21 Thread Paul Moore
ord to look like how you've coded it up in bpf_audit_prog(); duplicating the fields with audit_log_task() is wrong, you've either already got them via an associated record (which you get from passing non-NULL as the first parameter to audit_log_start()), or you don't because there is no associated

Re: [PATCH] bpf: emit audit messages upon successful prog load and unload

2019-11-21 Thread Paul Moore
On Thu, Nov 21, 2019 at 7:25 PM Daniel Borkmann wrote: > On 11/22/19 12:41 AM, Paul Moore wrote: > > On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov > > wrote: > >> On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann > >> wrote: > >>> On 11/20/19 1

Re: [PATCH] bpf: emit audit messages upon successful prog load and unload

2019-11-21 Thread Paul Moore
On Thu, Nov 21, 2019 at 7:23 PM Alexei Starovoitov wrote: > On Thu, Nov 21, 2019 at 06:41:31PM -0500, Paul Moore wrote: > > On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov > > wrote: > > > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann > > > wrote: > &

Re: [PATCHv3] bpf: Emit audit messages upon successful prog load and unload

2019-12-09 Thread Paul Moore
kmann > > Co-developed-by: Jiri Olsa > > Signed-off-by: Jiri Olsa > > Paul, Steve, given the merge window is closed by now, does this version look > okay to you for proceeding to merge into bpf-next? Given the change to audit UAPI I was hoping to merge this via the audit/next tree, is that okay with you?

Re: [PATCH v3] kernel: audit.c: Add __rcu annotation to RCU pointer

2019-12-09 Thread Paul Moore
On Mon, Dec 2, 2019 at 6:35 PM Joel Fernandes wrote: > On Mon, Dec 02, 2019 at 06:24:29PM -0500, Paul Moore wrote: > > On Mon, Dec 2, 2019 at 4:19 PM Joel Fernandes > > wrote: > > > Good idea to CC the following on RCU patches: > > > Paul McKenney >

Re: [RFC PATCH v2] security, lockdown, selinux: implement SELinux lockdown

2019-12-09 Thread Paul Moore
ns(-) While I remain concerned about the granularity, I think this is about as good as we can get right now without potentially messing things up in the future. Applied to selinux/next, thanks Stephen.

Re: [PATCHv3] bpf: Emit audit messages upon successful prog load and unload

2019-12-09 Thread Paul Moore
On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote: > On 12/9/19 3:56 PM, Paul Moore wrote: > > On Mon, Dec 9, 2019 at 7:15 AM Daniel Borkmann wrote: > >> On Fri, Dec 06, 2019 at 10:49:34PM +0100, Jiri Olsa wrote: > >>> From: Daniel Borkmann > >>> &g

Re: [PATCHv3] bpf: Emit audit messages upon successful prog load and unload

2019-12-10 Thread Paul Moore
On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote: > On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote: > > On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote: > > > On 12/9/19 3:56 PM, Paul Moore wrote: > > > > On Mon, Dec 9, 2019 at 7:15 AM D

Re: [PATCHv3] bpf: Emit audit messages upon successful prog load and unload

2019-12-11 Thread Paul Moore
On Wed, Dec 11, 2019 at 8:20 AM Daniel Borkmann wrote: > On Tue, Dec 10, 2019 at 05:45:59PM -0500, Paul Moore wrote: > > On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote: > > > On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote: > > > > On Mon, Dec 9, 2

Re: [PATCHv2] bpf: Emit audit messages upon successful prog load and unload

2019-12-06 Thread Paul Moore
On Fri, Dec 6, 2019 at 4:28 PM Jiri Olsa wrote: > On Fri, Dec 06, 2019 at 04:11:13PM -0500, Paul Moore wrote: > > Other than that, this looks good to me, and I see Steve has already > > given the userspace portion a thumbs-up. Have you started on the > > audit-testsu

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-21 Thread Paul Moore
think my previous comment about having both the procfs and netlink interfaces apply here. I don't see why we need two different APIs at the start; explain to me why procfs isn't sufficient. If the argument is simply the desire to avoid mounting procfs in the container, how many container orchestrators can function today without a valid /proc?

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-21 Thread Paul Moore
On Mon, Oct 21, 2019 at 7:58 PM Richard Guy Briggs wrote: > On 2019-10-21 17:43, Paul Moore wrote: > > On Mon, Oct 21, 2019 at 5:38 PM Richard Guy Briggs wrote: > > > On 2019-10-21 15:53, Paul Moore wrote: > > > > On Fri, Oct 18, 2019 at 9:39 PM Rich

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-21 Thread Paul Moore
On Mon, Oct 21, 2019 at 5:38 PM Richard Guy Briggs wrote: > On 2019-10-21 15:53, Paul Moore wrote: > > On Fri, Oct 18, 2019 at 9:39 PM Richard Guy Briggs wrote: > > > On 2019-09-18 21:22, Richard Guy Briggs wrote: > > > > Provide a mechanism similar to CAP_AU

Re: [PATCH] audit: remove redundant condition check in kauditd_thread()

2019-10-24 Thread Paul Moore
> _retry_queue, UNICAST_RETRIES, > NULL, kauditd_hold_skb); > - if (ac && rc < 0) { > + if (rc < 0) { > sk = NULL; > auditd_reset(ac); > goto main_queue; > -- > 2.7.4.3
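Review bot: dropping `ac &&` is only equivalent if ac cannot be NULL at this point, and the behaviour differs if it can, because auditd_reset() treats a NULL argument as "reset the current connection regardless" rather than as a no-op. The commit message should name the earlier `if (!ac)` bail-out in kauditd_thread() that guarantees ac is non-NULL here, instead of citing only the analysis tool's verdict that the test is redundant.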

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-22 Thread Paul Moore
On Tue, Oct 22, 2019 at 8:13 AM Neil Horman wrote: > On Mon, Oct 21, 2019 at 08:31:37PM -0400, Paul Moore wrote: > > On Mon, Oct 21, 2019 at 7:58 PM Richard Guy Briggs wrote: > > > On 2019-10-21 17:43, Paul Moore wrote: > > > > On Mon, Oct 21, 2019 at 5:38 PM Rich

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-10-22 Thread Paul Moore
ing in a reasonable patch stack. Let's leave that for the next draft.

Re: [PATCH] audit: remove redundant condition check in kauditd_thread()

2019-10-25 Thread Paul Moore
On Fri, Oct 25, 2019 at 3:14 AM Yunfeng Ye wrote: > On 2019/10/25 13:43, Paul Moore wrote: > > On October 23, 2019 3:27:50 PM Yunfeng Ye wrote: > >> Warning is found by the code analysis tool: > >> "the condition 'if(ac && rc < 0)' is redundant: a

[GIT PULL] Audit patches for v5.5

2019-11-26 Thread Paul Moore
++-- include/linux/audit.h | 5 +++-- include/uapi/linux/audit.h | 1 + kernel/audit.c | 15 --- 4 files changed, 18 insertions(+), 11 deletions(-)

Re: [RFC] bpf: Emit audit messages upon successful prog load and unload

2019-12-02 Thread Paul Moore
n this in case you weren't already aware. If you do keep it in syscall.c, I don't think there is a need to implement a no-op version dependent on CONFIG_AUDITSYSCALL; that will just clutter the code. If you do move it to auditsc.c please change the name to audit_bpf()/__audit_bpf() so it matches the other functions; if you keep it in syscall.c you can name it whatever you like :)

Re: [PATCH v3] kernel: audit.c: Add __rcu annotation to RCU pointer

2019-12-02 Thread Paul Moore
the associated spinlock for writing. > > */ > > -static struct auditd_connection { > > +struct auditd_connection { > > struct pid *pid; > > u32 portid; > > struct net *net; > > struct rcu_head rcu; > > -} *auditd_conn = NU
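Review bot: removing `static` from the combined `struct auditd_connection {...} *auditd_conn` definition means the new separate pointer declaration (cut off here) has to restore it together with the annotation, i.e. `static struct auditd_connection __rcu *auditd_conn;`, or the pointer gains external linkage; the struct tag itself was never static, so splitting the definition is otherwise fine.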

Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns

2019-11-01 Thread Paul Moore
set: I think it would be a mistake to include any changes to loginuid in your next patchset, even as a "RFC" at the end. Also, barring some shocking comments from Eric relating to the imminent death of /proc in containers, I think it would also be a mistake to include the netlink API. Let's keep it small and focused :)

[PATCH 1/2] audit-testsuite: use our own version of perltidy in the Travis CI tests

2019-09-24 Thread Paul Moore
From: Paul Moore Unfortunately the perltidy results differ between modern distros and the current Travis CI environment. This patch attempts to address this by using the current upstream perltidy in the Travis CI tests. Signed-off-by: Paul Moore --- .travis.yml | 10 +- 1 file

[PATCH 0/2] Fix perltidy on Travis CI

2019-09-24 Thread Paul Moore
The version of perltidy currently available in Travis CI via Ubuntu 16.04 LTS doesn't produce the same output as the perltidy shipped in more modern distros. This patchset addresses this by installing perltidy from the upstream sources. --- Paul Moore (2): audit-testsuite: use our own

[PATCH 2/2] audit-testsuite: fix the style according to ./tools/check-syntax

2019-09-24 Thread Paul Moore
From: Paul Moore Signed-off-by: Paul Moore --- tests/exec_execve/test |2 +- tests/exec_name/test |2 +- tests/file_create/test |2 +- tests/file_delete/test |2 +- tests/file_rename/test

Re: [PATCH v3] audit: Report suspicious O_CREAT usage

2019-10-03 Thread Paul Moore
n CONFIG_AUDIT=n case > - improve operations naming (paul) > --- > fs/namei.c | 8 ++-- > include/linux/audit.h | 5 +++-- > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 11 ++- > 4 files changed, 16 insertions(+),

Re: [PATCH ghak90 V7 06/21] audit: contid limit of 32k imposed to avoid DoS

2019-10-10 Thread Paul Moore
got a similar question. Up to this point in the patchset, there is a potential issue of hash bucket chain lengths and traversing them with a spinlock held, but it seems like we shouldn't be putting an arbitrary limit on audit container IDs unless we have a good reason for it. If for some reason we do want to enforce a limit, it should probably be a tunable value like a sysctl, or similar.
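The chain-length concern raised in this reply, worked through as an added userspace C example (not code from the patchset): it reproduces the audit_hash_contid() posted in patch 04/21 (mask the low five bits of a 64-bit ID into AUDIT_CONTID_BUCKETS = 32 buckets) next to a hash_64()-style multiplicative mix, and measures the longest bucket chain for two constructed ID sets. The ID sets, the bucket count and the GOLDEN_RATIO_64 constant copied from <linux/hash.h> are the only inputs assumed.

```c
/* Added example, userspace C (not code from the patchset): how the bucket
 * function for caller-supplied 64-bit container IDs decides the worst-case
 * chain walked under the contid list lock. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AUDIT_CONTID_BUCKETS 32			/* value from the posted audit.h hunk */
#define CONTID_BITS 5				/* log2(AUDIT_CONTID_BUCKETS) */
#define GOLDEN_RATIO_64 0x61C8864680B583EBull	/* constant hash_64() uses in <linux/hash.h> */

/* The posted audit_hash_contid(): keep the low five bits of the ID. */
static unsigned int hash_mask(uint64_t contid)
{
	return (unsigned int)(contid & (AUDIT_CONTID_BUCKETS - 1));
}

/* hash_64()-style alternative: multiply and take the top CONTID_BITS bits. */
static unsigned int hash_mix(uint64_t contid)
{
	return (unsigned int)((contid * GOLDEN_RATIO_64) >> (64 - CONTID_BITS));
}

/* Longest bucket chain after inserting n IDs with the given bucket function. */
unsigned int longest_chain(const uint64_t *ids, size_t n,
			   unsigned int (*bucket)(uint64_t))
{
	unsigned int count[AUDIT_CONTID_BUCKETS] = { 0 }, worst = 0;

	for (size_t i = 0; i < n; i++) {
		unsigned int b = bucket(ids[i]);
		if (++count[b] > worst)
			worst = count[b];
	}
	return worst;
}

#define N_IDS 1024

/* Constructed inputs: an orchestrator that numbers containers 1, 2, 3, ...
 * and one (buggy or hostile) that hands out IDs sharing their low five bits. */
static void fill_sequential(uint64_t *ids)
{
	for (size_t i = 0; i < N_IDS; i++)
		ids[i] = i + 1;
}
static void fill_low_bits_equal(uint64_t *ids)
{
	for (size_t i = 0; i < N_IDS; i++)
		ids[i] = (uint64_t)(i + 1) << CONTID_BITS;	/* 32, 64, 96, ... */
}

unsigned int worst_mask_sequential(void)
{
	uint64_t ids[N_IDS];
	fill_sequential(ids);
	return longest_chain(ids, N_IDS, hash_mask);
}
unsigned int worst_mask_aligned(void)
{
	uint64_t ids[N_IDS];
	fill_low_bits_equal(ids);
	return longest_chain(ids, N_IDS, hash_mask);
}
unsigned int worst_mix_aligned(void)
{
	uint64_t ids[N_IDS];
	fill_low_bits_equal(ids);
	return longest_chain(ids, N_IDS, hash_mix);
}

int main(void)
{
	printf("mask/sequential: %u  mask/aligned: %u  mix/aligned: %u  (mean %u)\n",
	       worst_mask_sequential(), worst_mask_aligned(), worst_mix_aligned(),
	       N_IDS / AUDIT_CONTID_BUCKETS);
	return 0;
}
```

Sequential IDs spread evenly under the mask, but an orchestrator that hands out multiples of 32 puts all 1024 of them on a single chain, which is then walked with the list spinlock held; the multiplicative mix keeps the worst chain close to the mean whatever values the caller picks. That is the case for hash_64() (or a tunable bucket count) rather than a hard cap on the number of IDs.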

Re: [PATCH ghak90 V7 04/21] audit: convert to contid list to check for orch/engine ownership

2019-10-10 Thread Paul Moore
} else { > + rc = -ENOMEM; > + goto conterror; > + } > + } > + task->audit->cont = newcont; > + audit_cont_put(oldcont); > +conterror: > + spin_unlock(_contid_list_lock); > + } > task_unlock(task); > > if (!audit_enabled) > diff --git a/kernel/audit.h b/kernel/audit.h > index 16bd03b88e0d..e4a31aa92dfe 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -211,6 +211,14 @@ static inline int audit_hash_ino(u32 ino) > return (ino & (AUDIT_INODE_BUCKETS-1)); > } > > +#define AUDIT_CONTID_BUCKETS 32 > +extern struct list_head audit_contid_hash[AUDIT_CONTID_BUCKETS]; > + > +static inline int audit_hash_contid(u64 contid) > +{ > + return (contid & (AUDIT_CONTID_BUCKETS-1)); > +} > + > /* Indicates that audit should log the full pathname. */ > #define AUDIT_NAME_FULL -1
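Review bot: the -ENOMEM path in the first hunk is fine as posted: `goto conterror` skips both the `task->audit->cont = newcont` assignment and `audit_cont_put(oldcont)`, so the old reference stays where it was and the lock is still dropped.

Review bot: audit_hash_contid() in the audit.h hunk keeps only the low five bits of a 64-bit value chosen by the orchestrator, so IDs that are multiples of 32 (or any set that shares its low bits) all land on one chain, which is then walked under audit_contid_list_lock; use hash_64(contid, 5) from <linux/hash.h>, or at least a mixing step, so the chain length depends on how many IDs exist rather than on the values userspace picked.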

Re: [PATCH ghak90 V7 18/21] audit: track container nesting

2019-10-10 Thread Paul Moore
mit a patchset that has fixup patches as part of the original posting. In this case fixup patches have the opposite effect: the patchset becomes more complicated, reviews take longer, and the likelihood of missing important details increases. When in doubt, don't submit separate fixup patches, fold them into the original patches instead.

Re: [PATCH ghak90 V7 13/21] audit: NETFILTER_PKT: record each container ID associated with a netNS

2019-10-10 Thread Paul Moore
am = -1; > + struct audit_context *context; > + struct net *net; > > if (audit_enabled == AUDIT_OFF) > - goto errout; > - ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT); > + goto out; > + context = audit_alloc_local(GFP_ATOMIC); > + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT); > if (ab == NULL) > goto errout; > > @@ -101,7 +104,11 @@ static bool audit_ip6(struct audit_buffer *ab, struct > sk_buff *skb) > > audit_log_end(ab); > > + net = xt_net(par); > + audit_log_netns_contid_list(net, context); > errout: > + audit_free_context(context); > +out: > return XT_CONTINUE; > }
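Review bot: audit_alloc_local(GFP_ATOMIC) can return NULL in the packet path and its result is used unchecked: audit_log_start() copes with a NULL context (the line being replaced passed NULL deliberately), but audit_log_netns_contid_list(net, context) then receives NULL too and the record silently loses its container IDs. Either test `context` right after the allocation and jump to `out` (nothing to free), or state in a comment that audit_log_netns_contid_list() and audit_free_context() both accept NULL.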

Re: [PATCH ghak90 V7 14/21] audit: contid check descendancy and nesting

2019-10-10 Thread Paul Moore
{ > + rc = -EXDEV; > + goto unlock; > + } > + /* only allow contid setting again if nesting */ > + if (audit_contid_set(task) && current == audit_cont_owner(task)) > rc = -ECHILD; > +unlock: > read_unlock(_lock); > if (!rc) { > struct audit_cont *oldcont = audit_cont(task);
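Review bot: the owner check compares `current` with audit_cont_owner(task), i.e. two task_structs; if the owner is recorded as the thread that set the ID rather than its thread group leader, a second thread of the same orchestrator process passes as a "nesting" setter and may overwrite the ID. Compare thread group leaders (or use same_thread_group()), and consider -EEXIST or -EBUSY in place of -ECHILD, which userspace will read as "No child processes".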

Re: [PATCH ghak90 V7 12/21] audit: add support for containerid to network namespaces

2019-10-10 Thread Paul Moore
*cont), GFP_ATOMIC) > + if (cont) { > + INIT_LIST_HEAD(>list); > + cont->id = contid; > + refcount_set(>refcount, 1); > + list_add_rcu(>list, contid_list); > + } > +out: > + spin_unlock(>contid_list_lock); > +}
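Review bot: a failed kmalloc(GFP_ATOMIC) falls straight through to `out` and the ID is simply not recorded for this network namespace, with no return value and no log line, so later NETFILTER_PKT records for that namespace will omit a container ID and nobody will know why. Return -ENOMEM to the caller, or at least count the drop (audit_log_lost() or a rate-limited pr_warn()); also, INIT_LIST_HEAD() before list_add_rcu() is redundant, since list_add_rcu() initialises the node's next and prev pointers itself.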

Re: [PATCH ghak90 V7 15/21] sched: pull task_is_descendant into kernel/sched/core.c

2019-10-10 Thread Paul Moore
(!thread_group_leader(walker)) > - walker = rcu_dereference(walker->group_leader); > - if (walker == parent) { > - rc = 1; > - break; > - } > - walker = rcu_dereference(walker->real_parent); > - } > - rcu_read_unlock(); > - > - return rc; > -} > - > -/** > * ptracer_exception_found - tracer registered as exception for this tracee > * @tracer: the task_struct of the process attempting ptrace > * @tracee: the task_struct of the process to be ptraced
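Review bot: the loop being removed here relies on rcu_read_lock() around the real_parent walk and on normalising each step to the thread group leader; the copy moved into kernel/sched/core.c has to keep both, and since it becomes a cross-subsystem helper its kernel-doc should say that the answer is only valid at the instant of the call (a reparent after the parent exits can change it), so the audit caller does not treat it as stable across the rest of the contid-setting path.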

Re: [PATCH ghak90 V7 08/21] audit: add contid support for signalling the audit daemon

2019-10-10 Thread Paul Moore
pt of an audit container ID "lifetime" in the kernel, when do we consider the ID gone? Is it when the last process in the container exits, or is it when we generate the last audit record which could possibly contain the audit container ID? This patch would appear to support the former, but if we wanted the latter we would need to grab a reference to the audit container ID struct so it wouldn't "die" on us before we could emit the signal info record.

Re: [PATCH ghak90 V7 16/21] audit: add support for contid set/get by netlink

2019-10-10 Thread Paul Moore
are going to host nested orchestrators? Can you reasonably run a fully fledged orchestrator without a valid /proc?

Re: [PATCH ghak90 V7 17/21] audit: add support for loginuid/sessionid set/get by netlink

2019-10-10 Thread Paul Moore
dit container ID work, yes? If so, it shouldn't be part of this patchset.

Re: [PATCH ghak90 V7 05/21] audit: log drop of contid on exit of last task

2019-10-10 Thread Paul Moore
; comm="); > + audit_log_untrustedstring(ab, get_task_comm(comm, current)); > + audit_log_d_path_exe(ab, current->mm); > + audit_log_format(ab, " res=1"); > + audit_log_end(ab); > +} Why can't we just do this in audit_cont_put()? Is it because we call audit_cont_put() in the new audit_free() function? What if we were to do it in __audit_free()/audit_free_syscall()?

Re: Is auditing ftruncate useful?

2020-02-10 Thread Paul Moore
On Fri, Feb 7, 2020 at 4:56 PM Paul Moore wrote: > On February 7, 2020 2:18:33 PM Steve Grubb wrote: > > On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote: > >>> Doesn't seem much better: > >>> > >>> type=PROCTITLE msg=audit(02/06/202

Re: [PATCH ghak90 V8 13/16] audit: track container nesting

2020-02-13 Thread Paul Moore
On Wed, Feb 5, 2020 at 6:51 PM Richard Guy Briggs wrote: > On 2020-02-05 18:05, Paul Moore wrote: > > On Thu, Jan 30, 2020 at 2:28 PM Richard Guy Briggs wrote: > > > On 2020-01-22 16:29, Paul Moore wrote: > > > > On Tue, Dec 31, 2019 at 2:51 PM Rich

Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon

2020-02-13 Thread Paul Moore
ts properly designed to handle this without too much problem (I'm not entirely sure we do)?

Re: [PATCH] audit: fix error handling in audit_data_to_entry()

2020-02-25 Thread Paul Moore
On Mon, Feb 24, 2020 at 4:31 PM Paul Moore wrote: > > Commit 219ca39427bf ("audit: use union for audit_field values since > they are mutually exclusive") combined a number of separate fields in > the audit_field struct into a single union. Generally this work

[PATCH v2] audit: always check the netlink payload length in audit_receive_msg()

2020-02-25 Thread Paul Moore
...@syzkaller.appspotmail.com Signed-off-by: Paul Moore --- kernel/audit.c | 40 +--- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 17b0d523afb3..9ddfe2aa6671 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1101,13 +1101,11

Re: [PATCH v2] audit: always check the netlink payload length in audit_receive_msg()

2020-02-25 Thread Paul Moore
On Tue, Feb 25, 2020 at 12:50 PM Paul Moore wrote: > > This patch ensures that we always check the netlink payload length > in audit_receive_msg() before we take any action on the payload > itself. > > Cc: sta...@vger.kernel.org > Reported-by: syzbot+399c44bf1f43b8747...@syzk
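The check described in the quoted commit message, worked through as an added userspace C example (this is not the kernel patch, whose hunks are not shown here): a minimal netlink-style dispatcher reads a fixed-size payload first without, then with, a length check against the bytes actually received. The header is a simplified stand-in for struct nlmsghdr with the same layout, and the message types, the msg_set payload and the 64-byte receive buffer are constructed for the example.

```c
/* Added example, userspace C (not the kernel patch): a minimal netlink-style
 * dispatcher showing the payload length check the patch makes unconditional. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct nlmsghdr (same 16-byte layout). */
struct nlhdr {
	uint32_t nlmsg_len;	/* total length incl. header, as claimed by the sender */
	uint16_t nlmsg_type;
	uint16_t nlmsg_flags;
	uint32_t nlmsg_seq;
	uint32_t nlmsg_pid;
};
#define NLHDR_LEN ((uint32_t)sizeof(struct nlhdr))

/* Hypothetical message types and a fixed-size payload, loosely modelled on
 * AUDIT_SET; the numbers are made up for this example. */
enum { MSG_SET = 1001, MSG_USER = 1005 };
struct msg_set { uint32_t mask; uint32_t enabled; uint32_t backlog_limit; };

/* Constructed receive buffer: zeroed and 64 bytes wide so the unchecked reader
 * below stays in bounds here; in the kernel the same read runs off the skb. */
static union { struct nlhdr h; unsigned char raw[64]; } frame;

static const struct nlhdr *build_frame(uint16_t type, uint32_t declared,
				       const void *payload, size_t copy)
{
	memset(&frame, 0, sizeof(frame));
	frame.h.nlmsg_len = NLHDR_LEN + declared;	/* claimed payload size */
	frame.h.nlmsg_type = type;
	if (payload && NLHDR_LEN + copy <= sizeof(frame))
		memcpy(frame.raw + NLHDR_LEN, payload, copy);	/* bytes really sent */
	return &frame.h;
}

/* Payload length, or -EINVAL if the header disagrees with the bytes received. */
static int payload_len(const struct nlhdr *h, size_t avail)
{
	if (avail < NLHDR_LEN || h->nlmsg_len < NLHDR_LEN || h->nlmsg_len > avail)
		return -EINVAL;
	return (int)(h->nlmsg_len - NLHDR_LEN);
}

/* Pre-fix pattern: assumes the fixed-size payload is present. */
static int handle_unchecked(const struct nlhdr *h, uint32_t *out)
{
	const struct msg_set *s = (const struct msg_set *)(h + 1);

	*out = s->backlog_limit;	/* 12-byte read regardless of nlmsg_len */
	return 0;
}

/* Fixed pattern: the length is validated before any branch touches the payload. */
static int handle_checked(const struct nlhdr *h, size_t avail, uint32_t *out)
{
	int len = payload_len(h, avail);

	if (len < 0)
		return len;
	switch (h->nlmsg_type) {
	case MSG_SET:
		if ((size_t)len < sizeof(struct msg_set))
			return -EINVAL;
		*out = ((const struct msg_set *)(h + 1))->backlog_limit;
		return 0;
	case MSG_USER:
		*out = (uint32_t)len;	/* free text: len bounds it, strlen() must not */
		return 0;
	default:
		return -EINVAL;
	}
}

/* Scenarios; each returns the value read on success or the negative errno. */
int scenario_full_checked(void)		/* complete MSG_SET: 256 */
{
	struct msg_set s = { 1, 1, 256 };
	uint32_t v = 0;
	int rc = handle_checked(build_frame(MSG_SET, sizeof(s), &s, sizeof(s)),
				sizeof(frame), &v);
	return rc ? rc : (int)v;
}
int scenario_short_checked(void)	/* 4 payload bytes for a 12-byte struct: -EINVAL */
{
	struct msg_set s = { 1, 1, 256 };
	uint32_t v = 0;
	return handle_checked(build_frame(MSG_SET, 4, &s, 4), sizeof(frame), &v);
}
int scenario_short_unchecked(void)	/* same frame, old reader: accepted, reads 0 */
{
	struct msg_set s = { 1, 1, 256 };
	uint32_t v = 0xdead;
	int rc = handle_unchecked(build_frame(MSG_SET, 4, &s, 4), &v);
	return rc ? rc : (int)v;
}
int scenario_overlong_checked(void)	/* nlmsg_len larger than the buffer: -EINVAL */
{
	uint32_t v = 0;
	return handle_checked(build_frame(MSG_SET, 1000, NULL, 0), sizeof(frame), &v);
}

int main(void)
{
	printf("full=%d short_checked=%d short_unchecked=%d overlong=%d\n",
	       scenario_full_checked(), scenario_short_checked(),
	       scenario_short_unchecked(), scenario_overlong_checked());
	return 0;
}
```

The unchecked reader accepts a message that declares only four payload bytes and happily returns a backlog_limit it was never sent (zero here, because the example buffer is zeroed; in the kernel those bytes belong to whatever follows the skb data). The checked reader rejects both the short message and one whose nlmsg_len exceeds the received length, and it does so before the type switch, so no per-type branch can be reached with an unvalidated payload.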

[PATCH] audit: fix error handling in audit_data_to_entry()

2020-02-24 Thread Paul Moore
tmail.com Signed-off-by: Paul Moore --- kernel/auditfilter.c | 71 +++--- 1 file changed, 39 insertions(+), 32 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index b0126e9c0743..026e34da4ace 100644 --- a/kernel/auditf

Re: kernel panic: audit: backlog limit exceeded

2020-02-24 Thread Paul Moore
, good catch :) I saw the panic and instinctively chalked that up to a mistaken config, not expecting that it was what was being tested. > On Mon, 2020-02-24 at 17:38 -0500, Paul Moore wrote: > > On Mon, Feb 24, 2020 at 3:18 AM syzbot > > wrote: > > > Hello, > >

[PATCH] audit: always check the netlink payload length in audit_receive_msg()

2020-02-24 Thread Paul Moore
...@syzkaller.appspotmail.com Signed-off-by: Paul Moore --- kernel/audit.c | 43 +++ 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 17b0d523afb3..6e8b176bdb68 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1101,13 +1101,11

Re: [PATCH] audit: always check the netlink payload length in audit_receive_msg()

2020-02-24 Thread Paul Moore
On Mon, Feb 24, 2020 at 5:53 PM Paul Moore wrote: > This patch ensures that we always check the netlink payload length > in audit_receive_msg() before we take any action on the payload > itself. > > Cc: sta...@vger.kernel.org > Reported-by: syzbot+399c44bf1f43b8747...@syzkall

Re: [PATCH] audit: always check the netlink payload length in audit_receive_msg()

2020-02-24 Thread Paul Moore
On Mon, Feb 24, 2020 at 5:53 PM Paul Moore wrote: > > This patch ensures that we always check the netlink payload length > in audit_receive_msg() before we take any action on the payload > itself. > > Cc: sta...@vger.kernel.org > Reported-by: syzbot+399c44bf1f43b8747...@syzk

Re: KMSAN: uninit-value in audit_receive

2020-02-24 Thread Paul Moore
sys_sendmsg net/compat.c:646 [inline] > __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646 > do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] > do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 > entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 > =

Re: kernel panic: audit: rate limit exceeded

2020-02-24 Thread Paul Moore
5: > Kernel Offset: disabled > Rebooting in 86400 seconds.. Has the syzbot audit related configuration recently changed? At the very least it looks like you want to configure the system so that it doesn't panic when an audit record is lost (printk/AUDIT_FAIL_PRINTK or s

Re: kernel panic: audit: backlog limit exceeded

2020-02-24 Thread Paul Moore
syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > For information about bisection process see: https://goo.gl/tpsmEJ#bisection > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches Similar to syzbot report 72461ac44b36c98f58e5, see my comments there.

Re: [PATCH v15 00/23] LSM: Module stacking for AppArmor

2020-03-03 Thread Paul Moore
have to start pushing on this series. If the audit community > hasn't any additional feedback, I'll take it that what's here is > acceptable and move my lobbying efforts elsewhere. I'll take another look later this week.

Re: [PATCH ghak28 V6] audit: log audit netlink multicast bind and unbind events

2020-02-27 Thread Paul Moore
)", > +audit_get_sessionid(current)); > + audit_put_tty(tty); > + audit_log_task_context(ab); /* subj= */ > + audit_log_format(ab, " comm="); > + audit_log_untrustedstring(ab, get_task_comm(comm, current)); > + audit_log_d_path_exe(ab, current->mm); /* exe= */ > + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err); > + audit_log_end(ab); > +}

[GIT PULL] Audit fixes for v5.6 (#1)

2020-02-26 Thread Paul Moore
: audit: always check the netlink payload length in audit_receive_msg() (2020-02-24 16:38:57 -0500) audit/stable-5.6 PR 20200226 Paul Moore (2): audit: fix error

New linux-audit mailing list archive on lore.kernel.org

2020-02-28 Thread Paul Moore
not present in the redhat.com archive. * https://lore.kernel.org/linux-audit

Re: KMSAN: uninit-value in audit_log_vformat

2020-02-24 Thread Paul Moore
ndmsg net/compat.c:646 [inline] > __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646 > do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] > do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 > entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139

Re: kernel panic: audit: backlog limit exceeded

2020-02-27 Thread Paul Moore
On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov wrote: > On Mon, Feb 24, 2020 at 11:47 PM Paul Moore wrote: > > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris wrote: > > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e0 (the > > > reproducer listed) looks l

Re: [PATCH ghak120] audit: trigger accompanying records when no rules present

2020-02-27 Thread Paul Moore
in auditsc_get_stamp() and not someplace a bit more obvious like audit_log_start()? Is it because auditsc_get_stamp() only gets called once per event? I'm willing to take the "hit" of one extra assignment in audit_log_start() to keep this in a more obvious place and not buried in audi

Re: [PATCH ghak28 V4] audit: log audit netlink multicast bind and unbind events

2020-01-23 Thread Paul Moore
On Wed, Jan 22, 2020 at 6:07 PM Richard Guy Briggs wrote: > On 2020-01-22 17:40, Paul Moore wrote: > > On Fri, Jan 17, 2020 at 3:21 PM Richard Guy Briggs wrote: ... > > > diff --git a/kernel/audit.c b/kernel/audit.c > > > index 17b0d523afb3..478259f3fa53 100644

[GIT PULL] Audit patch for v5.6

2020-01-27 Thread Paul Moore
) audit/stable-5.6 PR 20200127 Amol Grover (1): audit: Add __rcu annotation to RCU pointer kernel/audit.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)

Re: [PATCH ghak90 V8 13/16] audit: track container nesting

2020-02-04 Thread Paul Moore
e we probably want to special case that as I don't think we want to display audit container IDs as signed numbers in general.

Re: [PATCH ghak90 V8 04/16] audit: convert to contid list to check for orch/engine ownership

2020-02-05 Thread Paul Moore
On Tue, Feb 4, 2020 at 5:52 PM Richard Guy Briggs wrote: > On 2020-01-22 16:28, Paul Moore wrote: > > On Tue, Dec 31, 2019 at 2:50 PM Richard Guy Briggs wrote: > > > > > > Store the audit container identifier in a refcounted kernel object that > > > is added t

Re: [PATCH ghak90 V8 16/16] audit: add capcontid to set contid outside init_user_ns

2020-02-05 Thread Paul Moore
On Tue, Feb 4, 2020 at 7:39 PM Richard Guy Briggs wrote: > On 2020-01-22 16:29, Paul Moore wrote: > > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > > > > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a > > >

Re: [PATCH ghak90 V8 13/16] audit: track container nesting

2020-02-05 Thread Paul Moore
On Thu, Jan 30, 2020 at 2:28 PM Richard Guy Briggs wrote: > On 2020-01-22 16:29, Paul Moore wrote: > > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > > > > > Track the parent container of a container to be able to filter and > > > report nesting

Re: [PATCH ghak90 V8 11/16] audit: add support for containerid to network namespaces

2020-02-05 Thread Paul Moore
On Tue, Feb 4, 2020 at 6:43 PM Richard Guy Briggs wrote: > On 2020-01-22 16:28, Paul Moore wrote: > > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > > > > > This also adds support to qualify NETFILTER_PKT records. > > > > > > Aud
