result =
> audit_comparator(ctx->sockaddr->ss_family,
> + f->op, f->val);
> + break;
> case AUDIT_SUBJ_USER:
> case AUDIT_SUBJ_ROLE:
> case AUDIT_SUBJ_TYPE:
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Fri, May 10, 2019 at 12:16 PM Richard Guy Briggs wrote:
> On 2019-05-10 11:28, Paul Moore wrote:
> > On Thu, May 9, 2019 at 8:02 PM Richard Guy Briggs wrote:
> > >
> > > Provide a method to filter out sockaddr and bind calls by network
> > > address f
On Tue, Apr 30, 2019 at 1:01 PM Richard Guy Briggs wrote:
> On 2019-04-27 10:09, Paul Moore wrote:
> > On Fri, Apr 26, 2019 at 1:00 PM Richard Guy Briggs wrote:
...
> > Beyond that, looking at the patch below it seems like there is an
> > obvious omission regarding v
evm_secfs.c| 10 +--
43 files changed, 331 insertions(+), 107 deletions(-)
create mode 100644 arch/m68k/include/asm/syscall.h
create mode 100644 arch/unicore32/include/asm/syscall.h
--
paul moore
www.paul-moore.com
err = -EINVAL;
> WARN_ON(1);
> }
Since there are only two "types" (_ADD_RULE and _DEL_RULE) and the
allocation is only three lines (audit_data_to_entry() + two lines for
error handling), maybe it makes more sense to duplicate the
audit_data_to_entry() call i
On Thu, Apr 18, 2019 at 11:16 AM Richard Guy Briggs wrote:
> On 2019-04-18 10:59, Paul Moore wrote:
> > On Mon, Apr 8, 2019 at 11:53 PM Richard Guy Briggs wrote:
> > > When a process signals the audit daemon (shutdown, rotate, resume,
> > > reconfig) but syscall auditi
audit_log_rule_change("remove_rule", >rule, !err);
> break;
> +
Same here.
> default:
> - err = -EINVAL;
> WARN_ON(1);
> + return -EINVAL;
> }
>
> if (err || type == AUDIT_DEL_RULE) {
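Review bot: the `return -EINVAL` in the `default:` arm now leaves the function before the `if (err || type == AUDIT_DEL_RULE)` block that follows the switch, so any cleanup done in that block is skipped on this path. That is safe only if nothing has been allocated by the time the switch reaches `default:`; a one-line comment saying so would keep a later change from adding an allocation above the switch and leaking it here.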
> --
> 2.7.4
--
paul moore
www.paul-moore.com
> audit_comparator(ctx->sockaddr->ss_family,
> + f->op, f->val);
> + break;
> case AUDIT_SUBJ_USER:
> case AUDIT_SUBJ_ROLE:
> case AUDIT_SUBJ_TYPE:
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
> that exercises the fsnotify code, in particular?
>
> FWIW, my variant sits in vfs.git@work.dcache.
Jan Kara contributed some audit related stress tests to the
audit-testsuite (link below). You can find the tests under
./tests_manual/stress_tree.
* https://github.com/linux-audit/audit-tes
---
> kernel/auditsc.c| 7 +++
> 5 files changed, 13 insertions(+), 12 deletions(-)
This looks fine to me. I'm guessing you are planning on this going in
with the other patches, but if you want me to pull this single patch
into audit/next let me know.
Acked-by: Paul Moore
On July 8, 2019 8:12:56 PM Richard Guy Briggs wrote:
> On 2019-05-30 19:26, Paul Moore wrote:
>> On Thu, May 30, 2019 at 5:29 PM Tycho Andersen wrote:
>>> On Thu, May 30, 2019 at 03:29:32PM -0400, Paul Moore wrote:
>>>>
>>>>
>>>> [REMIN
anyone has a favorite distro, with good SELinux/audit
support, please let me know.
-Paul
--
paul moore
www.paul-moore.com
udit container ID work). While
I'm not opposed to trying to make things like this a bit more robust
by adding version fields and similar things, there are still so many
(so very many) problems with the audit kernel/userspace interface that
still need to be addressed.
--
paul moore
www.paul-moore.com
On Tue, Apr 9, 2019 at 9:49 AM Neil Horman wrote:
> On Tue, Apr 09, 2019 at 09:40:58AM -0400, Paul Moore wrote:
> > On Tue, Apr 9, 2019 at 8:58 AM Ondrej Mosnacek wrote:
> > >
> > > On Tue, Apr 9, 2019 at 5:40 AM Richard Guy Briggs wrote:
> > > >
On Tue, Apr 9, 2019 at 9:53 AM Richard Guy Briggs wrote:
> On 2019-04-09 09:40, Paul Moore wrote:
> > On Tue, Apr 9, 2019 at 8:58 AM Ondrej Mosnacek wrote:
> > > On Tue, Apr 9, 2019 at 5:40 AM Richard Guy Briggs wrote:
> > > > Add audit container identifier suppo
branch; that's up to him. I've done
this with other big changes in other trees, e.g. SELinux, and it has
worked well to get some extra testing in and keep the patchset "merge
ready" while others outside the subsystem look things over.
--
paul moore
www.paul-moore.com
y: Wenwen Wang
> ---
> kernel/auditfilter.c | 12 +++-
> 1 file changed, 7 insertions(+), 5 deletions(-)
Merged into audit/next - thanks!
--
paul moore
www.paul-moore.com
On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> > On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> wrote:
> > > On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> > > > On 2019-07-13 11:08, Steve G
On Tue, Jul 16, 2019 at 11:37 AM Richard Guy Briggs wrote:
> On 2019-07-15 17:09, Paul Moore wrote:
> > On Mon, Jul 8, 2019 at 2:12 PM Richard Guy Briggs wrote:
> > > On 2019-05-30 19:26, Paul Moore wrote:
> >
> > ...
> >
> > > > I lik
On Tue, Jul 16, 2019 at 3:38 PM Richard Guy Briggs wrote:
> On 2019-07-15 16:38, Paul Moore wrote:
> > On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs wrote:
> > > On 2019-05-29 11:29, Paul Moore wrote:
> >
> > ...
> >
> > > > The idea is
On Tue, Jul 16, 2019 at 2:41 PM Casey Schaufler wrote:
> On 7/16/2019 11:06 AM, Steve Grubb wrote:
> > On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> >> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler
> > wrote:
> >>> On 7/16/2019 10:12 AM, Pau
On Tue, Jul 16, 2019 at 5:46 PM Steve Grubb wrote:
> On Tuesday, July 16, 2019 5:25:21 PM EDT Paul Moore wrote:
...
> > Agreed. While I'm not going to be on a specific Linux release, I do
> > believe that at some point in the future the LSM stacking work is
> > going t
hability requirements, but with significant
> parsing performance penalties.
I think "hideous format" sums it up nicely. Whatever we choose here
we are likely going to be stuck with for some time and I'm near to
100% that multiplexing the labels onto a single field is going to be a
On Tue, Jul 16, 2019 at 6:03 PM Richard Guy Briggs wrote:
> On 2019-07-15 17:04, Paul Moore wrote:
> > On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs wrote:
...
> > > If we can't trust ns_capable() then why are we passing on
> > > CAP_AUDIT_CONTROL? It is being p
> eBPF (as opposed to tech preview)?
As a reminder, this is a public mailing list that focuses on the
technical development of the upstream Linux audit project; Red Hat
product decisions should not be discussed here.
--
paul moore
www.paul-moore.com
On Fri, Nov 1, 2019 at 9:24 AM Chris Mason wrote:
> On 31 Oct 2019, at 19:27, Paul Moore wrote:
> > It's been a while, but I thought we suggested Dave try running
> > 'auditctl -a never,task' to see if that would solve his problem and I
> > believe his answer was no, wh
On Mon, Nov 4, 2019 at 7:39 PM Chris Mason wrote:
> On 4 Nov 2019, at 19:15, Paul Moore wrote:
>
> > On Fri, Nov 1, 2019 at 9:24 AM Chris Mason wrote:
> >> On 31 Oct 2019, at 19:27, Paul Moore wrote:
> >>> It's been a while, but I thought we suggested Dave try
On Fri, Oct 25, 2019 at 5:00 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:38, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs wrote:
> > > Store the audit container identifier in a refcounted kernel object that
> > > is added to the mas
On Fri, Oct 25, 2019 at 3:20 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:39, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:25 PM Richard Guy Briggs wrote:
> > > Add audit container identifier support to the action of signalling the
> > > audit daemon.
> &
On Thu, Oct 24, 2019 at 5:23 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:38, Paul Moore wrote:
> > On Fri, Sep 27, 2019 at 8:52 AM Neil Horman wrote:
> > > On Wed, Sep 18, 2019 at 09:22:23PM -0400, Richard Guy Briggs wrote:
> > > > Set an arbitrary limit on
On Wed, Oct 30, 2019 at 6:04 PM Richard Guy Briggs wrote:
> On 2019-10-30 16:27, Paul Moore wrote:
> > On Thu, Oct 24, 2019 at 5:00 PM Richard Guy Briggs wrote:
> > > Here's the note I had from that meeting:
> > >
> > > - Eric raised the issue that using
tem containers, which
require a working procfs (see above).
I'm sure there are plenty others, but these are the ones that came
immediately to mind.
--
paul moore
www.paul-moore.com
IT_DISABLED which not only prevents audit_alloc()
from allocating an audit_context (and remember if the audit_context is
NULL then audit_dummy_context() returns true), but it also clears the
TIF_SYSCALL_AUDIT flag (which I'm guessing you also want).
Can you confirm the results of 'auditctl -a never,task' on your systems?
--
paul moore
www.paul-moore.com
On Thu, Oct 24, 2019 at 6:08 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:40, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs wrote:
> > > ?fixup! audit: convert to contid list to check for orch/engine ownership
> >
> > ?
>
patchset and focus on the
procfs API.
Also, for the record, removing the audit loginuid from procfs is not
something to take lightly, if at all; like it or not, it's part of the
kernel API.
--
paul moore
www.paul-moore.com
_OFF)
> @@ -1342,10 +1341,7 @@ static void bpf_audit_prog(const struct bpf_prog
> *prog, enum bpf_event event)
> ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> if (unlikely(!ab))
> return;
> - if (has_task_context)
> -
ord to look like how
you've coded it up in bpf_audit_prog(); duplicating the fields with
audit_log_task() is wrong, you've either already got them via an
associated record (which you get from passing non-NULL as the first
parameter to audit_log_start()), or you don't because there is no
associated
On Thu, Nov 21, 2019 at 7:25 PM Daniel Borkmann wrote:
> On 11/22/19 12:41 AM, Paul Moore wrote:
> > On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov
> > wrote:
> >> On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann
> >> wrote:
> >>> On 11/20/19 1
On Thu, Nov 21, 2019 at 7:23 PM Alexei Starovoitov
wrote:
> On Thu, Nov 21, 2019 at 06:41:31PM -0500, Paul Moore wrote:
> > On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov
> > wrote:
> > > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann
> > > wrote:
> &
kmann
> > Co-developed-by: Jiri Olsa
> > Signed-off-by: Jiri Olsa
>
> Paul, Steve, given the merge window is closed by now, does this version look
> okay to you for proceeding to merge into bpf-next?
Given the change to audit UAPI I was hoping to merge this via the
audit/next tree, is that okay with you?
--
paul moore
www.paul-moore.com
On Mon, Dec 2, 2019 at 6:35 PM Joel Fernandes wrote:
> On Mon, Dec 02, 2019 at 06:24:29PM -0500, Paul Moore wrote:
> > On Mon, Dec 2, 2019 at 4:19 PM Joel Fernandes
> > wrote:
> > > Good idea to CC the following on RCU patches:
> > > Paul McKenney
>
ns(-)
While I remain concerned about the granularity, I think this is about
as good as we can get right now without potentially messing things up
in the future. Applied to selinux/next, thanks Stephen.
--
paul moore
www.paul-moore.com
On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote:
> On 12/9/19 3:56 PM, Paul Moore wrote:
> > On Mon, Dec 9, 2019 at 7:15 AM Daniel Borkmann wrote:
> >> On Fri, Dec 06, 2019 at 10:49:34PM +0100, Jiri Olsa wrote:
> >>> From: Daniel Borkmann
> >>>
&g
On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote:
> On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote:
> > On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote:
> > > On 12/9/19 3:56 PM, Paul Moore wrote:
> > > > On Mon, Dec 9, 2019 at 7:15 AM D
On Wed, Dec 11, 2019 at 8:20 AM Daniel Borkmann wrote:
> On Tue, Dec 10, 2019 at 05:45:59PM -0500, Paul Moore wrote:
> > On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote:
> > > On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote:
> > > > On Mon, Dec 9, 2
On Fri, Dec 6, 2019 at 4:28 PM Jiri Olsa wrote:
> On Fri, Dec 06, 2019 at 04:11:13PM -0500, Paul Moore wrote:
> > Other than that, this looks good to me, and I see Steve has already
> > given the userspace portion a thumbs-up. Have you started on the
> > audit-testsu
think my previous comment about having both the procfs and netlink
interfaces apply here. I don't see why we need two different APIs at
the start; explain to me why procfs isn't sufficient. If the argument
is simply the desire to avoid mounting procfs in the container, how
many container orchestrators can function today without a valid /proc?
--
paul moore
www.paul-moore.com
On Mon, Oct 21, 2019 at 7:58 PM Richard Guy Briggs wrote:
> On 2019-10-21 17:43, Paul Moore wrote:
> > On Mon, Oct 21, 2019 at 5:38 PM Richard Guy Briggs wrote:
> > > On 2019-10-21 15:53, Paul Moore wrote:
> > > > On Fri, Oct 18, 2019 at 9:39 PM Rich
On Mon, Oct 21, 2019 at 5:38 PM Richard Guy Briggs wrote:
> On 2019-10-21 15:53, Paul Moore wrote:
> > On Fri, Oct 18, 2019 at 9:39 PM Richard Guy Briggs wrote:
> > > On 2019-09-18 21:22, Richard Guy Briggs wrote:
> > > > Provide a mechanism similar to CAP_AU
> _retry_queue, UNICAST_RETRIES,
> NULL, kauditd_hold_skb);
> - if (ac && rc < 0) {
> + if (rc < 0) {
> sk = NULL;
> auditd_reset(ac);
> goto main_queue;
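Review bot: with the `ac &&` test removed, `auditd_reset(ac)` in this branch relies entirely on `ac` being valid whenever `rc < 0`, and nothing in the visible lines shows where that is established. Name the earlier check that guarantees it, in the commit message or in a short comment above `if (rc < 0)`, so the invariant is not lost if the surrounding code is reworked.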
> --
> 2.7.4.3
--
paul moore
www.paul-moore.com
On Tue, Oct 22, 2019 at 8:13 AM Neil Horman wrote:
> On Mon, Oct 21, 2019 at 08:31:37PM -0400, Paul Moore wrote:
> > On Mon, Oct 21, 2019 at 7:58 PM Richard Guy Briggs wrote:
> > > On 2019-10-21 17:43, Paul Moore wrote:
> > > > On Mon, Oct 21, 2019 at 5:38 PM Rich
ing in a reasonable patch stack. Let's leave that for the next
draft.
--
paul moore
www.paul-moore.com
On Fri, Oct 25, 2019 at 3:14 AM Yunfeng Ye wrote:
> On 2019/10/25 13:43, Paul Moore wrote:
> > On October 23, 2019 3:27:50 PM Yunfeng Ye wrote:
> >> Warning is found by the code analysis tool:
> >> "the condition 'if(ac && rc < 0)' is redundant: a
++--
include/linux/audit.h | 5 +++--
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 15 ---
4 files changed, 18 insertions(+), 11 deletions(-)
--
paul moore
www.paul-moore.com
n this in case
you weren't already aware.
If you do keep it in syscall.c, I don't think there is a need to
implement a no-op version dependent on CONFIG_AUDITSYSCALL; that will
just clutter the code.
If you do move it to auditsc.c please change the name to
audit_bpf()/__audit_bpf() so it matches the other functions; if you
keep it in syscall.c you can name it whatever you like :)
--
paul moore
www.paul-moore.com
the associated spinlock for writing.
> > */
> > -static struct auditd_connection {
> > +struct auditd_connection {
> > struct pid *pid;
> > u32 portid;
> > struct net *net;
> > struct rcu_head rcu;
> > -} *auditd_conn = NU
set: I think it would
be a mistake to include any changes to loginuid in your next patchset,
even as a "RFC" at the end. Also, barring some shocking comments from
Eric relating to the imminent death of /proc in containers, I think it
would also be a mistake to include the netlink API.
Let's keep it small and focused :)
--
paul moore
www.paul-moore.com
From: Paul Moore
Unfortunately the perltidy results differ between modern distros and the
current Travis CI environment. This patch attempts to address this by
using the current upstream perltidy in the Travis CI tests.
Signed-off-by: Paul Moore
---
.travis.yml | 10 +-
1 file
The version of perltidy currently available in Travis CI via
Ubuntu 16.04 LTS doesn't produce the same output as the perltidy
shipped in more modern distros. This patchset addresses this by
installing perltidy from the upstream sources.
---
Paul Moore (2):
audit-testsuite: use our own
From: Paul Moore
Signed-off-by: Paul Moore
---
tests/exec_execve/test |2 +-
tests/exec_name/test |2 +-
tests/file_create/test |2 +-
tests/file_delete/test |2 +-
tests/file_rename/test
n CONFIG_AUDIT=n case
> - improve operations naming (paul)
> ---
> fs/namei.c | 8 ++--
> include/linux/audit.h | 5 +++--
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 11 ++-
> 4 files changed, 16 insertions(+),
got a similar question. Up to this point in the patchset, there
is a potential issue of hash bucket chain lengths and traversing them
with a spinlock held, but it seems like we shouldn't be putting an
arbitrary limit on audit container IDs unless we have a good reason
for it. If for some reason we do want to enforce a limit, it should
probably be a tunable value like a sysctl, or similar.
--
paul moore
www.paul-moore.com
} else {
> + rc = -ENOMEM;
> + goto conterror;
> + }
> + }
> + task->audit->cont = newcont;
> + audit_cont_put(oldcont);
> +conterror:
> + spin_unlock(_contid_list_lock);
> + }
> task_unlock(task);
>
> if (!audit_enabled)
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 16bd03b88e0d..e4a31aa92dfe 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -211,6 +211,14 @@ static inline int audit_hash_ino(u32 ino)
> return (ino & (AUDIT_INODE_BUCKETS-1));
> }
>
> +#define AUDIT_CONTID_BUCKETS 32
> +extern struct list_head audit_contid_hash[AUDIT_CONTID_BUCKETS];
> +
> +static inline int audit_hash_contid(u64 contid)
> +{
> + return (contid & (AUDIT_CONTID_BUCKETS-1));
> +}
> +
> /* Indicates that audit should log the full pathname. */
> #define AUDIT_NAME_FULL -1
>
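Review bot: `audit_hash_contid()` masks with `AUDIT_CONTID_BUCKETS-1`, which only spreads ids across every entry of `audit_contid_hash[]` while `AUDIT_CONTID_BUCKETS` is a power of two; nothing next to the `#define` says so or enforces it. Add a comment or a build-time check beside the definition. Note also that only the low five bits of the u64 `contid` select the bucket, so ids that differ only in higher bits all land on one chain; a sentence on the expected id distribution would help whoever sizes this table later.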
--
paul moore
www.paul-moore.com
mit a patchset that has fixup
patches as part of the original posting. In this case fixup patches
have the opposite effect: the patchset becomes more complicated,
reviews take longer, and the likelihood of missing important details
increases.
When in doubt, don't submit separate fixup patches, fold them into the
original patches instead.
--
paul moore
www.paul-moore.com
am = -1;
> + struct audit_context *context;
> + struct net *net;
>
> if (audit_enabled == AUDIT_OFF)
> - goto errout;
> - ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> + goto out;
> + context = audit_alloc_local(GFP_ATOMIC);
> + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> if (ab == NULL)
> goto errout;
>
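Review bot: the result of `audit_alloc_local(GFP_ATOMIC)` is handed straight to `audit_log_start()` with no NULL check, and an atomic allocation can fail. The removed line passed NULL explicitly, so a NULL context may be acceptable to `audit_log_start()`, but the same pointer is later given to `audit_log_netns_contid_list()` and `audit_free_context()`. Either bail out when `context` is NULL or add a comment stating that all three callees tolerate it.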
> @@ -101,7 +104,11 @@ static bool audit_ip6(struct audit_buffer *ab, struct
> sk_buff *skb)
>
> audit_log_end(ab);
>
> + net = xt_net(par);
> + audit_log_netns_contid_list(net, context);
> errout:
> + audit_free_context(context);
> +out:
> return XT_CONTINUE;
> }
>
--
paul moore
www.paul-moore.com
{
> + rc = -EXDEV;
> + goto unlock;
> + }
> + /* only allow contid setting again if nesting */
> + if (audit_contid_set(task) && current == audit_cont_owner(task))
> rc = -ECHILD;
> +unlock:
> read_unlock(_lock);
> if (!rc) {
> struct audit_cont *oldcont = audit_cont(task);
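Review bot: the comment added above the new test reads "only allow contid setting again if nesting", but the condition it annotates is the refusing case: contid already set and `current == audit_cont_owner(task)` yields `-ECHILD`. Reword the comment to describe what is being rejected, or invert the presentation so the comment and the condition read the same way; as written a reader has to work out the allowed case by negation.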
--
paul moore
www.paul-moore.com
*cont), GFP_ATOMIC)
> + if (cont) {
> + INIT_LIST_HEAD(>list);
> + cont->id = contid;
> + refcount_set(>refcount, 1);
> + list_add_rcu(>list, contid_list);
> + }
> +out:
> + spin_unlock(>contid_list_lock);
> +}
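Review bot: when the `GFP_ATOMIC` allocation fails, the `if (cont)` block is skipped and control falls through to `out:` with nothing recorded, so the caller cannot tell that `contid` was never added to `contid_list`. Return an error from this function or at least log the failure, otherwise later lookups for that id will miss without any indication of why.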
--
paul moore
www.paul-moore.com
(!thread_group_leader(walker))
> - walker = rcu_dereference(walker->group_leader);
> - if (walker == parent) {
> - rc = 1;
> - break;
> - }
> - walker = rcu_dereference(walker->real_parent);
> - }
> - rcu_read_unlock();
> -
> - return rc;
> -}
> -
> -/**
> * ptracer_exception_found - tracer registered as exception for this tracee
> * @tracer: the task_struct of the process attempting ptrace
> * @tracee: the task_struct of the process to be ptraced
--
paul moore
www.paul-moore.com
pt of an audit container ID "lifetime"
in the kernel, when do we consider the ID gone? Is it when the last
process in the container exits, or is it when we generate the last
audit record which could possibly contain the audit container ID?
This patch would appear to support the former, but if we wanted the
latter we would need to grab a reference to the audit container ID
struct so it wouldn't "die" on us before we could emit the signal info
record.
--
paul moore
www.paul-moore.com
are going to host nested orchestrators? Can you reasonably run
a fully fledged orchestrator without a valid /proc?
--
paul moore
www.paul-moore.com
dit container ID work, yes?
If so, it shouldn't be part of this patchset.
--
paul moore
www.paul-moore.com
; comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> + audit_log_d_path_exe(ab, current->mm);
> + audit_log_format(ab, " res=1");
> + audit_log_end(ab);
> +}
Why can't we just do this in audit_cont_put()? Is it because we call
audit_cont_put() in the new audit_free() function? What if we were to
do it in __audit_free()/audit_free_syscall()?
--
paul moore
www.paul-moore.com
On Fri, Feb 7, 2020 at 4:56 PM Paul Moore wrote:
> On February 7, 2020 2:18:33 PM Steve Grubb wrote:
> > On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
> >>> Doesn't seem much better:
> >>>
> >>> type=PROCTITLE msg=audit(02/06/202
On Wed, Feb 5, 2020 at 6:51 PM Richard Guy Briggs wrote:
> On 2020-02-05 18:05, Paul Moore wrote:
> > On Thu, Jan 30, 2020 at 2:28 PM Richard Guy Briggs wrote:
> > > On 2020-01-22 16:29, Paul Moore wrote:
> > > > On Tue, Dec 31, 2019 at 2:51 PM Rich
ts properly designed to handle this without too much problem (I'm
not entirely sure we do)?
--
paul moore
www.paul-moore.com
On Mon, Feb 24, 2020 at 4:31 PM Paul Moore wrote:
>
> Commit 219ca39427bf ("audit: use union for audit_field values since
> they are mutually exclusive") combined a number of separate fields in
> the audit_field struct into a single union. Generally this work
...@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
---
kernel/audit.c | 40 +---
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 17b0d523afb3..9ddfe2aa6671 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1101,13 +1101,11
On Tue, Feb 25, 2020 at 12:50 PM Paul Moore wrote:
>
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzk
tmail.com
Signed-off-by: Paul Moore
---
kernel/auditfilter.c | 71 +++---
1 file changed, 39 insertions(+), 32 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b0126e9c0743..026e34da4ace 100644
--- a/kernel/auditf
, good catch :) I saw the panic and instinctively chalked
that up to a mistaken config, not expecting that it was what was being
tested.
> On Mon, 2020-02-24 at 17:38 -0500, Paul Moore wrote:
> > On Mon, Feb 24, 2020 at 3:18 AM syzbot
> > wrote:
> > > Hello,
> >
...@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
---
kernel/audit.c | 43 +++
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 17b0d523afb3..6e8b176bdb68 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1101,13 +1101,11
On Mon, Feb 24, 2020 at 5:53 PM Paul Moore wrote:
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzkall
On Mon, Feb 24, 2020 at 5:53 PM Paul Moore wrote:
>
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzk
sys_sendmsg net/compat.c:646 [inline]
> __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646
> do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
> do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
> entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
> =
--
paul moore
www.paul-moore.com
5:
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
Has the syzbot audit related configuration recently changed? At the
very least it looks like you want to configure the system so that it
doesn't panic when an audit record is lost (printk/AUDIT_FAIL_PRINTK
or s
syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Similar to syzbot report 72461ac44b36c98f58e5, see my comments there.
--
paul moore
www.paul-moore.com
have to start pushing on this series. If the audit community
> hasn't any additional feedback, I'll take it that what's here is
> acceptable and move my lobbying efforts elsewhere.
I'll take another look later this week.
--
paul moore
www.paul-moore.com
)",
> +audit_get_sessionid(current));
> + audit_put_tty(tty);
> + audit_log_task_context(ab); /* subj= */
> + audit_log_format(ab, " comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> + audit_log_d_path_exe(ab, current->mm); /* exe= */
> + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
> + audit_log_end(ab);
> +}
--
paul moore
www.paul-moore.com
:
audit: always check the netlink payload length in audit_receive_msg()
(2020-02-24 16:38:57 -0500)
audit/stable-5.6 PR 20200226
Paul Moore (2):
audit: fix error
not present in the redhat.com archive.
* https://lore.kernel.org/linux-audit
--
paul moore
www.paul-moore.com
ndmsg net/compat.c:646 [inline]
> __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646
> do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
> do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
> entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov wrote:
> On Mon, Feb 24, 2020 at 11:47 PM Paul Moore wrote:
> > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris wrote:
> > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e0 (the
> > > reproducer listed) looks l
in auditsc_get_stamp() and not
someplace a bit more obvious like audit_log_start()? Is it because
auditsc_get_stamp() only gets called once per event? I'm willing to
take the "hit" of one extra assignment in audit_log_start() to keep
this in a more obvious place and not buried in audi
On Wed, Jan 22, 2020 at 6:07 PM Richard Guy Briggs wrote:
> On 2020-01-22 17:40, Paul Moore wrote:
> > On Fri, Jan 17, 2020 at 3:21 PM Richard Guy Briggs wrote:
...
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index 17b0d523afb3..478259f3fa53 100644
)
audit/stable-5.6 PR 20200127
Amol Grover (1):
audit: Add __rcu annotation to RCU pointer
kernel/audit.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--
paul moore
www.paul
e we
probably want to special case that as I don't think we want to display
audit container IDs as signed numbers in general.
--
paul moore
www.paul-moore.com
On Tue, Feb 4, 2020 at 5:52 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:50 PM Richard Guy Briggs wrote:
> > >
> > > Store the audit container identifier in a refcounted kernel object that
> > > is added t
On Tue, Feb 4, 2020 at 7:39 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:29, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a
> > >
On Thu, Jan 30, 2020 at 2:28 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:29, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > Track the parent container of a container to be able to filter and
> > > report nesting
On Tue, Feb 4, 2020 at 6:43 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > This also adds support to qualify NETFILTER_PKT records.
> > >
> > > Aud