(void)
>
> audit_log_proctitle();
>
> + audit_log_container_drop();
> +
> /* Send end of event record to help user space know we are finished */
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
> if (ab)
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
adds a
"capable(CAP_AUDIT_CONTROL)" which is good, but perhaps we also need a
"ns_capable(CAP_AUDIT_CONTROL)" to allow a given audit container ID
orchestrator/owner the ability to control which of its descendants
can change their audit container ID, for example:
if (!capable(CAP_AUDIT_CONTROL) ||
!ns_capable(current->nsproxy->user_ns, CAP_AUDIT_CONTROL))
return -EPERM;
--
paul moore
www.paul-moore.com
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
> @@ -1575,6 +1590,14 @@ static void audit_log_exit(void)
>
> audit_log_proctitle();
>
> + rcu_read_lock();
> + cont = _audit_contobj_get(current);
> + rcu_read_unlock();
> + audit_log_container_id(context, cont);
> + rcu_read_lock();
> + _audit_contobj_put(cont);
> + rcu_read_unlock();
Do we need to grab an additional reference for the audit container
object here? We don't create any additional references here that
persist beyond the lifetime of this function, right?
> audit_log_container_drop();
>
> /* Send end of event record to help user space know we are finished */
--
paul moore
www.paul-moore.com
ONTEXT, gfpflags);
> + if (!context) {
> + audit_log_lost("out of memory in audit_alloc_local");
> + goto out;
You might as well just return NULL here, no need to jump and then return NULL.
> + }
> + context->serial = audit_seria
this point in
the patchset but thought it might be worth mentioning in case you
noticed the same and were on the fence.
--
paul moore
www.paul-moore.com
hat this might be
a better approach? My current thinking is that the capable/ns_capable
approach is preferable as it leverages existing kernel mechanisms and
doesn't require us to reinvent the wheel in the audit subsystem.
--
paul moore
www.paul-moore.com
lify this with "(--countns->count) < 1", although if it
is changed to a refcount_t (which seems like a smart thing), the
normal decrement/test would be the best choice.
> + list_del_rcu(>list);
> + kfree_rcu(contns, rcu);
> + }
> + break;
> + }
> + spin_unlock(>contobj_list_lock);
> + rcu_read_unlock();
> +}
--
paul moore
www.paul-moore.com
properly sort out the inheritance.
> Signed-off-by: Richard Guy Briggs
> ---
> include/linux/audit.h | 1 +
> kernel/audit.c| 60
> ++-
> kernel/audit.h| 2 ++
> kernel/auditfilter.c | 17 ++-
quest & AA_PTRACE_PERM_MASK) {
> - audit_log_format(ab, " requested_mask=");
> - audit_ptrace_mask(ab, aad(sa)->request);
> + audit_log_format(ab, " requested_mask=%s",
> +audit_ptrace_mask(aad(sa)->request));
>
> if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
> - audit_log_format(ab, " denied_mask=");
> - audit_ptrace_mask(ab, aad(sa)->denied);
> + audit_log_format(ab, " denied_mask=%s",
> +audit_ptrace_mask(aad(sa)->denied));
> }
Quotes. There are none.
... and it looks like there are more missing too, but I kinda stopped
seriously reading the patch here, please take a closer look at the
patch, make the necessary changes, and resubmit.
--
paul moore
www.paul-moore.com
On Fri, Jul 3, 2020 at 4:26 PM Richard Guy Briggs wrote:
>
> On 2020-07-03 09:36, Paul Moore wrote:
> > Commit 142240398e50 ("audit: add gfp parameter to audit_log_nfcfg")
> > incorrectly passed gfp flags to audit_log_nfcfg() which were not
> > consistent with
- add cwd= field to LSM record
>
> include/linux/audit.h | 9 -
> kernel/auditsc.c | 17 +++--
> security/lsm_audit.c | 5 +
> 3 files changed, 28 insertions(+), 3 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
On Wed, Jul 8, 2020 at 7:15 PM Richard Guy Briggs wrote:
> On 2020-07-08 18:41, Paul Moore wrote:
> > On Fri, Jul 3, 2020 at 5:50 PM Richard Guy Briggs wrote:
> > >
> > > audit_log_string() was intended to be an internal audit function and
> > > since there are
; - if (unlikely(!audit_dummy_context()))
> + if (audit_context())
> return __audit_sockaddr(len, addr);
> return 0;
> }
> --
> 1.8.3.1
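Review bot: In audit_sockaddr(), the new test `if (audit_context())` is not equivalent to the `!audit_dummy_context()` check it replaces: the old helper also rejected a context that exists but is marked dummy, so __audit_sockaddr() will now run for tasks whose context is a dummy one. If that is intended, the commit message should say so and __audit_sockaddr() should be checked for assumptions about a fully initialized context; the change also drops the unlikely() hint, which deserves a line of justification on this path.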
--
paul moore
www.paul-moore.com
);
> set_current_state(TASK_UNINTERRUPTIBLE);
> - stime = schedule_timeout(stime);
> + stime = schedule_timeout(rtime);
> + atomic_add(rtime - stime,
> _backlog_wait_time_actual);
> remove_wait_queue(_backlog_wait, );
> } else {
> if (audit_rate_check() && printk_ratelimit())
> --
> 2.17.1
>
--
paul moore
www.paul-moore.com
> kernel/audit.c | 35 +++
> 2 files changed, 41 insertions(+), 1 deletion(-)
If an admin is prioritizing security, aka don't lose any audit
records, and there is a concern over variable system latency due to an
audit queue backlog, why not s
imit to 0, it is effectively disabled
allowing the backlog to grow without any restrictions placed on it by
the audit subsystem.
--
paul moore
www.paul-moore.com
On Mon, Jun 1, 2020 at 11:36 AM Paul Moore wrote:
> On Sun, May 24, 2020 at 4:47 PM Gustavo A. R. Silva
> wrote:
> > One of the more common cases of allocation size calculations is finding
> > the size of a structure that has a zero-sized array at the end, along
> > wit
On Mon, Jun 8, 2020 at 2:04 PM Richard Guy Briggs wrote:
> On 2020-04-22 13:24, Paul Moore wrote:
> > On Fri, Apr 17, 2020 at 6:26 PM Eric W. Biederman
> > wrote:
> > > Paul Moore writes:
> > > > On Thu, Apr 16, 2020 at 4:36 PM Eric W. Biederman
> >
kshmi Ramasubramanian
> Suggested-by: Steve Grubb
> ---
> security/integrity/integrity_audit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Acked-by: Paul Moore
> diff --git a/security/integrity/integrity_audit.c
> b/security/integrity/integrity_au
On Thu, Jun 18, 2020 at 10:36 AM Steve Grubb wrote:
> On Thursday, June 18, 2020 9:46:54 AM EDT Paul Moore wrote:
> > On Thu, Jun 18, 2020 at 9:39 AM Steve Grubb wrote:
> > > The kernel cannot grow the backlog unbounded. If you do nothing, the
> > > backlog is 64 - w
22
>
> Signed-off-by: Lakshmi Ramasubramanian
> Suggested-by: Steve Grubb
> Suggested-by: Mimi Zohar
> ---
> security/integrity/integrity.h | 13 +
> security/integrity/integrity_audit.c | 11 ++-
> 2 files changed, 23 insertions(+), 1 deletion(-)
. I'm not sure if this is a concern and, if so,
> > how it should be handled.
>
> Do you have any concerns with respect to adding audit messages in low
> memory conditions?
Assuming the system is not completely toast, the allocation failure
could be a very transient issue; I woul
s the
> operation's results. If it really is errno, the name is fine. It's generic
> enough that it can be reused on other events if that mattered.
Steve, what is the historical reason why we have both "res" and
"result" for indicating a boolean success/fail? I'm just cu
akshmi Ramasubramanian
> Suggested-by: Steve Grubb
> ---
> security/integrity/integrity_audit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
If we can't use "res=" to carry more than 0/1 then this seems reasonable.
Acked-by: Paul Moore
> diff --git
On Wed, Jun 17, 2020 at 6:54 PM Max Englander wrote:
> On Wed, Jun 17, 2020 at 02:47:19PM -0400, Paul Moore wrote:
> > On Tue, Jun 16, 2020 at 12:58 AM Max Englander
> > wrote:
> > >
> > > In environments where security is prioritized, users may set
> >
rs ago:
>
> https://github.com/linux-audit/audit-kernel/issues/63
> "RFE: add kernel audit queue statistics"
I would be more open to the idea of reporting queue statistics as part
of the audit status information, or similar.
--
paul moore
www.paul-moore.com
dle and chain/set/flowtable
>
> include/linux/audit.h | 18
> kernel/auditsc.c | 24 --
> net/netfilter/nf_tables_api.c | 103
> ++
> 3 files changed, 142 insertions(+), 3 deletions(-)
I'm not seeing any additional comments from the netfilter
On Fri, Jun 5, 2020 at 3:54 PM Lakshmi Ramasubramanian
wrote:
> On 6/5/20 12:37 PM, Paul Moore wrote:
>
> > If it's audit related, it's generally best to CC the linux-audit list,
> > not just me (fixed).
> >
> > It's not clear to me what this pr_err() is try
On Fri, Jun 5, 2020 at 2:46 PM Mimi Zohar wrote:
>
> [Cc'ing Paul Moore]
If it's audit related, it's generally best to CC the linux-audit list,
not just me (fixed).
It's not clear to me what this pr_err() is trying to indicate other
than *something* failed. Can someone provide som
, not the function name
> "process_buffer_measurement".
>
> Userspace needs to be aware of the new audit messages. Maybe include
> samples of them in the cover letter.
Yes, examples of the audit record in the commit description (the cover
letter isn't recorded in the git log), are encouraged.
--
paul moore
www.paul-moore.com
On Wed, Jun 10, 2020 at 9:58 PM Lakshmi Ramasubramanian
wrote:
> On 6/10/20 6:45 PM, Paul Moore wrote:
>
> Hi Paul,
>
> > I'm sorry I didn't get a chance to mention this before you posted this
> > patch, but for the past several years we have been sticking with a
>
djust this patch accordingly. Otherwise, this looks fine to
me.
> audit_log_untrustedstring(ab, get_task_comm(name, current));
> if (fname) {
> audit_log_format(ab, " name=");
> --
> 2.27.0
--
paul moore
www.paul-moore.com
On Tue, Jul 21, 2020 at 10:01 PM Richard Guy Briggs wrote:
> On 2020-07-21 18:45, Paul Moore wrote:
> > On Tue, Jul 21, 2020 at 6:30 PM Paul Moore wrote:
> > > Richard, you broke it, you bought it :) Did you want to take a closer
> > > look at this? If you can't let
On Thu, Jul 23, 2020 at 8:57 AM Richard Guy Briggs wrote:
> On 2020-07-22 21:01, Paul Moore wrote:
> > Do you have a rough idea as to how long it would take to chase down
> > all the code paths? I'm asking not to rush you, but to figure out if
> > we should revert the
.org
Fixes: 1320a4052ea1 ("audit: trigger accompanying records when no rules
present")
Reported-by: j24...@googlemail.com
Signed-off-by: Paul Moore
---
kernel/audit.c |1 -
kernel/audit.h |8
kernel/auditsc.c |3 +++
3 files changed, 3 insertions(+), 9 deletions(-)
On Tue, Jul 28, 2020 at 12:27 PM Richard Guy Briggs wrote:
> On 2020-07-27 22:14, Paul Moore wrote:
> > On Mon, Jul 27, 2020 at 5:30 PM Richard Guy Briggs wrote:
> > > Issue ghak120 enabled syscall records to accompany required records when
> > > no rules are pre
On Tue, Jul 28, 2020 at 10:01 PM Richard Guy Briggs wrote:
>
> On 2020-07-28 14:47, Paul Moore wrote:
> > On Tue, Jul 28, 2020 at 12:27 PM Richard Guy Briggs wrote:
> > > I know you like only really minimal fixes this late, but this seemed
> > > pretty minimal to
On Tue, Jul 28, 2020 at 5:09 PM Paul Moore wrote:
>
> Unfortunately the commit listed in the subject line above failed
> to ensure that the task's audit_context was properly initialized/set
> before enabling the "accompanying records". Depending on the
> situation, th
R 20200729
----
Paul Moore (1):
revert: 1320a4052ea1 ("audit: trigger accompanying records when no
rules present")
kernel/audit.c | 1 -
kernel/audit.h | 8
kernel/auditsc.c | 3 +++
3 files changed, 3 insertions(+), 9 deletions(-)
--
paul moore
www.paul-moore
to fix
this bug (this seems more like a feature add than a bugfix). Yes,
they may fix the problem but it seems like simply adding a
context->pwd test in audit_log_name() similar to what we do in
audit_log_exit() is the correct fix.
We are currently at -rc7 and this really needs to land before v5.8 is
released, presumably this weekend; this means a small and limited bug
fix patch is what is needed.
--
paul moore
www.paul-moore.com
On Tue, Jul 14, 2020 at 5:00 PM Richard Guy Briggs wrote:
> On 2020-07-14 16:29, Paul Moore wrote:
> > On Tue, Jul 14, 2020 at 1:44 PM Richard Guy Briggs wrote:
> > > On 2020-07-14 12:21, Paul Moore wrote:
> > > > On Mon, Jul 13, 2020 at 3:52 PM Rich
On Wed, Jul 15, 2020 at 9:30 PM Paul Moore wrote:
> On Wed, Jul 8, 2020 at 7:13 PM Paul Moore wrote:
> > On Sat, Jul 4, 2020 at 11:15 AM Max Englander
> > wrote:
> > >
> > > In environments where the preservation of audit events and predictable
> > &
ones Desougi
Signed-off-by: Paul Moore
---
net/netfilter/nf_tables_api.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f7ff91479647..886e64291f41 100644
--- a/net/netfilter/nf_tables_api.c
s well as converts a call in a RCU protected section to
an ATOMIC.
https://lore.kernel.org/linux-audit/159378341669.5956.13490174029711421419.stgit@sifl
--
paul moore
www.paul-moore.com
riefly. I'll be away until the 24th and won't be able to
> look before then.
I am just getting back to normal network access myself, but I did have
a brief exchange with Richard about this and I agree it looks a bit
odd.
--
paul moore
www.paul-moore.com
dev=%s op=%s error_msg='%s' res=%d"
"... module=%s dev=%s op=%s res=%d"
The first thing that jumps out is that some fields, e.g. "sector", are
not always present in the record; we typically handle this by using a
"?" for the field value in those cases where you
On Wed, Aug 18, 2021 at 5:59 PM Casey Schaufler wrote:
>
> On 8/16/2021 11:57 AM, Paul Moore wrote:
> > On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler
> > wrote:
> >> On 8/13/2021 1:43 PM, Paul Moore wrote:
> ...
> > Yeah, the thought occurred to me, but we
On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler wrote:
> On 8/12/2021 1:59 PM, Paul Moore wrote:
> > On Wed, Jul 21, 2021 at 9:12 PM Casey Schaufler
> > wrote:
> >> Create a new audit record type to contain the subject information
> >> when there are multi
On Tue, Aug 24, 2021 at 11:20 AM Casey Schaufler wrote:
> On 8/24/2021 7:45 AM, Paul Moore wrote:
> > On Fri, Aug 20, 2021 at 7:48 PM Casey Schaufler
> > wrote:
> >>> On 8/20/2021 12:06 PM, Paul Moore wrote:
> >>>> Unless you explicitly enable audit o
dd generic compat syscall support")
> added generic support for bi-arch.
>
> Convert powerpc to that bi-arch generic audit support.
>
> Cc: Paul Moore
> Cc: Eric Paris
> Signed-off-by: Christophe Leroy
> ---
> Resending v2 with Audit people in Cc
>
> v2:
>
On Fri, Aug 20, 2021 at 7:48 PM Casey Schaufler wrote:
> > On 8/20/2021 12:06 PM, Paul Moore wrote:
> >> Unless you explicitly enable audit on the kernel cmdline, e.g.
> >> "audit=1", processes started before userspace enables audit will not
> >> h
pid = 2082
> >>> memfd created, fd = 3
> io_uring_queue_init: Permission denied
>
> I have CONFIG_IO_URING=y set, what else is needed?
I'm not sure how you tried to run those tests, but try running as root
and with SELinux in permissive mode.
--
paul moore
www.paul
On Thu, Aug 26, 2021 at 10:37 AM Michael Ellerman wrote:
> Paul Moore writes:
> > On Tue, Aug 24, 2021 at 1:11 PM Christophe Leroy
> > wrote:
> >> Le 24/08/2021 à 16:47, Paul Moore a écrit :
> >> > On Tue, Aug 24, 2021 at 9:36 AM Christophe Leroy
On Fri, Aug 27, 2021 at 9:36 AM Richard Guy Briggs wrote:
> On 2021-08-26 15:14, Paul Moore wrote:
> > On Thu, Aug 26, 2021 at 12:32 PM Richard Guy Briggs wrote:
> > > I'm getting:
> > > # ./iouring.2
> > > Kernel thread io_uring-sq is not ru
On Wed, Aug 11, 2021 at 4:49 PM Paul Moore wrote:
>
> From: Casey Schaufler
>
> Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> for the override_creds case and CAP_MAC_ADMIN for creating a
> polling thread. These choices are based on conjecture rega
On Tue, Aug 31, 2021 at 11:03 AM Casey Schaufler wrote:
> On 8/31/2021 7:44 AM, Paul Moore wrote:
> >
> > Casey, with the idea of posting a v3 towards the end of the merge
> > window next week, without the RFC tag and with the intention of
> > merging it into -next d
On Wed, Aug 25, 2021 at 9:16 PM Richard Guy Briggs wrote:
>
> On 2021-08-24 16:57, Richard Guy Briggs wrote:
> > On 2021-08-11 16:48, Paul Moore wrote:
> > > Draft #2 of the patchset which brings auditing and proper LSM access
> > > controls to the io_uring sub
bug is *really* important; even if you don't have a fix for
that, just a description of the problem would be good.
--
paul moore
www.paul-moore.com
/*
* io_uring test tool to exercise LSM/SELinux and audit kernel code paths
* Author: Paul Moore
*
* Copyright 2021 Microsoft Corporation
*
to simply add the -stable marking and merge it into audit/next
to get pushed up to Linus early next week, assuming we see v5.14
released this Sunday. If for some reason we see a v5.14-rc8 next week
I'll adjust things and send it to Linus as a -stable patch.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
On Tue, Aug 24, 2021 at 1:11 PM Christophe Leroy
wrote:
> Le 24/08/2021 à 16:47, Paul Moore a écrit :
> > On Tue, Aug 24, 2021 at 9:36 AM Christophe Leroy
> > wrote:
> >>
> >> Commit e65e1fc2d24b ("[PATCH] syscall class hookup for all normal
> >
ecution context returns to userspace and in the case of
sqpoll the processing is handled by a separate kernel thread with no
association to a process thread.
--
paul moore
www.paul-moore.com
On Fri, Aug 13, 2021 at 2:48 PM Casey Schaufler wrote:
> On 8/13/2021 8:31 AM, Paul Moore wrote:
> > On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler
> > wrote:
> >> On 8/12/2021 1:59 PM, Paul Moore wrote:
> >>> On Wed, Jul 21, 2021 at 9:12 PM Casey Schaufle
On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler wrote:
> On 8/13/2021 1:43 PM, Paul Moore wrote:
> > On Fri, Aug 13, 2021 at 2:48 PM Casey Schaufler
> > wrote:
> >> On 8/13/2021 8:31 AM, Paul Moore wrote:
> >>> On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler
On Tue, Aug 24, 2021 at 9:21 PM Richard Guy Briggs wrote:
>
> On 2021-06-02 13:46, Paul Moore wrote:
> > On Wed, Jun 2, 2021 at 1:29 PM Richard Guy Briggs wrote:
> > > On 2021-05-21 17:49, Paul Moore wrote:
> > > > WARNING - This is a work in progress and shou
On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs wrote:
> > I did set a syscall filter for
> > -a exit,always -F arch=b64 -S
> > io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
>
_each_entry(node, >chunks, list)
> node->index &= ~(1U<<31);
> @@ -938,7 +938,7 @@ int audit_tag_tree(char *old, char *new)
> mutex_unlock(_filter_mutex);
>
> if (!failed) {
> - struct node *node;
> + struct audit_node *node;
> spin_lock(_lock);
> list_for_each_entry(node, >chunks, list)
> node->index &= ~(1U<<31);
> --
> 2.25.0
>
--
paul moore
www.paul-moore.com
break;
> + }
> + audit_log_format(ab, " res=%d", result);
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL_GPL(dm_audit_log_ti);
Just checking, but are you okay when the inevitable happens and
someone passes an @audit_type that is not either AUDIT_CM_CTRL
On Mon, Sep 6, 2021 at 2:41 AM LEROY Christophe
wrote:
> Le 03/09/2021 à 19:06, Paul Moore a écrit :
> > On Fri, Sep 3, 2021 at 11:48 AM Christophe Leroy
> > wrote:
> >>
> >> struct node defined in kernel/audit_tree.c conflicts with
> >> s
somewhat significant so I'll post an
updated v4 patchset later today once it passes through a round of
testing.
--
paul moore
www.paul-moore.com
On Mon, Sep 13, 2021 at 9:50 PM Paul Moore wrote:
> On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote:
> > On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> > > On 2021-09-01 15:21, Paul Moore wrote:
> > > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore w
0
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
AUID="root" UID="root" GID="root" EUID="root" SUID="root"
FSUID="root" EGID="root" SGID="root" FSGID="root"
Thanks to Richard
/audit_filter_list[7].
Thanks to Richard Guy Briggs for his review, feedback, and work on
the corresponding audit userspace changes.
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning from the description
v2:
- incorporate feedback from Richard
v1:
- initial draft
---
include/uapi
ion making the request.
With a SQPOLL thread, we can no longer compare requested
credential changes against the application making the request,
the comparison is made against the ring's credentials.
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning from the desc
the smack_uring_* funcs static, remove debug code]
Signed-off-by: Paul Moore
---
v3:
- removed debug code
v2:
- made the smack_uring_* funcs static
v1:
- initial draft
---
security/smack/smack_lsm.c | 46
1 file changed, 46 insertions(+)
diff --git
->in_syscall flag into an enum which
can be used by future patches to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
v3:
- removed work-in-progress warning f
orking-io_uring")
-Paul
---
Casey Schaufler (1):
Smack: Brutalist io_uring support with debug
Paul Moore (7):
audit: prepare audit_context for use in calling contexts beyond syscalls
audit,io_uring,io-wq: add some basic audit support to io_uring
audit: add filtering
arguments.
Acked-by: Mickaël Salaün
Signed-off-by: Paul Moore
---
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs/anon_inodes.c b/fs
.
Signed-off-by: Paul Moore
---
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 388754b24785..56cc9aba0d01 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -10155,8
/audit_filter_list[7].
Thanks to Richard Guy Briggs for his review, feedback, and work on
the corresponding audit userspace changes.
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- removed work-in-progress warning from the description
v2:
- incorporate feedback from Richard
v1:
- initial draft
0
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
AUID="root" UID="root" GID="root" EUID="root" SUID="root"
FSUID="root" EGID="root" SGID="root" FSGID="root"
Thanks to Richard Guy
->in_syscall flag into an enum which
can be used by future patches to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
v4:
- fix some spelling errors in the comments
below:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
(checkout branch "working-io_uring")
---
Casey Schaufler (1):
Smack: Brutalist io_uring support
Paul Moore (7):
audit: prepare audit_context for use in calling contexts beyond syscalls
audit,io_u
eds sqpoll }
These permissions can be seen in the two simple policy statements
below:
allow domA_t domB_t : io_uring { override_creds };
allow domA_t self : io_uring { sqpoll };
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- removed work-in-progress warning from the description
ion making the request.
With a SQPOLL thread, we can no longer compare requested
credential changes against the application making the request,
the comparison is made against the ring's credentials.
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- removed work-in-progress wa
.
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 388754b24785..56cc9aba0d01 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
the smack_uring_* funcs static, remove debug code]
Signed-off-by: Paul Moore
---
v4:
- updated subject line
v3:
- removed debug code
v2:
- made the smack_uring_* funcs static
v1:
- initial draft
---
security/smack/smack_lsm.c | 46
1 file changed, 46
arguments.
Acked-by: Mickaël Salaün
Signed-off-by: Paul Moore
---
v4:
- no change
v3:
- no change
v2:
- no change
v1:
- initial draft
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs
tsc.c | 15 +--
> 1 file changed, 1 insertion(+), 14 deletions(-)
Merged into audit/next, thanks!
--
paul moore
www.paul-moore.com
truct audit_buffer
> *ab,
> case LSM_AUDIT_DATA_NONE:
> return;
> case LSM_AUDIT_DATA_IPC:
> - audit_log_format(ab, " key=%d ", a->u.ipc_id);
> + audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id);
>
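Review bot: The new format string in the LSM_AUDIT_DATA_IPC case keeps the trailing space, `" ipc_key=%d "`, so the record ends up with either a double space before the next field or a trailing space at the end. Since the field is being renamed anyway, consider `" ipc_key=%d"` to match the leading-space-only style of the other audit_log_format() calls, and include a sample record with the new field name in the commit description so userspace parsers can be updated.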
On Tue, Sep 14, 2021 at 10:26 AM Casey Schaufler wrote:
>
> On 9/13/2021 8:33 PM, Paul Moore wrote:
> > From: Casey Schaufler
> >
> > Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> > for the override_creds case and CAP_MAC_ADMIN for creating a
>
On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote:
> On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> > On 2021-09-01 15:21, Paul Moore wrote:
> > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> > > > On Sat, Aug 28, 2021 at 11:04 AM Rich
On Thu, Sep 16, 2021 at 9:33 AM Richard Guy Briggs wrote:
> On 2021-09-15 12:49, Paul Moore wrote:
> > This patch adds basic auditing to io_uring operations, regardless of
> > their context. This is accomplished by allocating audit_context
> > structures for the io-wq worke
On Thu, Sep 16, 2021 at 10:19 AM Richard Guy Briggs wrote:
> On 2021-09-16 10:02, Paul Moore wrote:
> > On Thu, Sep 16, 2021 at 9:33 AM Richard Guy Briggs wrote:
> > > On 2021-09-15 12:49, Paul Moore wrote:
> > > > This patch adds basic auditing to i
On Tue, Sep 14, 2021 at 10:49 AM Paul Moore wrote:
>
> On Tue, Sep 14, 2021 at 9:15 AM Ondrej Mosnacek wrote:
> >
> > The "key" field is used to associate records with the rule that
> > triggered them, so it's not a good idea to overload it with an
> >
On Wed, Sep 15, 2021 at 12:49 PM Paul Moore wrote:
>
> A quick update to the v3 patchset with a small change to the audit
> record format (remove the audit login ID on io_uring records) and
> a subject line fix on the Smack patch. I also caught a few minor
> things in the code com
On Tue, Sep 7, 2021 at 11:45 AM LEROY Christophe
wrote:
> > -Message d'origine-
> > De : Paul Moore
> > On Mon, Sep 6, 2021 at 2:41 AM LEROY Christophe
> > wrote:
> > > Le 03/09/2021 à 19:06, Paul Moore a écrit :
> > > > On Fri, Sep 3, 202
a copy of the GNU General Public License
> - * along with this program; if not, write to the Free Software
> - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> - *
> * Written by Rickard E. (Rik) Faith
> *
> * Many of the ideas implemented
On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> On 2021-09-01 15:21, Paul Moore wrote:
> > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> > > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs
> > > wrote:
> > > > I did set a syscall fi
least the kernel/auditsc.c file still makes use of the
timespec64 struct which is defined in include/linux/time64.h which is
brought in by include/linux/time.h and *not* by
include/linux/timekeeping.h. As long as we make use of the timespec64
struct and the definition remains in time64.h let's ke
nt to
add to it in the future. What do you think about something like
"audit_arch.h" instead?
If that change is okay with you I can go ahead and do the rename while
I'm merging the patches, I'll consider it penance for letting this
patchset sit for so long :/
--
paul moore
www.paul-moore.com