| 8
> kernel/auditsc.c| 4 ++--
> net/bridge/netfilter/ebtables.c | 6 +++---
> net/netfilter/nf_tables_api.c | 33 +
> net/netfilter/x_tables.c| 5 +++--
> 5 files changed, 33 insertions(+), 23 deletions(-)
Merg
audit_inode* stubs in the !CONFIG_AUDITSYSCALL case.
>
> Signed-off-by: Richard Guy Briggs
> ---
> include/linux/audit.h | 8
> 1 file changed, 8 deletions(-)
Merged into audit/next.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
atomic_add(audit_backlog_wait_time - stime,
> &audit_backlog_wait_sum);
Since stime can only be different in one place in the code above
(after the schedule_timeout() call), why not move the atomic_add() up
there and drop the "if"? Yes there is the potential of calling
atomic_add() multiple times in this case, but the thread is waiting
anyway and this way we don't impact other code paths.
> }
>
> ab = audit_buffer_alloc(ctx, gfp_mask, type);
> --
> 2.17.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ones Desougi
Signed-off-by: Paul Moore
---
net/netfilter/nf_tables_api.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f7ff91479647..886e64291f41 100644
--- a/net/netfilter/nf_tables_api.c
d out as well as converts a call in an RCU-protected section to
an ATOMIC.
https://lore.kernel.org/linux-audit/159378341669.5956.13490174029711421419.stgit@sifl
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
> + } else {
> + rc = -ENOMEM;
> + spin_unlock(&audit_contobj_list_lock);
> + goto conterror;
> + }
> + }
> + spin_unlock(&am
On Sat, Jul 4, 2020 at 9:29 AM Paul Moore wrote:
> On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
> >
> > Implement the proc fs write to set the audit container identifier of a
> > process, emitting an AUDIT_CONTAINER_OP record to document the event.
Sorry ab
tsk->audit = NULL;
> + kmem_cache_free(audit_task_cache, info);
Another nitpick, and this one may even become a moot point given the
question posed above. However, is there any reason we couldn't get
rid of "info" and simplify this a bit?
audit_free_syscall(tsk);
kmem_cache_free(au
goto conterror;
> + }
> _audit_contobj_hold(cont);
> newcont = cont;
> } else {
> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index b69231918686..8303bb7a63d0 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
> @@ -137,6 +137,7 @@ struct nlmsg_perm {
> { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE},
> { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY},
> { AUDIT_SIGNAL_INFO,NETLINK_AUDIT_SOCKET__NLMSG_READ },
> + { AUDIT_SIGNAL_INFO2, NETLINK_AUDIT_SOCKET__NLMSG_READ },
> { AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE},
> { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE},
> { AUDIT_TTY_GET,NETLINK_AUDIT_SOCKET__NLMSG_READ },
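Review bot: Worth confirming that the audit-side gate in kernel/audit.c (audit_netlink_ok()) gained a matching AUDIT_SIGNAL_INFO2 case in the same series, since that switch and selinux_nlmsg_lookup() both have to know the type or the message is rejected with -EINVAL before any handler runs. The permission chosen here, NETLINK_AUDIT_SOCKET__NLMSG_READ, mirrors the existing AUDIT_SIGNAL_INFO row directly above it, which is the right choice for a read-only query. A one-line comment on the new row such as `/* same read-only semantics as AUDIT_SIGNAL_INFO */` would make that pairing explicit for the next person extending the table.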
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
list_add_rcu(&newcont->list,
> + &audit_contid_hash[h]);
> + } else {
> + rc = -ENOMEM;
> + spin_unlock(&audit_contobj_list_lock);
> + goto conterror;
> + }
> + }
> + spin_unlock(&audit_contobj_list_lock);
> + task->audit->cont = newcont;
> + _audit_contobj_put(oldcont);
> + }
> +conterror:
> + task_unlock(task);
> +
> + if (!audit_enabled)
> + return rc;
> +
> + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP);
> + if (!ab)
> + return rc;
> +
> + audit_log_format(ab,
> +"op=set opid=%d contid=%llu old-contid=%llu",
> +task_tgid_nr(task), contid, oldcont ? oldcont->id :
> -1);
> + _audit_contobj_put(oldcont);
> + rcu_read_unlock();
> + audit_log_end(ab);
> + return rc;
> +}
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
_log_exit(void)
>
> audit_log_proctitle();
>
> + audit_log_container_drop();
> +
> /* Send end of event record to help user space know we are finished */
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
> if (ab)
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
unt--;
> + if (contns->count < 1) {
One could simplify this with "(--contns->count) < 1", although if it
is changed to a refcount_t (which seems like a smart thing), the
normal decrement/test would be the best choice.
> + list_del_rcu(&contns->list);
> + kfree_rcu(contns, rcu);
> + }
> + break;
> + }
> + spin_unlock(&aunet->contobj_list_lock);
> + rcu_read_unlock();
> +}
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
properly sort out the inheritance.
> Signed-off-by: Richard Guy Briggs
> ---
> include/linux/audit.h | 1 +
> kernel/audit.c| 60
> ++-
> kernel/audit.h| 2 ++
> kernel/auditfilter.c | 17 ++-
&
ntext = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags);
> + if (!context) {
> + audit_log_lost("out of memory in audit_alloc_local");
> + goto out;
You might as well just return NULL here, no need to jump and then return NULL.
> + }
on it at this point in
the patchset but thought it might be worth mentioning in case you
noticed the same and were on the fence.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
this might be
a better approach? My current thinking is that the capable/ns_capable
approach is preferable as it leverages existing kernel mechanisms and
doesn't require us to reinvent the wheel in the audit subsystem.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
o add to the capability check. Patch 2 adds a
"capable(CAP_AUDIT_CONTROL)" which is good, but perhaps we also need a
"ns_capable(CAP_AUDIT_CONTROL)" to allow a given audit container ID
orchestrator/owner the ability to control which of its descendants
can change their audit container ID, for example:
if (!capable(CAP_AUDIT_CONTROL) ||
!ns_capable(current->nsproxy->user_ns, CAP_AUDIT_CONTROL))
return -EPERM;
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
d.mnt) {
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
> @@ -1575,6 +1590,14 @@ static void audit_log_exit(void)
>
> audit_log_proctitle();
>
> + rcu_read_lock();
> + cont = _audit_contobj_get(current);
> + rcu_read_unlock();
> + audit_log_container_id(context, cont);
> + rcu_read_lock();
> + _audit_contobj_put(cont);
> + rcu_read_unlock();
Do we need to grab an additional reference for the audit container
object here? We don't create any additional references here that
persist beyond the lifetime of this function, right?
> audit_log_container_drop();
>
> /* Send end of event record to help user space know we are finished */
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Mon, Jul 6, 2020 at 10:50 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:09, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:21 AM Richard Guy Briggs wrote:
> > >
> > > The audit-related parameters in struct task_struct should ideally be
> > > colle
On Fri, Jul 3, 2020 at 4:26 PM Richard Guy Briggs wrote:
>
> On 2020-07-03 09:36, Paul Moore wrote:
> > Commit 142240398e50 ("audit: add gfp parameter to audit_log_nfcfg")
> > incorrectly passed gfp flags to audit_log_nfcfg() which were not
> > consistent with
gt;request & AA_PTRACE_PERM_MASK) {
> - audit_log_format(ab, " requested_mask=");
> - audit_ptrace_mask(ab, aad(sa)->request);
> + audit_log_format(ab, " requested_mask=%s",
> +audit_ptrace_mask(aad(sa)->request));
>
> if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
> - audit_log_format(ab, " denied_mask=");
> - audit_ptrace_mask(ab, aad(sa)->denied);
> + audit_log_format(ab, " denied_mask=%s",
> +audit_ptrace_mask(aad(sa)->denied));
> }
Quotes. There are none.
... and it looks like there are more missing too, but I kinda stopped
seriously reading the patch here, please take a closer look at the
patch, make the necessary changes, and resubmit.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
; - if (unlikely(!audit_dummy_context()))
> + if (audit_context())
> return __audit_sockaddr(len, addr);
> return 0;
> }
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
04bf25c87
> - add cwd= field to LSM record
>
> include/linux/audit.h | 9 -
> kernel/auditsc.c | 17 +++--
> security/lsm_audit.c | 5 +
> 3 files changed, 28 insertions(+), 3 deletions(-)
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
add_wait_queue_exclusive(&audit_backlog_wait,
> &wait);
> set_current_state(TASK_UNINTERRUPTIBLE);
> - stime = schedule_timeout(stime);
> + stime = schedule_timeout(rtime);
> + atomic_add(rtime - stime,
> &audit_backlog_wait_time_actual);
> remove_wait_queue(&audit_backlog_wait, &wait);
> } else {
> if (audit_rate_check() && printk_ratelimit())
> --
> 2.17.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Wed, Jul 8, 2020 at 7:15 PM Richard Guy Briggs wrote:
> On 2020-07-08 18:41, Paul Moore wrote:
> > On Fri, Jul 3, 2020 at 5:50 PM Richard Guy Briggs wrote:
> > >
> > > audit_log_string() was intended to be an internal audit function and
> > > since there are
On Mon, Jul 13, 2020 at 1:40 PM Richard Guy Briggs wrote:
> On 2020-07-08 18:49, Paul Moore wrote:
> > On Fri, Jul 3, 2020 at 1:18 PM Richard Guy Briggs wrote:
> > > When there are no rules present, the event SOCKADDR record is not
> > > generated due to audit_d
are describing could be done after the fact without
any disruption to the kernel/userspace interface. I would strongly
encourage both patchsets to remain self-contained if at all possible
so as to not jeopardize each other.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.
On Mon, Jul 13, 2020 at 4:30 PM Richard Guy Briggs wrote:
> On 2020-07-07 21:42, Paul Moore wrote:
> > On Mon, Jul 6, 2020 at 10:50 PM Richard Guy Briggs wrote:
> > > On 2020-07-05 11:09, Paul Moore wrote:
> > > > On Sat, Jun 27, 2020 at 9:21 AM Rich
On Mon, Jul 13, 2020 at 8:28 PM Casey Schaufler wrote:
> On 7/13/2020 5:11 PM, Paul Moore wrote:
> > On Mon, Jul 13, 2020 at 7:09 PM Casey Schaufler
> > wrote:
> >> ... but it does appear that I could switch to using your
> >> audit_alloc_local().
> > In
On Mon, Jul 13, 2020 at 9:08 PM Richard Guy Briggs wrote:
> On 2020-07-13 20:11, Paul Moore wrote:
> > On Mon, Jul 13, 2020 at 7:09 PM Casey Schaufler
> > wrote:
> > > ... but it does appear that I could switch to using your
> > > audit_alloc_local().
> &g
edby");
> - break;
> + return "tracedby";
> }
> + return "";
Are we okay with this returning an empty string ("") in this case?
Should it be a question mark ("?")?
My guess is that userspace parsing should be okay since it still has
quotes, I'm just not sure if we wanted to use a question mark as we do
in other cases where the field value is empty/unknown.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Tue, Jul 14, 2020 at 1:44 PM Richard Guy Briggs wrote:
> On 2020-07-14 12:21, Paul Moore wrote:
> > On Mon, Jul 13, 2020 at 3:52 PM Richard Guy Briggs wrote:
> > >
> > > audit_log_string() was intended to be an internal audit function and
> > > since ther
On Wed, Jul 8, 2020 at 7:13 PM Paul Moore wrote:
>
> On Sat, Jul 4, 2020 at 11:15 AM Max Englander wrote:
> >
> > In environments where the preservation of audit events and predictable
> > usage of system memory are prioritized, admins may use a combination of
> &
On Tue, Jul 14, 2020 at 5:00 PM Richard Guy Briggs wrote:
> On 2020-07-14 16:29, Paul Moore wrote:
> > On Tue, Jul 14, 2020 at 1:44 PM Richard Guy Briggs wrote:
> > > On 2020-07-14 12:21, Paul Moore wrote:
> > > > On Mon, Jul 13, 2020 at 3:52 PM Rich
On Wed, Jul 15, 2020 at 9:30 PM Paul Moore wrote:
> On Wed, Jul 8, 2020 at 7:13 PM Paul Moore wrote:
> > On Sat, Jul 4, 2020 at 11:15 AM Max Englander
> > wrote:
> > >
> > > In environments where the preservation of audit events and predictable
> > &
On Tue, Jul 21, 2020 at 3:31 PM John Johansen
wrote:
> On 7/21/20 8:19 AM, Paul Moore wrote:
> > On Tue, Jul 14, 2020 at 5:00 PM Richard Guy Briggs wrote:
> >> On 2020-07-14 16:29, Paul Moore wrote:
> >>> On Tue, Jul 14, 2020 at 1:44 PM Richard Guy Briggs
> &
on here? */
> > 2049audit_log_string(ab, "");
> > 2050} else
> > (gdb) l *audit_log_exit+0x63d
> > 0x8115445d is in audit_log_exit (kernel/auditsc.c:1342).
> > 1337case 0:
> > 1338/* name was specified as a relative path
> > and the
> > 1339 * directory component is the cwd
> > 1340 */
> > 1341audit_log_d_path(ab, " name=",
> > &context->pwd);
> > 1342break;
> > 1343default:
> > 1344/* log the name's directory component */
> > 1345audit_log_format(ab, " name=");
> > 1346audit_log_n_untrustedstring(ab,
> > n->name->name,
> > (gdb) l *audit_filter_inodes+0x2e
> > 0x81155e2e is in audit_filter_inodes (kernel/auditsc.c:835).
> > 830 */
> > 831 void audit_filter_inodes(struct task_struct *tsk, struct
> > audit_context *ctx)
> > 832 {
> > 833 struct audit_names *n;
> > 834
> > 835 if (auditd_test_task(tsk))
> > 836 return;
> > 837
> > 838 rcu_read_lock();
> > 839
> > (gdb) l *__audit_syscall_exit+0x23b
> > 0x8115661b is in __audit_syscall_exit (kernel/auditsc.c:1710).
> > 1705
> > 1706audit_filter_syscall(current, context,
> > 1707
> > &audit_filter_list[AUDIT_FILTER_EXIT]);
> > 1708audit_filter_inodes(current, context);
> > 1709if (context->current_state == AUDIT_RECORD_CONTEXT)
> > 1710audit_log_exit();
> > 1711}
> > 1712
> > 1713context->in_syscall = 0;
> > 1714context->prio = context->state == AUDIT_RECORD_CONTEXT ?
> > ~0ULL : 0;
> > (gdb) l *syscall_slow_exit_work+0x117
> > 0x81005197 is in syscall_slow_exit_work (include/linux/audit.h:316).
> > 311 {
> > 312 if (unlikely(audit_context())) {
> > 313 int success = is_syscall_success(pt_regs);
> > 314 long return_code = regs_return_value(pt_regs);
> > 315
> > 316 __audit_syscall_exit(success, return_code);
> > 317 }
> > 318 }
> > 319 static inline struct filename *audit_reusename(const __user char
> > *name)
> > 320 {
> > (gdb) l *do_syscall_64+0x10e
> > 0x8100543e is in do_syscall_64 (arch/x86/entry/common.c:276).
> > warning: Source file is more recent than executable.
> > 271 /*
> > 272 * First do one-time work. If these work items are
> > enabled, we
> > 273 * want to run them exactly once per syscall exit with IRQs
> > on.
> > 274 */
> > 275 if (unlikely(cached_flags & SYSCALL_EXIT_WORK_FLAGS))
> > 276 syscall_slow_exit_work(regs, cached_flags);
> > 277
> > 278 local_irq_disable();
> > 279 prepare_exit_to_usermode(regs);
> > 280 }
> > (gdb) l *entry_SYSCALL_64_after_hwframe+0x44
> > 0x8180008c is at
> > /build/linux-iTqI2R/linux-5.7.6/arch/x86/entry/entry_64.S:184.
> > 179 /build/linux-iTqI2R/linux-5.7.6/arch/x86/entry/entry_64.S: No such
> > file or directory.
> > (gdb) l *__audit_free+0x233
> > 0x81156283 is in __audit_free (kernel/auditsc.c:1602).
> > 1597
> > 1598audit_filter_syscall(tsk, context,
> > 1599
> > &audit_filter_list[AUDIT_FILTER_EXIT]);
> > 1600audit_filter_inodes(tsk, context);
> > 1601if (context->current_state == AUDIT_RECORD_CONTEXT)
> > 1602audit_log_exit();
> > 1603}
> > 1604
> > 1605audit_set_context(tsk, NULL);
> > 1606audit_free_context(context);
> > (gdb) l *do_exit+0x8d3
> > 0x81088ce3 is in do_exit (include/linux/audit.h:301).
> > 296 return !p || *(int *)p;
> > 297 }
> > 298 static inline void audit_free(struct task_struct *task)
> > 299 {
> > 300 if (unlikely(task->audit_context))
> > 301 __audit_free(task);
> > 302 }
> > 303 static inline void audit_syscall_entry(int major, unsigned long a0,
> > 304unsigned long a1, unsigned
> > long a2,
> > 305unsigned long a3)
> > (gdb) l *syscall_slow_exit_work+0x117
> > 0x81005197 is in syscall_slow_exit_work (include/linux/audit.h:316).
> > 311 {
> > 312 if (unlikely(audit_context())) {
> > 313 int success = is_syscall_success(pt_regs);
> > 314 long return_code = regs_return_value(pt_regs);
> > 315
> > 316 __audit_syscall_exit(success, return_code);
> > 317 }
> > 318 }
> > 319 static inline struct filename *audit_reusename(const __user char
> > *name)
> > 320 {
> > (gdb) l *rewind_stack_do_exit+0x17
> > (gdb)
> >
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Tue, Jul 21, 2020 at 6:30 PM Paul Moore wrote:
> Richard, you broke it, you bought it :) Did you want to take a closer
> look at this? If you can't let me know. Based on a quick look, my
> gut feeling is that either context->pwd is never set properly or it is
> gettin
On Tue, Jul 21, 2020 at 10:01 PM Richard Guy Briggs wrote:
> On 2020-07-21 18:45, Paul Moore wrote:
> > On Tue, Jul 21, 2020 at 6:30 PM Paul Moore wrote:
> > > Richard, you broke it, you bought it :) Did you want to take a closer
> > > look at this? If you can'
On Thu, Jul 23, 2020 at 8:57 AM Richard Guy Briggs wrote:
> On 2020-07-22 21:01, Paul Moore wrote:
> > Do you have a rough idea as to how long it would take to chase down
> > all the code paths? I'm asking not to rush you, but to figure out if
> > we should revert th
eed to sprinkle audit_getcwd() calls everywhere to fix
this bug (this seems more like a feature add than a bugfix). Yes,
they may fix the problem but it seems like simply adding a
context->pwd test in audit_log_name() similar to what we do in
audit_log_exit() is the correct fix.
We are curren
On Tue, Jul 28, 2020 at 12:27 PM Richard Guy Briggs wrote:
> On 2020-07-27 22:14, Paul Moore wrote:
> > On Mon, Jul 27, 2020 at 5:30 PM Richard Guy Briggs wrote:
> > > Issue ghak120 enabled syscall records to accompany required records when
> > > no rules are presen
ger.kernel.org
Fixes: 1320a4052ea1 ("audit: trigger accompanying records when no rules
present")
Reported-by: j24...@googlemail.com
Signed-off-by: Paul Moore
---
kernel/audit.c |1 -
kernel/audit.h |8
kernel/auditsc.c |3 +++
3 files changed, 3 insertions(+), 9 del
On Tue, Jul 28, 2020 at 5:09 PM Paul Moore wrote:
>
> Unfortunately the commit listed in the subject line above failed
> to ensure that the task's audit_context was properly initialized/set
> before enabling the "accompanying records". Depending on the
> sitatio
On Tue, Jul 28, 2020 at 10:01 PM Richard Guy Briggs wrote:
>
> On 2020-07-28 14:47, Paul Moore wrote:
> > On Tue, Jul 28, 2020 at 12:27 PM Richard Guy Briggs wrote:
> > > I know you like only really minimal fixes this late, but this seemed
> > > pretty minimal to
5.8 PR 20200729
----
Paul Moore (1):
revert: 1320a4052ea1 ("audit: trigger accompanying records when no
rules present")
kernel/audit.c | 1 -
kernel/audit.h | 8
kernel/auditsc.c | 3 +++
3 files changed, 3 insertions(+), 9 deletions(-)
--
paul moore
www.paul-
id = 0;
> > +u32 audit_sig_sid;
>
> All of these are unused outside of audit.c and might as
> well be static and removed from the .h file.
There's plenty of time before the merge window closes; doing this
would definitely make this patch much more useful than the typical
signed int failed = 0;
> + static unsigned int failed;
>
> /* NOTE: kauditd_thread takes care of all our locking, we just use
> * the netlink info passed to us (e.g. sk and portid) */
> --
> 2.26.2
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
):
audit: Use struct_size() helper in alloc_chunk
Max Englander (1):
audit: report audit wait metric in audit status reply
Paul Moore (1):
audit: use the proper gfp flags in the audit_log_nfcfg() calls
Richard Guy Briggs (5):
audit: log nftables configuration change events
audit
o audit/next until after the merge window closes. I'll send
another reply once this has been merged.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
e automatically.
>
> Signed-off-by: Jules Irenge
> ---
> kernel/audit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Similar to patch 1/2, this will need to wait until after the merge
window closes.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linu
="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12
>
> Signed-off-by: Lakshmi Ramasubramanian
> ---
> specs/fields/field-dictionary.csv | 1 +
> 1 file changed, 1 insertion(+)
Merged. Thanks for following up with this.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ck today briefly. I'll be away until the 24th and won't be able to
> look before then.
I am just getting back to normal network access myself, but I did have
a brief exchange with Richard about this and I agree it looks a bit
odd.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Thu, Aug 6, 2020 at 2:33 PM Paul Moore wrote:
>
> On Mon, Aug 3, 2020 at 8:35 AM Jules Irenge wrote:
> >
> > Variables sig_pid, audit_sig_uid and audit_sig_sid
> > are only used in the audit.c file across the kernel
> > Hence there appears to be no reason for declaring
On Thu, Aug 6, 2020 at 2:35 PM Paul Moore wrote:
>
> On Mon, Aug 3, 2020 at 8:35 AM Jules Irenge wrote:
> >
> > Checkpatch tool reports
> >
> > "ERROR: do not initialise globals/statics to 0"
> >
> > To fix this, audit_sig_sid is uninitialize
On Fri, Jul 17, 2020 at 8:44 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:11, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote:
> > >
> > > Add audit container identifier auxiliary record to user event standalone
> > > records
On Wed, Jul 29, 2020 at 3:00 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:10, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
> > >
> > > Add audit container identifier support to the action of signalling the
> > > audit
On Wed, Jul 29, 2020 at 3:41 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:10, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
...
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index f03d3eb0752c..9e79645e5c0e 100644
&
On Wed, Jul 29, 2020 at 4:06 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:09, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote:
...
> > > @@ -212,6 +219,33 @@ void __init audit_task_init(void)
> > >
On Fri, Aug 7, 2020 at 1:10 PM Richard Guy Briggs wrote:
> On 2020-07-05 11:11, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote:
> > > Require the target task to be a descendant of the container
> > > orchestrator/engine.
If you want to
A heads-up that I've replaced the "master" branch in the audit
kernel repo with the "main" branch. This should have little to no
practical impact, but if you run into problems let me know.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Lin
On Fri, Aug 21, 2020 at 5:56 PM Casey Schaufler wrote:
> On 8/21/2020 2:35 PM, Paul Moore wrote:
> > A heads-up that I've replaced the "master" branch in the audit
> > kernel repo with the "main" branch. This should have little to no
> > practical im
Merged into audit/next, thanks.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
helpful:
* https://www.kernel.org/doc/html/latest/process/submitting-patches.html
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
eral non-syscall events include
> > subject contexts, so the use of audit_context data has been expanded
> > as necessary.
> >
> > Signed-off-by: Casey Schaufler
> > Cc: linux-audit@redhat.com
>
> Paul, can you review/ack the audit changes?
I did a previous
--
> 6 files changed, 33 insertions(+), 15 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
nclude/linux/cred.h | 3 ++-
> include/linux/security.h | 5 +++--
> kernel/cred.c| 10 ++
> security/security.c | 14 ++++--
> 4 files changed, 23 insertions(+), 9 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mail
ure where it ended
up, but if there is a viable alternative it might be a good idea to
pursue it.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
quire userspace changes to take advantage
of it, and the way forward is clearly nftables so it probably isn't
worth the effort.
I'm okay with this patch with the understanding that several chunks in
the patch are replaced by later patches in the series.
Acked-by: Paul Moore
> diff --git a
data is expanded to use an array of
> security module data rather than a single instance.
> Because IMA uses the audit rule functions it is
> affected as well.
>
> Acked-by: Stephen Smalley
> Acked-by: Paul Moore
> Signed-off-by: Casey Schaufler
> ---
> include/linux/
On Fri, Sep 4, 2020 at 5:35 PM Casey Schaufler wrote:
> On 9/4/2020 1:08 PM, Paul Moore wrote:
> > On Wed, Aug 26, 2020 at 11:07 AM Casey Schaufler
> > wrote:
> >> Change the data used in UDS SO_PEERSEC processing from a
> >> secid to a more g
d.c | 30 +
> net/netlabel/netlabel_user.c| 6 ++---
> security/security.c | 11 +++++
> 12 files changed, 117 insertions(+), 37 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
/security.c | 12 +---
> 3 files changed, 19 insertions(+), 7 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ity/ima/ima_appraise.c | 10 +++---
> security/integrity/ima/ima_main.c | 49 +++
> security/security.c | 12 +--
> 10 files changed, 76 insertions(+), 70 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-aud
gt; security/integrity/ima/ima_policy.c | 4 +---
> security/security.c | 11 +--
> 4 files changed, 19 insertions(+), 9 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Fri, Sep 4, 2020 at 7:58 PM Casey Schaufler wrote:
>
> On 9/4/2020 2:53 PM, Paul Moore wrote:
> > On Fri, Sep 4, 2020 at 5:35 PM Casey Schaufler
> > wrote:
> >> On 9/4/2020 1:08 PM, Paul Moore wrote:
...
> > I understand the concerns you mention, the
Audit_equal,
>rule->lsm[i].rules);
I'm jumping across patches in this patchset so I may have missed
something, but I think the ima_filter_rule_match() call should be
using the passed "blob" pointer and not the local &
| 19 +++---
> net/netlabel/netlabel_user.c| 4 ++-
> security/security.c | 11
> 15 files changed, 121 insertions(+), 35 deletions(-)
One small comment below, but otherwise ...
Acked-by: Paul Moore
> +/**
> + * lsmcontext_init - initial
rtions(+), 18 deletions(-)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
> security/smack/smack_lsm.c | 5 +-
> security/smack/smackfs.c| 10 ++--
> 12 files changed, 65 insertions(+), 82 deletions(-)
Minor change suggested to a comment below, but looks good otherwise.
Acked-by: Paul Moore
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv
: Stephen Smalley
> Signed-off-by: Casey Schaufler
> ---
> security/security.c | 29 +++++
> 1 file changed, 29 insertions(+)
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
xt);
> if (seclen)
> size += nla_total_size(seclen);
> }
I think we can get rid of the local "seclen" variable, right? We can
embed the nfqnl_get_sk_secctx() in the conditional and then simply
reference "context.len"
Based on previous discussions and what I *think* you are trying to do
in this patchset, I believe Richard's audit_alloc_local()
implementation (link below) is a better and cleaner solution. His
latest revision needs some minor tweaks (see my feedback), but I think
you could probably work with
n't find an
alternate solution that we can all agree on which doesn't have these
stacking limits.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
can simplify a lot of code if we just
add a audit_getcwd() call in audit_log_exit() if the
context->names_list is not empty. We should even be safe in the task
exit case as the fs info appears to get cleaned up *after*
audit_log_exit() is called.
Assuming we go this route, we can probably get r
On Mon, Sep 21, 2020 at 3:57 PM Richard Guy Briggs wrote:
> On 2020-09-15 12:18, Paul Moore wrote:
> > On Thu, Sep 10, 2020 at 11:03 AM Richard Guy Briggs wrote:
> > >
> > > When there are no audit rules registered, mandatory records (config,
> > > etc.) ar
nel/audit.c| 3 +++
> kernel/auditsc.c | 27 +++
> security/lsm_audit.c | 5 -
> 4 files changed, 10 insertions(+), 33 deletions(-)
I've gone over this revision a couple of times now and it looks okay,
but past experience is whispering in my
On Wed, Sep 23, 2020 at 10:49 AM Richard Guy Briggs wrote:
> On 2020-09-23 10:29, Paul Moore wrote:
> > I've gone over this revision a couple of times now and it looks okay,
> > but past experience is whispering in my ear that perhaps this is
> > better to wait on thi
uch since that is
internal and we can modify that as needed; the userspace/kernel
fanotify API and the audit record are the important things to focus
on.
Simply recording the "extra_info_type" integer and dumping the
"extra_info" as a hex encoded bitstring in the audit record is
t
audit users are focused more on security relevant events at the
process level, not the thread level. After all, there isn't really
much in the way of significant boundaries between threads.
To get the information you are looking for, I think we would need to
add an additional task/threa
ing a lot of screaming, so just
trust me on this one. If you really want to challenge this assertion
go read the past seven to eight years of linux-audit archives first ;)
> On Thu, Oct 8, 2020, 04:27 Paul Moore wrote:
>>
>> On Tue, Oct 6, 2020 at 4:20 PM Steve Grubb wrote:
>>
alize variable audit_sig_sid
Xu Wang (1):
audit: Remove redundant null check
kernel/audit.c | 9 -
kernel/audit.h | 4
2 files changed, 4 insertions(+), 9 deletions(-)
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/lis
On Mon, Oct 12, 2020 at 8:51 PM Paul Moore wrote:
>
> Hi Linus,
>
> A small set of audit patches for v5.10. There are only three patches
> in total, and all three are trivial fixes that don't really warrant
> any explanations beyond their descriptions. As usual, all t
On Mon, Oct 12, 2020 at 8:54 PM Paul Moore wrote:
> On Mon, Oct 12, 2020 at 8:51 PM Paul Moore wrote:
> >
> > Hi Linus,
> >
> > A small set of audit patches for v5.10. There are only three patches
> > in total, and all three are trivial fixes that don'
" (or similar, I'm not worried about names at this
point) to each record, reset to 0/1 at the start of each event, and
when we needed to link records somehow we could add a "related=1,..,N"
field. This would potentially be useful beyond just the audit
container ID work.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
atch. Would you like me to pull this into the
audit tree or are you intending this to get pulled in as part of the
larger patchset somewhere else?
Acked-by: Paul Moore
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 68cee3bc8cfe..0be42cac086b 100644
> --- a/kernel/audit.c
>
On Sun, Oct 25, 2020 at 6:38 PM Mauro Carvalho Chehab
wrote:
> Em Sun, 25 Oct 2020 18:10:44 -0400
> Paul Moore escreveu:
>
> > On Fri, Oct 23, 2020 at 12:33 PM Mauro Carvalho Chehab
> > wrote:
> > >
> > > typo:
> > > kauditd_print_skb
On Wed, Sep 23, 2020 at 1:47 PM Paul Moore wrote:
> On Wed, Sep 23, 2020 at 10:49 AM Richard Guy Briggs wrote:
> > On 2020-09-23 10:29, Paul Moore wrote:
> > > I've gone over this revision a couple of times now and it looks okay,
> > > but past experience is w
On Fri, Oct 23, 2020 at 4:40 PM Richard Guy Briggs wrote:
> On 2020-10-22 21:21, Paul Moore wrote:
> > On Wed, Oct 21, 2020 at 12:39 PM Richard Guy Briggs wrote:
> > > Here is an example I was able to generate after updating the testsuite
> > > script to include a sig
"context" is a bit ambiguous. Could this be named something to indicate
> > > a security context rather than any other sort, such as audit or user
> > > context?
> >
> > Would "subj_obj_fields" be better?
>
> That is much more obvious to me. Maybe even sec_context_multi, but I
> like your suggestion better?
How about just "multiple_lsms"? It's relatively concise and better
reflects what is actually being tested IMHO.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit