On Tue, May 11, 2021 at 10:00 AM Casey Schaufler wrote:
> On 5/10/2021 6:28 PM, Paul Moore wrote:
> > On Mon, May 10, 2021 at 8:37 PM Casey Schaufler
> > wrote:
> >> On 5/10/2021 4:52 PM, Paul Moore wrote:
> >>> On Mon, May 10, 2021 at 12:30 PM Casey Schaufl
On Tue, May 11, 2021 at 1:14 PM Richard Guy Briggs wrote:
>
> On 2021-05-10 21:23, Paul Moore wrote:
> > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote:
> > >
> > > Replace audit syscall class magic numbers with macros.
> > >
> > > This
On Wed, May 12, 2021 at 4:43 AM He Zhe wrote:
> On 5/11/21 10:51 PM, Paul Moore wrote:
> > On Mon, May 10, 2021 at 11:19 PM He Zhe wrote:
> >> On 5/11/21 6:38 AM, Paul Moore wrote:
> >>> On Fri, Apr 23, 2021 at 6:36 AM He Zhe wrote:
> >>>> regs_r
_name
> pointer and be done with it.
>
> Signed-off-by: Ondrej Mosnacek
> ---
> include/linux/lsm_audit.h | 8
> security/selinux/hooks.c | 2 +-
> 2 files changed, 5 insertions(+), 5 deletions(-)
Much better, merged into selinux/next. Thanks.
--
paul moore
www
ll give
these yet another review by the end of the week.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
ity/security.c | 45
> 2 files changed, 49 insertions(+)
Acked-by: Paul Moore
allows for the
> possibility that more than one module may be called upon
> to translate a secid to a string, as can occur in the
> audit code.
>
> Signed-off-by: Casey Schaufler
> Cc: net...@vger.kernel.org
> Cc: linux-audit@redhat.com
> Cc: netfilter-de...@vger.kernel.org
+++-
> 6 files changed, 85 insertions(+), 25 deletions(-)
Acked-by: Paul Moore
cords, but that is a problem for another day.
Acked-by: Paul Moore
> Signed-off-by: Casey Schaufler
> Cc: net...@vger.kernel.org
> Cc: netfilter-de...@vger.kernel.org
> ---
> net/netfilter/nfnetlink_queue.c | 37 +
> 1 file changed, 14 insertions(+), 23 deletions(-)
Acked-by: Paul Moore
uct.
> >>
> >> Setting the "interface_lsm" requires that all security modules using
> >> setprocattr hooks allow the action. Each security module is
> >> responsible for defining its policy.
> >>
> >> AppArmor hook provided by John Johansen
++-
> net/netfilter/nf_conntrack_standalone.c | 4 ++-
> net/netfilter/nfnetlink_queue.c | 13 ++---
> net/netlabel/netlabel_unlabeled.c | 19 +++---
> net/netlabel/netlabel_user.c| 4 ++-
> security/security.c | 11
> 15 fi
NULL ||
> + !lsmblob_is_set(&context->lsm))
> + return;
> +
> + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_TASK_CONTEXTS);
> + if (!ab)
> + return; /* audit_panic or being filtered */
We should be consistent with our
tches to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
kernel/audit.h |5 +
kernel/auditsc.c | 255 +++---
2 files
on this branch given
the early/rough nature of these patches).
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
(checkout branch "working-io_uring")
Thanks in advance,
-Paul
---
Casey Schaufler (1):
Smack: Brutalist io_uring support with debug
Paul Moore (8):
shown below:
%
Thanks to Richard Guy Briggs for review and feedback.
Signed-off-by: Paul Moore
---
fs/io-wq.c |4 +
fs/io_uring.c | 11 +++
include/linux/audit.h | 17
include/uapi/linux/audit.h |1
kernel/audit.h |2 +
k
WARNING - This patch is intended only to aid in the initial dev/test
of the audit/io_uring support, it is not intended to be merged.
With this patch, you can emit io_uring operation audit records with
the following commands (the first clears any blocking rules):
% auditctl -D
% auditctl -a ex
f the
existing audit filtering infrastructure as possible. In order to do
this we reuse the audit filter rule's syscall mask for the io_uring
operation and we create a new filter for io_uring operations as
AUDIT_FILTER_URING_EXIT/audit_filter_list[7].
Signed-off-by: Paul Moore
---
in
arguments.
Signed-off-by: Paul Moore
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index a280156138ed..e0c3e33c4177 100644
--- a/fs/anon_inodes.c
+++ b/fs
tions.
Signed-off-by: Paul Moore
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index e9941d1ad8fd..6ff769c9b7d3 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9562,8 +9562,8 @@ static struct file *io_uring_get_file(s
e comparison is made against the ring's credentials.
Signed-off-by: Paul Moore
---
fs/io_uring.c | 10 ++
include/linux/lsm_hook_defs.h |5 +
include/linux/lsm_hooks.h | 13 +
include/linux/security.h | 16
: Paul Moore
---
security/smack/smack_lsm.c | 64
1 file changed, 64 insertions(+)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 223a6da0e6dc..f6423c0096e9 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack
self : io_uring { sqpoll };
Signed-off-by: Paul Moore
---
security/selinux/hooks.c| 67 +++
security/selinux/include/classmap.h |2 +
2 files changed, 69 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
ind
On Fri, May 21, 2021 at 8:53 PM Tetsuo Handa
wrote:
> On 2021/05/22 6:49, Paul Moore wrote:
> > I've provided the SELinux
> > implementation, Casey has been nice enough to provide a Smack patch,
> > and John is working on an AppArmor patch as I write this. I've
On Fri, May 21, 2021 at 6:05 PM Casey Schaufler wrote:
> On 5/21/2021 1:19 PM, Paul Moore wrote:
> > On Thu, May 13, 2021 at 4:32 PM Casey Schaufler
> > wrote:
> >> Create a new audit record type to contain the subject information
> >> when there are multiple s
On Fri, May 21, 2021 at 8:22 PM Pavel Begunkov wrote:
> On 5/21/21 10:49 PM, Paul Moore wrote:
> > WARNING - This is a work in progress and should not be merged
> > anywhere important. It is almost surely not complete, and while it
> > probably compiles it likely hasn'
On Sun, May 23, 2021 at 4:26 PM Pavel Begunkov wrote:
> On 5/22/21 3:36 AM, Paul Moore wrote:
> > On Fri, May 21, 2021 at 8:22 PM Pavel Begunkov
> > wrote:
> >> On 5/21/21 10:49 PM, Paul Moore wrote:
> [...]
> >>>
> >>> + if (req->opcode
casting and masking all at once. Maybe a
> small static inline helper would be good for the sake of legibility? Sm
> like:
>
> static inline u32 audit_openat2_acc(struct open_how *how, int mask)
> {
> u32 flags = how->flags;
> return mask & ACC_MODE(
context->mmap.flags);
> > break;
> > + case AUDIT_OPENAT2:
> > + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
>
> Hm, should we maybe follow the struct member names for all entries, i.e.
> replace s/oflag/flags?
There is some precedence for using "oflags" to refer to "open" flags,
my guess is Richard is trying to be consistent here. I agree it's a
little odd, but it looks like the right thing to me from an audit
perspective; the audit perspective is a little odd after all :)
On Tue, May 25, 2021 at 4:27 AM Pavel Begunkov wrote:
> On 5/24/21 8:59 PM, Paul Moore wrote:
> > On Sun, May 23, 2021 at 4:26 PM Pavel Begunkov
> > wrote:
> >> On 5/22/21 3:36 AM, Paul Moore wrote:
> >>> On Fri, May 21, 2021 at 8:22 PM Pavel Begunkov
>
On Tue, May 25, 2021 at 9:11 PM Jens Axboe wrote:
> On 5/24/21 1:59 PM, Paul Moore wrote:
> > That said, audit is not for everyone, and we have build time and
> > runtime options to help make life easier. Beyond simply disabling
> > audit at compile time a number o
On Wed, May 26, 2021 at 6:19 AM Pavel Begunkov wrote:
> On 5/26/21 3:04 AM, Paul Moore wrote:
> > On Tue, May 25, 2021 at 9:11 PM Jens Axboe wrote:
> >> On 5/24/21 1:59 PM, Paul Moore wrote:
> >>> That said, audit is not for everyone, and we have build time and
>
On Wed, May 26, 2021 at 1:54 PM Jens Axboe wrote:
> On 5/26/21 11:31 AM, Jens Axboe wrote:
> > On 5/26/21 11:15 AM, Jens Axboe wrote:
> >> On 5/25/21 8:04 PM, Paul Moore wrote:
> >>> On Tue, May 25, 2021 at 9:11 PM Jens Axboe wrote:
> >>>> On 5/24/21
On Wed, May 26, 2021 at 2:01 PM Jens Axboe wrote:
> On 5/26/21 11:54 AM, Jens Axboe wrote:
> > On 5/26/21 11:31 AM, Jens Axboe wrote:
> >> On 5/26/21 11:15 AM, Jens Axboe wrote:
> >>> On 5/25/21 8:04 PM, Paul Moore wrote:
> >>>> On Tue, May 25, 2021
On Wed, May 26, 2021 at 10:59 AM Jeff Moyer wrote:
> Paul Moore writes:
>
> > Also, any pointers to easy-to-run io_uring tests would be helpful. I
> > am particularly interested in tests which make use of the personality
> > option, share urings across process boundar
On Wed, May 26, 2021 at 2:57 PM Pavel Begunkov wrote:
> On 5/26/21 7:44 PM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 2:01 PM Jens Axboe wrote:
> >> On 5/26/21 11:54 AM, Jens Axboe wrote:
> >>> On 5/26/21 11:31 AM, Jens Axboe wrote:
> >>>> On 5/2
On Wed, May 26, 2021 at 3:06 PM Jeff Moyer wrote:
> Paul Moore writes:
>
> > On Wed, May 26, 2021 at 10:59 AM Jeff Moyer wrote:
> >> Paul Moore writes:
> >>
> >> > Also, any pointers to easy-to-run io_uring tests would be helpful. I
> >> >
On Wed, May 26, 2021 at 3:44 PM Jens Axboe wrote:
> On 5/26/21 12:44 PM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 2:01 PM Jens Axboe wrote:
> >> On 5/26/21 11:54 AM, Jens Axboe wrote:
> >>> On 5/26/21 11:31 AM, Jens Axboe wrote:
> >>>> On 5/26/2
ins anything as io_register_personality()
> only captures the value of get_current_cred(), so the process already has
> changed to
> the credentials (at least once for the
> io_uring_register(IORING_REGISTER_PERSONALITY)
> call).
>
> metze
On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote:
> ... If we moved the _entry
> and _exit calls into the individual operation case blocks (quick
> openat example below) so that only certain operations were able to be
> audited would that be acceptable assuming the high freque
On Fri, May 28, 2021 at 6:36 PM Richard Guy Briggs wrote:
> On 2021-05-21 17:50, Paul Moore wrote:
> > WARNING - This is a work in progress and should not be merged
> > anywhere important. It is almost surely not complete, and while it
> > probably compiles it likely hasn
On Mon, May 31, 2021 at 9:44 AM Richard Guy Briggs wrote:
> On 2021-05-30 11:26, Paul Moore wrote:
> > On Fri, May 28, 2021 at 6:36 PM Richard Guy Briggs wrote:
> > > On 2021-05-21 17:50, Paul Moore wrote:
...
> > > > diff --git a/kernel/auditsc.c b/kernel/audits
On Wed, Jun 2, 2021 at 11:38 AM Richard Guy Briggs wrote:
> On 2021-06-01 21:40, Paul Moore wrote:
> > On Mon, May 31, 2021 at 9:44 AM Richard Guy Briggs wrote:
> > > On 2021-05-30 11:26, Paul Moore wrote:
> > > > On Fri, May 28, 2021 at 6:36 PM Richard Guy Briggs
On Wed, Jun 2, 2021 at 4:27 AM Pavel Begunkov wrote:
> On 5/28/21 5:02 PM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote:
> >> ... If we moved the _entry
> >> and _exit calls into the individual operation case blocks (quick
> >> openat
On Wed, Jun 2, 2021 at 1:29 PM Richard Guy Briggs wrote:
> On 2021-05-21 17:49, Paul Moore wrote:
> > WARNING - This is a work in progress and should not be merged
> > anywhere important. It is almost surely not complete, and while it
> > probably compiles it likely hasn
On Thu, Jun 3, 2021 at 11:54 AM Jens Axboe wrote:
> On 5/28/21 10:02 AM, Paul Moore wrote:
> > On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote:
> >> ... If we moved the _entry
> >> and _exit calls into the individual operation case blocks (quick
> >> openat
TE_ prefix? As that may get a
bit long, I might suggest dropping the _CONTEXT from the enums too
such that you would end up with the following:
enum audit_state {
AUDIT_STATE_DISABLED,
AUDIT_STATE_BUILD,
AUDIT_STATE_RECORD,
};
Thoughts?
ipation of new records. When the thread returns to execution
it checks the queue and if there are any records present it
immediately starts processing them, if the queue is empty the
kauditd thread goes back to sleep.
Signed-off-by: Paul Moore
---
kernel/audit.
can send a new
> patch version.
Hi Sergey,
I personally prefer the AUDIT_STATE_* enums and would rather see that.
> On Sat, 05/06/2021 at 22:40 -0400, Paul Moore wrote:
> > On Fri, Jun 4, 2021 at 7:21 AM Sergey Nazarov
> > wrote:
> > >
> > > AUDIT_DISABLED defi
On Mon, Jun 7, 2021 at 1:51 PM Richard Guy Briggs wrote:
> On 2021-06-07 13:07, Paul Moore wrote:
> > On Mon, Jun 7, 2021 at 5:58 AM Sergey Nazarov wrote:
> > > Hi, Paul!
> > > I think this could be easier. It's enough to rename AUDIT_DISABLE only.
> >
case AUDIT_FILTER_URING_EXIT:
> case AUDIT_FILTER_TASK:
> #endif
> case AUDIT_FILTER_USER:
> @@ -982,7 +984,8 @@ static inline int audit_add_rule(struct audit_entry
> *entry)
> }
>
> entry->rule.prio = ~0ULL;
> - if (entry->
On Mon, Jun 7, 2021 at 2:40 PM Richard Guy Briggs wrote:
> On 2021-06-05 23:23, Paul Moore wrote:
> > [NOTE: As this is an RFC patch, I wanted to add some commentary at
> > the top of the patch description explaining where this patch came
> > from and what testing has been
num audit_state used in syscall audit code only. This patch changes
> enum audit_state constants prefix AUDIT to AUDIT_STATE to avoid
> AUDIT_DISABLED redefinition.
>
> v2: the comments of Richard Guy Briggs and Paul Moore were taken into account
>
> Signed-off-by: Sergey Nazaro
to audit/next, thank you.
clarification Richard. I just wanted to
make sure since the contribution format was a bit unusual given the
context :)
Regardless, thanks again for the feedback, I'll get this incorporated.
x/audit.h
>
> Signed-off-by: Zhen Lei
> ---
> include/uapi/linux/audit.h | 4 ++--
> kernel/audit.h | 2 +-
> kernel/auditsc.c | 8
> 3 files changed, 7 insertions(+), 7 deletions(-)
Merged into audit/next.
xpose the audit arch matching the syscall numbers in
> the uapi headers?
Yes, which is why the existing headers do so ;) If you don't see the
header files I mentioned above, it may be worth checking your kernel
source repository and your distribution's installed kernel header
file
On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh wrote:
>
> Hi Paul,
>
> thanks for your response!
Hi :)
> On Mon, 2021-06-28T12:59-0400, Paul Moore wrote:
> > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh
> > wrote:
> > >
> > > Hi everyone,
On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh wrote:
>
> Hi again!
!!! :)
> On Mon, 2021-06-28T13:34-0400, Paul Moore wrote:
> > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh
> > wrote:
> > > On Mon, 2021-06-28T12:59-0400, Paul Moore wrote:
| 10
kernel/audit_tree.c| 12 +++--
kernel/auditsc.c | 63 --
security/lsm_audit.c | 1 -
5 files changed, 53 insertions(+), 37 deletions(-)
On Tue, Jun 29, 2021 at 6:40 AM Thomas Weißschuh wrote:
>
> On Mon, 2021-06-28T18:43-0400, Paul Moore wrote:
> > On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh
> > wrote:
> > >
> > > Hi again!
> >
> > !!! :)
>
> Indeed, hi!
On Fri, Jul 16, 2021 at 8:30 AM wrote:
> From: MaYuming
>
> avoid include file to multi include.
>
> Signed-off-by: MaYuming
> ---
> kernel/audit.h | 5 +
> 1 file changed, 5 insertions(+)
Merged into audit/next, thanks.
least the kernel/auditsc.c file still makes use of the
timespec64 struct which is defined in include/linux/time64.h which is
brought in by include/linux/time.h and *not* by
include/linux/timekeeping.h. As long as we make use of the timespec64
struct and the definition remains in time64.h let'
g if we want to
add to it in the future. What do you think about something like
"audit_arch.h" instead?
If that change is okay with you I can go ahead and do the rename while
I'm merging the patches, I'll consider it penance for letting this
patchset sit for so long :/
review and feedback.
Signed-off-by: Paul Moore
---
v2:
- incorporate feedback from Richard
v1:
- initial draft
---
include/uapi/linux/audit.h |3 +-
kernel/audit_tree.c|3 +-
kernel/audit_watch.c |3 +-
kernel/auditfilter.c | 15 --
kernel/auditsc.c
smack_uring_* funcs static]
Signed-off-by: Paul Moore
---
v2:
- made the smack_uring_* funcs static
v1:
- initial draft
---
security/smack/smack_lsm.c | 64
1 file changed, 64 insertions(+)
diff --git a/security/smack/smack_lsm.c b/security/smack
arguments.
Signed-off-by: Paul Moore
---
v2:
- no change
v1:
- initial draft
---
fs/anon_inodes.c| 29 +
include/linux/anon_inodes.h |4
2 files changed, 33 insertions(+)
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index a280156138ed
tches to indicate a calling context other
than the syscall context.
Thanks to Richard Guy Briggs for review and feedback.
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
v2:
- no change
v1:
- initial draft
---
kernel/audit.h |5 +
kernel/auditsc.
shown below:
%
Thanks to Richard Guy Briggs for review and feedback.
Signed-off-by: Paul Moore
---
v2:
- added dummy funcs for audit_uring_{entry,exit}()
- replaced opcode checks in io_issue_sqe() with audit_skip checks
- moved fastpath checks into audit_uring_{entry,exit}()
- audit_log_uring()
ext up is
verification of the audit filter code for io_uring). Assuming no
critical issues are found on the mailing lists or during testing, I
will post a proper patchset later with the idea of merging it into
selinux/next after the upcoming merge window closes.
Any comments, feedback, etc. are welco
WARNING - This patch is intended only to aid in the initial dev/test
of the audit/io_uring support, it is not intended to be merged.
With this patch, you can emit io_uring operation audit records with
the following commands (the first clears any blocking rules):
% auditctl -D
% auditctl -a ex
tions.
Signed-off-by: Paul Moore
---
v2:
- no change
v1:
- initial draft
---
fs/io_uring.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index b407a6ea1779..ea396f5fe735 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9662,8 +9662,8 @@ s
e comparison is made against the ring's credentials.
Signed-off-by: Paul Moore
---
v2:
- no change
v1:
- initial draft
---
fs/io_uring.c | 10 ++
include/linux/lsm_hook_defs.h |5 +
include/linux/lsm_hooks.h | 13 +
include/lin
self : io_uring { sqpoll };
Signed-off-by: Paul Moore
---
v2:
- made the selinux_uring_* funcs static
- removed the debugging code
v1:
- initial draft
---
security/selinux/hooks.c| 34 ++
security/selinux/include/classmap.h |2 ++
2 files changed
On Thu, Aug 12, 2021 at 5:32 AM Mickaël Salaün wrote:
> On 11/08/2021 22:48, Paul Moore wrote:
> > Extending the secure anonymous inode support to other subsystems
> > requires that we have a secure anon_inode_getfile() variant in
> > addition to the existing secure anon_
inition of a local
audit_context. However, there really should be no reason why we have
to distinguish between a proper and local audit_context when it comes
to freeing the memory, just call audit_free_context() in both cases.
> @@ -1036,7 +1042,7 @@ static int audit_log_pid_context(struct audit_context
> *context, pid_t pid,
> from_kuid(&init_user_ns, auid),
> from_kuid(&init_user_ns, uid), sessionid);
> if (lsmblob_is_set(blob)) {
> - if (security_secid_to_secctx(blob, &lsmctx)) {
> + if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
Misplaced code change?
Actually, there are a lot of these below, I'm not going to comment on
all of them as I think you get the idea ... and I very well may be
wrong so I'll save you all of my wrongness in that case :)
> diff --git a/security/security.c b/security/security.c
> index cb359e185d1a..5d7fd982f84a 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2309,7 +2309,7 @@ int security_setprocattr(const char *lsm, const char
> *name, void *value,
> hlist_for_each_entry(hp, &security_hook_heads.setprocattr,
> list) {
> rc = hp->hook.setprocattr(name, value, size);
> - if (rc < 0)
> + if (rc < 0 && rc != -EINVAL)
> return rc;
> }
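Review bot: with `if (rc < 0 && rc != -EINVAL)` the setprocattr loop no longer stops on -EINVAL, so a module's -EINVAL only reaches the caller if it happens to be the last hook's return value; because `rc = hp->hook.setprocattr(name, value, size);` is reassigned on every iteration, an earlier -EINVAL is silently overwritten by the next hook. If -EINVAL is meant to mean "this module does not handle the attribute", that convention should be stated in a comment at the loop, and the callers of the hook audited so that a genuine invalid-value rejection is not lost.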
This really looks misplaced ... ?
On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler wrote:
> On 8/12/2021 1:59 PM, Paul Moore wrote:
> > On Wed, Jul 21, 2021 at 9:12 PM Casey Schaufler
> > wrote:
> >> Create a new audit record type to contain the subject information
> >> when there are multiple s
On Fri, Aug 13, 2021 at 2:48 PM Casey Schaufler wrote:
> On 8/13/2021 8:31 AM, Paul Moore wrote:
> > On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler
> > wrote:
> >> On 8/12/2021 1:59 PM, Paul Moore wrote:
> >>> On Wed, Jul 21, 2021 at 9:12 PM Casey Schaufle
On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler wrote:
> On 8/13/2021 1:43 PM, Paul Moore wrote:
> > On Fri, Aug 13, 2021 at 2:48 PM Casey Schaufler
> > wrote:
> >> On 8/13/2021 8:31 AM, Paul Moore wrote:
> >>> On Thu, Aug 12, 2021 at 6:38 PM Casey Schaufler
d"
"... module=%s dev=%s op=%s error_msg='%s' res=%d"
"... module=%s dev=%s op=%s res=%d"
The first thing that jumps out is that some fields, e.g. "sector", are
not always present in the record; we typically handle this by using a
"?" for t
On Wed, Aug 18, 2021 at 5:59 PM Casey Schaufler wrote:
>
> On 8/16/2021 11:57 AM, Paul Moore wrote:
> > On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler
> > wrote:
> >> On 8/13/2021 1:43 PM, Paul Moore wrote:
> ...
> > Yeah, the thought occurred to me, but we
On Thu, Aug 19, 2021 at 6:41 PM Casey Schaufler wrote:
> On 8/18/2021 5:56 PM, Casey Schaufler wrote:
> > On 8/18/2021 5:47 PM, Paul Moore wrote:
> >> ...
> >> I just spent a few minutes tracing the code paths up from audit
> >> through netlink and then through
On Fri, Aug 20, 2021 at 7:48 PM Casey Schaufler wrote:
> > On 8/20/2021 12:06 PM, Paul Moore wrote:
> >> Unless you explicitly enable audit on the kernel cmdline, e.g.
> >> "audit=1", processes started before userspace enables audit will not
> >> have
it: Add generic compat syscall support")
> added generic support for bi-arch.
>
> Convert powerpc to that bi-arch generic audit support.
>
> Cc: Paul Moore
> Cc: Eric Paris
> Signed-off-by: Christophe Leroy
> ---
> Resending v2 with Audit people in Cc
>
> v2:
On Tue, Aug 24, 2021 at 11:20 AM Casey Schaufler wrote:
> On 8/24/2021 7:45 AM, Paul Moore wrote:
> > On Fri, Aug 20, 2021 at 7:48 PM Casey Schaufler
> > wrote:
> >>> On 8/20/2021 12:06 PM, Paul Moore wrote:
> >>>> Unless you explicitly enable audit o
can be important,
but the bug is *really* important; even if you don't have a fix for
that, just a description of the problem would be good.
/*
* io_uring test tool to exercise LSM/SELinux and audit kernel code paths
* Author: Paul Moore
*
* Copyright 2021
'm
going to simply add the -stable marking and merge it into audit/next
to get pushed up to Linus early next week, assuming we see v5.14
released this Sunday. If for some reason we see a v5.14-rc8 next week
I'll adjust things and send it to Linus as a -stable patch.
On Tue, Aug 24, 2021 at 1:11 PM Christophe Leroy
wrote:
> On 24/08/2021 at 16:47, Paul Moore wrote:
> > On Tue, Aug 24, 2021 at 9:36 AM Christophe Leroy
> > wrote:
> >>
> >> Commit e65e1fc2d24b ("[PATCH] syscall class hookup for all normal
> >>
On Tue, Aug 24, 2021 at 9:21 PM Richard Guy Briggs wrote:
>
> On 2021-06-02 13:46, Paul Moore wrote:
> > On Wed, Jun 2, 2021 at 1:29 PM Richard Guy Briggs wrote:
> > > On 2021-05-21 17:49, Paul Moore wrote:
> > > > WARNING - This is a work in progress and shou
On Wed, Aug 25, 2021 at 9:16 PM Richard Guy Briggs wrote:
>
> On 2021-08-24 16:57, Richard Guy Briggs wrote:
> > On 2021-08-11 16:48, Paul Moore wrote:
> > > Draft #2 of the patchset which brings auditing and proper LSM access
> > > controls to the io_uring subsyst
ted, pid = 2082
> >>> memfd created, fd = 3
> io_uring_queue_init: Permission denied
>
> I have CONFIG_IO_URING=y set, what else is needed?
I'm not sure how you tried to run those tests, but try running as root
and with SELinux in permissive mode.
On Thu, Aug 26, 2021 at 10:37 AM Michael Ellerman wrote:
> Paul Moore writes:
> > On Tue, Aug 24, 2021 at 1:11 PM Christophe Leroy
> > wrote:
> >> On 24/08/2021 at 16:47, Paul Moore wrote:
> >> > On Tue, Aug 24, 2021 at 9:36 AM Christophe Leroy
On Fri, Aug 27, 2021 at 9:36 AM Richard Guy Briggs wrote:
> On 2021-08-26 15:14, Paul Moore wrote:
> > On Thu, Aug 26, 2021 at 12:32 PM Richard Guy Briggs wrote:
> > > I'm getting:
> > > # ./iouring.2
> > > Kernel thread io_uring-sq is n
ecution context returns to userspace and in the case of
sqpoll the processing is handled by a separate kernel thread with no
association to a process thread.
to kernel/audit.h
Richard Guy Briggs (1):
audit: move put_tree() to avoid trim_trees refcount underflow and UAF
kernel/audit.h | 5 +
kernel/audit_tree.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
On Wed, Aug 11, 2021 at 4:49 PM Paul Moore wrote:
>
> From: Casey Schaufler
>
> Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE
> for the override_creds case and CAP_MAC_ADMIN for creating a
> polling thread. These choices are based on conjecture regarding
On Tue, Aug 31, 2021 at 11:03 AM Casey Schaufler wrote:
> On 8/31/2021 7:44 AM, Paul Moore wrote:
> >
> > Casey, with the idea of posting a v3 towards the end of the merge
> > window next week, without the RFC tag and with the intention of
> > merging it into -next duri
On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs wrote:
> > I did set a syscall filter for
> > -a exit,always -F arch=b64 -S
> > io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
>
struct node *node;
> + struct audit_node *node;
> spin_lock(&hash_lock);
> list_for_each_entry(node, &tree->chunks, list)
> node->index &= ~(1U<<31);
> @@ -938,7 +938,7 @@ int audit_tag_tree(char *old, char *new)
> mutex_unlock(&audit_filter_mutex);
>
> if (!failed) {
> - struct node *node;
> + struct audit_node *node;
> spin_lock(&hash_lock);
> list_for_each_entry(node, &tree->chunks, list)
> node->index &= ~(1U<<31);
> --
> 2.25.0
>
sector=?", dev_major,
> +dev_minor);
> + break;
> + }
> + audit_log_format(ab, " res=%d", result);
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL_GPL(dm_audit_log_ti);
Just checking, but are you okay when