On 2019-01-03 15:10, Paul Moore wrote:
> On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs wrote:
> > On 2018-10-19 19:15, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs wrote:
> > > > The audit-related parameters in str
om/linux-audit/audit-kernel/issues/103
Signed-off-by: Richard Guy Briggs
---
Passes audit-testsuite.
include/linux/capability.h | 5 +++--
kernel/audit.c | 6 --
kernel/audit.h | 1 +
kernel/auditsc.c | 4
security/commoncap.c | 2 ++
5 files ch
e filesystems.
Note: refactor __audit_inode_child() to remove two levels of if
indentation.
Please see the github issue tracker
https://github.com/linux-audit/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 35 +++
1 file changed,
/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs
---
fs/namei.c| 2 +-
fs/namespace.c| 2 ++
include/linux/audit.h | 15 ++-
include/linux/namei.h | 3 +++
kernel/audit.c| 10 +-
kernel/audit.h| 2 +-
kernel/auditsc.c | 6
usage
conflict
- don't depend on MNT_FORCE
- rename AUDIT_INODE_NOREVAL to AUDIT_INODE_NOREVAL to be consistent
- rename lflags to flags and flags to aflags
- document LOOKUP_ flags
- signal cap_* values unknown and set cap_* fields to "?" indicating so
Richard Guy Briggs (2):
a
Compiles and boots with config AUDITSYSCALL def_bool n in init/Kconfig.
Verified syscall code is not present in resulting kernel.
Richard Guy Briggs (2):
audit: clean up AUDITSYSCALL prototypes and stubs
audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL
include/linux
it is only used by syscall auditing.
See github issue https://github.com/linux-audit/audit-kernel/issues/105
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h | 2 +-
kernel/audit.c| 155 +++---
kernel/audit.h| 9 ---
kernel
Pull together all the audit syscall watch, mark and tree prototypes and
stubs into the same ifdef.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 64 ++
1 file changed, 33 insertions(+), 31 deletions(-)
diff --git a/kernel/audit.h
/linux-audit/audit-kernel/issues/104
Signed-off-by: Richard Guy Briggs
---
fs/proc/base.c| 6 ++--
include/linux/audit.h | 42 +
include/linux/sched.h | 2 +-
init/init_task.c | 2 +-
kernel/audit.c| 85
-off-by: Richard Guy Briggs
---
Changelog:
v4:
- rebase on v5.0-rc1
- remove audit_log_config_change_alt() and call
audit_log_common_recv_msg() directly
- remove audit_tree_log_remove_rule() change superseded by patch v3-3/4
Passes audit-testsuite, no issues identified with ausearch-test.
kernel
On 2019-01-17 22:26, Paul Moore wrote:
> On Thu, Jan 17, 2019 at 6:19 PM Richard Guy Briggs wrote:
> > On 2019-01-17 12:58, Paul Moore wrote:
> > > On Thu, Jan 17, 2019 at 10:34 AM Richard Guy Briggs
> > > wrote:
> > > >
> > > > On 2019-01-1
On 2019-01-17 12:58, Paul Moore wrote:
> On Thu, Jan 17, 2019 at 10:34 AM Richard Guy Briggs wrote:
> >
> > On 2019-01-17 08:21, Paul Moore wrote:
> > > On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > > > On Mon, 14 Jan 2019 17:58:58 -0500 Paul Moore
+
> kernel/auditsc.c | 4 ++--
> kernel/seccomp.c | 4 ++--
> 36 files changed, 148 insertions(+), 47 deletions(-)
> create mode 100644 arch/m68k/include/asm/syscall.h
> create mode 100644 arch/unicore32/include/asm/syscall.h
>
> --
> ldv
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
> > > > wrote:
> > > > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > > > wrote:
> > > > > > Tie syscall information to all CONFIG_CHANGE calls since they
> > > > > > are all a result of user actions.
> I s
On 2019-01-17 10:32, Steve Grubb wrote:
> On Mon, 14 Jan 2019 17:58:58 -0500
> Paul Moore wrote:
>
> > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > wrote:
> > >
> > > Tie syscall information to all CONFIG_CHANGE calls since they are
> >
On 2019-01-14 17:58, Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> > Tie syscall information to all CONFIG_CHANGE calls since they are all a
> > result of user actions.
> >
> > Exclude user records from syscall cont
On 2019-01-10 20:12, Paul Moore wrote:
> On Thu, Jan 10, 2019 at 5:59 PM Richard Guy Briggs wrote:
> > On 2019-01-03 15:11, Paul Moore wrote:
> > > On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs
> > > wrote:
> > > > On 2018-10-19 19:17, Paul Moore wr
On 2019-01-03 15:11, Paul Moore wrote:
> On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs wrote:
> > On 2018-10-19 19:17, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs
> wrote:
> > > > Add audit container identifier auxiliary record
On 2019-01-03 18:50, Guenter Roeck wrote:
> Hi Richard,
>
> On Tue, Jul 31, 2018 at 04:07:36PM -0400, Richard Guy Briggs wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> >
On 2019-01-03 15:33, Paul Moore wrote:
> On Thu, Jan 3, 2019 at 3:29 PM Richard Guy Briggs wrote:
> > I'm not sure what's going on here, but it looks like HTML-encoded reply
> > quoting making the quoted text very difficult to read. All the previous
> > ">&quo
wrote:
> On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs wrote:
> On 2018-10-19 19:15, Paul Moore wrote:
> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs
> wrote:
>The audit-related parameters in struct task_struct
> should ideally be
>collected togeth
On 2019-01-03 10:58, Guenter Roeck wrote:
> Hi Richard,
>
> On Thu, Jan 03, 2019 at 12:36:13PM -0500, Richard Guy Briggs wrote:
> > On 2019-01-03 08:15, Guenter Roeck wrote:
> > > Hi,
> > >
> > > On Tue, Jul 31, 2018 at 04:07:35PM -0400, Richard Guy Br
On 2019-01-03 08:15, Guenter Roeck wrote:
> Hi,
>
> On Tue, Jul 31, 2018 at 04:07:35PM -0400, Richard Guy Briggs wrote:
> > Implement kernel audit container identifier.
>
> I don't see a follow-up submission of this patch series. Has it been
> abandoned,
> or do I
On 2018-10-31 15:30, Richard Guy Briggs wrote:
> On 2018-10-19 19:18, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs wrote:
> > > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > > event standalone records. Iterate
On 2018-12-14 17:02, Paul Moore wrote:
> On Fri, Dec 14, 2018 at 11:27 AM Richard Guy Briggs wrote:
> > On 2018-12-12 08:03, Paul Moore wrote:
> > > On Fri, Nov 16, 2018 at 12:34 PM Richard Guy Briggs
> > > wrote:
> > > > On user and remote filesyst
On 2018-12-12 08:03, Paul Moore wrote:
> On Fri, Nov 16, 2018 at 12:34 PM Richard Guy Briggs wrote:
> > On user and remote filesystems, a forced umount can still hang due to
> > attempting to fetch the fcaps of a mounted filesystem that is no longer
> > available.
> >
On 2018-12-11 18:26, Paul Moore wrote:
> On Tue, Dec 11, 2018 at 5:41 PM Richard Guy Briggs wrote:
> > On 2018-12-11 17:31, Paul Moore wrote:
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > wrote:
>
> ...
>
> > > > Richard G
On 2018-12-11 17:31, Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> > Make a number of changes to normalize CONFIG_CHANGE records by adding
> > missing op= fields, providing more information in existing op fields
> > (optional last patc
-off-by: Richard Guy Briggs
---
kernel/audit.c | 27 +++
kernel/audit_fsnotify.c | 2 +-
kernel/audit_tree.c | 2 +-
kernel/audit_watch.c| 2 +-
kernel/auditfilter.c| 2 +-
5 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/kernel/audit.c
r_recv_msg() and squash into record connection
- squash kill_trees context handling with kill-trees before EOE
- rebase on audit/next (v4.20-rc1) with 2a1fe215e730 ("audit: use current
whenever possible")
- remove parens in extended format
v2:
- re-order audit_log_exit() and audit_k
Give a clue as to the source of mark, watch and tree rule changes.
See: https://github.com/linux-audit/audit-kernel/issues/50
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 4 ++--
kernel/audit_fsnotify.c | 2
8-06-14 14:55:04.507:47) : op=set
audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.
with the associated syscall event by
the user library due to the EOE record flagging the end of the event.
See: https://github.com/linux-audit/audit-kernel/issues/50
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 4 ++--
kernel
> ---
> > include/linux/audit.h | 21 +
> > include/uapi/linux/audit.h | 2 ++
> > kernel/auditsc.c | 15 +++
> > 3 files changed, 38 insertions(+)
>
> A reminder that we need tests for these new records and a RFE page on the
trcpy), and signal a lost record via audit_log_lost.
>
> Signed-off-by: Yi Wang
> Reviewed-by: Jiang Biao
Reviewed-by: Richard Guy Briggs
> ---
> v2: use kstrdup instead of kmalloc + strcpy, and signal a lost
> record. Thanks to Eric and Paul.
>
> kernel/auditsc.c | 13 +++
On 2018-05-21 16:06, Paul Moore wrote:
> On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman <ebied...@xmission.com>
> wrote:
> > Steve Grubb <sgr...@redhat.com> writes:
> >> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
> >>>
On 2018-05-21 16:06, Paul Moore wrote:
> On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman
> wrote:
> > Steve Grubb writes:
> >> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
> >>> Add support for reading the container ID from the p
> comm="init" name="01parse-kernel.sh" dev=rootfs ino=5413 res=0
> >
> > it was missing "tty" and "exe", but the order is as I mentioned. The
> > expectation is that INTEGRITY events maintain this established order across
> > all events.
>
> I am *appending* exe= and tty= now:
>
> type=INTEGRITY_PCR msg=audit(1526939047.809:305): pid=1609 uid=0 auid=0
> ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> op="invalid_pcr" cause="open_writers" comm="ssh"
> name="/var/lib/sss/mc/passwd" dev="dm-0" ino=1962679 res=1
> exe="/usr/bin/ssh" tty=tty2
This isn't necessary since they are already covered in the already
connected SYSCALL record which duplicates even more information than is
already.
> Stefan
>
> > -Steve
> >
> > > https://elixir.bootlin.com/linux/latest/source/kernel/auditsc.c#L2433
> > >
> > > > that. The reason why you can do that is those additional fields are not
> > > > required to be searchable by common criteria.
> > > >
> > > > -Steve
- RGB
--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
On 2018-05-18 12:49, Stefan Berger wrote:
> On 05/18/2018 11:45 AM, Richard Guy Briggs wrote:
> > On 2018-05-18 07:49, Stefan Berger wrote:
> > > On 05/17/2018 05:30 PM, Richard Guy Briggs wrote:
> > > > On 2018-05-17 10:18, Stefan Berger wrote:
> > > > >
On 2018-05-18 12:34, Mimi Zohar wrote:
> On Fri, 2018-05-18 at 11:56 -0400, Richard Guy Briggs wrote:
> > On 2018-05-18 10:39, Mimi Zohar wrote:
> > > On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote:
> > > > On 05/18/2
TY_AUDIT.
If I understand your question correctly, then no, since each one is a
different type of record, hence the half dozen IMA record types:
#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification
> > >> by ima_parse_rule(), is broken.
> > > Post which series? The IMA namespacing patch set? This change should
> > > be upstreamed independently of IMA namespacing.
> >
> > Without Richard's local context patch it may just be one or two patches.
>
On 2018-05-18 08:53, Mimi Zohar wrote:
> On Fri, 2018-05-18 at 07:49 -0400, Stefan Berger wrote:
> > On 05/17/2018 05:30 PM, Richard Guy Briggs wrote:
>
> [...]
>
> > >>> auxiliary record either by being converted to a syscall auxiliary record
> > >>
On 2018-05-18 07:49, Stefan Berger wrote:
> On 05/17/2018 05:30 PM, Richard Guy Briggs wrote:
> > On 2018-05-17 10:18, Stefan Berger wrote:
> > > On 03/08/2018 06:21 AM, Richard Guy Briggs wrote:
> > > > On 2018-03-05 09:24, Mimi Zohar wrote:
> > > > >
On 2018-05-18 09:56, Steve Grubb wrote:
> On Thu, 17 May 2018 17:56:00 -0400
> Richard Guy Briggs <r...@redhat.com> wrote:
>
> > > During syscall events, the path info is returned in a record
> > > simply called AUDIT_PATH, cwd info is returned in AUDIT_C
On 2018-05-18 09:56, Steve Grubb wrote:
> On Thu, 17 May 2018 17:56:00 -0400
> Richard Guy Briggs wrote:
>
> > > During syscall events, the path info is returned in a record
> > > simply called AUDIT_PATH, cwd info is returned in AUDIT_CWD. So,
> > > rath
Use the existing audit_log_session_info() function rather than
hardcoding its functionality.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditfilter.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
Use the existing audit_log_session_info() function rather than
hardcoding its functionality.
Signed-off-by: Richard Guy Briggs
---
kernel/auditfilter.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e..9e87377
On 2018-05-17 17:00, Steve Grubb wrote:
> On Fri, 16 Mar 2018 05:00:28 -0400
> Richard Guy Briggs <r...@redhat.com> wrote:
>
> > Implement the proc fs write to set the audit container ID of a
> > process, emitting an AUDIT_CONTAINER record to document the event.
>
On 2018-05-17 17:00, Steve Grubb wrote:
> On Fri, 16 Mar 2018 05:00:28 -0400
> Richard Guy Briggs wrote:
>
> > Implement the proc fs write to set the audit container ID of a
> > process, emitting an AUDIT_CONTAINER record to document the event.
> >
> > T
On 2018-05-17 17:09, Steve Grubb wrote:
> On Fri, 16 Mar 2018 05:00:30 -0400
> Richard Guy Briggs <r...@redhat.com> wrote:
>
> > Create a new audit record AUDIT_CONTAINER_INFO to document the
> > container ID of a process if it is present.
>
> As menti
On 2018-05-17 17:09, Steve Grubb wrote:
> On Fri, 16 Mar 2018 05:00:30 -0400
> Richard Guy Briggs wrote:
>
> > Create a new audit record AUDIT_CONTAINER_INFO to document the
> > container ID of a process if it is present.
>
> As mentioned in a previous email, I th
On 2018-05-17 10:18, Stefan Berger wrote:
> On 03/08/2018 06:21 AM, Richard Guy Briggs wrote:
> > On 2018-03-05 09:24, Mimi Zohar wrote:
> > > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> > > > On 2018-03-05 08:43, Mimi Zoh
Enable fork.c compilation with audit disabled.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
Hi Paul, this one got caught by the 0-day kbuildbot. Can you squash it
down if you haven't merged it yet?
---
kernel/fork.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/
Enable fork.c compilation with audit disabled.
Signed-off-by: Richard Guy Briggs
---
Hi Paul, this one got caught by the 0-day kbuildbot. Can you squash it
down if you haven't merged it yet?
---
kernel/fork.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
- p2/5: add audit header to init/init_task.c to quiet kbuildbot
- audit_signal_info(): fetch loginuid once
- remove task_struct from audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled
Richard Guy Briggs (3):
audit
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 24 +++-
1 file changed
to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.
See: https://github.com/linux-audit/audit-kernel/issues/81
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 34 --
include/li
to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.
See: https://github.com/linux-audit/audit-kernel/issues/81
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 34 --
include/linux/sched.h | 5 +
init/i
On the rebase of the following commit on the new seccomp actions_logged
function, one audit_context access was missed.
commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5
("audit: use inline function to get audit context")
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kern
On the rebase of the following commit on the new seccomp actions_logged
function, one audit_context access was missed.
commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5
("audit: use inline function to get audit context")
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 2
On 2018-05-14 23:05, Richard Guy Briggs wrote:
> On 2018-05-14 17:44, Paul Moore wrote:
> > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > Recognizing that the audit context is an internal audit value, use an
> > > access funct
On 2018-05-14 23:05, Richard Guy Briggs wrote:
> On 2018-05-14 17:44, Paul Moore wrote:
> > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> > > Recognizing that the audit context is an internal audit value, use an
> > > access function to retriev
; - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
> + audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
> -"policy loaded auid=%u ses=%u",
> +"auid=%u ses=%u lsm=selinux res=1",
> from_kuid(_user_ns, audit_get_loginuid(current)),
> audit_get_sessionid(current));
> out:
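Review bot: the new format string on the `+"auid=%u ses=%u lsm=selinux res=1"` line hardcodes res=1, and the call sits before the `out:` label, so any failure path that jumps to `out:` emits no record at all; either log the failure case with res=0 or state in the commit message that only successful policy loads are audited. Dropping the "policy loaded" text also changes what existing log consumers match on for AUDIT_MAC_POLICY_LOAD, which deserves a line in the changelog.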
- RGB
--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
On 2018-05-14 17:44, Paul Moore wrote:
> On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > ra
On 2018-05-14 17:44, Paul Moore wrote:
> On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > rather than reaching d
audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled
Richard Guy Briggs (5):
audit: normalize loginuid read access
audit: convert sessionid unset to a macro
audit: use inline function to get audit context
audit: use
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c | 18 +--
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 18 +-
1 file changed, 9
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h| 14
github.com/linux-audit/audit-kernel/issues/81
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
MAINTAINERS| 2 +-
include/linux/audit.h | 10 +-
include/linux/audit_task.h | 31 +++
include/linux/sched.h | 6 ++
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 6 ++
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 2 +-
include/net/xfrm.h | 2 +-
include/uapi/linux/audit.h | 1 +
github.com/linux-audit/audit-kernel/issues/81
Signed-off-by: Richard Guy Briggs
---
MAINTAINERS| 2 +-
include/linux/audit.h | 10 +-
include/linux/audit_task.h | 31 +++
include/linux/sched.h | 6 ++
init/init_task.c
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 6 ++
kernel/auditsc.c | 7
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 2 +-
include/net/xfrm.h | 2 +-
include/uapi/linux/audit.h | 1 +
init/init_task.c
On 2018-05-10 17:21, Richard Guy Briggs wrote:
> On 2018-05-09 11:13, Paul Moore wrote:
> > On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > Recognizing that the loginuid is an internal audit value, use an access
> > > function to
On 2018-05-10 17:21, Richard Guy Briggs wrote:
> On 2018-05-09 11:13, Paul Moore wrote:
> > On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> > > Recognizing that the loginuid is an internal audit value, use an access
> > > function to retrieve the audit
On 2018-05-09 11:46, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> >
>
On 2018-05-09 11:46, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> >
> > Collect the e
On 2018-05-09 11:13, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Recognizing that the loginuid is an internal audit value, use an access
> > function to retrieve the audit loginuid value for the task rather than
On 2018-05-09 11:13, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> > Recognizing that the loginuid is an internal audit value, use an access
> > function to retrieve the audit loginuid value for the task rather than
> > reaching directly
On 2018-05-09 11:28, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > ra
On 2018-05-09 11:28, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > rather than reaching d
On 2018-05-09 12:07, Tobin C. Harding wrote:
> On Fri, May 04, 2018 at 04:54:37PM -0400, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to set the audit context pointer for the task
> > rather t