On 2017-03-07 09:29, Paul Moore wrote:
> On Mon, Mar 6, 2017 at 11:03 PM, Richard Guy Briggs wrote:
> > On 2017-03-06 10:10, Cong Wang wrote:
> >> On Mon, Mar 6, 2017 at 2:54 AM, Dmitry Vyukov wrote:
> >> > Hello,
> >> >
> >> > I've
t, I think.
> But kauditd_send_unicast_skb() seems not holding this mutex.
H, I wonder if it makes sense to wrap most of the contents of the
outer while loop in kauditd_thread in the audit_cmd_mutex, or around the
first two inner while loops and the "if (auditd)" condition after t
end_unicast_skb() seems not holding this mutex.
H, I wonder if it makes sense to wrap most of the contents of the
outer while loop in kauditd_thread in the audit_cmd_mutex, or around the
first two inner while loops and the "if (auditd)" condition after the
"quick_loop:" l
On 2017-03-03 19:19, Paul Moore wrote:
> On Tue, Feb 28, 2017 at 10:37 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Sorry, I forgot to include Cc: in this cover letter for context to the 4
> > alt patches.
> >
> > On 2017-02-28 22:15, Richard Guy
On 2017-03-03 19:19, Paul Moore wrote:
> On Tue, Feb 28, 2017 at 10:37 PM, Richard Guy Briggs wrote:
> > Sorry, I forgot to include Cc: in this cover letter for context to the 4
> > alt patches.
> >
> > On 2017-02-28 22:15, Richard Guy Briggs
On 2017-03-06 17:30, Jessica Yu wrote:
> +++ Richard Guy Briggs [06/03/17 16:49 -0500]:
> >On 2017-03-03 19:22, Paul Moore wrote:
> >>On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> >>> On 2017-02-28 23:15, Steve Grubb wrote:
> >
On 2017-03-06 17:30, Jessica Yu wrote:
> +++ Richard Guy Briggs [06/03/17 16:49 -0500]:
> >On 2017-03-03 19:22, Paul Moore wrote:
> >>On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs wrote:
> >>> On 2017-02-28 23:15, Steve Grubb wrote:
> >>>>
On 2017-03-03 19:22, Paul Moore wrote:
> On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-28 23:15, Steve Grubb wrote:
> >> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote:
> >> > Sorry, I forgot
On 2017-03-03 19:22, Paul Moore wrote:
> On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs wrote:
> > On 2017-02-28 23:15, Steve Grubb wrote:
> >> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote:
> >> > Sorry, I forgot to include Cc: in
In __audit_inode_child, return immediately upon detecting module-related
syscalls.
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c |6 ++
1 files chan
In __audit_inode_child, return immediately upon detecting module-related
syscalls.
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |6 ++
1 files changed, 6 insertions(+), 0
On 2017-02-28 23:15, Steve Grubb wrote:
> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote:
> > Sorry, I forgot to include Cc: in this cover letter for context to the 4
> > alt patches.
> >
> > On 2017-02-28 22:15, Richard Guy Briggs
On 2017-02-28 23:15, Steve Grubb wrote:
> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote:
> > Sorry, I forgot to include Cc: in this cover letter for context to the 4
> > alt patches.
> >
> > On 2017-02-28 22:15, Richard Guy Briggs
to parse what is happening. The PATH record correctly
records the setuid bit and owner. Suppress the BPRM_FCAPS record on
set*id.
See: https://github.com/linux-audit/audit-kernel/issues/16
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
security/commoncap.c |5 +++--
1 files c
to parse what is happening. The PATH record correctly
records the setuid bit and owner. Suppress the BPRM_FCAPS record on
set*id.
See: https://github.com/linux-audit/audit-kernel/issues/16
Signed-off-by: Richard Guy Briggs
---
security/commoncap.c |5 +++--
1 files changed, 3 insertions
tem_u:system_r:insmod_t:s0 key="mod-load"
The test case listed below will need to be modified to check for no null PATH
records.
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Brig
tem_u:system_r:insmod_t:s0 key="mod-load"
The test case listed below will need to be modified to check for no null PATH
records.
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard
Sorry, I forgot to include Cc: in this cover letter for context to the 4
alt patches.
On 2017-02-28 22:15, Richard Guy Briggs wrote:
> The background to this is:
> https://github.com/linux-audit/audit-kernel/issues/8
>
> In short, audit SYSCALL records for *init_module were
Sorry, I forgot to include Cc: in this cover letter for context to the 4
alt patches.
On 2017-02-28 22:15, Richard Guy Briggs wrote:
> The background to this is:
> https://github.com/linux-audit/audit-kernel/issues/8
>
> In short, audit SYSCALL records for *init_module were
those records when the parent is not found in
that task context's audit names_list.
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c
those records when the parent is not found in
that task context's audit names_list.
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 20 +++-
1
hides those records, but the SYSCALL record "items=" count will
still reflect the number of hidden items. (This will fail the test below.)
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy
hides those records, but the SYSCALL record "items=" count will
still reflect the number of hidden items. (This will fail the test below.)
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard
In __audit_inode_child, return immediately upon detecting TRACEFS and DEBUGFS
(and potentially other filesystems identified, via dentry->d_sb->s_magic).
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Bri
In __audit_inode_child, return immediately upon detecting TRACEFS and DEBUGFS
(and potentially other filesystems identified, via dentry->d_sb->s_magic).
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy
t solution that I've missed that catches
things before they get anywhere near audit_inode_child (called from
tracefs' notifiers)?
I'll thread onto this message tested patches for all four solutions.
- RGB
--
Richard Guy Briggs <r...@redhat.com>
Kernel Security Engineering, Base Operating Syste
t solution that I've missed that catches
things before they get anywhere near audit_inode_child (called from
tracefs' notifiers)?
I'll thread onto this message tested patches for all four solutions.
- RGB
--
Richard Guy Briggs
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote,
On 2017-02-14 13:43, Steve Grubb wrote:
> On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> > On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > On 2017-02-14 13:02, Steve Grubb wrote:
> > >> On Monday, Februar
On 2017-02-14 13:43, Steve Grubb wrote:
> On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> > On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs wrote:
> > > On 2017-02-14 13:02, Steve Grubb wrote:
> > >> On Monday, February 13, 2017 4
On 2017-02-14 13:02, Steve Grubb wrote:
> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> > >
>
On 2017-02-14 13:02, Steve Grubb wrote:
> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs wrote:
> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> > >
> > > We get
-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 12
include/uapi/linux/audit.h |1 +
kernel/audit.h |3 +++
kernel/auditsc.c | 14 ++
kernel/module.c|5 -
5 files changed, 34 insertions
-off-by: Richard Guy Briggs
---
include/linux/audit.h | 12
include/uapi/linux/audit.h |1 +
kernel/audit.h |3 +++
kernel/auditsc.c | 14 ++
kernel/module.c|5 -
5 files changed, 34 insertions(+), 1 deletions
On 2017-02-04 08:27, Steve Grubb wrote:
> On Friday, February 3, 2017 7:18:58 PM EST Paul Moore wrote:
> > On Tue, Jan 31, 2017 at 3:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > On 2017-01-31 11:07, Paul Moore wrote:
> > >> On Tue, Jan 31, 20
On 2017-02-04 08:27, Steve Grubb wrote:
> On Friday, February 3, 2017 7:18:58 PM EST Paul Moore wrote:
> > On Tue, Jan 31, 2017 at 3:02 PM, Richard Guy Briggs wrote:
> > > On 2017-01-31 11:07, Paul Moore wrote:
> > >> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Brig
On 2017-02-03 19:18, Paul Moore wrote:
> On Tue, Jan 31, 2017 at 3:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-01-31 11:07, Paul Moore wrote:
> >> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
>
On 2017-02-03 19:18, Paul Moore wrote:
> On Tue, Jan 31, 2017 at 3:02 PM, Richard Guy Briggs wrote:
> > On 2017-01-31 11:07, Paul Moore wrote:
> >> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Briggs
> >> wrote:
> >> > On 2017-01-31 06:59, Paul Moore wrot
On 2017-01-31 11:07, Paul Moore wrote:
> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-01-31 06:59, Paul Moore wrote:
> >> On Thu, Jan 26, 2017 at 4:21 PM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
On 2017-01-31 11:07, Paul Moore wrote:
> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Briggs wrote:
> > On 2017-01-31 06:59, Paul Moore wrote:
> >> On Thu, Jan 26, 2017 at 4:21 PM, Richard Guy Briggs
> >> wrote:
> >> > This adds a new auxiliary
On 2017-01-31 06:59, Paul Moore wrote:
> On Thu, Jan 26, 2017 at 4:21 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >
> > We get finit_module for free since it made most sense to hook
On 2017-01-31 06:59, Paul Moore wrote:
> On Thu, Jan 26, 2017 at 4:21 PM, Richard Guy Briggs wrote:
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >
> > We get finit_module for free since it made most sense to hook this in to
> > load_module().
On 2017-01-30 11:54, Steve Grubb wrote:
> On Thu, 26 Jan 2017 14:50:07 -0500
> Richard Guy Briggs <r...@redhat.com> wrote:
>
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>
> Thanks, this is definitely needed. Can you provide an example event
On 2017-01-30 11:54, Steve Grubb wrote:
> On Thu, 26 Jan 2017 14:50:07 -0500
> Richard Guy Briggs wrote:
>
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>
> Thanks, this is definitely needed. Can you provide an example event
> generated by thi
-audit/audit-kernel/issues/7
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> >
> > Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> > ---
> > include/linux/audit.h | 12
> > include/uapi
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> >
> > Signed-off-by: Richard Guy Briggs
> > ---
> > include/linux/audit.h | 12
> > include/uapi/linux/audit.h |1 +
> > kernel/audit.h
-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 12
include/uapi/linux/audit.h |1 +
kernel/audit.h |3 +++
kernel/auditsc.c | 20
kernel/module.c|5 -
5 files changed, 40 inse
-off-by: Richard Guy Briggs
---
include/linux/audit.h | 12
include/uapi/linux/audit.h |1 +
kernel/audit.h |3 +++
kernel/auditsc.c | 20
kernel/module.c|5 -
5 files changed, 40 insertions(+), 1 deletions
On 2017-01-26 14:50, Richard Guy Briggs wrote:
> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>
> We get finit_module for free since it made most sense to hook this in to
> load_module().
>
> https://github.com/linux-audit/audit-kernel/issues/7
> htt
On 2017-01-26 14:50, Richard Guy Briggs wrote:
> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>
> We get finit_module for free since it made most sense to hook this in to
> load_module().
>
> https://github.com/linux-audit/audit-kernel/issues/7
> htt
-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 12
include/uapi/linux/audit.h |1 +
kernel/audit.h |3 +++
kernel/auditsc.c | 20
kernel/module.c|5 -
5 files changed, 40 inse
-off-by: Richard Guy Briggs
---
include/linux/audit.h | 12
include/uapi/linux/audit.h |1 +
kernel/audit.h |3 +++
kernel/auditsc.c | 20
kernel/module.c|5 -
5 files changed, 40 insertions(+), 1 deletions
UDE_EXTEND | \
> - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> + AUDIT_FEATURE_BITMAP_LOST_RESET)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATESTAU
UDE_EXTEND | \
> - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> + AUDIT_FEATURE_BITMAP_LOST_RESET)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATESTAUDIT_FEATURE_BITMAP_ALL
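Review bot: Extending AUDIT_FEATURE_BITMAP_ALL with AUDIT_FEATURE_BITMAP_LOST_RESET also changes the deprecated AUDIT_VERSION_LATEST, which the context line at the end of this hunk defines as AUDIT_FEATURE_BITMAP_ALL. The commit message should say so, so that user space still comparing against AUDIT_VERSION_LATEST knows the value moved with this patch.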
- RGB
--
Richard Guy Briggs
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
-kernel/issues/14
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
v3:
Proper spacing around operators and functions. Local var ordering.
Ditch unlikely, return early.
v2:
Move work to audit_socketcall_compat() and use audit_dummy_context().
---
include/linux/audit.h
-kernel/issues/14
Signed-off-by: Richard Guy Briggs
---
v3:
Proper spacing around operators and functions. Local var ordering.
Ditch unlikely, return early.
v2:
Move work to audit_socketcall_compat() and use audit_dummy_context().
---
include/linux/audit.h | 20
On 2017-01-16 13:27, David Miller wrote:
> From: Richard Guy Briggs <r...@redhat.com>
> Date: Fri, 13 Jan 2017 04:51:48 -0500
>
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 9d4443f..43d8003 100644
> > --- a/include/linux/audit.
On 2017-01-16 13:27, David Miller wrote:
> From: Richard Guy Briggs
> Date: Fri, 13 Jan 2017 04:51:48 -0500
>
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 9d4443f..43d8003 100644
> > --- a/include/linux/audit.h
> > +++ b/include/li
On 2017-01-16 15:04, Paul Moore wrote:
> On Fri, Jan 13, 2017 at 9:42 AM, Eric Paris <epa...@redhat.com> wrote:
> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> >> diff --git a/include/linux/audit.h b/include/linux/audit.h
> >> index 9d4443f..
On 2017-01-16 15:04, Paul Moore wrote:
> On Fri, Jan 13, 2017 at 9:42 AM, Eric Paris wrote:
> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> >> diff --git a/include/linux/audit.h b/include/linux/audit.h
> >> index 9d4443f..43d8003 100644
>
On 2017-01-13 10:18, Eric Paris wrote:
> On Fri, 2017-01-13 at 10:06 -0500, Richard Guy Briggs wrote:
> > On 2017-01-13 09:42, Eric Paris wrote:
> > > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
>
>
> > > > diff --git a/include/linux/audit.h b
On 2017-01-13 10:18, Eric Paris wrote:
> On Fri, 2017-01-13 at 10:06 -0500, Richard Guy Briggs wrote:
> > On 2017-01-13 09:42, Eric Paris wrote:
> > > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
>
>
> > > > diff --git a/include/linux/audit.h b
On 2017-01-13 09:42, Eric Paris wrote:
> On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> > 32-bit socketcalls were not being logged by audit on x86_64 systems.
> > Log them. This is basically a duplicate of the call from
> > net/socket.c:sys_socketcal
On 2017-01-13 09:42, Eric Paris wrote:
> On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> > 32-bit socketcalls were not being logged by audit on x86_64 systems.
> > Log them. This is basically a duplicate of the call from
> > net/socket.c:sys_socketcal
-kernel/issues/14
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
--
v2:
Move work to audit_socketcall_compat() and use audit_dummy_context().
---
include/linux/audit.h | 16
net/compat.c | 15 +--
2 files changed, 29 insertions(+), 2 del
-kernel/issues/14
Signed-off-by: Richard Guy Briggs
--
v2:
Move work to audit_socketcall_compat() and use audit_dummy_context().
---
include/linux/audit.h | 16
net/compat.c | 15 +--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git
On 2017-01-12 16:32, Paul Moore wrote:
> On Thu, Jan 12, 2017 at 7:36 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > 32-bit socketcalls were not being logged by audit on x86_64 systems.
> > Log them.
> >
> > See: https://github.com/linux-audit/audit-ke
On 2017-01-12 16:32, Paul Moore wrote:
> On Thu, Jan 12, 2017 at 7:36 AM, Richard Guy Briggs wrote:
> > 32-bit socketcalls were not being logged by audit on x86_64 systems.
> > Log them.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/14
> >
>
32-bit socketcalls were not being logged by audit on x86_64 systems.
Log them.
See: https://github.com/linux-audit/audit-kernel/issues/14
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
net/compat.c | 18 --
1 files changed, 16 insertions(+), 2 deletions(-)
diff
32-bit socketcalls were not being logged by audit on x86_64 systems.
Log them.
See: https://github.com/linux-audit/audit-kernel/issues/14
Signed-off-by: Richard Guy Briggs
---
net/compat.c | 18 --
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/net/compat.c b
> auditing all instances of the syscall could still be a heavyweight solution.
>
> 4) If the application spawns children processes, that rule doesn't audit
> their syscalls. That can be fixed with ppid=%d but then grandchildren
> pids are a problem.
This patch that wasn't accepted
> their syscalls. That can be fixed with ppid=%d but then grandchildren
> pids are a problem.
This patch that wasn't accepted upstream might be useful:
https://www.redhat.com/archives/linux-audit/2015-August/msg00067.html
https://www.redhat.com/archives/linux-audit/2015-August/msg00068.html
> 5) Cleanup of the audit rule for an old pid, before the pid is reused,
> could be difficult.
>
> Tyler
>
> > Perhaps an improvement to this could be enabling audit when seccomp
> > syscall is seen? I can't tell if auditctl already has something to do
> > this ("start auditing this process and all children when syscall X is
> > performed").
> >
> > -Kees
- RGB
--
Richard Guy Briggs
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
On 2016-12-13 16:17, Cong Wang wrote:
> On Tue, Dec 13, 2016 at 2:52 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > It is actually the audit_pid and audit_nlk_portid that I care about
> > more. The audit daemon could vanish or close the socket while the
>
On 2016-12-13 16:17, Cong Wang wrote:
> On Tue, Dec 13, 2016 at 2:52 AM, Richard Guy Briggs wrote:
> > It is actually the audit_pid and audit_nlk_portid that I care about
> > more. The audit daemon could vanish or close the socket while the
> > kernel sock to which it was at
On 2016-12-13 16:19, Cong Wang wrote:
> On Tue, Dec 13, 2016 at 7:03 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > @@ -1283,8 +1299,10 @@ static void __net_exit audit_net_exit(struct net
> > *net)
> > {
> > struct audit_net *aune
On 2016-12-13 16:19, Cong Wang wrote:
> On Tue, Dec 13, 2016 at 7:03 AM, Richard Guy Briggs wrote:
> > @@ -1283,8 +1299,10 @@ static void __net_exit audit_net_exit(struct net
> > *net)
> > {
> > struct audit_net *aunet = net_generic(net, audit_net_id);
>
the audit_cmd_mutex.
See: https://lkml.org/lkml/2016/11/26/232
Thanks to Eric Dumazet <eduma...@google.com> and Cong Wang
<xiyou.wangc...@gmail.com> on ideas how to fix it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
There has been a lot of change in the audit code that is ab
the audit_cmd_mutex.
See: https://lkml.org/lkml/2016/11/26/232
Thanks to Eric Dumazet and Cong Wang
on ideas how to fix it.
Signed-off-by: Richard Guy Briggs
---
There has been a lot of change in the audit code that is about to go
upstream to address audit queue issues. This patch is based on the
source
On 2016-12-13 00:10, Richard Guy Briggs wrote:
> On 2016-12-12 15:18, Paul Moore wrote:
> > On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > Resetting audit_sock appears to be racy.
> > >
> > > audit_sock was being copied
On 2016-12-13 00:10, Richard Guy Briggs wrote:
> On 2016-12-12 15:18, Paul Moore wrote:
> > On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs wrote:
> > > Resetting audit_sock appears to be racy.
> > >
> > > audit_sock was being copied and d
On 2016-12-12 15:58, Cong Wang wrote:
> On Mon, Dec 12, 2016 at 2:03 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Resetting audit_sock appears to be racy.
> >
> > audit_sock was being copied and dereferenced without using a refcount on
> > the sourc
On 2016-12-12 15:58, Cong Wang wrote:
> On Mon, Dec 12, 2016 at 2:03 AM, Richard Guy Briggs wrote:
> > Resetting audit_sock appears to be racy.
> >
> > audit_sock was being copied and dereferenced without using a refcount on
> > the source sock.
> >
> > B
On 2016-12-12 16:10, Cong Wang wrote:
> On Mon, Dec 12, 2016 at 2:02 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2016-12-09 20:13, Cong Wang wrote:
> >> Netlink notifier can safely be converted to blocking one, I will send
> >> a patch.
> >
>
On 2016-12-12 16:10, Cong Wang wrote:
> On Mon, Dec 12, 2016 at 2:02 AM, Richard Guy Briggs wrote:
> > On 2016-12-09 20:13, Cong Wang wrote:
> >> Netlink notifier can safely be converted to blocking one, I will send
> >> a patch.
> >
> > I had a quick look
On 2016-12-13 02:51, Richard Guy Briggs wrote:
> On 2016-12-09 23:40, Cong Wang wrote:
> > On Fri, Dec 9, 2016 at 8:13 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> > > On Fri, Dec 9, 2016 at 3:01 AM, Richard Guy Briggs <r...@redhat.com>
> > > wrote
On 2016-12-13 02:51, Richard Guy Briggs wrote:
> On 2016-12-09 23:40, Cong Wang wrote:
> > On Fri, Dec 9, 2016 at 8:13 PM, Cong Wang wrote:
> > > On Fri, Dec 9, 2016 at 3:01 AM, Richard Guy Briggs
> > > wrote:
> > >> On 2016-12-08 22:57, Cong Wang wrote:
On 2016-12-09 23:40, Cong Wang wrote:
> On Fri, Dec 9, 2016 at 8:13 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> > On Fri, Dec 9, 2016 at 3:01 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> >> On 2016-12-08 22:57, Cong Wang wrote:
> >>> On Thu, D
On 2016-12-09 23:40, Cong Wang wrote:
> On Fri, Dec 9, 2016 at 8:13 PM, Cong Wang wrote:
> > On Fri, Dec 9, 2016 at 3:01 AM, Richard Guy Briggs wrote:
> >> On 2016-12-08 22:57, Cong Wang wrote:
> >>> On Thu, Dec 8, 2016 at 10:02 PM, Richard Guy Briggs
>
On 2016-12-12 15:18, Paul Moore wrote:
> On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Resetting audit_sock appears to be racy.
> >
> > audit_sock was being copied and dereferenced without using a refcount on
> > the sourc
On 2016-12-12 15:18, Paul Moore wrote:
> On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs wrote:
> > Resetting audit_sock appears to be racy.
> >
> > audit_sock was being copied and dereferenced without using a refcount on
> > the source sock.
> >
> > B
On 2016-12-12 12:10, Paul Moore wrote:
> On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Resetting audit_sock appears to be racy.
> >
> > audit_sock was being copied and dereferenced without using a refcount on
> > the sourc
On 2016-12-12 12:10, Paul Moore wrote:
> On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs wrote:
> > Resetting audit_sock appears to be racy.
> >
> > audit_sock was being copied and dereferenced without using a refcount on
> > the source sock.
> >
> > B
the audit_cmd_mutex.
See: https://lkml.org/lkml/2016/11/26/232
Thanks to Eric Dumazet <eduma...@google.com> and Cong Wang
<xiyou.wangc...@gmail.com> on ideas how to fix it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
There has been a lot of change in the audit code that is ab
the audit_cmd_mutex.
See: https://lkml.org/lkml/2016/11/26/232
Thanks to Eric Dumazet and Cong Wang
on ideas how to fix it.
Signed-off-by: Richard Guy Briggs
---
There has been a lot of change in the audit code that is about to go
upstream to address audit queue issues. This patch is based on the
source
On 2016-12-09 20:13, Cong Wang wrote:
> On Fri, Dec 9, 2016 at 3:01 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2016-12-08 22:57, Cong Wang wrote:
> >> On Thu, Dec 8, 2016 at 10:02 PM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
> >
On 2016-12-09 20:13, Cong Wang wrote:
> On Fri, Dec 9, 2016 at 3:01 AM, Richard Guy Briggs wrote:
> > On 2016-12-08 22:57, Cong Wang wrote:
> >> On Thu, Dec 8, 2016 at 10:02 PM, Richard Guy Briggs
> >> wrote:
> >> > I also tried to extend Con
On 2016-12-09 12:53, Dmitry Vyukov wrote:
> On Fri, Dec 9, 2016 at 12:48 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2016-12-09 11:49, Dmitry Vyukov wrote:
> >> On Fri, Dec 9, 2016 at 7:02 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> >> >
On 2016-12-09 12:53, Dmitry Vyukov wrote:
> On Fri, Dec 9, 2016 at 12:48 PM, Richard Guy Briggs wrote:
> > On 2016-12-09 11:49, Dmitry Vyukov wrote:
> >> On Fri, Dec 9, 2016 at 7:02 AM, Richard Guy Briggs wrote:
> >> > On 2016-11-29 23:52, Richard Guy Briggs wrote:
On 2016-12-09 11:49, Dmitry Vyukov wrote:
> On Fri, Dec 9, 2016 at 7:02 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2016-11-29 23:52, Richard Guy Briggs wrote:
> > I tried a quick compile attempt on the test case (I assume it is a
> > socket fuzzer) and get
On 2016-12-09 11:49, Dmitry Vyukov wrote:
> On Fri, Dec 9, 2016 at 7:02 AM, Richard Guy Briggs wrote:
> > On 2016-11-29 23:52, Richard Guy Briggs wrote:
> > I tried a quick compile attempt on the test case (I assume it is a
> > socket fuzzer) and get the following compile
On 2016-12-08 22:57, Cong Wang wrote:
> On Thu, Dec 8, 2016 at 10:02 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > I also tried to extend Cong Wang's idea to attempt to proactively respond
> > to a
> > NETLINK_URELEASE on the audit_sock and reset it, but ra