On 2016-12-08 22:57, Cong Wang wrote:
> On Thu, Dec 8, 2016 at 10:02 PM, Richard Guy Briggs wrote:
> > I also tried to extend Cong Wang's idea to attempt to proactively respond
> > to a
> > NETLINK_URELEASE on the audit_sock and reset it, but ran into a locking
> >
On 2016-11-29 23:52, Richard Guy Briggs wrote:
> On 2016-11-29 15:13, Cong Wang wrote:
> > On Tue, Nov 29, 2016 at 8:48 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > On 2016-11-26 17:11, Cong Wang wrote:
> > >> It is racy on audit_sock, especially o
On 2016-11-29 23:52, Richard Guy Briggs wrote:
> On 2016-11-29 15:13, Cong Wang wrote:
> > On Tue, Nov 29, 2016 at 8:48 AM, Richard Guy Briggs wrote:
> > > On 2016-11-26 17:11, Cong Wang wrote:
> > >> It is racy on audit_sock, especially on the netns
On 2016-11-29 15:13, Cong Wang wrote:
> On Tue, Nov 29, 2016 at 8:48 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2016-11-26 17:11, Cong Wang wrote:
> >> It is racy on audit_sock, especially on the netns exit path.
> >
> > I think that is the only
On 2016-11-29 15:13, Cong Wang wrote:
> On Tue, Nov 29, 2016 at 8:48 AM, Richard Guy Briggs wrote:
> > On 2016-11-26 17:11, Cong Wang wrote:
> >> It is racy on audit_sock, especially on the netns exit path.
> >
> > I think that is the only place it is racy. The othe
On 2016-11-29 18:24, Florian Westphal wrote:
> Richard Guy Briggs <r...@redhat.com> wrote:
> > > static void audit_buffer_free(struct audit_buffer *ab)
> > > {
> > > - unsigned long flags;
> > > -
> > > if (!ab)
>
On 2016-11-29 18:24, Florian Westphal wrote:
> Richard Guy Briggs wrote:
> > > static void audit_buffer_free(struct audit_buffer *ab)
> > > {
> > > - unsigned long flags;
> > > -
> > > if (!ab)
> > > return;
>
uld help. I'll have a closer look.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f1ca116..20bc79e 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1167,10 +1167,13 @@ static void __net_exit audit_net_exit(struct net *net)
> {
> struct audit_net *aun
lp. I'll have a closer look.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f1ca116..20bc79e 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1167,10 +1167,13 @@ static void __net_exit audit_net_exit(struct net *net)
> {
> struct audit_net *aunet = net_generic(net, audit
fp_mask = gfp_mask;
> @@ -1294,13 +1260,10 @@ static struct audit_buffer *
> audit_buffer_alloc(struct audit_context *ctx,
>
> nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
> if (!nlh)
> - goto out_kfree_skb;
> + goto err;
>
> return
,13 +1260,10 @@ static struct audit_buffer *
> audit_buffer_alloc(struct audit_context *ctx,
>
> nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
> if (!nlh)
> - goto out_kfree_skb;
> + goto err;
>
> return ab;
>
> -out_kfre
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
> ++ AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATESTAUDIT_FEATURE_BITMA
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
> ++ AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATESTAUDIT_FEATURE_BITMAP_ALL
- R
On 2016-11-17 18:34, Paul Moore wrote:
> On Tue, Nov 15, 2016 at 3:49 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2016-11-14 15:17, Paul Moore wrote:
> >> On Thu, Nov 10, 2016 at 1:41 AM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
>
On 2016-11-17 18:34, Paul Moore wrote:
> On Tue, Nov 15, 2016 at 3:49 AM, Richard Guy Briggs wrote:
> > On 2016-11-14 15:17, Paul Moore wrote:
> >> On Thu, Nov 10, 2016 at 1:41 AM, Richard Guy Briggs
> >> wrote:
> >> > The value (unsigned i
On 2016-11-14 15:21, Paul Moore wrote:
> On Thu, Nov 10, 2016 at 1:39 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Tame initialization warning of len_abuf in audit_log_execve_info even
> > though there isn't presently a bug introduced by commit 43761473c254
> >
On 2016-11-14 15:21, Paul Moore wrote:
> On Thu, Nov 10, 2016 at 1:39 AM, Richard Guy Briggs wrote:
> > Tame initialization warning of len_abuf in audit_log_execve_info even
> > though there isn't presently a bug introduced by commit 43761473c254
> > ("
On 2016-11-14 15:17, Paul Moore wrote:
> On Thu, Nov 10, 2016 at 1:41 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > The value (unsigned int)-1 is used as a sentinel to indicate the
> > sessionID is unset. Skip this value when the session_id value wraps.
> >
>
On 2016-11-14 15:17, Paul Moore wrote:
> On Thu, Nov 10, 2016 at 1:41 AM, Richard Guy Briggs wrote:
> > The value (unsigned int)-1 is used as a sentinel to indicate the
> > sessionID is unset. Skip this value when the session_id value wraps.
> >
> > Signed
The value (unsigned int)-1 is used as a sentinel to indicate the
sessionID is unset. Skip this value when the session_id value wraps.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/
The value (unsigned int)-1 is used as a sentinel to indicate the
sessionID is unset. Skip this value when the session_id value wraps.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel
Tame initialization warning of len_abuf in audit_log_execve_info even
though there isn't presently a bug introduced by commit 43761473c254
("audit: fix a double fetch in audit_log_single_execve_arg()"). Using
UNINITIALIZED_VAR instead may mask future bugs.
Signed-off-by: Richard Guy
Tame initialization warning of len_abuf in audit_log_execve_info even
though there isn't presently a bug introduced by commit 43761473c254
("audit: fix a double fetch in audit_log_single_execve_arg()"). Using
UNINITIALIZED_VAR instead may mask future bugs.
Signed-off-by: Richard
On 2016-10-20 15:27, Paul Moore wrote:
> On Thursday, August 18, 2016 01:43:12 PM Richard Guy Briggs wrote:
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > RFE Session ID User Filter
> >
> > https://github.com/linux-audit/audit-k
On 16/09/08, Richard Guy Briggs wrote:
> Reported-by: Paul Wouters <p...@nohats.com>
Oops, this above should read "nohats.ca".
> Signed-off-by: Richard Guy Briggs <r...@tricolour.ca>
> ---
> include/uapi/linux/xfrm.h | 2 +-
> 1 file changed, 1 insert
On 16/09/08, Richard Guy Briggs wrote:
> Reported-by: Paul Wouters
Oops, this above should read "nohats.ca".
> Signed-off-by: Richard Guy Briggs
> ---
> include/uapi/linux/xfrm.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/u
Reported-by: Paul Wouters <p...@nohats.com>
Signed-off-by: Richard Guy Briggs <r...@tricolour.ca>
---
include/uapi/linux/xfrm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index 1433389..1fc62b2 100644
-
Reported-by: Paul Wouters
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/xfrm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index 1433389..1fc62b2 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi
uct than the mm ref count. Is
this really necessary? Is a spin-lock significantly lower cost than a
refcount? Other than that, this refactorization looks sensible.
Acked-by: Richard Guy Briggs <r...@redhat.com>
> fs/proc/base.c | 7 +--
> include/linux/mm.h | 1 +
uct than the mm ref count. Is
this really necessary? Is a spin-lock significantly lower cost than a
refcount? Other than that, this refactorization looks sensible.
Acked-by: Richard Guy Briggs
> fs/proc/base.c | 7 +--
> include/linux/mm.h | 1 +
> kernel/audit
Fix original naive attempt to get/lock access to task->mm->exe_file by
using get_mm_exe_file and checking for NULL.
See: https://lkml.org/lkml/2016/7/30/97
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit_watch.c | 13 ++---
1 files changed, 10 inse
Fix original naive attempt to get/lock access to task->mm->exe_file by
using get_mm_exe_file and checking for NULL.
See: https://lkml.org/lkml/2016/7/30/97
Signed-off-by: Richard Guy Briggs
---
kernel/audit_watch.c | 13 ++---
1 files changed, 10 insertions(+), 3 deletions(-)
> This is buggy on 2 accounts:
> > 1. exe_file can be NULL
Agreed, this is a bug.
> > 2. rcu does not protect f_inode
Thank you for pointing this out too.
I'll send a patch to fix this.
> > The issue is made worse with allowing arbitrary number changes.
> >
> > Modifyi
ounts:
> > 1. exe_file can be NULL
Agreed, this is a bug.
> > 2. rcu does not protect f_inode
Thank you for pointing this out too.
I'll send a patch to fix this.
> > The issue is made worse with allowing arbitrary number changes.
> >
> > Modifying get_mm_exe
On 2016-08-18 19:53, Paul Moore wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > RFE Session ID User Filter
> >
> > https://github.com/linux-au
On 2016-08-18 19:53, Paul Moore wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs wrote:
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > RFE Session ID User Filter
> >
> > https://github.com/linux-audit/audit-kernel/issues/
: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 10 ++
include/uapi/linux/audit.h |1 +
kernel/auditfilter.c |3 +++
kernel/auditsc.c |7 ---
4 files chang
: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 10 ++
include/uapi/linux/audit.h |1 +
kernel/auditfilter.c |3 +++
kernel/auditsc.c |7 ---
4 files changed, 18 insertions(+), 3
Add to the audit feature bitmap to indicate availability of the
extension of the exclude filter to include PID, UID, AUID, GID, SUBJ_*.
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5
Signed-off-by: Richard Guy Briggs
Add to the audit feature bitmap to indicate availability of the
extension of the exclude filter to include PID, UID, AUID, GID, SUBJ_*.
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5
Signed-off-by: Richard Guy Briggs
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/uapi
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |1
Add to the audit feature bitmap to indicate availability of the
extension of the exclude and user filters to include sessionID.
RFE: add a session ID filter to the kernel's user filter
https://github.com/linux-audit/audit-kernel/issues/4
Signed-off-by: Richard Guy Briggs <r...@redhat.
This third patch is expected to have a merge conflict with:
"audit: add exclude filter extension to feature bitmap"
posted on 2016-08-18.
Richard Guy Briggs (3):
audit: add support for session ID user filter
audit: add AUDIT_SESSIONID_SET support
audit: add sessionid filter
Add to the audit feature bitmap to indicate availability of the
extension of the exclude and user filters to include sessionID.
RFE: add a session ID filter to the kernel's user filter
https://github.com/linux-audit/audit-kernel/issues/4
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux
user filters, sessionid_set and loginuid_set
https://www.redhat.com/archives/linux-audit/2016-August/msg5.html
and the test case:
https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
Richard Guy Briggs (2):
audit: add support for session ID user
: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 10 ++
include/uapi/linux/audit.h |1 +
kernel/auditfilter.c |3 +++
kernel/auditsc.c |7 ---
4 files chang
: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 10 ++
include/uapi/linux/audit.h |1 +
kernel/auditfilter.c |3 +++
kernel/auditsc.c |7 ---
4 files changed, 18 insertions(+), 3
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/uapi
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |1
On 2016-06-16 17:07, Paul Moore wrote:
> On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > In the case of an error returned from a field check in an audit filter
> > syscall rule, it is treated as a match and the rule action is honoured.
>
On 2016-06-16 17:07, Paul Moore wrote:
> On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs wrote:
> > In the case of an error returned from a field check in an audit filter
> > syscall rule, it is treated as a match and the rule action is honoured.
> >
> > This could
The only users of audit_get_tty and audit_put_tty are internal to audit,
so move it out of include/linux/audit.h to kernel.h and create a proper
function rather than inlining it. This also reduces kABI changes.
Suggested-by: Paul Moore <pmo...@redhat.com>
Signed-off-by: Richard Guy Bri
The only users of audit_get_tty and audit_put_tty are internal to audit,
so move it out of include/linux/audit.h to kernel.h and create a proper
function rather than inlining it. This also reduces kABI changes.
Suggested-by: Paul Moore
Signed-off-by: Richard Guy Briggs
---
include/linux
Move the calculations of values after the allocation in case the
allocation fails. This avoids wasting effort in the rare case that it
fails, but more importantly saves us extra logic to release the tty ref.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c
Move the calculations of values after the allocation in case the
allocation fails. This avoids wasting effort in the rare case that it
fails, but more importantly saves us extra logic to release the tty ref.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |7 ---
1 files changed
On 2016-06-27 11:18, Paul Moore wrote:
> On Fri, Jun 24, 2016 at 4:35 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-fac
On 2016-06-27 11:18, Paul Moore wrote:
> On Fri, Jun 24, 2016 at 4:35 PM, Richard Guy Briggs wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-factor an
the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
v4: rebase on 4.6-based audit/next.
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
i
the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs
---
v4: rebase on 4.6-based audit/next.
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
include/linux/audit.h
the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
include/linux/audit.h |2 -
kernel/a
the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs
---
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
include/linux/audit.h |2 -
kernel/audit.c|4
On 2016-06-16 16:54, Paul Moore wrote:
> On Tue, Jun 14, 2016 at 5:04 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-fac
On 2016-06-16 16:54, Paul Moore wrote:
> On Tue, Jun 14, 2016 at 5:04 PM, Richard Guy Briggs wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-factor an
om
> Acked-by: Paul Moore <p...@paul-moore.com>
Acked-by: Richard Guy Briggs <r...@redhat.com>
> ---
> include/linux/audit.h | 4 ++--
> kernel/audit.c| 10 +-
> kernel/audit.h| 2 +-
> kernel/auditsc.c | 6 +++---
> 4 files changed, 11
imes.
> The log strings can handle this transition as strings can
> hold up to 1024 characters.
>
> Signed-off-by: Deepa Dinamani
> Cc: Paul Moore
> Cc: Eric Paris
> Cc: linux-au...@redhat.com
> Acked-by: Paul Moore
Acked-by: Richard Guy Briggs
> ---
> incl
On 16/06/03, Paul Moore wrote:
> On Fri, Jun 3, 2016 at 4:24 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 16/06/03, Paul Moore wrote:
> >> On Wed, Jun 1, 2016 at 6:50 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> >> > RFE: add additional fi
On 16/06/03, Paul Moore wrote:
> On Fri, Jun 3, 2016 at 4:24 PM, Richard Guy Briggs wrote:
> > On 16/06/03, Paul Moore wrote:
> >> On Wed, Jun 1, 2016 at 6:50 PM, Richard Guy Briggs wrote:
> >> > RFE: add additional fields for use in audit filter exclude rules
>
, LOGINUID_SET, SUBJ_*.
The process of combining the similar audit_filter_user() and
audit_filter_type() functions, required inverting the meaning and
including the ALWAYS action of the latter.
Keep the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs <r...@redhat.
, LOGINUID_SET, SUBJ_*.
The process of combining the similar audit_filter_user() and
audit_filter_type() functions, required inverting the meaning and
including the ALWAYS action of the latter.
Keep the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs
---
v2: combine
malicious abuse of
this bug. The downside of this approach is it could DoS the audit
subsystem.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c |4
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 7
malicious abuse of
this bug. The downside of this approach is it could DoS the audit
subsystem.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |4
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71e14d8..6123672 100644
On 16/06/09, Steve Grubb wrote:
> On Thursday, June 09, 2016 07:59:43 PM Richard Guy Briggs wrote:
> > On 16/06/09, Steve Grubb wrote:
> > > On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
> > > > struct timespec is not y2038 safe.
> > > > >
ild);
> > /**
> > * auditsc_get_stamp - get local copies of audit_context values
> > * @ctx: audit_context for the task
> > - * @t: timespec to store time recorded in the audit_context
> > + * @t: timespec64 to store time recorded in the audit_context
> > * @serial: serial value that is recorded in the audit_context
> > *
> > * Also sets the context as auditable.
> > */
> > int auditsc_get_stamp(struct audit_context *ctx,
> > - struct timespec *t, unsigned int *serial)
> > + struct timespec64 *t, unsigned int *serial)
> > {
> > if (!ctx->in_syscall)
> > return 0;
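Review bot: the kernel-doc above auditsc_get_stamp() is edited here for @t but still has no description of the int return value. The body returns 0 when !ctx->in_syscall before anything is stored through t or serial, so a caller that ignores the return value would read an unset timespec64. Since the comment is already being touched, add a "Return:" line stating that t and serial are not written when 0 is returned.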
>
> --
> Linux-audit mailing list
> linux-au...@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <r...@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
_ts64(>ctime);
> > context->in_syscall = 1;
> > context->current_state = state;
> > context->ppid = 0;
> > @@ -1932,13 +1932,13 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
> > /**
> > * auditsc_get_stamp - get local copies of audit_cont
On 16/06/03, Paul Moore wrote:
> On Wed, Jun 1, 2016 at 6:50 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-
On 16/06/03, Paul Moore wrote:
> On Wed, Jun 1, 2016 at 6:50 PM, Richard Guy Briggs wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-factor audit_filter_type() to use audit_fi
in audit_filter_user() to quit early if list is empty.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditfilter.c | 22 +-
1 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 96c9a1b..515c752
in audit_filter_user() to quit early if list is empty.
Signed-off-by: Richard Guy Briggs
---
kernel/auditfilter.c | 22 +-
1 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 96c9a1b..515c752 100644
--- a/kernel
In commit 724e4fcc the intention was to pass any errors back from
audit_filter_user_rules() to audit_filter_user(). Add that code.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditfilter.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/
In commit 724e4fcc the intention was to pass any errors back from
audit_filter_user_rules() to audit_filter_user(). Add that code.
Signed-off-by: Richard Guy Briggs
---
kernel/auditfilter.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/auditfilter.c b
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
Like loginuid
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs
---
Like loginuid (auid), should this have
On 16/04/27, Peter Hurley wrote:
> On 04/27/2016 06:31 PM, Richard Guy Briggs wrote:
> > On 16/04/22, Peter Hurley wrote:
> >> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
> >>> The tty field was missing from AUDIT_LOGIN events.
> >>>
> >>>
On 16/04/22, Peter Hurley wrote:
> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace the call in audit
d that meant I could not make it behave
> > the same way as all the existing code. I picked "(none)" because
> > in case of CONFIG_TTY being disabled that is more logical: it's
> > not a NULL pointer because something went wrong, but instead the
> > pointer doesn't m
d that meant I could not make it behave
> > the same way as all the existing code. I picked "(none)" because
> > in case of CONFIG_TTY being disabled that is more logical: it's
> > not a NULL pointer because something went wrong, but instead the
> > pointer doesn't
On 16/04/21, Paul Moore wrote:
> On Thu, Apr 21, 2016 at 2:14 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace the call in
On 16/04/21, Paul Moore wrote:
> On Thu, Apr 21, 2016 at 2:14 PM, Richard Guy Briggs wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace the call in audit
-off-by: Richard Guy Briggs <r...@redhat.com>
---
V4: Add missing prototype for audit_put_tty() when audit syscall is not
enabled (MIPS).
V3: Introduce audit_put_tty() alias to decrement kref.
V2: Use kref to protect tty signal struct while in use.
---
include/linux/audit.h
-off-by: Richard Guy Briggs
---
V4: Add missing prototype for audit_put_tty() when audit syscall is not
enabled (MIPS).
V3: Introduce audit_put_tty() alias to decrement kref.
V2: Use kref to protect tty signal struct while in use.
---
include/linux/audit.h | 24
-off-by: Richard Guy Briggs <r...@redhat.com>
---
V3: Introduce audit_put_tty() alias to decrement kref.
V2: Use kref to protect tty signal struct while in use.
---
include/linux/audit.h | 22 ++
kernel/audit.c| 18 +-
kernel/auditsc.c
-off-by: Richard Guy Briggs
---
V3: Introduce audit_put_tty() alias to decrement kref.
V2: Use kref to protect tty signal struct while in use.
---
include/linux/audit.h | 22 ++
kernel/audit.c| 18 +-
kernel/auditsc.c |8 ++--
3 files
The tty field was missing from AUDIT_LOGIN events.
Refactor code to create a new function audit_get_tty(), using it to
replace the call in audit_log_task_info() and to add it to
audit_log_set_loginuid(). Lock and bump the kref to protect it.
Signed-off-by: Richard Guy Briggs <r...@redhat.