The tty field was missing from AUDIT_LOGIN events.
Refactor code to create a new function audit_get_tty(), using it to
replace the call in audit_log_task_info() and to add it to
audit_log_set_loginuid(). Lock and bump the kref to protect it.
Signed-off-by: Richard Guy Briggs
---
V2: Use kref
On 16/04/13, Peter Hurley wrote:
> Hi Richard,
Hi Peter,
> On 04/13/2016 04:25 PM, Richard Guy Briggs wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace t
The tty field was missing from AUDIT_LOGIN events.
Refactor code to create a new function audit_get_tty(), using it to
replace the call in audit_log_task_info() and to add it to
audit_log_set_loginuid().
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h
The tty field was missing from AUDIT_LOGIN events.
Refactor code to create a new function audit_get_tty(), using it to
replace the call in audit_log_task_info() and to add it to
audit_log_set_loginuid().
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 18
ccomp
> stop spamming.
>
> Audit should always be opt-in, not opt-out.
Not for those who rely on it...
> However I think making it conditional on syscall auditing like
> in my patch is equivalent and much simpler.
>
> If you really insist on the sysctl I can send patch.
>
> -Andi
- RGB
--
Richard Guy Briggs <r...@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
s issue at the link below:
> >
> > * https://github.com/linux-audit/audit-kernel/issues/13
>
> Making it a sysctl is fine for me as long as it is disabled by default
> so that user space doesn't need to be modified to make seccomp
> stop spamming.
>
> Audit should alwa
> >
> > Well it makes sense to me. The question is whether we are protecting the
> > thing running as init, or the 'physical' thread with pid 1. I think it's
> > the former, so let's push on this. Please resend the patch with a proper
> > signed-off-by, and feel free to add
> >
> > Well it makes sense to me. The question is whether we are protecting the
> > thing running as init, or the 'physical' thread with pid 1. I think it's
> > the former, so let's push on this. Please resend the patch with a proper
> > signed-off-by, and feel free to a
On 15/12/22, Steve Grubb wrote:
> On Tuesday, December 22, 2015 09:24:56 AM Paul Moore wrote:
> > On Tuesday, December 22, 2015 04:03:06 AM Richard Guy Briggs wrote:
> > > Nothing prevents a new auditd starting up and replacing a valid
> > > audit_pid when an
as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0368be2..9000c6f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -882,11
block.
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |1 +
kernel/audit.c | 16 +++-
2 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..d820aa9 100644
block.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/uapi/linux/audit.h |1 +
kernel/audit.c | 16 +++-
2 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..d
as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0368be2..9000c6f 100644
--- a/kernel/audit.c
+++ b/
as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0368be2..9000c6f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -882,11
and portid to 0 in
the call to audit_make_reply().
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |1 +
kernel/audit.c | 16 +++-
2 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux
and portid to 0 in
the call to audit_make_reply().
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/uapi/linux/audit.h |1 +
kernel/audit.c | 16 +++-
2 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/i
as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0368be2..9000c6f 100644
--- a/kernel/audit.c
+++ b/
t_pid == current->tgid)
> > - gfp_mask &= ~__GFP_WAIT;
> > + gfp_mask &= ~__GFP_DIRECT_RECLAIM;
> > else
> > reserve = 0;
> > }
>
> paul moore
- RGB
-
if (audit_pid && audit_pid == current->tgid)
> > - gfp_mask &= ~__GFP_WAIT;
> > + gfp_mask &= ~__GFP_DIRECT_RECLAIM;
> > else
> > reserve = 0;
> > }
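Review bot: the `gfp_mask &= ~__GFP_DIRECT_RECLAIM;` line in the `audit_pid == current->tgid` branch carries no comment saying why the auditd task's own allocation is kept out of direct reclaim while every other caller gets `reserve = 0`. With the flag no longer named `__GFP_WAIT`, the "must not wait" intent is less obvious from the code alone, so a one-line comment above the assignment would help the next reader.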
>
On 15/11/04, Paul Moore wrote:
> On Thursday, October 22, 2015 02:53:14 PM Richard Guy Briggs wrote:
> > After auditd has recovered from an overflowed queue, the first process
> > that doesn't use reserves to make it through the queue checks should
> > reset the au
On 15/10/27, Paul Moore wrote:
> On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> > This set of patches cleans up a number of corner cases in the management
> > of the audit queue.
> >
> > Richard Guy Briggs (7):
> > audit: don't needlessly
cation. IOW, for people with audit compiled
> in and subscribed by journald but switched off, I think that the
> records shouldn't be emitted.
>
> If you agree, I can send the two-line patch.
This sounds reasonable to me. It isn't an AVC. Steve? Paul?
> --Andy
- RGB
--
Richard
cation. IOW, for people with audit compiled
> in and subscribed by journald but switched off, I think that the
> records shouldn't be emitted.
>
> If you agree, I can send the two-line patch.
This sounds reasonable to me. It isn't an AVC. Steve? Paul?
> --Andy
- RGB
--
Richard Guy
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up
Treat systemd the same way as auditd, allowing it to overrun the queue to avoid
blocking.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3917aad..384a1a1 100644
--- a/kernel
If the audit_backlog_limit is changed from a limited value to an
unlimited value (zero) while the queue was overflowed, wake up the
audit_backlog_wait queue to allow those processes to continue.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |3 ++-
1 files changed, 2 insertions(+), 1
After auditd has recovered from an overflowed queue, the first process
that doesn't use reserves to make it through the queue checks should
reset the audit backlog wait time to the configured value. After that,
there is no need to keep resetting it.
Signed-off-by: Richard Guy Briggs
---
kernel
to check audit_cmd_mutex but another
process could have this locked on another cpu. Use rcu_read_lock() and
ACCESS_ONCE() to check audit_cmd_mutex.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |7 +--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b
timeout of 60 seconds (audit_backlog_wait_time).
Wake up the processes caught in the audit_backlog_wait queue when auditd
is no longer present so they can be sent instead to the hold queue.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |6 +-
1 files changed, 5 insertions(+), 1
When auditd is restarted, even though the kauditd_thread is present, it
remains dormant until the next audit log message is queued.
Wake up the kauditd_thread in the kauditd_wait queue immediately when
auditd registers its availability to drain the queue.
Signed-off-by: Richard Guy Briggs
Should auditd spawn threads, allow all members of its thread group to
use the audit_backlog_limit reserves to bypass the queue limits too.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel
On 15/10/21, Scott Matheina wrote:
> On 10/21/2015 09:15 PM, Richard Guy Briggs wrote:
> > On 15/10/21, Scott Matheina wrote:
> >> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
> >>> On 15/10/21, Joe Perches wrote:
> >>>> On Mon, 2015-1
timeout of 60 seconds (audit_backlog_wait_time).
Wake up the processes caught in the audit_backlog_wait queue when auditd
is no longer present so they can be sent instead to the hold queue.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |6 +-
1 files chan
When auditd is restarted, even though the kauditd_thread is present, it
remains dormant until the next audit log message is queued.
Wake up the kauditd_thread in the kauditd_wait queue immediately when
auditd registers its availability to drain the queue.
Signed-off-by: Richard Guy Briggs
After auditd has recovered from an overflowed queue, the first process
that doesn't use reserves to make it through the queue checks should
reset the audit backlog wait time to the configured value. After that,
there is no need to keep resetting it.
Signed-off-by: Richard Guy Briggs
to check audit_cmd_mutex but another
process could have this locked on another cpu. Use rcu_read_lock() and
ACCESS_ONCE() to check audit_cmd_mutex.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |7 +--
1 files changed, 5 insertions(+), 2 deletions(-)
diff
Should auditd spawn threads, allow all members of its thread group to
use the audit_backlog_limit reserves to bypass the queue limits too.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/
If the audit_backlog_limit is changed from a limited value to an
unlimited value (zero) while the queue was overflowed, wake up the
audit_backlog_wait queue to allow those processes to continue.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |3 ++-
1 files chan
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up
Treat systemd the same way as auditd, allowing it to overrun the queue to avoid
blocking.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3917aad..384a1a1
On 15/10/21, Scott Matheina wrote:
> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
> > On 15/10/21, Joe Perches wrote:
> >> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
> >>> On 15/10/18, Scott Matheina wrote:
> >>>> On 10/14/2015 04
On 15/10/21, Joe Perches wrote:
> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
> > On 15/10/18, Scott Matheina wrote:
> > > On 10/14/2015 04:54 PM, Paul Moore wrote:
> > > > On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
>
to fix.
Again, another manifestation of that bug? That blank line should be
after the declaration and before the if statement.
> As you might have guessed, this is one of my first patches. I wasn't
> sure if a patch like this would even get reviewed, and responded to.
> I'm s
d looking for warnings to fix.
Again, another manifestation of that bug? That blank line should be
after the declaration and before the if statement.
> As you might have guessed, this is one of my first patches. I wasn't
> sure if a patch like this would even get reviewed, and responded t
On 15/09/28, Paul Moore wrote:
> On Monday, September 28, 2015 07:17:31 AM Richard Guy Briggs wrote:
> > On 15/09/25, Paul Moore wrote:
> > > The audit_make_reply() function is the wrong thing to be using here, we
> > > should create our own buffer from scratch lik
On 15/09/25, Paul Moore wrote:
> On Friday, September 25, 2015 07:10:19 AM Richard Guy Briggs wrote:
> > On 15/09/24, Paul Moore wrote:
> > > On Friday, September 18, 2015 03:59:58 AM Richard Guy Briggs wrote:
> > > > diff --git a/kernel/audit.c b/kernel/audit.c
On 15/09/24, Paul Moore wrote:
> On Friday, September 18, 2015 03:59:58 AM Richard Guy Briggs wrote:
> > Nothing prevents a new auditd starting up and replacing a valid
> > audit_pid when an old auditd is still running, effectively starving out
> > the old auditd since audit
as a fixup if it is not yet upstream.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..9d32218 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10
On 15/09/18, Paul Moore wrote:
> On Friday, September 18, 2015 03:52:43 AM Richard Guy Briggs wrote:
> > A bug was introduced by "audit: try harder to send to auditd upon
> > netlink failure", caused by incomplete code and a function that expects
> > a string an
as a fixup if it is not yet upstream.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..9d32218 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +4
On 15/09/18, Steve Grubb wrote:
> On Fri, 18 Sep 2015 03:52:43 -0400
> Richard Guy Briggs wrote:
>
> > A bug was introduced by "audit: try harder to send to auditd upon
> > netlink failure", caused by incomplete code and a function that
> > expects a str
as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3399ab2..65dcd45 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -883,12
of the new auditd. If the audit ping succeeds (or doesn't
fail with certainty), fail to register the new auditd and return an
error (-EEXIST).
This is expected to make the patch preventing an old auditd orphaning a
new auditd redundant.
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux
as a fixup if it is not yet upstream.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..60913e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10
On 15/09/18, Steve Grubb wrote:
> On Fri, 18 Sep 2015 03:52:43 -0400
> Richard Guy Briggs <r...@redhat.com> wrote:
>
> > A bug was introduced by "audit: try harder to send to auditd upon
> > netlink failure", caused by incomplete code and a function that
>
as a fixup if it is not yet upstream.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..60913e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +4
as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c |8 ++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3399ab2..65dcd45 100644
--- a/kernel/audit.c
+++ b/
of the new auditd. If the audit ping succeeds (or doesn't
fail with certainty), fail to register the new auditd and return an
error (-EEXIST).
This is expected to make the patch preventing an old auditd orphaning a
new auditd redundant.
Signed-off-by: Richard Guy Briggs <r...@redhat.
On 15/09/16, Paul Moore wrote:
> On Wed, Sep 16, 2015 at 6:24 AM, Richard Guy Briggs wrote:
> > On 15/09/14, Paul Moore wrote:
> >> On Sunday, September 13, 2015 12:08:19 PM Richard Guy Briggs wrote:
> >> > On 15/09/11, Paul Moore wrote:
> >> > > Alt
On 15/09/16, Paul Moore wrote:
> On Wed, Sep 16, 2015 at 6:24 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 15/09/14, Paul Moore wrote:
> >> On Sunday, September 13, 2015 12:08:19 PM Richard Guy Briggs wrote:
> >> > On 15/09/11, Paul Moore wrote:
>
On 15/09/14, Paul Moore wrote:
> On Sunday, September 13, 2015 12:08:19 PM Richard Guy Briggs wrote:
> > On 15/09/11, Paul Moore wrote:
> > > Although I suppose if nothing else we could send a record indicating
> > > that another auditd attempted to replace it ... if
On 15/09/11, Paul Moore wrote:
> On Fri, Sep 11, 2015 at 6:21 AM, Richard Guy Briggs wrote:
> > On 15/09/09, Paul Moore wrote:
> >> On Monday, September 07, 2015 12:58:18 PM Richard Guy Briggs wrote:
> >> > On 15/09/07, Richard Guy Briggs wrote:
> >> > >
On 15/09/11, Paul Moore wrote:
> On Fri, Sep 11, 2015 at 6:21 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 15/09/09, Paul Moore wrote:
> >> On Monday, September 07, 2015 12:58:18 PM Richard Guy Briggs wrote:
> >> > On 15/09/07, Richard Guy Briggs wr
On 15/09/09, Paul Moore wrote:
> On Monday, September 07, 2015 12:58:18 PM Richard Guy Briggs wrote:
> > On 15/09/07, Richard Guy Briggs wrote:
> > > Nothing prevents a new auditd starting up and replacing a valid
> > > audit_pid when an old auditd is still runnin
ks for taking the time to review this...
> On Mon, 2015-09-07 at 12:48 -0400, Richard Guy Briggs wrote:
> > Nothing prevents a new auditd starting up and replacing a valid
> > audit_pid when an old auditd is still running, effectively starving out
> > the old auditd since audit_p
On 15/09/07, Richard Guy Briggs wrote:
> Nothing prevents a new auditd starting up and replacing a valid
> audit_pid when an old auditd is still running, effectively starving out
> the old auditd since audit_pid no longer points to the old valid auditd.
>
> There isn't an eas
audit_pid other than attempting to send a message to see if
it fails. If no message to auditd has been attempted since auditd died
unnaturally or got killed, audit_pid will still indicate it is alive.
Signed-off-by: Richard Guy Briggs
---
Note: Would it be too bold to actually block the registration
xt.
Reported-by: Vipin Rathor
Reported-by:
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 24 +++-
1 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c13e42..18cdfe2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.
On 15/09/04, Paul Moore wrote:
> On Friday, September 04, 2015 05:14:54 AM Richard Guy Briggs wrote:
> > There are several reports of the kernel losing contact with auditd ...
>
> Even if this doesn't completely solve the problem, I like the extra reporting
> and robustness of
xt.
Reported-by: Vipin Rathor <v.rat...@gmail.com>
Reported-by: <ctc...@hotmail.com>
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c | 24 +++-
1 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/au
audit_pid other than attempting to send a message to see if
it fails. If no message to auditd has been attempted since auditd died
unnaturally or got killed, audit_pid will still indicate it is alive.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
Note: Would it be too bold to actually
ther unexpected ones for now), report the error and
re-schedule the thread, retrying up to 5 times.
Reported-by: Vipin Rathor
Reported-by:
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 43 +++
1 files changed, 39 insertions(+), 4 deletions(-)
ther unexpected ones for now), report the error and
re-schedule the thread, retrying up to 5 times.
Reported-by: Vipin Rathor <v.rat...@gmail.com>
Reported-by: <ctc...@hotmail.com>
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/audit.c | 43 ++
On 15/08/12, Paul Moore wrote:
> On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote:
> >
> > Do you plan to push this fix to next?
>
> Patience. Yes, I'll be pushing this to next sometime this week; as usual
> I'll
> send mail when I do.
Ok, no p
On 15/08/11, Richard Guy Briggs wrote:
> On 15/08/10, Paul Moore wrote:
> > On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
> > > On 15/08/10, Paul Moore wrote:
> > > > On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > >
On 15/08/12, Paul Moore wrote:
On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote:
Do you plan to push this fix to next?
Patience. Yes, I'll be pushing this to next sometime this week; as usual
I'll
send mail when I do.
Ok, no problem, I'm not rushing. I was unsure
On 15/08/11, Richard Guy Briggs wrote:
On 15/08/10, Paul Moore wrote:
On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
On 15/08/10, Paul Moore wrote:
On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
diff --git a/kernel/audit_watch.c b/kernel
On 15/08/10, Paul Moore wrote:
> On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
> > On 15/08/10, Paul Moore wrote:
> > > On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > > > diff --git a/kernel/audit_watch.c b/kernel/audit
On 15/08/10, Paul Moore wrote:
> On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 1255dbf..656c7e9 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
>
On 15/08/10, Paul Moore wrote:
> On Saturday, August 08, 2015 10:23:48 AM Richard Guy Briggs wrote:
> > Adding "C=1 CF=-D__CHECK_ENDIAN__" to enable sparse warnings identified a
> > warning with the
> > [PATCH V9 3/3] audit: add audit by children of executable
On 15/08/10, Paul Moore wrote:
On Saturday, August 08, 2015 10:23:48 AM Richard Guy Briggs wrote:
Adding C=1 CF=-D__CHECK_ENDIAN__ to enable sparse warnings identified a
warning with the
[PATCH V9 3/3] audit: add audit by children of executable path
patch posted a couple of days ago
On 15/08/10, Paul Moore wrote:
On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 1255dbf..656c7e9 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -540,8 +540,14 @@ int audit_dupe_exe(struct
On 15/08/10, Paul Moore wrote:
On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
On 15/08/10, Paul Moore wrote:
On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 1255dbf..656c7e9 100644
ly from my review.
It doesn't say which lock triggered the warning, hash_lock, or
entry->lock. The hash_lock is locked on call and returns in the same
state. entry->lock looks fine. The fsnotify marks look get/put
balanced too.
Is sparse spewing bogons, or am I?
- RGB
--
Richard Guy Briggs