Al used to send pull requests every couple of years but he told me to
just start pushing them to you directly.
The following changes since commit 19f949f52599ba7c3f67a5897ac6be14bfcb1200:
Linux 3.8 (2013-02-18 15:58:34 -0800)
are available in the git repository at:
git://git.infradead.org/users/eparis/audit.git master
for you to fetch changes up to 2a0b4be6dd655e24990da1d0811e28b9277f8b12:
audit: fix message spacing printing auid (2013-05-08 00:02:19 -0400)
Most of the changes are in audit* files so you shouldn't much care. Our
touching outside of core audit code is pretty straight forward. A couple
of interface changes which hit net/. A simple argument bug calling audit
functions in namei.c and the removal of some assembly branch prediction
code on ppc.
Looks like you are going to have 2 merge failures due to patches which
came in through akpm.
The first in kernel/audit.c is a simple resolution. My tree is correct
deleting those 3 lines.
The second in kernel/audit.h is a little worse. You want to take my
tree. Remove the #ifdef CONFIG_AUDIT and #endif towards the end of the
new code. Then you want to remove the line declaring extern int
audit_enabled;
I'm attaching my merge resolution commit as a reference.
----------------------------------------------------------------
Andrew Morton (1):
auditsc: remove audit_set_context() altogether - fold it into its caller
Anton Blanchard (2):
audit: Syscall rules are not applied to existing processes on non-x86
powerpc: Remove static branch prediction in 64bit traced syscall path
Chen Gang (1):
kernel: audit: beautify code, for extern function, better to check its
parameters by itself
Dmitry Monakhov (1):
audit: destroy long filenames correctly
Eric Paris (17):
audit: use data= not msg= for AUDIT_USER_TTY messages
Audit: do not print error when LSMs disabled
audit: fix build break when AUDIT_DEBUG == 2
audit: allow checking the type of audit message in the user filter
audit: make validity checking generic
audit: remove the old depricated kernel interface
audit: stop pushing loginid, uid, sessionid as arguments
audit: push loginuid and sessionid processing down
audit: use a consistent audit helper to log lsm information
helper for some session id stuff
audit: use spin_lock_irqsave/restore in audit tty code
audit: do not needlessly take a spinlock in copy_signal
audit: do not needlessly take a lock in tty_audit_exit
audit: use spin_lock in audit_receive_msg to process tty logging
audit: fix event coverage of AUDIT_ANOM_LINK
Revert "audit: move kaudit thread start from auditd registration to
kaudit init"
audit: fix message spacing printing auid
Eric W. Biederman (1):
audit: Make testing for a valid loginuid explicit.
Gao feng (1):
audit: remove duplicate export of audit_enabled
Jeff Layton (1):
audit: vfs: fix audit_inode call in O_CREAT case of do_last
Matvejchikov Ilya (1):
audit: improve GID/EGID comparation logic
Rakib Mullick (1):
auditsc: Use kzalloc instead of kmalloc+memset.
Richard Guy Briggs (4):
audit: refactor hold queue flush
audit: flatten kauditd_thread wait queue code
audit: move kaudit thread start from auditd registration to kaudit init
audit: add an option to control logging of passwords with pam_tty_audit
arch/powerpc/kernel/entry_64.S | 2 +-
drivers/tty/tty_audit.c | 104 +++++++++++++++--------------------
fs/namei.c | 2 +-
include/linux/audit.h | 48 ++++++++++------
include/linux/sched.h | 1 +
include/linux/tty.h | 6 +-
include/uapi/linux/audit.h | 4 +-
kernel/audit.c | 516
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------
kernel/audit.h | 156
++++++++++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 360
+++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------
kernel/auditsc.c | 421
+++++++++++++++-----------------------------------------------------------------------------------------------------------------------------
net/socket.c | 6 +-
12 files changed, 749 insertions(+), 877 deletions(-)
commit 3f321c3c7f40eb887a4c40320dc555391382cb93
Merge: 9affd6b 82d8da0
Author: Eric Paris <[email protected]>
Date: Tue May 7 23:09:02 2013 -0400
Merge branch 'audit-for-3.10' into merge-test
Conflicts:
kernel/audit.c
kernel/audit.h
diff --cc kernel/audit.c
index 0b084fa,f9c6506..fc94ee3
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@@ -660,17 -646,14 +646,15 @@@ static int audit_receive_msg(struct sk_
/* As soon as there's any sign of userspace auditd,
* start kauditd to talk to it */
- if (!kauditd_task)
+ if (!kauditd_task) {
kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
- if (IS_ERR(kauditd_task)) {
- err = PTR_ERR(kauditd_task);
- kauditd_task = NULL;
- return err;
+ if (IS_ERR(kauditd_task)) {
+ err = PTR_ERR(kauditd_task);
+ kauditd_task = NULL;
+ return err;
+ }
}
- loginuid = audit_get_loginuid(current);
- sessionid = audit_get_sessionid(current);
- security_task_getsecid(current, &sid);
+
seq = nlh->nlmsg_seq;
data = nlmsg_data(nlh);
diff --cc kernel/audit.h
index 11468d9,45c8325..1c95131
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@@ -59,8 -65,161 +65,158 @@@ struct audit_entry
struct audit_krule rule;
};
+ struct audit_cap_data {
+ kernel_cap_t permitted;
+ kernel_cap_t inheritable;
+ union {
+ unsigned int fE; /* effective bit of file cap */
+ kernel_cap_t effective; /* effective set of process */
+ };
+ };
+
+ /* When fs/namei.c:getname() is called, we store the pointer in name and
+ * we don't let putname() free it (instead we free all of the saved
+ * pointers at syscall exit time).
+ *
+ * Further, in fs/namei.c:path_lookup() we store the inode and device.
+ */
+ struct audit_names {
+ struct list_head list; /* audit_context->names_list */
+
+ struct filename *name;
+ int name_len; /* number of chars to log */
+ bool name_put; /* call __putname()? */
+
+ unsigned long ino;
+ dev_t dev;
+ umode_t mode;
+ kuid_t uid;
+ kgid_t gid;
+ dev_t rdev;
+ u32 osid;
+ struct audit_cap_data fcap;
+ unsigned int fcap_ver;
+ unsigned char type; /* record type */
+ /*
+ * This was an allocated audit_names and not from the array of
+ * names allocated in the task audit context. Thus this name
+ * should be freed on syscall exit.
+ */
+ bool should_free;
+ };
+
+ /* The per-task audit context. */
+ struct audit_context {
+ int dummy; /* must be the first element */
+ int in_syscall; /* 1 if task is in a syscall */
+ enum audit_state state, current_state;
+ unsigned int serial; /* serial number for record */
+ int major; /* syscall number */
+ struct timespec ctime; /* time of syscall entry */
+ unsigned long argv[4]; /* syscall arguments */
+ long return_code;/* syscall return code */
+ u64 prio;
+ int return_valid; /* return code is valid */
+ /*
+ * The names_list is the list of all audit_names collected during this
+ * syscall. The first AUDIT_NAMES entries in the names_list will
+ * actually be from the preallocated_names array for performance
+ * reasons. Except during allocation they should never be referenced
+ * through the preallocated_names array and should only be found/used
+ * by running the names_list.
+ */
+ struct audit_names preallocated_names[AUDIT_NAMES];
+ int name_count; /* total records in names_list */
+ struct list_head names_list; /* struct audit_names->list anchor */
+ char *filterkey; /* key for rule that triggered record */
+ struct path pwd;
+ struct audit_aux_data *aux;
+ struct audit_aux_data *aux_pids;
+ struct sockaddr_storage *sockaddr;
+ size_t sockaddr_len;
+ /* Save things to print about task_struct */
+ pid_t pid, ppid;
+ kuid_t uid, euid, suid, fsuid;
+ kgid_t gid, egid, sgid, fsgid;
+ unsigned long personality;
+ int arch;
+
+ pid_t target_pid;
+ kuid_t target_auid;
+ kuid_t target_uid;
+ unsigned int target_sessionid;
+ u32 target_sid;
+ char target_comm[TASK_COMM_LEN];
+
+ struct audit_tree_refs *trees, *first_trees;
+ struct list_head killed_trees;
+ int tree_count;
+
+ int type;
+ union {
+ struct {
+ int nargs;
+ long args[6];
+ } socketcall;
+ struct {
+ kuid_t uid;
+ kgid_t gid;
+ umode_t mode;
+ u32 osid;
+ int has_perm;
+ uid_t perm_uid;
+ gid_t perm_gid;
+ umode_t perm_mode;
+ unsigned long qbytes;
+ } ipc;
+ struct {
+ mqd_t mqdes;
+ struct mq_attr mqstat;
+ } mq_getsetattr;
+ struct {
+ mqd_t mqdes;
+ int sigev_signo;
+ } mq_notify;
+ struct {
+ mqd_t mqdes;
+ size_t msg_len;
+ unsigned int msg_prio;
+ struct timespec abs_timeout;
+ } mq_sendrecv;
+ struct {
+ int oflag;
+ umode_t mode;
+ struct mq_attr attr;
+ } mq_open;
+ struct {
+ pid_t pid;
+ struct audit_cap_data cap;
+ } capset;
+ struct {
+ int fd;
+ int flags;
+ } mmap;
+ };
+ int fds[2];
+
+ #if AUDIT_DEBUG
+ int put_count;
+ int ino_count;
+ #endif
+ };
+
-#ifdef CONFIG_AUDIT
-extern int audit_enabled;
extern int audit_ever_enabled;
+ extern void audit_copy_inode(struct audit_names *name,
+ const struct dentry *dentry,
+ const struct inode *inode);
+ extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
+ kernel_cap_t *cap);
+ extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name);
+ extern void audit_log_name(struct audit_context *context,
+ struct audit_names *n, struct path *path,
+ int record_num, int *call_panic);
-#endif
+
extern int audit_pid;
#define AUDIT_INODE_BUCKETS 32
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
