[RFC PATCH 4/5] audit: fix filename matching in __audit_inode() and __audit_inode_child()

2015-01-08 Thread Paul Moore
filenames in the audit log and other odd audit record entries. This patch fixes the filename matching code and restores some sanity to the filename audit records. Signed-off-by: Paul Moore pmo...@redhat.com --- kernel/auditsc.c | 34 +- 1 file changed, 25 insertions

[RFC PATCH 3/5] audit: enable filename recording via getname_kernel()

2015-01-08 Thread Paul Moore
Enable recording of filenames in getname_kernel() and remove the kludgy workaround in __audit_inode() now that we have proper filename logging for kernel users. Signed-off-by: Paul Moore pmo...@redhat.com --- fs/namei.c |1 + kernel/auditsc.c | 40

[RFC PATCH 1/5] fs: rework getname_kernel to handle up to PATH_MAX sized filenames

2015-01-08 Thread Paul Moore
In preparation for expanded use in the kernel, make getname_kernel() more useful by allowing it to handle any legal filename length. Signed-off-by: Paul Moore pmo...@redhat.com --- fs/namei.c | 34 -- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git

[RFC PATCH 0/5] Overhaul the audit filename handling

2015-01-08 Thread Paul Moore
in taking this for the next v3.19-rcX release, otherwise I'll toss it into linux-next for v3.20. -Paul --- Paul Moore (5): fs: rework getname_kernel to handle up to PATH_MAX sized filenames fs: create proper filename objects using getname_kernel() audit: enable filename recording via

Re: Linux audit performance impact

2015-02-18 Thread Paul Moore
On Wed, Feb 18, 2015 at 5:32 PM, Richard Guy Briggs r...@redhat.com wrote: On 15/02/18, Paul Moore wrote: I would imagine a scenario where we introduced the new format in stages: #1 - Move in-kernel audit record string generation completely into kernel/audit*.c. Benefits everyone regardless

Re: [PATCH 1/3] kernel/audit: consolidate handling of mm->exe_file

2015-02-18 Thread Paul Moore
: Paul Moore p...@paul-moore.com Cc: Eric Paris epa...@redhat.com Cc: linux-audit@redhat.com Signed-off-by: Davidlohr Bueso dbu...@suse.de --- Compile tested only. kernel/audit.c | 9 + kernel/audit.h | 14 ++ kernel/auditsc.c | 9 + 3 files changed, 16

Re: Linux audit performance impact

2015-02-20 Thread Paul Moore
in the implementation. I'm only planning a change in the format, not the content of the audit records so you'll still have success/fail indicators like you do now. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit

Re: Linux audit performance impact

2015-02-20 Thread Paul Moore
to contribute to a revision of the Linux implementation. Well, good news, you're in the right place. My patches will be posted here and all are welcome, and encouraged, to provide their comments and/or patches.

Re: [PATCH] audit.h: remove the macro AUDIT_ARCH_ARMEB definition

2015-03-20 Thread Paul Moore
|__AUDIT_ARCH_LE) #define AUDIT_ARCH_FRV (EM_FRV) #define AUDIT_ARCH_I386(EM_386|__AUDIT_ARCH_LE) -- 2.1.0

Re: [PATCH] audit: Remove condition which always evaluates to false

2015-03-13 Thread Paul Moore
*AUDIT_BACKLOG_WAIT_TIME) + if (s.backlog_wait_time 10*AUDIT_BACKLOG_WAIT_TIME) return -EINVAL; err = audit_set_backlog_wait_time(s.backlog_wait_time); if (err 0) -- 1.9.1

Re: [PATCH 1/3] kernel/audit: consolidate handling of mm->exe_file

2015-02-22 Thread Paul Moore
On Sat, Feb 21, 2015 at 10:00 AM, Davidlohr Bueso d...@stgolabs.net wrote: On Sat, 2015-02-21 at 08:45 -0500, Paul Moore wrote: On Fri, Feb 20, 2015 at 8:23 PM, Davidlohr Bueso d...@stgolabs.net wrote: On Wed, 2015-02-18 at 22:23 -0500, Paul Moore wrote: I'd prefer

Re: [PATCH v2 2/3] kernel/audit: reduce mmap_sem hold for mm->exe_file

2015-02-23 Thread Paul Moore
)); } void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)

Re: [PATCH v2 1/3] kernel/audit: consolidate handling of mm->exe_file

2015-02-23 Thread Paul Moore
(ab, exe=(null)); + audit_log_d_path_exe(ab, current-mm); } /**

Re: [PATCH 1/3] kernel/audit: consolidate handling of mm->exe_file

2015-02-21 Thread Paul Moore
On Fri, Feb 20, 2015 at 8:23 PM, Davidlohr Bueso d...@stgolabs.net wrote: On Wed, 2015-02-18 at 22:23 -0500, Paul Moore wrote: I'd prefer if the audit_log_d_path_exe() helper wasn't a static inline. What do you have in mind? Pretty much what I said before, audit_log_d_path_exe

Re: [PATCH] audit.h: remove the macro AUDIT_ARCH_ARMEB definition

2015-03-24 Thread Paul Moore
On Sun, Mar 22, 2015 at 8:55 PM, Li RongQing roy.qing...@gmail.com wrote: On Mon, Mar 23, 2015 at 8:51 AM, Li RongQing roy.qing...@gmail.com wrote: On Fri, Mar 20, 2015 at 9:29 PM, Paul Moore p...@paul-moore.com wrote: On Fri, Mar 20, 2015 at 12:55 AM, roy.qing...@gmail.com wrote: From: Li

Re: x32 + audit status?

2015-03-05 Thread Paul Moore
On Thu, Mar 5, 2015 at 6:07 PM, Andy Lutomirski l...@amacapital.net wrote: On Mar 5, 2015 10:32 AM, David Drysdale drysd...@google.com wrote: Hi, Do we currently expect the audit system to work with x32 syscalls? I was playing with the audit system for the first time today (on v4.0-rc2,

Re: [PATCH v2 0/5] Overhaul the audit filename handling

2015-01-23 Thread Paul Moore
On Friday, January 23, 2015 05:30:56 AM Al Viro wrote: On Thu, Jan 22, 2015 at 09:40:01PM +, Al Viro wrote: On Thu, Jan 22, 2015 at 09:29:03PM +, Al Viro wrote: On Thu, Jan 22, 2015 at 04:25:13PM -0500, Paul Moore wrote: Your experimental branch looks good to me, thanks

Changes to the git repository

2015-04-23 Thread Paul Moore
into upstream and send a pull request for the upstream branch. 6. Resume normal operation. If you've got any questions, let me know. -Paul

[GIT PULL] Audit patches for 4.1

2015-04-22 Thread Paul Moore
+--- kernel/audit.h | 3 ++ kernel/audit_tree.c | 88 ++ kernel/auditsc.c| 9 +- 4 files changed, 94 insertions(+), 53 deletions(-) -- paul moore security @ redhat -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com

Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

2015-05-14 Thread Paul Moore
with this? If not, please suggest some alternate ideas; simply shouting IT'S ALL CRAP! isn't helpful for anyone ... it may be true, but it doesn't help us solve the problem ;)

Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

2015-05-15 Thread Paul Moore
/containers.

Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

2015-05-15 Thread Paul Moore
in the kernel is a mistake in my opinion. My current opinion is that we allow userspace to set a container ID token as it sees fit and the kernel will just use the value provided by userspace.

Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

2015-05-15 Thread Paul Moore
On Thursday, May 14, 2015 11:23:09 PM Andy Lutomirski wrote: On Thu, May 14, 2015 at 7:32 PM, Richard Guy Briggs r...@redhat.com wrote: On 15/05/14, Paul Moore wrote: * Look at our existing audit records to determine which records should have namespace and container ID tokens added. We

Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

2015-05-19 Thread Paul Moore
On Tue, May 19, 2015 at 9:09 AM, Richard Guy Briggs r...@redhat.com wrote: On 15/05/16, Paul Moore wrote: On Sat, May 16, 2015 at 10:46 AM, Eric W. Biederman wrote: It sounds nice but containers are not just a per process construct. Sometimes you might know anamespace but not which process

Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing

2015-05-20 Thread Paul Moore
LSM_AUDIT_DATA_DENTRY: { struct inode *inode;

Re: [PATCH] audit: Fix check of return value of strnlen_user()

2015-06-03 Thread Paul Moore
On Tuesday, June 02, 2015 05:08:29 PM Jan Kara wrote: strnlen_user() returns 0 when it hits fault, not -1. Fix the test in audit_log_single_execve_arg(). Luckily this shouldn't ever happen unless there's a kernel bug so it's mostly a cosmetic fix. CC: Paul Moore pmo...@redhat.com Signed-off

Re: [PATCH] audit: Fix check of return value of strnlen_user()

2015-06-04 Thread Paul Moore
On Thu, Jun 4, 2015 at 5:32 PM, Jan Kara j...@suse.cz wrote: On Thu 04-06-15 09:18:49, Paul Moore wrote: On Thu, Jun 4, 2015 at 3:36 AM, Jan Kara j...@suse.cz wrote: On Wed 03-06-15 14:56:18, Paul Moore wrote: On Tuesday, June 02, 2015 05:08:29 PM Jan Kara wrote: strnlen_user() returns 0

[GIT PULL] Audit patches for 4.2

2015-06-26 Thread Paul Moore
in LSM_AUDIT_DATA_TASK audit message type Shailendra Verma (1): audit: fix for typo in comment to function audit_log_link_denied() kernel/audit.c | 2 +- kernel/auditsc.c | 6 ++ security/lsm_audit.c | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-)

Re: [PATCH] audit: Fix check of return value of strnlen_user()

2015-06-11 Thread Paul Moore
On Tuesday, June 02, 2015 05:08:29 PM Jan Kara wrote: strnlen_user() returns 0 when it hits fault, not -1. Fix the test in audit_log_single_execve_arg(). Luckily this shouldn't ever happen unless there's a kernel bug so it's mostly a cosmetic fix. CC: Paul Moore pmo...@redhat.com Signed-off

Re: [PATCH] audit: Fix check of return value of strnlen_user()

2015-06-04 Thread Paul Moore
On Thu, Jun 4, 2015 at 3:36 AM, Jan Kara j...@suse.cz wrote: On Wed 03-06-15 14:56:18, Paul Moore wrote: On Tuesday, June 02, 2015 05:08:29 PM Jan Kara wrote: strnlen_user() returns 0 when it hits fault, not -1. Fix the test in audit_log_single_execve_arg(). Luckily this shouldn't ever

Re: [PATCH V5 0/5] audit by executable name

2015-05-29 Thread Paul Moore
. Cheers, peter [1] https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html Nope, but Richard is working on it.

Re: [PATCH] kernel:audit - Fix for typo in comment to function audit_log_link_denied().

2015-05-29 Thread Paul Moore
the restriction */ void audit_log_link_denied(const char *operation, struct path *link)

Re: [PATCH 1/1] Obsolete check is now removed.

2015-05-29 Thread Paul Moore

Re: [PATCH] lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type

2015-05-29 Thread Paul Moore
); + audit_log_format(ab, opid=%d ocomm=, pid); audit_log_untrustedstring(ab, memcpy(comm, tsk-comm, sizeof(comm))); }

Re: [PATCH V10] fixup: audit: implement audit by executable

2015-08-12 Thread Paul Moore
On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote: Do you plan to push this fix to next? Patience. Yes, I'll be pushing this to next sometime this week; as usual I'll send mail when I do.

Re: auditing kdbus service names

2015-08-12 Thread Paul Moore
On Wednesday, August 12, 2015 05:38:14 PM Steve Grubb wrote: On Wednesday, August 12, 2015 08:40:34 AM Paul Moore wrote: Hello all, I'm currently working on a set of LSM hooks for the new kdbus IPC mechanism and one of the things that I believe we will need to add is a new audit

Re: [PATCH V10] fixup: audit: implement audit by executable

2015-08-12 Thread Paul Moore
On Wednesday, August 12, 2015 11:19:44 AM Richard Guy Briggs wrote: On 15/08/12, Paul Moore wrote: On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote: Do you plan to push this fix to next? Patience. Yes, I'll be pushing this to next sometime this week; as usual I'll

Re: [PATCH 1/2] audit: log binding and unbinding to netlink multicast socket

2015-07-28 Thread Paul Moore
On Tuesday, July 28, 2015 10:31:54 AM Steve Grubb wrote: On Friday, July 24, 2015 06:54:27 PM Paul Moore wrote: On Thursday, July 23, 2015 04:45:10 PM Steve Grubb wrote: The audit subsystem could use a function that logs the commonly needed fields for a typical audit event. This logs less

Re: [PATCH V5] audit: save signal match info in case entry passed in is the one deleted

2015-08-05 Thread Paul Moore
: + mutex_unlock(audit_filter_mutex); + if (tree) audit_put_tree(tree); /* that's the temporary one */

[PATCH] audit: fix uninitialized variable in audit_add_rule()

2015-08-05 Thread Paul Moore
As reported by the 0-Day testing service: kernel/auditfilter.c: In function 'audit_rule_change': kernel/auditfilter.c:864:6: warning: 'err' may be used uninit... int err; Cc: Richard Guy Briggs r...@redhat.com Signed-off-by: Paul Moore pmo...@redhat.com --- kernel/auditfilter.c |2

Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values

2015-08-05 Thread Paul Moore
On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote: On 15/08/04, Paul Moore wrote: On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote: Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/uapi/linux/audit.h |2 ++ kernel/audit.c

Re: [PATCH V6] audit: save signal match info in case entry passed in is the one deleted

2015-08-05 Thread Paul Moore
, audit_free_rule_rcu); out: + mutex_unlock(audit_filter_mutex); + if (tree) audit_put_tree(tree); /* that's the temporary one */

Re: [PATCH V5] audit: use macros for unset inode and device values

2015-08-05 Thread Paul Moore
+#define AUDIT_DEV_UNSET (unsigned int)-1 I suspect it was lost in the noise when I mentioned it on v4, but how about changing AUDIT_DEV_UNSET to (dev_t)-1?

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Paul Moore
On Fri, Aug 7, 2015 at 12:03 PM, Richard Guy Briggs r...@redhat.com wrote: On 15/08/07, Paul Moore wrote: On Friday, August 07, 2015 02:37:15 AM Richard Guy Briggs wrote: On 15/08/06, Paul Moore wrote: I guess what I'm saying is that I'm not currently convinced that there is enough

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-06 Thread Paul Moore

Re: [PATCH V9 2/3] audit: implement audit by executable

2015-08-06 Thread Paul Moore
); break;

Re: [PATCH V9 1/3] audit: clean simple fsnotify implementation

2015-08-06 Thread Paul Moore
rule from filterlist. */ -static inline int audit_del_rule(struct audit_entry *entry) +int audit_del_rule(struct audit_entry *entry) { struct audit_entry *e; struct audit_tree *tree = entry-rule.tree;

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-06 Thread Paul Moore
On August 6, 2015 5:11:50 PM Steve Grubb sgr...@redhat.com wrote: On Thursday, August 06, 2015 04:24:58 PM Paul Moore wrote: On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote: This adds the ability to audit the actions of children of a not-yet-running process

Re: [PATCH V4 (was V6)] audit: macros to replace unset inode and device values

2015-08-04 Thread Paul Moore
in the patchset, no need to send a cover email, e.g. patch 0/1, just put the text in the patch description itself.

Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values

2015-08-04 Thread Paul Moore
)-1; + found_child-ino = AUDIT_INO_UNSET; } EXPORT_SYMBOL_GPL(__audit_inode_child);

Re: [PATCH V5] audit: use macros for unset inode and device values

2015-08-06 Thread Paul Moore
(found_child, dentry, inode); else - found_child-ino = (unsigned long)-1; + found_child-ino = AUDIT_INO_UNSET; } EXPORT_SYMBOL_GPL(__audit_inode_child);

Re: [PATCH V5] audit: use macros for unset inode and device values

2015-08-06 Thread Paul Moore
On Wednesday, August 05, 2015 11:40:34 PM Richard Guy Briggs wrote: On 15/08/05, Paul Moore wrote: I suspect it was lost in the noise when I mentioned it on v4, but how about changing AUDIT_DEV_UNSET to (dev_t)-1? I saw your comment only after resubmitting. I'm fine either way

Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values

2015-08-07 Thread Paul Moore
and inode values, e.g. -1. While I agree that there is value in auditing by dev/inode, I can't think of a reasonable situation where the user would need to pass an unset/invalid device and/or inode value into the kernel as part of an audit configuration command.

Re: [PATCH V9 2/3] audit: implement audit by executable

2015-08-07 Thread Paul Moore
On Friday, August 07, 2015 02:25:14 AM Richard Guy Briggs wrote: On 15/08/06, Paul Moore wrote: Merged, although some more minor whitespace tweaks were necessary for checkpatch. On a related note, if you're not running ./scripts/checkpatch.pl on your patches before sending them out, I

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Paul Moore
On Friday, August 07, 2015 02:37:15 AM Richard Guy Briggs wrote: On 15/08/06, Paul Moore wrote: I guess what I'm saying is that I'm not currently convinced that there is enough value in this to offset the risk I feel the loop presents. I understand the use cases that you are mentioning

Re: [PATCH V10] fixup: audit: implement audit by executable

2015-08-10 Thread Paul Moore
On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote: On 15/08/10, Paul Moore wrote: On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote: diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 1255dbf..656c7e9 100644 --- a/kernel/audit_watch.c +++ b

Re: [PATCH V10] fixup! audit: add audit by children of executable path

2015-08-10 Thread Paul Moore
On Monday, August 10, 2015 12:53:54 PM Richard Guy Briggs wrote: On 15/08/10, Paul Moore wrote: I'm still not convinced that we need to merge exe child filtering patch so I'm not going to apply this, or your v10 patch, at this point in time. If you want to hold on to the code in case you

Re: [PATCH V10] fixup: audit: implement audit by executable

2015-08-10 Thread Paul Moore
) For the record I'm using gcc v4.9.3 and sparse v0.5.0. + ino = exe_file-f_inode-i_ino; + dev = exe_file-f_inode-i_sb-s_dev; + rcu_read_unlock(); return audit_mark_compare(mark, ino, dev); }

auditing kdbus service names

2015-08-12 Thread Paul Moore
, any objections?

Re: [PATCH V4 (was V6) 2/2] audit: eliminate unnecessary extra layer of watch parent references

2015-08-04 Thread Paul Moore
(krule, parent); - /* match get in audit_find_parent or audit_init_parent */ - audit_put_parent(parent); - h = audit_hash_ino((u32)watch-ino); *list = audit_inode_hash[h]; error:

Re: [PATCH V4 (was V6) 1/2] audit: eliminate unnecessary extra layer of watch references

2015-08-04 Thread Paul Moore
) audit_put_tree(tree); /* that's the temporary one */

Re: [PATCH V4 (was V6)] audit: save signal match info in case entry passed in is the one deleted

2015-08-04 Thread Paul Moore
silly as-is.

Re: [PATCH 1/2] audit: log binding and unbinding to netlink multicast socket

2015-07-24 Thread Paul Moore
), + from_kuid(init_user_ns, audit_get_loginuid(tsk)), + tty, audit_get_sessionid(tsk)); You should check the format string against audit_log_task_info(); they don't match.

Re: [PATCH 2/2] audit: log binding and unbinding to netlink multicast socket

2015-07-24 Thread Paul Moore
(ab, nlnk-grp=%d, group); + audit_log_format(ab, op=%s, op); + audit_log_format(ab, res=%d, !err); + audit_log_end(ab); Any reason we can't do this with one audit_log_format() call? audit_log_format(ab, nlnk-grp=%d op=%s res=%d, group, op, !err);

Re: Auditd framework slowdowns (sometimes freezes) the entire system.

2015-07-21 Thread Paul Moore
for the kernel developers. We only support the two APIs at the moment. We will be doing some rework of the audit APIs that should improve performance, but that is far from being ready.

Re: [PATCH V6 2/2] audit: eliminate unnecessary extra layer of watch parent references

2015-07-16 Thread Paul Moore
) audit_add_to_parent(krule, parent); - /* match get in audit_find_parent or audit_init_parent */ - audit_put_parent(parent); - h = audit_hash_ino((u32)watch-ino); *list = audit_inode_hash[h]; error:

Re: [PATCH V6 1/2] audit: eliminate unnecessary extra layer of watch references

2015-07-16 Thread Paul Moore
, matches initial get */ return err; } Since the error label is now just a return err;, how about removing the label entirely and replacing the gotos with returns?

Re: [PATCH V6 4/4] audit: avoid double copying the audit_exe path string

2015-07-16 Thread Paul Moore
On Thursday, July 16, 2015 10:01:28 PM Richard Guy Briggs wrote: On 15/07/16, Paul Moore wrote: On Tuesday, July 14, 2015 11:50:26 AM Richard Guy Briggs wrote: Make this interface consistent with watch and filter key, avoiding the extra string copy and simply consume the new string

Re: [PATCH V6 4/4] audit: avoid double copying the audit_exe path string

2015-07-16 Thread Paul Moore
bisectable, not mushed with an unrelated feature addition. But it ain't my tree :) It's been a long day, and maybe I'm missing something here, but this patch only affects the new code, no? On Thu, 2015-07-16 at 22:01 -0400, Richard Guy Briggs wrote: On 15/07/16, Paul Moore wrote

Re: [PATCH V6 3/4] audit: convert audit_exe to audit_fsnotify

2015-07-16 Thread Paul Moore
) + audit_remove_mark(entry-rule.exe); if (IS_ERR(nentry)) { /* save the first error encountered for the * return value */

Re: [PATCH V6 4/4] audit: avoid double copying the audit_exe path string

2015-07-16 Thread Paul Moore
); goto exit_free; }

Re: [PATCH V6 2/4] audit: clean simple fsnotify implementation

2015-07-16 Thread Paul Moore
--; - if (!audit_match_signal(entry)) + if (!match) audit_signals--; #endif mutex_unlock(audit_filter_mutex); Is the bit above worthy of its own bugfix patch independent of this fsnotify implementation, or is it only an issue with this new fsnotify code?

Re: [PATCH V6 1/4] audit: implement audit by executable

2015-07-16 Thread Paul Moore
understand what this accomplishes, I'm a little tired right now and I just don't get it.

Re: [PATCH V6 4/4] audit: avoid double copying the audit_exe path string

2015-07-17 Thread Paul Moore
it :) The refcnt stuff is almost surely going to get messy and I would just assume not deal with that right now since it appears to be working. We have other stuff we need to fix first.

Re: [PATCH V6 4/4] audit: avoid double copying the audit_exe path string

2015-07-17 Thread Paul Moore
On Friday, July 17, 2015 12:48:53 PM Richard Guy Briggs wrote: On 15/07/16, Paul Moore wrote: On Thursday, July 16, 2015 10:01:30 PM Eric Paris wrote: I have to admit, I'm partial to not merging this (with the other patches). Changing object lifetimes in what i seem to remember is long

Re: [PATCH V6 1/4] audit: implement audit by executable

2015-07-17 Thread Paul Moore
On Friday, July 17, 2015 11:33:17 AM Richard Guy Briggs wrote: On 15/07/16, Paul Moore wrote: On Tuesday, July 14, 2015 11:50:23 AM Richard Guy Briggs wrote: From: Eric Paris epa...@redhat.com This patch implements the ability to filter on the executable. It is clearly incomplete

Re: Subject: [PATCH 1/1] Fix redundant check against unsigned int in broken audit test fix for exec arg len

2015-07-13 Thread Paul Moore
audit_context *context, * for strings that are too long, we should not have created * any. */ - if (WARN_ON_ONCE(len 0 || len MAX_ARG_STRLEN - 1)) { + if (WARN_ON_ONCE(len MAX_ARG_STRLEN - 1)) { send_sig(SIGKILL, current, 0); return -1; }

Re: [PATCH V6 1/4] audit: implement audit by executable

2015-07-20 Thread Paul Moore
On Friday, July 17, 2015 04:46:18 PM Richard Guy Briggs wrote: On 15/07/17, Paul Moore wrote: You could do a based on or similar tag if you want. I'm honestly not sure what the official tags are beyond signed-off, acked, and reviewed. Those are the only ones I really care about anyway

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-21 Thread Paul Moore
On Sunday, October 18, 2015 12:50:45 PM Scott Matheina wrote: > On 10/14/2015 04:54 PM, Paul Moore wrote: > > On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote: > >> Signed-off-by: Scott Matheina <sc...@matheina.com> > >> --- >

Re: BSides Portland - The Linux Audit Framework

2015-10-22 Thread Paul Moore
by-shift > > I hope you find them useful. I only just quickly skimmed the slides, but thanks for sharing these; it's always nice to have more awareness of what functionality exists.

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Paul Moore
atch, or import it directly via stgit/git/whatever; if I have to transform your patch in some way to get it to apply, I get grumpy, and I don't like to get grumpy. Beyond that, good luck and have fun :)

Re: [PATCH] Fix to:WARNING: please, no space before tabs modified: kernel/auditfilter.c

2015-10-26 Thread Paul Moore
les during filtering. If modified, these structures > + * must be copied and replace their counterparts in the filterlist. > + * An audit_parent struct is not accessed during filtering, so may > + * be written directly provided audit_filter_mutex is held. > */ > > /* Audit filter lists, defi

Re: [PATCH] audit: removing unused variable

2015-10-29 Thread Paul Moore
On Wed, Oct 28, 2015 at 6:12 PM, Joe Perches <j...@perches.com> wrote: > On Wed, 2015-10-28 at 16:35 -0400, Paul Moore wrote: >> On Wednesday, October 28, 2015 09:40:34 AM Saurabh Sengar wrote: >> > variavle rc in not required as it is just used for unchanged for return, &

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-29 Thread Paul Moore
On Tuesday, October 20, 2015 04:41:14 PM Stephen Smalley wrote: > On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore <pmo...@redhat.com> wrote: > > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote: > >> On 10/07/2015 07:08 PM, Paul Moore wrote: > >> > d

Re: Should audit_seccomp check audit_enabled?

2015-10-23 Thread Paul Moore
een a while since we discussed those patches, but if I remember correctly it was going to be very difficult to do it in an arch agnostic way and that was a concern.

Re: [RFC PATCH 0/7] audit: clean up audit queue handling

2015-10-27 Thread Paul Moore
the upcoming merge window. I still need to take a closer look and properly review these patches, but I wanted to let you know why I haven't acted on them yet.

Re: [RFC PATCH 0/7] audit: clean up audit queue handling

2015-10-28 Thread Paul Moore
On Wednesday, October 28, 2015 02:43:18 PM Richard Guy Briggs wrote: > On 15/10/27, Paul Moore wrote: > > On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote: > > > This set of patches cleans up a number of corner cases in the management > &

[PATCH] audit: make audit_log_common_recv_msg() a void function

2015-10-28 Thread Paul Moore
It always returns zero and no one is checking the return value. Signed-off-by: Paul Moore <pmo...@redhat.com> --- kernel/audit.c |8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 0b81880..4d3cdcd 100644 --- a/kernel/audit.c

Re: [PATCH] audit: removing unused variable

2015-10-28 Thread Paul Moore
return rc; > + return 0; > audit_log_format(*ab, "pid=%d uid=%u", pid, uid); > audit_log_session_info(*ab); > audit_log_task_context(*ab); > > - return rc; > + return 0; > } > > int is_audit_feature_set(int i)

Re: Should audit_seccomp check audit_enabled?

2015-10-23 Thread Paul Moore
essage completely (we would still need to do whatever audit records are required, see below). Wearing my audit hat, I want to make sure we tick off all the right boxes for the various certifications that people care about. Steve Grubb has commented on what he needs in the past, although I'm not sure

Re: Should audit_seccomp check audit_enabled?

2015-10-23 Thread Paul Moore
On Fri, Oct 23, 2015 at 4:51 PM, Steve Grubb <sgr...@redhat.com> wrote: > On Friday, October 23, 2015 03:38:05 PM Paul Moore wrote: >> On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keesc...@chromium.org> wrote: >> > On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski

Re: [RFC PATCH 1/7] audit: don't needlessly reset valid wait time

2015-11-04 Thread Paul Moore
ace it with the simple "audit_backlog_wait_time = 0;" unless you can think of a solid reason not to do so. It seems much more obvious and readable to me. -- paul moore www.paul-moore.com

[RFC PATCH] audit: remove audit_backlog_wait_overflow

2015-11-04 Thread Paul Moore
It seems much more obvious and readable to simply use "0". Signed-off-by: Paul Moore <pmo...@redhat.com> --- kernel/audit.c |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5a3ae37..6b4ae65 100644 --- a/kernel/audi

Re: [RFC PATCH 2/7] audit: include auditd's threads in audit_log_start() wait exception

2015-11-04 Thread Paul Moore
ent->tgid) > gfp_mask &= ~__GFP_WAIT; > else > reserve = 0; -- paul moore www.paul-moore.com

Re: SELinux policy reload cannot be sent to audit system

2015-11-03 Thread Paul Moore
that's failing. Did socket fail? Did the send fail? Does it work in permissive > mode? I would also verify that your loaded SELinux policy is not blocking the CAP_AUDIT_WRITE capability or the netlink_audit_socket:nlmsg_relay permission. -- paul moore www.paul-moore.com

[GIT PULL] Audit patches for 4.4

2015-11-04 Thread Paul Moore
-0500) Paul Moore (1): audit: make audit_log_common_recv_msg() a void function Richard Guy Briggs (1): audit: try harder to send to auditd upon netlink failure Saurabh Sengar (1): audit: removing unused variable

Re: Audit Framework and namespaces

2015-11-03 Thread Paul Moore
On Tue, Nov 3, 2015 at 12:34 PM, Gulland, Scott A <scott.gull...@hpe.com> wrote: > Does the audit framework work with linux namespaces? I'm sorry, you'll have to be more specific than that; what exactly are you interested in with respect to audit and namespaces? -- paul moore www.paul-

Re: [GIT PULL] Audit patches for 4.4

2015-11-04 Thread Paul Moore
On Wednesday, November 04, 2015 08:34:12 AM Paul Moore wrote: > Hi Linus, > > Seven audit patches for 4.4, but really only one of any significant value, > the remainder are trivial cleanups that are described well enough in the > patch descriptions. The one significant patc

Re: [RFC PATCH 3/7] audit: allow systemd to use queue reserves

2015-11-05 Thread Paul Moore
ve = 0; > > - RGB > > -- > Richard Guy Briggs <rbri...@redhat.com> > Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, > Red Hat Remote, Ottawa, Canada > Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- paul moore www.paul-moore.com

Re: [RFC PATCH 6/7] audit: wake up audit_backlog_wait queue when auditd goes away.

2015-11-05 Thread Paul Moore
ask, sleep_time = timeout_start + > audit_backlog_wait_time - jiffies; if (sleep_time > 0) { > sleep_time = wait_for_auditd(sleep_time); > - if (sleep_time > 0) > + if (audit_pid && sleep_time > 0) >
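Review bot: the new `audit_pid && sleep_time > 0` guard is evaluated only after `wait_for_auditd(sleep_time)` returns, so the change is correct only if `audit_pid` is cleared before the wait queue is woken when auditd goes away; that ordering is not visible in this hunk, so a short comment on the condition pointing at where `audit_pid` is cleared would make the dependency explicit for the next reader.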
