On 2018-11-11 17:24, Ondrej Mosnacek wrote:
> Hi Richard,
> On Fri, Nov 9, 2018 at 11:04 PM Richard Guy Briggs wrote:
> > Hi Paul, Ondrej,
> >
> > I've got a couple of patches with two different approaches to address
> > ghak100:
> > https://githu
On 2018-11-12 12:32, Ondrej Mosnacek wrote:
> On Sun, Nov 11, 2018 at 11:36 PM Richard Guy Briggs wrote:
> > On 2018-11-11 17:24, Ondrej Mosnacek wrote:
> > > Hi Richard,
> > > On Fri, Nov 9, 2018 at 11:04 PM Richard Guy Briggs
> > > wrote:
> > >
On 2018-11-12 15:02, Ondrej Mosnacek wrote:
> On Mon, Nov 12, 2018 at 2:32 PM Richard Guy Briggs wrote:
> > On 2018-11-12 12:32, Ondrej Mosnacek wrote:
> > > On Sun, Nov 11, 2018 at 11:36 PM Richard Guy Briggs
> > > wrote:
> > > > On 2018-11-11 17:24, Ondr
On 2018-11-12 15:37, Ondrej Mosnacek wrote:
> On Mon, Nov 12, 2018 at 12:32 PM Ondrej Mosnacek wrote:
> > On Sun, Nov 11, 2018 at 11:36 PM Richard Guy Briggs wrote:
> > > On 2018-11-11 17:24, Ondrej Mosnacek wrote:
> > > > Hi Richard,
> > > > On Fri,
cast socket? If not, there is no need for it
to check or have CAP_AUDIT_READ.
Having audit_can_read() available in lib/libaudit.c is certainly useful
regardless for other potential libaudit users like systemd.
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Rem
On 2018-11-15 09:51, Steve Grubb wrote:
> On Wed, 14 Nov 2018 19:57:07 -0500
> Richard Guy Briggs wrote:
>
> > Hi Steve,
> >
> > In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> > check rather than uid") a switch was made fr
On 2018-11-15 23:45, Steve Grubb wrote:
> On Thu, 15 Nov 2018 08:23:46 -0500
> Richard Guy Briggs wrote:
>
> > > I thought that the prime audit connection requires a capability
> > > check to ensure a process without proper privilege does not replace
> > >
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 15 ++-
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..90cbc89fd6d2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2057,11 +2057,16 @@ void audit
Remove the CONFIG_AUDIT_WATCH and CONFIG_AUDIT_TREE config options since
they are both dependent on CONFIG_AUDITSYSCALL and force
CONFIG_FSNOTIFY.
Signed-off-by: Richard Guy Briggs
---
init/Kconfig | 9 -
kernel/Makefile | 4 +---
kernel/audit.h | 6 +++---
kernel/auditsc.c
cker
https://github.com/linux-audit/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs
---
fs/namei.c| 2 +-
fs/namespace.c| 3 +++
include/linux/audit.h | 8 ++--
kernel/audit.c| 5 +++--
kernel/audit.h| 2 +-
kernel/auditsc.c | 6 +++---
6 files c
The audit_log_session_info() function is only used in kernel/audit*, so
move its prototype to kernel/audit.h
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 2 --
kernel/audit.h| 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/audit.h b
://github.com/linux-audit/audit-kernel/issues/100
Richard Guy Briggs (2):
audit: avoid fcaps on MNT_FORCE
audit: moar filter PATH records keyed on filesystem magic
fs/namei.c| 2 +-
fs/namespace.c| 3 +++
include/linux/audit.h | 8 ++--
kernel/audit.c| 5 +++--
kernel
x-audit/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 23 +++
1 file changed, 23 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d39a7fbaf944..59d6d3fbc00e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1777
: Richard Guy Briggs
---
kernel/audit.c | 6 +++---
kernel/audit_fsnotify.c | 5 ++---
kernel/audit_watch.c| 5 ++---
3 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..6c53e373b828 100644
--- a/kernel/audit.c
+++ b/kernel
On 2018-11-19 16:22, Paul Moore wrote:
> On Fri, Nov 16, 2018 at 12:10 PM Richard Guy Briggs wrote:
> >
> > Since the vast majority of files (99.993% on a typical system) have no
> > fcaps, display "0" instead of the full zero-padded 16 hex digits in the
> >
On 2018-11-19 13:47, Miklos Szeredi wrote:
> On Fri, Nov 16, 2018 at 6:34 PM Richard Guy Briggs wrote:
> >
> > Don't fetch fcaps when umount2 is called with MNT_FORCE to avoid a
> > process hang while it waits for the missing resource to (possibly never)
> > re
On 2018-11-20 09:17, Miklos Szeredi wrote:
> On Mon, Nov 19, 2018 at 11:59 PM Richard Guy Briggs wrote:
>
> > The simple answer is that the audit PATH record format expects the four
> > cap_f* fields to be there and a best effort is being attempted to fill
> > in that in
if (unlikely(!ab))
> return;
>
> - audit_log_format(ab, "op=seccomp-logging");
> - audit_log_format(ab, " actions=%s", names);
> - audit_log_format(ab, " old-actions=%s", old_names);
> - audit_log_format(ab, " res=%d", res);
> + audit_log_format(ab,
> + "op=seccomp-logging actions=%s old-actions=%s res=%d",
> + names, old_names, res);
> audit_log_end(ab);
> }
>
>
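Review bot: consolidating the four audit_log_format() calls into one keeps the record text byte-for-byte identical (the leading space before each field moves into the single format string, and the argument order names, old_names, res matches the %s, %s, %d conversions), so this is a pure style change with no effect on consumers parsing op=seccomp-logging; the `if (unlikely(!ab)) return;` guard above still protects the merged call.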
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t, context);
> }
>
> static inline void handle_one(const struct inode *inode)
> @@ -2025,7 +2021,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid,
> kuid_t kloginuid,
> uid = from_kuid(&init_user_ns, task_uid(current));
> oldloginuid = from_kuid(&in
to write it directly to disk in the kernel if that
is what you are asking.
> Ran
- RGB
On 2018-02-15 15:42, Paul Moore wrote:
> On Mon, Feb 12, 2018 at 7:29 AM, Richard Guy Briggs wrote:
> > The arch_f pointer was added to the struct audit_krule in commit:
> > e54dc2431d740a79a6bd013babade99d71b1714f ("audit signal recipients")
> >
> > This is
ypted log files, then you may be out of luck.
> ran
- RGB
On 2018-11-26 11:37, Paul Moore wrote:
> On Sun, Nov 25, 2018 at 12:11 PM Richard Guy Briggs wrote:
> > On 2018-02-15 15:42, Paul Moore wrote:
> > > On Mon, Feb 12, 2018 at 7:29 AM, Richard Guy Briggs
> > > wrote:
> > > > The arch_f pointer was ad
Signed-off-by: Richard Guy Briggs
Acked-by: Steve Grubb
---
Changelog:
v2:
- switch to cap_isclear() and condense logic
kernel/audit.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..55b2079145dc 100644
--- a
the associated syscall event by
the user library due to the EOE record flagging the end of the event.
See: https://github.com/linux-audit/audit-kernel/issues/50
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 4 ++--
kernel
t(2018-06-14 14:55:04.507:47) : op=set
audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/a
Give a clue as to the source of mark, watch and tree rule changes.
See: https://github.com/linux-audit/audit-kernel/issues/50
See: https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 4 ++--
kernel/audit_fsnotify.c | 2
g_user_recv_msg() and squash into record connection
- squash kill_trees context handling with kill-trees before EOE
- rebase on audit/next (v4.20-rc1) with 2a1fe215e730 ("audit: use current
whenever possible")
- remove parens in extended format
v2:
- re-order audit_log_exit() and audit_
-off-by: Richard Guy Briggs
---
kernel/audit.c | 27 +++
kernel/audit_fsnotify.c | 2 +-
kernel/audit_tree.c | 2 +-
kernel/audit_watch.c| 2 +-
kernel/auditfilter.c| 2 +-
5 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/kernel/audit.c
On 2018-12-11 17:31, Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> > Make a number of changes to normalize CONFIG_CHANGE records by adding
> > missing op= fields, providing more information in existing op fields
> > (optional last patc
On 2018-12-11 18:26, Paul Moore wrote:
> On Tue, Dec 11, 2018 at 5:41 PM Richard Guy Briggs wrote:
> > On 2018-12-11 17:31, Paul Moore wrote:
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > wrote:
>
> ...
>
> > > > Richard G
On 2018-12-13 18:23, Paul Moore wrote:
> On Thu, Dec 13, 2018 at 6:17 PM Paul Moore wrote:
> > If the point of the lost_reset test is to flood the system with audit
> > records, why are we restricting ourselves with a filter? Let's log
> > everything.
> >
> > tests/lost_reset/test |4 ++--
>
On 2018-12-14 10:53, Paul Moore wrote:
> On Thu, Dec 13, 2018 at 8:59 PM Richard Guy Briggs wrote:
> > On 2018-12-13 18:23, Paul Moore wrote:
> > > On Thu, Dec 13, 2018 at 6:17 PM Paul Moore wrote:
> > > > If the point of the lost_reset test is to flood the system w
On 2018-12-12 08:03, Paul Moore wrote:
> On Fri, Nov 16, 2018 at 12:34 PM Richard Guy Briggs wrote:
> > On user and remote filesystems, a forced umount can still hang due to
> > attempting to fetch the fcaps of a mounted filesystem that is no longer
> > available.
> >
On 2018-12-14 15:35, Paul Moore wrote:
> On Fri, Dec 14, 2018 at 11:12 AM Richard Guy Briggs wrote:
> > On 2018-12-14 10:53, Paul Moore wrote:
> > > On Thu, Dec 13, 2018 at 8:59 PM Richard Guy Briggs
> > > wrote:
> > > > On 2018-12-13 18:23, Paul Moore wro
On 2018-12-14 17:02, Paul Moore wrote:
> On Fri, Dec 14, 2018 at 11:27 AM Richard Guy Briggs wrote:
> > On 2018-12-12 08:03, Paul Moore wrote:
> > > On Fri, Nov 16, 2018 at 12:34 PM Richard Guy Briggs
> > > wrote:
> > > > On user and remote filesystems
On 2018-10-31 15:30, Richard Guy Briggs wrote:
> On 2018-10-19 19:18, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs wrote:
> > > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > > event standalone records. Iterate
On 2019-01-03 08:15, Guenter Roeck wrote:
> Hi,
>
> On Tue, Jul 31, 2018 at 04:07:35PM -0400, Richard Guy Briggs wrote:
> > Implement kernel audit container identifier.
>
> I don't see a follow-up submission of this patch series. Has it been
> abandoned,
> or
On 2019-01-03 10:58, Guenter Roeck wrote:
> Hi Richard,
>
> On Thu, Jan 03, 2019 at 12:36:13PM -0500, Richard Guy Briggs wrote:
> > On 2019-01-03 08:15, Guenter Roeck wrote:
> > > Hi,
> > >
> > > On Tue, Jul 31, 2018 at 04:07:35PM -0400, Richard Guy Br
0, Paul Moore wrote:
> On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs wrote:
> > On 2018-10-19 19:15, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs
> wrote:
> > > > The audit-related parameters in struct task_struct
> should ide
On 2019-01-03 15:33, Paul Moore wrote:
> On Thu, Jan 3, 2019 at 3:29 PM Richard Guy Briggs wrote:
> > I'm not sure what's going on here, but it looks like HTML-encoded reply
> > quoting making the quoted text very difficult to read. All the previous
> > &quo
On 2019-01-03 18:50, Guenter Roeck wrote:
> Hi Richard,
>
> On Tue, Jul 31, 2018 at 04:07:36PM -0400, Richard Guy Briggs wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> >
On 2019-01-03 15:11, Paul Moore wrote:
> On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs wrote:
> > On 2018-10-19 19:17, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs
> wrote:
> > > > Add audit container identifier auxiliary record
On 2019-01-10 20:12, Paul Moore wrote:
> On Thu, Jan 10, 2019 at 5:59 PM Richard Guy Briggs wrote:
> > On 2019-01-03 15:11, Paul Moore wrote:
> > > On Wed, Oct 31, 2018 at 5:17 PM Richard Guy Briggs
> > > wrote:
> > > > On 2018-10-19 19:17, Paul Moore wr
On 2019-01-14 17:58, Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> > Tie syscall information to all CONFIG_CHANGE calls since they are all a
> > result of user actions.
> >
> > Exclude user records from syscall cont
On 2019-01-17 10:32, Steve Grubb wrote:
> On Mon, 14 Jan 2019 17:58:58 -0500
> Paul Moore wrote:
>
> > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > wrote:
> > >
> > > Tie syscall information to all CONFIG_CHANGE calls since they are
> >
On 2019-01-17 08:21, Paul Moore wrote:
> On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > On Mon, 14 Jan 2019 17:58:58 -0500 Paul Moore wrote:
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > wrote:
> > > > Tie syscall information to
On 2019-01-17 10:05, Richard Guy Briggs wrote:
> On 2019-01-17 10:32, Steve Grubb wrote:
> > On Mon, 14 Jan 2019 17:58:58 -0500
> > Paul Moore wrote:
> >
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > wrote:
> > > >
> &g
gt; > > > wrote:
> > > > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > > > wrote:
> > > > > > Tie syscall information to all CONFIG_CHANGE calls since they
> > > > > > are all a result of user actions.
> I s
| 6 ++
> kernel/auditsc.c | 4 ++--
> kernel/seccomp.c | 4 ++--
> 36 files changed, 148 insertions(+), 47 deletions(-)
> create mode 100644 arch/m68k/include/asm/syscall.h
> create mode 100644 arch/unicore32/include/asm/syscall.h
On 2019-01-17 12:58, Paul Moore wrote:
> On Thu, Jan 17, 2019 at 10:34 AM Richard Guy Briggs wrote:
> >
> > On 2019-01-17 08:21, Paul Moore wrote:
> > > On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > > > On Mon, 14 Jan 2019 17:58:58 -0500 Paul Moore
On 2019-01-17 22:26, Paul Moore wrote:
> On Thu, Jan 17, 2019 at 6:19 PM Richard Guy Briggs wrote:
> > On 2019-01-17 12:58, Paul Moore wrote:
> > > On Thu, Jan 17, 2019 at 10:34 AM Richard Guy Briggs
> > > wrote:
> > > >
> > > > On 2019-01-1
-off-by: Richard Guy Briggs
---
Changelog:
v4:
- rebase on v5.0-rc1
- remove audit_log_config_change_alt() and call
audit_log_common_recv_msg() directly
- remove audit_tree_log_remove_rule() change superseded by patch v3-3/4
Passes audit-testsuite, no issues identified with ausearch-test.
kernel
p;scontext_len);
> - if (rc)
> - audit_log_format(ab, " tsid=%d", tsid);
> - else {
> - audit_log_format(ab, " tcontext=%s", scontext);
> - kfree(scontext);
> - }
> + avc_dump_sid(ab, state, ssid, 's');
>
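Review bot: the removed lines handle the target side (tsid, tcontext, and the kfree(scontext) on the else path), but the only visible replacement is avc_dump_sid(ab, state, ssid, 's') for the source side; confirm that the matching avc_dump_sid(ab, state, tsid, 't') call is also added by this hunk and that avc_dump_sid() frees the context buffer it looks up, otherwise the tcontext output and the free of scontext are lost with this change.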
/linux-audit/audit-kernel/issues/104
Signed-off-by: Richard Guy Briggs
---
fs/proc/base.c| 6 ++--
include/linux/audit.h | 42 +
include/linux/sched.h | 2 +-
init/init_task.c | 2 +-
kernel/audit.c| 85
Compiles and boots with config AUDITSYSCALL def_bool n in init/Kconfig.
Verified syscall code is not present in resulting kernel.
Richard Guy Briggs (2):
audit: clean up AUDITSYSCALL prototypes and stubs
audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL
include/linux
Pull together all the audit syscall watch, mark and tree prototypes and
stubs into the same ifdef.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.h | 64 ++
1 file changed, 33 insertions(+), 31 deletions(-)
diff --git a/kernel/audit.h
only used by syscall auditing.
See github issue https://github.com/linux-audit/audit-kernel/issues/105
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h | 2 +-
kernel/audit.c| 155 +++---
kernel/audit.h| 9 ---
kernel
inux-audit/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs
---
fs/namei.c| 2 +-
fs/namespace.c| 2 ++
include/linux/audit.h | 15 ++-
include/linux/namei.h | 3 +++
kernel/audit.c| 10 +-
kernel/audit.h| 2 +-
kernel/auditsc.c
e filesystems.
Note: refactor __audit_inode_child() to remove two levels of if
indentation.
Please see the github issue tracker
https://github.com/linux-audit/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 35 +++
1 file changed,
usage
conflict
- don't depend on MNT_FORCE
- rename AUDIT_INODE_NOREVAL to AUDIT_INODE_NOREVAL to be consistent
- rename lflags to flags and flags to aflags
- document LOOKUP_ flags
- signal cap_* values unknown and set cap_* fields to "?" indicating so
Richard Guy Briggs (2)
om/linux-audit/audit-kernel/issues/103
Signed-off-by: Richard Guy Briggs
---
Passes audit-testsuite.
include/linux/capability.h | 5 +++--
kernel/audit.c | 6 --
kernel/audit.h | 1 +
kernel/auditsc.c | 4
security/commoncap.c | 2 ++
5 files ch
On 2019-01-03 15:10, Paul Moore wrote:
> On Thu, Nov 1, 2018 at 6:07 PM Richard Guy Briggs wrote:
> > On 2018-10-19 19:15, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs wrote:
> > > > The audit-related parameters in struct
On 2019-01-22 17:07, Richard Guy Briggs wrote:
> Remove audit_context from struct task_struct and struct audit_buffer
> when CONFIG_AUDIT is enabled but CONFIG_AUDITSYSCALL is not.
>
> Also, audit_log_name() (and supporting inode and fcaps functions) should
> have been put back in
On 2019-01-25 16:45, Paul Moore wrote:
> On Wed, Jan 23, 2019 at 1:35 PM Richard Guy Briggs wrote:
> > Don't fetch fcaps when umount2 is called to avoid a process hang while
> > it waits for the missing resource to (possibly never) re-appear.
> >
> > Note the comme
only used by syscall auditing.
See github issue https://github.com/linux-audit/audit-kernel/issues/105
Signed-off-by: Richard Guy Briggs
---
Changelog:
v2:
- resolve merge conflicts from rebase on upstreamed ghak103 patch
- wrap task_struct audit_context in CONFIG_AUDITSYSCALL
include/linux
syscall
> > > > auditing Kconfig knob entirely.
> > > >
> > > > If you wanted to put together a patch that added a single "-a
> > > > never,task" rule on boot I could get behind that, just make it
> > > > default to off.
> &
On 2019-01-29 18:07, Paul Moore wrote:
> On Mon, Jan 28, 2019 at 1:33 PM Richard Guy Briggs wrote:
> > Remove audit_context from struct task_struct and struct audit_buffer
> > when CONFIG_AUDIT is enabled but CONFIG_AUDITSYSCALL is not.
> >
> > Also, audit_log_name(
On 2019-01-29 18:26, Paul Moore wrote:
> On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs wrote:
> > On 2019-01-29 18:07, Paul Moore wrote:
> > > On Mon, Jan 28, 2019 at 1:33 PM Richard Guy Briggs
> > > wrote:
> > > > Remove audit_context from str
RGB
Audit: Introduce generic
Audit LSM hooks") but appears to have never been used.
Remove it.
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/107
Signed-off-by: Richard Guy Briggs
---
Passes audit-testsuite.
include/linux/lsm_hooks.h | 4 +---
On 2019-01-31 23:15, Paul Moore wrote:
> On Thu, Jan 31, 2019 at 11:52 AM Richard Guy Briggs wrote:
> >
> > The audit_rule_match() struct audit_context *actx parameter is not used
> > by any in-tree consumers (selinux, apparmor, integrity, smack).
> >
> > The a
On 2019-02-01 16:05, Paul Moore wrote:
> On Fri, Feb 1, 2019 at 3:42 PM Nathan Chancellor
> wrote:
> > On Wed, Jan 23, 2019 at 01:35:00PM -0500, Richard Guy Briggs wrote:
> > > Don't fetch fcaps when umount2 is called to avoid a process hang while
> > > i
On 2019-02-01 17:24, Paul Moore wrote:
> On Thu, Jan 31, 2019 at 10:53 PM Paul Moore wrote:
> > On Tue, Jan 29, 2019 at 9:54 PM Richard Guy Briggs wrote:
> > > On 2019-01-29 18:26, Paul Moore wrote:
> > > > On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs
>
On 2019-02-01 16:57, Richard Guy Briggs wrote:
> On 2019-02-01 16:05, Paul Moore wrote:
> > On Fri, Feb 1, 2019 at 3:42 PM Nathan Chancellor
> > wrote:
> > > On Wed, Jan 23, 2019 at 01:35:00PM -0500, Richard Guy Briggs wrote:
> > > > Don't fetch fcaps
only used by syscall auditing.
See github issue https://github.com/linux-audit/audit-kernel/issues/105
Signed-off-by: Richard Guy Briggs
---
Tested with CONFIG_AUDITSYSCALL automatically set "y" and manually set
"n". Passes all audit-testsuite with the former and the expect
auditsc_get_stamp() and audit_serial() are internal audit functions so
move their prototypes from include/linux/audit.h to kernel/audit.h
so they are not visible to the rest of the kernel.
Signed-off-by: Richard Guy Briggs
---
Passes audit-testsuite with CONFIG_AUDITSYSCALL set automatically and
AUDIT_TTY records were logged as separate events from their syscall
records. Join them so they are logged as the single event that they
are.
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/106
Signed-off-by: Richard Guy Briggs
---
Tested with ausearch-test-0.6
hub.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditing-of-changes-to-system-clock
>
> Testing: Passed audit-testsuite; functional tests TBD
Reviewed-by: Richard Guy Briggs
How do you plan to test this in the audit-testsuite?
> Changes in v6:
> - Reorganized the patches to grou
tidion in net/rfkill/core.c to avoid contid name
collision
v2
- add check for children and threads
- add network namespace container identifier list
- add NETFILTER_PKT audit container identifier logging
- patch description and documentation clean-up and example
- reap unused ppid
Richard Guy Briggs (
90
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 49 +++
include/linux/sched.h | 7 +
init/init_task.c | 3 +--
init/main.c | 2 ++
kernel/audit.c| 71 +--
kernel/audit.h
: 18446744073709551615).
This read requires CAP_AUDIT_CONTROL.
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
---
fs/proc/base.c | 23 +--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2505c46c8701..0b833cbdf5b6 100644
--- a
b.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
Acked-by: Steve Grubb
Signed-off-by: Richard Guy Briggs
---
fs/proc/base.c | 36
include/linux/audit.h | 25
64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
Acked-by: Steve Grubb
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 5 +
include/uapi/linux/audit.h | 1 +
kernel/audit.c
Add audit container identifier support to ptrace and signals. In
particular, the "ref" field provides a way to label the auxiliary record
to which it is associated.
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
Signed-off-by: Richard Guy Briggs
---
include/linux/au
Add audit container identifier auxiliary record to user event standalone
records.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index cfa659b3f6c4..cf448599ef34 100644
--- a
discarded immediately after the local associated records are
produced.
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
---
include/linux/audit.h | 8
kernel/audit.h| 1 +
kernel/auditsc.c | 35 ++-
3 files changed, 39 insertions(+), 5
: Richard Guy Briggs
Acked-by: Serge Hallyn
---
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 5 -
kernel/audit.h | 1 +
kernel/auditfilter.c | 47 ++
kernel/auditsc.c | 3 +++
5 files changed, 56
Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records. Iterate through all potential audit container
identifiers associated with a network namespace.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h| 5 +
kernel/audit.c | 41
that drops a net namespace
- setns call that drops a net namespace
See: https://github.com/linux-audit/audit-kernel/issues/92
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs
Signed-off-by: Richard Guy Briggs
---
auparse/normalize_record_map.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/auparse/normalize_record_map.h b/auparse/normalize_record_map.h
index 085437f67724..e0135c65ae85 100644
--- a/auparse/normalize_record_map.h
+++ b/auparse
Add the audit_get_containerid() call analogous to audit_getloginuid()
and audit_get_session() calls to get our own audit container identifier.
This is intended as a debug patch, not to be upstreamed.
Signed-off-by: Richard Guy Briggs
---
docs/Makefile.am | 2 +-
docs
options help text
- update ausearch parser and error codes
v2
- rebase on UINT_MAX patch
- add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch,
normalization
Richard Guy Briggs (6):
AUDIT_CONTAINER_OP message type basic support
AUDIT_CONTAINER_ID message type basic support
/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs
---
lib/libaudit.h| 4
lib/msg_typetab.h | 1 +
2 files changed, 5 insertions(+)
diff --git a/lib/libaudit.h b
tion.
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs
Add support to ausearch for searching on the containerid field in
records.
Signed-off-by: Richard Guy Briggs
---
src/aureport-options.c | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-match.c | 3 +
src/ausearch-options.c | 47 +++-
src
-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs
---
lib/libaudit.h| 4
lib
On 2019-03-15 14:29, Richard Guy Briggs wrote:
> Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> event standalone records. Iterate through all potential audit container
> identifiers associated with a network namespace.
Ugh, noticed a stray tailing whitesp
keyword "locked" appears in the record.
Normalize this by changing it to "xattr=(locked)".
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/109
Signed-off-by: Richard Guy Briggs
---
security/integrity/evm/evm_secfs.c | 5 +++--
1 file changed, 3
On 2019-03-18 07:10, Neil Horman wrote:
> On Fri, Mar 15, 2019 at 02:29:51PM -0400, Richard Guy Briggs wrote:
> > Add support for reading the audit container identifier from the proc
> > filesystem.
> >
> > This is a read from the proc entry of the form
> > /pro