[PATCH] audit: reduce scope of audit_net_id

2014-06-16 Thread Richard Guy Briggs
audit_net_id isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 59c0bbe..bdd0172 100644 --- a/kernel/audit.c

[PATCH] audit: reduce scope of audit_log_fcaps

2014-06-16 Thread Richard Guy Briggs
audit_log_fcaps() isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- kernel/audit.h |1 - 2 files changed, 1 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index bdd0172..3225a5d

[PATCH] audit: use union for audit_field values since they are mutually exclusive

2014-06-16 Thread Richard Guy Briggs
Since only one of val, uid and gid are used at any given time, combine them to reduce the size of the struct audit_field. Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |8 +--- kernel/auditfilter.c |2 -- 2 files changed, 5 insertions(+), 5 deletions

Re: aulast only displaying reboot pseudo-users

2014-06-17 Thread Richard Guy Briggs
to display these things... Agreed. One lesson here? Let's get a minimum useful subset of http://people.redhat.com/sgrubb/audit/audit-parse.txt into linux-2.6/Documentation/ tree to try to avoid this issue in the future. - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel

Re: aulast only displaying reboot pseudo-users

2014-06-17 Thread Richard Guy Briggs

[PATCH] fixup! audit: use union for audit_field values since they are mutually exclusive

2014-06-17 Thread Richard Guy Briggs
Eric Paris suggested lsm_str and lsm_rule could be added to this optimisation. audit_free_rule needed a bit of re-factoring to accomplish this, but nothing too controversial. Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |6 -- kernel/auditfilter.c | 27

[PATCH] [STABLE] audit: remove superfluous new- prefix in AUDIT_LOGIN messages

2014-06-17 Thread Richard Guy Briggs
The new- prefix on ses and auid are un-necessary and break ausearch. Upstream-commit: aa589a1 Cc: sta...@vger.kernel.org # v3.14-rc1 to v3.14 Reported-by: Steve Grubb sgr...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 +- 1 files changed, 1 insertions

[PATCH 00/14] audit by executable name

2014-06-17 Thread Richard Guy Briggs
of the features involved or attempt to solve problems that don't exist. Posting this now to clarify some of that and move on... Eric Paris (3): audit: implement audit by executable audit: clean simple fsnotify implementation audit: convert audit_exe to audit_fsnotify Richard Guy Briggs (11): fixup

[PATCH 11/14] fixup! audit: implement audit by executable

2014-06-17 Thread Richard Guy Briggs
Add space for consistency. --- kernel/auditfilter.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index eede673..f40c13b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1012,6 +1012,7 @@ int

[PATCH 08/14] fixup! audit: clean simple fsnotify implementation

2014-06-17 Thread Richard Guy Briggs
Remove redundant goto. --- kernel/audit_fsnotify.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index 0fda71f..d169326 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -134,7 +134,6 @@ struct

[PATCH 09/14] audit: put rule existence check in canonical order

2014-06-17 Thread Richard Guy Briggs
--- kernel/auditfilter.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c52cbc0..cae8eae 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -148,7 +148,7 @@ static inline int audit_to_inode(struct

[PATCH 03/14] audit: convert audit_exe to audit_fsnotify

2014-06-17 Thread Richard Guy Briggs
will just continue to work. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |2 +- kernel/audit.h| 31 - kernel/audit_exe.c| 87 +++-- kernel

[PATCH 07/14] fixup! audit: convert audit_exe to audit_fsnotify

2014-06-17 Thread Richard Guy Briggs
Put audit_alloc_mark() arguments in same order as watch, tree and inode. --- kernel/audit.h |2 +- kernel/audit_exe.c |2 +- kernel/audit_fsnotify.c |2 +- kernel/auditfilter.c|2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit.h

[PATCH 06/14] audit: avoid double copying the audit_exe path string

2014-06-17 Thread Richard Guy Briggs
--- kernel/audit_fsnotify.c | 12 ++-- kernel/auditfilter.c|2 +- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index 707df2b..07e 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -99,7

[PATCH 04/14] fixup! audit: convert audit_exe to audit_fsnotify

2014-06-17 Thread Richard Guy Briggs
Remove unnecessary space. --- kernel/auditfilter.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 30091ce..94b6af1 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -551,7 +551,6 @@ static struct audit_entry

[PATCH 02/14] audit: clean simple fsnotify implementation

2014-06-17 Thread Richard Guy Briggs
the audit_fsnotify code to support that hierarchy if the optimization is necessary. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/Makefile |2 +- kernel/audit.h | 29 ++ kernel/audit_fsnotify.c | 251

[PATCH 13/14] audit: continue fleshing out audit by exe

2014-06-17 Thread Richard Guy Briggs
--- include/linux/audit.h |1 + kernel/audit.h |1 + kernel/audit_fsnotify.c | 15 +++ kernel/auditfilter.c| 21 - 4 files changed, 37 insertions(+), 1 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index

[PATCH 01/14] audit: implement audit by executable

2014-06-17 Thread Richard Guy Briggs
. But at this moment, this patch works. Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com Cc: r...@redhat.com Based-on-idea-by: Peter Moody pmo...@google.com Cc: pmo...@google.com Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include

[PATCH 12/14] fixup! audit: clean simple fsnotify implementation

2014-06-17 Thread Richard Guy Briggs
Rename audit_remove_rule() to audit_remove_mark_rule(). --- kernel/audit_fsnotify.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index d169326..efefa16 100644 --- a/kernel/audit_fsnotify.c +++

[PATCH 14/14] audit: enable audit_get/put_mark()

2014-06-17 Thread Richard Guy Briggs
--- kernel/audit.h |2 ++ kernel/audit_fsnotify.c |6 +++--- kernel/auditfilter.c| 10 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 2093c5e..3151ae5 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@

[PATCH 10/14] fixup! audit: implement audit by executable

2014-06-17 Thread Richard Guy Briggs
Check for existence of exe rule. --- kernel/audit_tree.c |2 +- kernel/audit_watch.c |2 +- kernel/auditfilter.c |4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 135944a..b4bf5d2 100644 --- a/kernel/audit_tree.c

Re: [PATCH 14/14] audit: enable audit_get/put_mark()

2014-06-18 Thread Richard Guy Briggs
myself they are needed, but I'll figure that out after I read more carefully your comments to the previous patch. On Tue, 17 Jun 2014 23:09:49 -0400 Richard Guy Briggs r...@redhat.com wrote: --- kernel/audit.h |2 ++ kernel/audit_fsnotify.c |6 +++--- kernel/auditfilter.c

Re: [Linux-ima-user] [PATCH] audit: fix dangling keywords in integrity ima message output

2014-06-18 Thread Richard Guy Briggs
On 14/06/17, Mimi Zohar wrote: On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote: Replace spaces in op keyword labels in log output since userspace audit tools can't parse orphaned keywords. The patch didn't apply cleanly to linux-integrity/#next. Please take a look

[PATCH 00/12] [V3] audit by executable name

2014-07-02 Thread Richard Guy Briggs
.html v0: Peter Moodie's original patches Next step: Get full-path notify working. Eric Paris (3): audit: implement audit by executable audit: clean simple fsnotify implementation audit: convert audit_exe to audit_fsnotify Richard Guy Briggs (9): fixup! audit: clean simple fsnotify

[PATCH 06/12] [V3] fixup! audit: clean simple fsnotify implementation

2014-07-02 Thread Richard Guy Briggs
Rename several watch references to mark. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_fsnotify.c | 16 1 files changed, 8 insertions(+), 8 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index b936213..c66e91b 100644

[PATCH 12/12] [V3] fixup! audit: clean simple fsnotify implementation

2014-07-02 Thread Richard Guy Briggs
Let audit_free_rule() take care of calling audit_remove_mark(). Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c |5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e9d0b2f..ff99749 100644

[PATCH 08/12] [V3] fixup! audit: convert audit_exe to audit_fsnotify

2014-07-02 Thread Richard Guy Briggs
Put audit_alloc_mark() arguments in same order as watch, tree and inode. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.h |2 +- kernel/audit_exe.c |2 +- kernel/audit_fsnotify.c |2 +- kernel/auditfilter.c|2 +- 4 files changed, 4 insertions

[PATCH 01/12] [V3] audit: implement audit by executable

2014-07-02 Thread Richard Guy Briggs
. But at this moment, this patch works. Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com Cc: r...@redhat.com Based-on-idea-by: Peter Moody pmo...@google.com Cc: pmo...@google.com Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include

[PATCH 07/12] [V3] audit: avoid double copying the audit_exe path string

2014-07-02 Thread Richard Guy Briggs
Make this interface consistent with watch and filter key, avoiding the extra string copy and simply consume the new string pointer. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_fsnotify.c | 12 ++-- kernel/auditfilter.c|2 +- 2 files changed, 3 insertions

[PATCH 10/12] [V3] fixup! audit: implement audit by executable

2014-07-02 Thread Richard Guy Briggs
Add space for consistency. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c3bf4bb..e9d0b2f 100644 --- a/kernel/auditfilter.c +++ b/kernel

[PATCH 03/12] [V3] audit: convert audit_exe to audit_fsnotify

2014-07-02 Thread Richard Guy Briggs
will just continue to work. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |2 +- kernel/audit.h| 32 +++--- kernel/audit_exe.c| 87 +++-- kernel

[PATCH 11/12] [V3] fixup! audit: clean simple fsnotify implementation

2014-07-02 Thread Richard Guy Briggs
Rename audit_remove_rule() to audit_remove_mark_rule(). Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_fsnotify.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index a11cede..07b33f7 100644

[PATCH 05/12] [V3] fixup! audit: convert audit_exe to audit_fsnotify

2014-07-02 Thread Richard Guy Briggs
Remove unnecessary space. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 9b2db56..d57c57d 100644 --- a/kernel/auditfilter.c +++ b/kernel

Re: [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-07-08 Thread Richard Guy Briggs
to see logged in this situation? -Steve

[PATCH 0/3] [RFC] X32: fix syscall_get_nr while not breaking seccomp BPF

2014-07-10 Thread Richard Guy Briggs
to BPF. A new ARCH definition, AUDIT_ARCH_X86_X32, was added for syscall_get_arch(). Cc: Paul Moore pmo...@redhat.com Cc: Eric Paris epa...@redhat.com Cc: Al Viro av...@redhat.com Cc: Will Drewry w...@chromium.org Cc: H. Peter Anvin h...@zytor.com Signed-off-by: Richard Guy Briggs r...@redhat.com

[PATCH 1/3] [RFC] audit: add AUDIT_ARCH_X86_X32 arch definition

2014-07-10 Thread Richard Guy Briggs
h...@zytor.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/uapi/linux/audit.h |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index e15d6fc..4f5607f 100644 --- a/include/uapi/linux/audit.h +++ b

[PATCH 3/3] [RFC] Revert x86: remove the x32 syscall bitmask from syscall_get_nr()

2014-07-10 Thread Richard Guy Briggs
-by: Richard Guy Briggs r...@redhat.com Link: http://lkml.kernel.org/r/cover.1405023592.git@redhat.com --- arch/x86/include/asm/syscall.h |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index d58b6be..8c1bb2b

[PATCH 2/3] [RFC] seccomp: give BPF x32 bit when restoring x32 filter

2014-07-10 Thread Richard Guy Briggs
-by: Richard Guy Briggs r...@redhat.com Link: http://lkml.kernel.org/r/cover.1405023592.git@redhat.com --- arch/x86/include/asm/syscall.h |4 kernel/seccomp.c |6 ++ 2 files changed, 10 insertions(+), 0 deletions(-) diff --git a/arch/x86/include/asm/syscall.h b/arch

Re: [PATCH] arm64: audit: Fix build for audit changes

2014-07-17 Thread Richard Guy Briggs
that has been added in -next. Fix this by making the equivalent update to ARMv8. Signed-off-by: Mark Brown broo...@linaro.org Signed-off-by: Richard Guy Briggs r...@redhat.com I'm not sure the best way to propagate this patch, but it will be necessary. --- arch/arm64/kernel/ptrace.c | 4

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-08-19 Thread Richard Guy Briggs
On 14/05/20, Richard Guy Briggs wrote: On 14/05/20, Eric Paris wrote: On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: The purpose is to track namespaces in use by logged processes from the perspective of init_*_ns. (Including the Linux API list due to the additions to /proc

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-08-20 Thread Richard Guy Briggs
On 14/08/19, Eric W. Biederman wrote: Richard Guy Briggs r...@redhat.com writes: On 14/05/20, Richard Guy Briggs wrote: On 14/05/20, Eric Paris wrote: On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: The purpose is to track namespaces in use by logged processes from

[PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-21 Thread Richard Guy Briggs
) to uniquely identify it per kernel boot. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h|8 include/linux/pid_namespace.h

[PATCH V4 2/8] namespaces: expose namespace instance serial number in proc_ns_operations

2014-08-21 Thread Richard Guy Briggs
Expose the namespace instance serial number for each namespace type in the proc namespace operations structure to make it available for the proc filesystem. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/namespace.c |7 +++ include/linux/proc_ns.h |1 + ipc

[PATCH V4 5/8] namespaces: expose ns_entries

2014-08-21 Thread Richard Guy Briggs
Expose ns_entries so subsystems other than proc can use this set of namespace operations. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/proc/namespaces.c|2 +- include/linux/proc_ns.h |1 + 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/fs/proc/namespaces.c

[PATCH V4 6/8] audit: log namespace serial numbers

2014-08-21 Thread Richard Guy Briggs
format would look something like: type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 The serial numbers are printed in hex. Suggested-by: Aristeu Rozanski aroza...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com Acked-by: Serge

[PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-21 Thread Richard Guy Briggs
...@hallyn.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/proc/namespaces.c | 33 + 1 files changed, 25 insertions(+), 8 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 8902609..e953e0a 100644 --- a/fs/proc/namespaces.c

[PATCH V4 8/8] audit: initialize at subsystem time rather than device time

2014-08-21 Thread Richard Guy Briggs
The audit subsystem should be initialized a bit earlier so that it is in place in time for initial namespace serial number logging. --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 6d95d1c..aa99518 100644 ---

[PATCH V4 7/8] audit: log creation and deletion of namespace instances

2014-08-21 Thread Richard Guy Briggs
While deleting a namespace would result in: type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1 If non-zero, old_snum lists the namespace from which it was cloned. Signed-off-by: Richard Guy
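
The record formats quoted in the NS_INFO and AUDIT_NS_DEL_MNT posts above, and the "orphaned keyword" and "new- prefix" problems raised in the aulast, AUDIT_LOGIN and integrity-ima threads, share one constraint: userspace tools such as ausearch tokenize a record as space-separated key=value pairs. The following is an added example, not code from the kernel or the audit userspace: a small Python parser that applies that rule to the two records quoted above plus two constructed ones, decodes the namespace serials as hex as the NS_INFO post says, treats auid/ses 4294967295 as unset, and flags tokens a consumer cannot attribute to a key. The LOGIN and INTEGRITY_RULE lines, their field names and the lint rules are this example's own assumptions.

```python
"""Parse Linux audit records written as space-separated key=value pairs
and lint them for the "orphaned keyword" problem that broke ausearch.

Added example for this thread list; not code from the kernel or the
audit userspace.  The two NS_* records are copied from the posts above,
the LOGIN and INTEGRITY_RULE lines are constructed for illustration.
"""
import re
from dataclasses import dataclass, field as dc_field

# What the kernel prints for an unset login uid / session id: (unsigned int)-1.
AUID_UNSET = 4294967295

# Namespace serial-number keys from the NS_INFO record; printed in hex per that post.
NS_KEYS = {"netns", "utsns", "ipcns", "pidns", "userns", "mntns"}

_HEADER = re.compile(
    r"^type=(?P<rtype>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


@dataclass
class AuditRecord:
    rtype: str
    timestamp: float
    serial: int
    fields: dict = dc_field(default_factory=dict)
    orphans: list = dc_field(default_factory=list)   # bare words with no key


def tokenize(body):
    """Yield (key, value) pairs; a word without '=' yields (None, word).

    Values may be double-quoted (audit quotes untrusted strings that way).
    Anything else is cut at the next space, which is exactly why a label
    such as 'op=invalid policy' loses its second word."""
    i, n = 0, len(body)
    while i < n:
        if body[i] == " ":
            i += 1
            continue
        j = i
        while j < n and body[j] not in " =":
            j += 1
        if j < n and body[j] == "=":
            key, j = body[i:j], j + 1
            if j < n and body[j] == '"':
                k = body.find('"', j + 1)
                k = n if k < 0 else k
                value, j = body[j + 1:k], k + 1
            else:
                k = body.find(" ", j)
                k = n if k < 0 else k
                value, j = body[j:k], k
            yield key, value
        else:
            yield None, body[i:j]
        i = j


def parse_record(line):
    """Parse one record; raises ValueError on a line that is not an audit record."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rec = AuditRecord(m.group("rtype"), float(m.group("ts")), int(m.group("serial")))
    for key, value in tokenize(m.group("body")):
        if key is None:
            rec.orphans.append(value)
        elif key in NS_KEYS:
            rec.fields[key] = int(value, 16)          # hex serial number -> int
        elif key in ("auid", "ses"):
            v = int(value)
            rec.fields[key] = None if v == AUID_UNSET else v
        else:
            rec.fields[key] = value
    return rec


def lint(rec):
    """Return the problems an ausearch-style consumer would hit on this record."""
    problems = ["orphaned token %r: a key or value contained a space" % w
                for w in rec.orphans]
    problems += ["key %r: the new- prefix breaks ausearch matching on %r" % (k, k[4:])
                 for k in rec.fields if k.startswith("new-")]
    return problems


SAMPLE_RECORDS = [
    # From the NS_INFO and AUDIT_NS_DEL_MNT posts:
    "type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5",
    "type=NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 mntns=9 res=1",
    # Constructed: the pre-fix AUDIT_LOGIN shape with the new- prefix.
    "type=LOGIN msg=audit(1408577560.001:90): pid=500 uid=0 old-auid=4294967295 new-auid=1000 "
    "old-ses=4294967295 new-ses=1 res=1",
    # Constructed: a label containing a space, the pattern the integrity/ima cleanup removed.
    "type=INTEGRITY_RULE msg=audit(1408577561.002:91): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "op=invalid policy cause=bad_line res=0",
]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec.rtype, rec.serial, rec.fields, lint(rec) or "ok")
```

Run stand-alone it prints the parsed fields for each sample and the lint findings for the two constructed records; the two records copied from the posts parse cleanly, which is the property the keyword cleanups in this list were restoring.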

[PATCH V4 0/8] namespaces: log namespaces per task

2014-08-21 Thread Richard Guy Briggs
from audit. *However*, the addition of the proc/pid/ns/*_snum does make it available to other processes now. Richard Guy Briggs (8): namespaces: assign each namespace instance a serial number namespaces: expose namespace instance serial number in proc_ns_operations namespaces: expose ns

[PATCH V4 4/8] Documentation: add a section for /proc/pid/ns/

2014-08-21 Thread Richard Guy Briggs
--- Documentation/filesystems/proc.txt | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt index ddc531a..c4bfd6f 100644 --- a/Documentation/filesystems/proc.txt +++

Re: [PATCH V4 0/8] namespaces: log namespaces per task

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Aristeu Rozanski wrote: Hi Richard, Hi Aris, On Wed, Aug 20, 2014 at 09:09:33PM -0400, Richard Guy Briggs wrote: Is there a way to link serial numbers of namespaces involved in migration of a container to another kernel? It sounds like what is needed is a part

Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Andy Lutomirski wrote: On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote: Expose the namespace instance serial numbers in the proc filesystem at /proc/pid/ns/ns_snum. The link text gives the serial number in hex. What's the use case? I understand the utility

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Andy Lutomirski wrote: On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote: Generate and assign a serial number per namespace instance since boot. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Andy Lutomirski wrote: On Thu, Aug 21, 2014 at 2:28 PM, Richard Guy Briggs r...@redhat.com wrote: On 14/08/21, Andy Lutomirski wrote: On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote: Generate and assign a serial number per namespace instance since boot

[PATCH] audit: set nlmsg_len for multicast messages.

2014-08-22 Thread Richard Guy Briggs
in audit_log_vformat(), but would be more efficient in audit_log_end(). Reported-by: Zbigniew Jędrzejewski-Szmek zbys...@in.waw.pl Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel

Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-24 Thread Richard Guy Briggs
On 14/08/24, Andy Lutomirski wrote: On Thu, Aug 21, 2014 at 6:58 PM, Richard Guy Briggs r...@redhat.com wrote: On 14/08/21, Andy Lutomirski wrote: On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote: Expose the namespace instance serial numbers in the proc filesystem

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-24 Thread Richard Guy Briggs
On 14/08/23, Eric W. Biederman wrote: Richard Guy Briggs r...@redhat.com writes: Generate and assign a serial number per namespace instance since boot. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which is claimed to have had

[PATCH V4 0/4] audit by executable name

2014-08-24 Thread Richard Guy Briggs
notify working. Eric Paris (3): audit: implement audit by executable audit: clean simple fsnotify implementation audit: convert audit_exe to audit_fsnotify Richard Guy Briggs (1): audit: avoid double copying the audit_exe path string include/linux/audit.h |1 + include/uapi/linux

[PATCH V4 2/4] audit: clean simple fsnotify implementation

2014-08-24 Thread Richard Guy Briggs
watch references to mark. RGB: Rename audit_remove_rule() to audit_remove_mark_rule(). RGB: Let audit_free_rule() take care of calling audit_remove_mark(). Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/Makefile |2 +- kernel

[PATCH V4 3/4] audit: convert audit_exe to audit_fsnotify

2014-08-24 Thread Richard Guy Briggs
will just continue to work. RGB: Put audit_alloc_mark() arguments in same order as watch, tree and inode. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |2 +- kernel/audit.h | 34 +++--- kernel

[PATCH V4 1/4] audit: implement audit by executable

2014-08-24 Thread Richard Guy Briggs
. But at this moment, this patch works. Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com Cc: r...@redhat.com Based-on-idea-by: Peter Moody pmo...@google.com Cc: pmo...@google.com Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include

Re: arm64 audit build failures in -next

2014-08-24 Thread Richard Guy Briggs
a week's time.

Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-27 Thread Richard Guy Briggs
ideas here? Do we need fancier netlink messages for this? --Andy

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-09-02 Thread Richard Guy Briggs
On 14/08/28, Eric W. Biederman wrote: Richard Guy Briggs r...@redhat.com writes: On 14/08/23, Eric W. Biederman wrote: Richard Guy Briggs r...@redhat.com writes: Generate and assign a serial number per namespace instance since boot. Use a serial number per namespace (unique across

Re: Draft copy of how to write good events

2014-09-04 Thread Richard Guy Briggs
break userspace... Here's a unified diff of a few obvious minor cleanups... -Steve

Re: Draft copy of how to write good events

2014-09-04 Thread Richard Guy Briggs
On 14/09/04, Richard Guy Briggs wrote: On 14/09/03, Steve Grubb wrote: Hello, Hi Steve, People have mentioned a couple times that they would like to know more about what is expected of well written events. I put together a draft document located here: http

Re: [PATCH net-next] netfilter: create audit records for ebtables replaces

2014-09-08 Thread Richard Guy Briggs

[PATCH] audit: restore AUDIT_LOGINUID unset ABI

2014-09-17 Thread Richard Guy Briggs
: exit,never auid=-1 (0x) syscall=all Cc: sta...@vger.kernel.org # v3.10-rc1+ Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 40ed981

[PATCH] selinux: services: cleanup orphan keywords in audit log text

2014-09-18 Thread Richard Guy Briggs
Restructure to keyword=value pairs without spaces. Drop superfluous words in text. Make invalid_context a keyword. Change result= keyword to seresult=. Signed-off-by: Richard Guy Briggs r...@redhat.com --- security/selinux/ss/services.c | 14 -- 1 files changed, 8 insertions

[PATCH] selinux: hooks: cleanup orphan keywords in audit log text

2014-09-18 Thread Richard Guy Briggs
Convert audit_log() call to WARN_ONCE(). Rename type= to nlmsg_type= to avoid confusion with the audit record type. Added protocol= to help track down which protocol (NETLINK_AUDIT?) was used within the netlink protocol family. Signed-off-by: Richard Guy Briggs r...@redhat.com --- security

[PATCH] audit: remove open_arg() function that is never used

2014-09-18 Thread Richard Guy Briggs
open_arg() was added in commit 55669bfa audit: AUDIT_PERM support and never used. Remove it. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |8 1 files changed, 0 insertions(+), 8 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4e17443

Re: [PATCH] selinux: hooks: cleanup orphan keywords in audit log text

2014-09-22 Thread Richard Guy Briggs
On 14/09/22, Paul Moore wrote: On Thursday, September 18, 2014 08:50:17 PM Richard Guy Briggs wrote: Convert audit_log() call to WARN_ONCE(). Rename type= to nlmsg_type= to avoid confusion with the audit record type. Added protocol= to help track down which protocol (NETLINK_AUDIT

[PATCH] audit: restore AUDIT_LOGINUID unset ABI

2014-09-24 Thread Richard Guy Briggs
: exit,never auid=-1 (0x) syscall=all Tag it so that it is reported the same way it was set. Note: move the field validation call ahead of the mutation code to have it work on the original field set. Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/uapi/linux/audit.h |3

Re: [PATCH] audit: restore AUDIT_LOGINUID unset ABI

2014-09-24 Thread Richard Guy Briggs
On 14/09/24, Richard Guy Briggs wrote: A regression was caused by commit 780a7654cee8: audit: Make testing for a valid loginuid explicit. (which in turn attempted to fix a regression caused by e1760bd) Eric (Paris), does tagging this field in the type member with a high bit work

Re: [PATCH v2] arm: prevent BUG_ON in audit_syscall_entry()

2014-10-01 Thread Richard Guy Briggs
)) + trace_sys_exit(regs, regs_return_value(regs)); + } if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); -- 1.7.9.5

[PATCH 0/7] audit fsnotify cleanups for watches and trees

2014-10-02 Thread Richard Guy Briggs
This is a collection of patches to clean up some issues discovered while implementing audit by exe path. They compile and have been lightly tested. I'd be interested in feedback about approaches or details or grossly misunderstanding some fundamental concepts. Thanks! Richard Guy Briggs (7

[PATCH 4/7] audit: optimize add to parent skipping needless search and consuming parent ref

2014-10-02 Thread Richard Guy Briggs
When parent has just been created there is no need to search for the parent in the list. Add a parameter to skip the search and consume the parent reference no matter what happens. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_watch.c | 23 +++ 1 files

[PATCH 5/7] audit: remove redundant watch refcount

2014-10-02 Thread Richard Guy Briggs
Remove extra layer of audit_{get,put}_watch() calls. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_watch.c |5 + kernel/auditfilter.c |7 --- 2 files changed, 1 insertions(+), 11 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index

[PATCH 7/7] audit: rename audit_log_remove_rule to disambiguate for trees

2014-10-02 Thread Richard Guy Briggs
Rename audit_log_remove_rule() to audit_tree_log_remove_rule() to avoid confusion with watch and mark rule removal/changes. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_tree.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit_tree.c b

[PATCH 6/7] audit: remove extra audit_get_parent()

2014-10-02 Thread Richard Guy Briggs
There appears to be an extra parent reference taken. Remove it. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_watch.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index c707afb..eb53bc7 100644

[PATCH 2/7] audit: cull redundancy in audit_rule_change

2014-10-02 Thread Richard Guy Briggs
Re-factor audit_rule_change() to reduce the amount of code redundancy and simplify the logic. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c | 20 +++- 1 files changed, 7 insertions(+), 13 deletions(-) diff --git a/kernel/auditfilter.c b/kernel

[PATCH 1/7] audit: put rule existence check in canonical order

2014-10-02 Thread Richard Guy Briggs
Use same rule existence check order as audit_make_tree(), audit_to_watch(), update_lsm_rule() for legibility. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditfilter.c b/kernel

[PATCH 3/7] audit: eliminate string copy for new tree rules

2014-10-02 Thread Richard Guy Briggs
New tree rules copy the path twice and discard the intermediary copy. This saves one pointer at the expense of one path string copy. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_tree.c |9 + kernel/auditfilter.c |5 +++-- 2 files changed, 8 insertions

[PATCH V5 1/5] audit: implement audit by executable

2014-10-02 Thread Richard Guy Briggs
. But at this moment, this patch works. Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com Cc: r...@redhat.com Based-on-idea-by: Peter Moody pmo...@google.com Cc: pmo...@google.com Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include

[PATCH V5 3/5] audit: convert audit_exe to audit_fsnotify

2014-10-02 Thread Richard Guy Briggs
will just continue to work. Signed-off-by: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |2 +- kernel/audit.h| 32 +++--- kernel/audit_exe.c| 87 +++-- kernel

[PATCH V5 0/5] audit by executable name

2014-10-02 Thread Richard Guy Briggs
Moodie's original patches https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html Next step: Get full-path notify working. Eric Paris (3): audit: implement audit by executable audit: clean simple fsnotify implementation audit: convert audit_exe to audit_fsnotify Richard Guy

[PATCH V5 4/5] audit: avoid double copying the audit_exe path string

2014-10-02 Thread Richard Guy Briggs
Make this interface consistent with watch and filter key, avoiding the extra string copy and simply consume the new string pointer. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit_exe.c |5 - kernel/audit_fsnotify.c | 12 ++-- kernel/auditfilter.c

[PATCH V5 04/13] audit: log namespace serial numbers

2014-10-06 Thread Richard Guy Briggs
format would look something like: type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 The serial numbers are printed in hex. Suggested-by: Aristeu Rozanski aroza...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com Acked-by: Serge

[PATCH V5 10/13] audit: log on switching namespace (setns)

2014-10-06 Thread Richard Guy Briggs
Added six new audit message types, AUDIT_NS_SET_* and function audit_log_ns_set() to log a switch of namespace. Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |4 +++ include/uapi/linux/audit.h |6 + kernel/audit.c | 46

[PATCH V5 05/13] audit: initialize at subsystem time rather than device time

2014-10-06 Thread Richard Guy Briggs
The audit subsystem should be initialized a bit earlier so that it is in place in time for initial namespace serial number logging. --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index ff1630d..8ff7f28 100644 ---

[PATCH V5 12/13] namespaces: expose ns instance serial numbers in proc

2014-10-06 Thread Richard Guy Briggs
...@hallyn.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/proc/namespaces.c | 33 + 1 files changed, 25 insertions(+), 8 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 310da74..29c3909 100644 --- a/fs/proc/namespaces.c

[PATCH V5 11/13] audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record

2014-10-06 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/uapi/linux/audit.h |2 ++ kernel/audit.c |2 ++ 2 files changed, 4 insertions(+), 0 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 7ec7209..beb23f7 100644 --- a/include/uapi

[PATCH V5 08/13] sched: add a macro to ref all CLONE_NEW* flags

2014-10-06 Thread Richard Guy Briggs
--- include/uapi/linux/sched.h |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h index 34f9d73..5aceba2 100644 --- a/include/uapi/linux/sched.h +++ b/include/uapi/linux/sched.h @@ -28,6 +28,12 @@ #define

[PATCH V5 00/13] namespaces: log namespaces per task

2014-10-06 Thread Richard Guy Briggs
problematic information leaks? Only CAP_AUDIT_CONTROL (and now CAP_AUDIT_READ) in init_user_ns can get to this information in the init namespace at the moment from audit. *However*, the addition of the proc/pid/ns/*_snum does make it available to other processes now. Richard Guy Briggs (13

[PATCH V5 13/13] Documentation: add a section for /proc/pid/ns/

2014-10-06 Thread Richard Guy Briggs
--- Documentation/filesystems/proc.txt | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt index ddc531a..c4bfd6f 100644 --- a/Documentation/filesystems/proc.txt +++

[PATCH V5 06/13] audit: log creation and deletion of namespace instances

2014-10-06 Thread Richard Guy Briggs
While deleting a namespace would result in: type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1 If non-zero, old_snum lists the namespace from which it was cloned. Signed-off-by: Richard Guy

[PATCH V5 02/13] namespaces: expose namespace instance serial number in proc_ns_operations

2014-10-06 Thread Richard Guy Briggs
Expose the namespace instance serial number for each namespace type in the proc namespace operations structure to make it available for the proc filesystem. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/namespace.c |7 +++ include/linux/proc_ns.h |1 + ipc

[PATCH V5 01/13] namespaces: assign each namespace instance a serial number

2014-10-06 Thread Richard Guy Briggs
) to uniquely identify it per kernel boot. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h| 10 ++ include/linux/pid_namespace.h

[PATCH V5 09/13] fork: audit on creation of new namespace(s)

2014-10-06 Thread Richard Guy Briggs
When clone(2) is called to fork a new process creating one or more namespaces, audit the event to tie the new pid with the namespace IDs. Signed-off-by: Richard Guy Briggs --- kernel/fork.c|3 +++ kernel/nsproxy.c |1 + 2 files changed, 4 insertions(+), 0 deletions(-) diff --git
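The following is an added example, not code from the series or from the kernel: a userland model of three pieces described in the index above, the boot-unique serial number each namespace instance gets (01/13), a mask covering every CLONE_NEW* flag (08/13), and the fork-time decision of whether a clone(2) call created any namespaces whose IDs should be tied to the new pid (09/13). The macro name CLONE_NEW_ALL, the single shared counter and the serials 1..6 for the initial namespaces are assumptions; the index does not show the patches' own names or values.

```c
/* Added example, not from the patch series: userland model of the
 * CLONE_NEW* mask, the per-instance serial numbers and the fork-time
 * "did this clone create a namespace?" check.  Names and values below
 * that are not in the index are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

/* Values mirror include/uapi/linux/sched.h; guarded so this builds
 * without the Linux headers present. */
#ifndef CLONE_VM
#define CLONE_VM      0x00000100
#endif
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC  0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif

/* Assumed name for the macro patch 08/13 adds to sched.h. */
#define CLONE_NEW_ALL (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | \
                       CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)

/* One serial per namespace instance, unique for the life of a boot.
 * Assumption: a single counter shared by all types, with the six
 * initial namespaces having taken 1..6 at boot.  The kernel would use
 * an atomic64_t; a plain counter suffices for this single-threaded model. */
static uint64_t ns_serial_counter = 6;

uint64_t ns_alloc_serial(void)
{
    return ++ns_serial_counter;
}

/* Namespace types this clone(2) call creates; 0 means no audit record
 * is needed at fork time. */
unsigned long clone_new_ns_flags(unsigned long clone_flags)
{
    return clone_flags & CLONE_NEW_ALL;
}

struct ns_ids {
    uint64_t mnt, uts, ipc, user, pid, net;
};

/* The child inherits the parent's serials except for the types it
 * creates, which get fresh ones.  Pairing these with the new pid is
 * what the fork-time record in 09/13 ties together. */
struct ns_ids ns_ids_for_child(const struct ns_ids *parent, unsigned long clone_flags)
{
    struct ns_ids c = *parent;
    unsigned long n = clone_new_ns_flags(clone_flags);

    if (n & CLONE_NEWNS)   c.mnt  = ns_alloc_serial();
    if (n & CLONE_NEWUTS)  c.uts  = ns_alloc_serial();
    if (n & CLONE_NEWIPC)  c.ipc  = ns_alloc_serial();
    if (n & CLONE_NEWUSER) c.user = ns_alloc_serial();
    if (n & CLONE_NEWPID)  c.pid  = ns_alloc_serial();
    if (n & CLONE_NEWNET)  c.net  = ns_alloc_serial();
    return c;
}

int main(void)
{
    /* Constructed sample: the initial namespaces of the model. */
    struct ns_ids init = { 1, 2, 3, 4, 5, 6 };
    struct ns_ids child = ns_ids_for_child(&init, CLONE_VM | CLONE_NEWPID | CLONE_NEWNET);

    /* Serials printed in hex, as the NS_INFO record does. */
    printf("new ns flags=%#lx pidns=%llx netns=%llx mntns=%llx\n",
           clone_new_ns_flags(CLONE_VM | CLONE_NEWPID | CLONE_NEWNET),
           (unsigned long long)child.pid, (unsigned long long)child.net,
           (unsigned long long)child.mnt);
    return 0;
}
```

Calling ns_ids_for_child() for a clone with only CLONE_VM leaves every serial untouched, which is the case the fork-time hook must recognise so that it emits nothing.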

[PATCH V5 07/13] audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO

2014-10-06 Thread Richard Guy Briggs
When a task with CAP_AUDIT_CONTROL sends a NETLINK_AUDIT message of type AUDIT_NS_INFO with a PID of interest, dump the namespace IDs of that task to the audit log. --- kernel/audit.c | 14 ++ 1 files changed, 14 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c
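As an added example, not code from the series, the two halves of the exchange described in 07/13 and 04/13 seen from userspace: building the NETLINK_AUDIT request of type AUDIT_NS_INFO that names a pid of interest, and parsing the NS_INFO record that comes back, whose serial numbers are printed in hex. The numeric value of AUDIT_NS_INFO and the request payload layout (a single 32-bit pid) are assumptions, since the index does not show the uapi hunks; the header struct reproduces the layout of struct nlmsghdr so the file builds without the Linux headers. The sample record is the one quoted in 04/13.

```c
/* Added example, not from the patch series: build an AUDIT_NS_INFO
 * request and parse an NS_INFO record.  The message type value and the
 * payload layout are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_NS_INFO   1340u        /* assumed value; not an upstream constant */
#define NLM_F_REQUEST   0x01
#define NLM_F_ACK       0x04
#define NLMSG_ALIGNTO   4u
#define NLMSG_ALIGN(n)  (((n) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))

/* Same layout as struct nlmsghdr in <linux/netlink.h>. */
struct ns_nlmsghdr {
    uint32_t nlmsg_len;
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;   /* sender port id; 0 lets the kernel assign it */
};

/* Write header + pid payload into buf; returns bytes used or -1 if buf
 * is too small.  The sender needs CAP_AUDIT_CONTROL for the kernel to
 * act on it. */
int build_ns_info_request(uint8_t *buf, size_t len, uint32_t seq, uint32_t pid_of_interest)
{
    size_t hdr = NLMSG_ALIGN(sizeof(struct ns_nlmsghdr));
    size_t total = hdr + NLMSG_ALIGN(sizeof(uint32_t));
    struct ns_nlmsghdr h;

    if (len < total)
        return -1;
    memset(buf, 0, total);
    h.nlmsg_len = (uint32_t)total;
    h.nlmsg_type = AUDIT_NS_INFO;
    h.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    h.nlmsg_seq = seq;
    h.nlmsg_pid = 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + hdr, &pid_of_interest, sizeof pid_of_interest);
    return (int)total;
}

struct ns_serials {
    uint64_t net, uts, ipc, pid, user, mnt;
};

/* Find "key=<hex>" as a whole token and decode the hex serial. */
static int get_hex_field(const char *rec, const char *key, uint64_t *out)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *start = p + klen + 1;
            char *end;
            errno = 0;
            *out = strtoull(start, &end, 16);
            if (errno != 0 || end == start)
                return -1;
            return 0;
        }
        p += klen;
    }
    return -1;   /* key absent: treat the record as malformed */
}

/* Parse an NS_INFO record; all six fields must be present. */
int parse_ns_info(const char *rec, struct ns_serials *s)
{
    if (get_hex_field(rec, "netns", &s->net) || get_hex_field(rec, "utsns", &s->uts) ||
        get_hex_field(rec, "ipcns", &s->ipc) || get_hex_field(rec, "pidns", &s->pid) ||
        get_hex_field(rec, "userns", &s->user) || get_hex_field(rec, "mntns", &s->mnt))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the record quoted in 04/13. */
    const char *rec = "type=NS_INFO msg=audit(1408577535.306:82): "
                      "netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5";
    struct ns_serials s;
    uint8_t buf[64];
    int n = build_ns_info_request(buf, sizeof buf, 1, 1234);

    printf("request: %d bytes, type %u\n", n, AUDIT_NS_INFO);
    if (parse_ns_info(rec, &s) == 0)
        printf("netns=%llu mntns=%llu\n", (unsigned long long)s.net, (unsigned long long)s.mnt);
    return 0;
}
```

The token-boundary check in get_hex_field() matters: a naive strstr() for "pidns" would also match inside a hypothetical "oldpidns" key, and the hex base must be explicit because a serial such as "10" is sixteen, not ten.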
