audit_net_id isn't used outside kernel/audit.c. Reduce its scope.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 59c0bbe..bdd0172 100644
--- a/kernel/audit.c
audit_log_fcaps() isn't used outside kernel/audit.c. Reduce its scope.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 +-
kernel/audit.h |1 -
2 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index bdd0172..3225a5d
Since only one of val, uid and gid is used at any given time, combine them to
reduce the size of the struct audit_field.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |8 +---
kernel/auditfilter.c |2 --
2 files changed, 5 insertions(+), 5 deletions
to display these things...
Agreed.
One lesson here? Let's get a minimum useful subset of
http://people.redhat.com/sgrubb/audit/audit-parse.txt into
linux-2.6/Documentation/ tree to try to avoid this issue in the future.
- RGB
--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel
/listinfo/linux-audit
Eric Paris suggested lsm_str and lsm_rule could be added to this optimisation.
audit_free_rule needed a bit of re-factoring to accomplish this, but nothing too
controversial.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |6 --
kernel/auditfilter.c | 27
The new- prefix on ses and auid is unnecessary and breaks ausearch.
Upstream-commit: aa589a1
Cc: sta...@vger.kernel.org # v3.14-rc1 to v3.14
Reported-by: Steve Grubb sgr...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c |2 +-
1 files changed, 1 insertions
of the features involved or attempt to solve
problems that don't exist. Posting this now to clarify some of that and move
on...
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (11):
fixup
Add space for consistency.
---
kernel/auditfilter.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index eede673..f40c13b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1012,6 +1012,7 @@ int
Remove redundant goto.
---
kernel/audit_fsnotify.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 0fda71f..d169326 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -134,7 +134,6 @@ struct
---
kernel/auditfilter.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index c52cbc0..cae8eae 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -148,7 +148,7 @@ static inline int audit_to_inode(struct
will just continue to
work.
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |2 +-
kernel/audit.h| 31 -
kernel/audit_exe.c| 87 +++--
kernel
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
---
kernel/audit.h |2 +-
kernel/audit_exe.c |2 +-
kernel/audit_fsnotify.c |2 +-
kernel/auditfilter.c|2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.h
---
kernel/audit_fsnotify.c | 12 ++--
kernel/auditfilter.c|2 +-
2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 707df2b..07e 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -99,7
Remove unnecessary space.
---
kernel/auditfilter.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 30091ce..94b6af1 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -551,7 +551,6 @@ static struct audit_entry
the audit_fsnotify code to
support that hierarchy if the optimization is necessary.
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/Makefile |2 +-
kernel/audit.h | 29 ++
kernel/audit_fsnotify.c | 251
---
include/linux/audit.h |1 +
kernel/audit.h |1 +
kernel/audit_fsnotify.c | 15 +++
kernel/auditfilter.c| 21 -
4 files changed, 37 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index
. But at this moment, this
patch works.
Based-on-user-interface-by: Richard Guy Briggs r...@redhat.com
Cc: r...@redhat.com
Based-on-idea-by: Peter Moody pmo...@google.com
Cc: pmo...@google.com
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include
Rename audit_remove_rule() to audit_remove_mark_rule().
---
kernel/audit_fsnotify.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index d169326..efefa16 100644
--- a/kernel/audit_fsnotify.c
+++
---
kernel/audit.h |2 ++
kernel/audit_fsnotify.c |6 +++---
kernel/auditfilter.c| 10 +-
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 2093c5e..3151ae5 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@
Check for existence of exe rule.
---
kernel/audit_tree.c |2 +-
kernel/audit_watch.c |2 +-
kernel/auditfilter.c |4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 135944a..b4bf5d2 100644
--- a/kernel/audit_tree.c
myself they are needed, but I'll figure that
out after I read more carefully your comments to the previous patch.
On Tue, 17 Jun 2014 23:09:49 -0400
Richard Guy Briggs r...@redhat.com wrote:
---
kernel/audit.h |2 ++
kernel/audit_fsnotify.c |6 +++---
kernel/auditfilter.c
On 14/06/17, Mimi Zohar wrote:
On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote:
Replace spaces in op keyword labels in log output since userspace audit tools
can't parse orphaned keywords.
The patch didn't apply cleanly to linux-integrity/#next. Please take a look
.html
v0: Peter Moody's original patches
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (9):
fixup! audit: clean simple fsnotify
Rename several watch references to mark.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_fsnotify.c | 16
1 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index b936213..c66e91b 100644
Let audit_free_rule() take care of calling audit_remove_mark().
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c |5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index e9d0b2f..ff99749 100644
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.h |2 +-
kernel/audit_exe.c |2 +-
kernel/audit_fsnotify.c |2 +-
kernel/auditfilter.c|2 +-
4 files changed, 4 insertions
Make this interface consistent with watch and filter key, avoiding the extra
string copy and simply consume the new string pointer.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_fsnotify.c | 12 ++--
kernel/auditfilter.c|2 +-
2 files changed, 3 insertions
Add space for consistency.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index c3bf4bb..e9d0b2f 100644
--- a/kernel/auditfilter.c
+++ b/kernel
will just continue to
work.
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |2 +-
kernel/audit.h| 32 +++---
kernel/audit_exe.c| 87 +++--
kernel
Rename audit_remove_rule() to audit_remove_mark_rule().
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_fsnotify.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index a11cede..07b33f7 100644
Remove unnecessary space.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 9b2db56..d57c57d 100644
--- a/kernel/auditfilter.c
+++ b/kernel
to see logged in
this situation?
-Steve
to BPF.
A new ARCH definition, AUDIT_ARCH_X86_X32, was added for syscall_get_arch().
Cc: Paul Moore pmo...@redhat.com
Cc: Eric Paris epa...@redhat.com
Cc: Al Viro av...@redhat.com
Cc: Will Drewry w...@chromium.org
Cc: H. Peter Anvin h...@zytor.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
h...@zytor.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/uapi/linux/audit.h |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index e15d6fc..4f5607f 100644
--- a/include/uapi/linux/audit.h
+++ b
-by: Richard Guy Briggs r...@redhat.com
Link: http://lkml.kernel.org/r/cover.1405023592.git@redhat.com
---
arch/x86/include/asm/syscall.h |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
index d58b6be..8c1bb2b
-by: Richard Guy Briggs r...@redhat.com
Link: http://lkml.kernel.org/r/cover.1405023592.git@redhat.com
---
arch/x86/include/asm/syscall.h |4
kernel/seccomp.c |6 ++
2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/arch/x86/include/asm/syscall.h b/arch
that has been added in -next. Fix this by making the equivalent
update to ARMv8.
Signed-off-by: Mark Brown broo...@linaro.org
Signed-off-by: Richard Guy Briggs r...@redhat.com
I'm not sure the best way to propagate this patch, but it will be
necessary.
---
arch/arm64/kernel/ptrace.c | 4
On 14/05/20, Richard Guy Briggs wrote:
On 14/05/20, Eric Paris wrote:
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
The purpose is to track namespaces in use by logged processes from the
perspective of init_*_ns.
(Including the Linux API list due to the additions to /proc
On 14/08/19, Eric W. Biederman wrote:
Richard Guy Briggs r...@redhat.com writes:
On 14/05/20, Richard Guy Briggs wrote:
On 14/05/20, Eric Paris wrote:
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
The purpose is to track namespaces in use by logged processes from
) to
uniquely identify it per kernel boot.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
fs/mount.h |1 +
fs/namespace.c |1 +
include/linux/ipc_namespace.h |1 +
include/linux/nsproxy.h|8
include/linux/pid_namespace.h
Expose the namespace instance serial number for each namespace type in the proc
namespace operations structure to make it available for the proc filesystem.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
fs/namespace.c |7 +++
include/linux/proc_ns.h |1 +
ipc
Expose ns_entries so subsystems other than proc can use this set of namespace
operations.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
fs/proc/namespaces.c|2 +-
include/linux/proc_ns.h |1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/proc/namespaces.c
format would look something like:
type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1
pidns=4 userns=3 mntns=5
The serial numbers are printed in hex.
Suggested-by: Aristeu Rozanski aroza...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
Acked-by: Serge
...@hallyn.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
fs/proc/namespaces.c | 33 +
1 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
index 8902609..e953e0a 100644
--- a/fs/proc/namespaces.c
The audit subsystem should be initialized a bit earlier so that it is in place
in time for initial namespace serial number logging.
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 6d95d1c..aa99518 100644
---
While deleting a namespace would result in:
type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
If non-zero, old_snum lists the namespace from which it was cloned.
Signed-off-by: Richard Guy
from audit. *However*, the addition of the
proc/pid/ns/*_snum does make it available to other processes now.
Richard Guy Briggs (8):
namespaces: assign each namespace instance a serial number
namespaces: expose namespace instance serial number in proc_ns_operations
namespaces: expose ns
---
Documentation/filesystems/proc.txt | 16
1 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/Documentation/filesystems/proc.txt
b/Documentation/filesystems/proc.txt
index ddc531a..c4bfd6f 100644
--- a/Documentation/filesystems/proc.txt
+++
On 14/08/21, Aristeu Rozanski wrote:
Hi Richard,
Hi Aris,
On Wed, Aug 20, 2014 at 09:09:33PM -0400, Richard Guy Briggs wrote:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel? It sounds like what is needed is a part
On 14/08/21, Andy Lutomirski wrote:
On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote:
Expose the namespace instance serial numbers in the proc filesystem at
/proc/pid/ns/ns_snum. The link text gives the serial number in hex.
What's the use case?
I understand the utility
On 14/08/21, Andy Lutomirski wrote:
On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote:
Generate and assign a serial number per namespace instance since boot.
Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which
On 14/08/21, Andy Lutomirski wrote:
On Thu, Aug 21, 2014 at 2:28 PM, Richard Guy Briggs r...@redhat.com wrote:
On 14/08/21, Andy Lutomirski wrote:
On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote:
Generate and assign a serial number per namespace instance since boot
in audit_log_vformat(), but would be more efficient in audit_log_end().
Reported-by: Zbigniew Jędrzejewski-Szmek zbys...@in.waw.pl
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel
On 14/08/24, Andy Lutomirski wrote:
On Thu, Aug 21, 2014 at 6:58 PM, Richard Guy Briggs r...@redhat.com wrote:
On 14/08/21, Andy Lutomirski wrote:
On Aug 20, 2014 8:12 PM, Richard Guy Briggs r...@redhat.com wrote:
Expose the namespace instance serial numbers in the proc filesystem
On 14/08/23, Eric W. Biederman wrote:
Richard Guy Briggs r...@redhat.com writes:
Generate and assign a serial number per namespace instance since boot.
Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had
notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (1):
audit: avoid double copying the audit_exe path string
include/linux/audit.h |1 +
include/uapi/linux
watch references to mark.
RGB: Rename audit_remove_rule() to audit_remove_mark_rule().
RGB: Let audit_free_rule() take care of calling audit_remove_mark().
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/Makefile |2 +-
kernel
will just continue to
work.
RGB: Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Signed-off-by: Eric Paris epa...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |2 +-
kernel/audit.h | 34 +++---
kernel
a
week's time.
ideas here? Do we need fancier netlink
messages for this?
--Andy
Andy Lutomirski
On 14/08/28, Eric W. Biederman wrote:
Richard Guy Briggs r...@redhat.com writes:
On 14/08/23, Eric W. Biederman wrote:
Richard Guy Briggs r...@redhat.com writes:
Generate and assign a serial number per namespace instance since boot.
Use a serial number per namespace (unique across
break userspace...
Here's a unified diff of a few obvious minor cleanups...
-Steve
On 14/09/04, Richard Guy Briggs wrote:
On 14/09/03, Steve Grubb wrote:
Hello,
Hi Steve,
People have mentioned a couple times that they would like to know more about
what is expected of well-written events. I put together a draft document
located here:
http
: exit,never auid=-1 (0x) syscall=all
Cc: sta...@vger.kernel.org # v3.10-rc1+
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c |7 +++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 40ed981
Restructure to keyword=value pairs without spaces. Drop superfluous words in
text. Make invalid_context a keyword. Change result= keyword to seresult=.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
security/selinux/ss/services.c | 14 --
1 files changed, 8 insertions
Convert audit_log() call to WARN_ONCE().
Rename type= to nlmsg_type= to avoid confusion with the audit record
type.
Added protocol= to help track down which protocol (NETLINK_AUDIT?) was used
within the netlink protocol family.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
security
open_arg() was added in commit 55669bfa ("audit: AUDIT_PERM support")
and never used. Remove it.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c |8
1 files changed, 0 insertions(+), 8 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e17443
On 14/09/22, Paul Moore wrote:
On Thursday, September 18, 2014 08:50:17 PM Richard Guy Briggs wrote:
Convert audit_log() call to WARN_ONCE().
Rename type= to nlmsg_type= to avoid confusion with the audit record
type.
Added protocol= to help track down which protocol (NETLINK_AUDIT
: exit,never auid=-1 (0x) syscall=all
Tag it so that it is reported the same way it was set.
Note: move the field validation call ahead of the mutation code to have it work
on the original field set.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/uapi/linux/audit.h |3
On 14/09/24, Richard Guy Briggs wrote:
A regression was caused by commit 780a7654cee8:
audit: Make testing for a valid loginuid explicit.
(which in turn attempted to fix a regression caused by e1760bd)
Eric (Paris), does tagging this field in the type member with a high
bit work
))
+ trace_sys_exit(regs, regs_return_value(regs));
+ }
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
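Review bot: the added `+ }` closes a block whose opening `if` lies outside the quoted lines (the fragment begins at a bare `))`), so the condition guarding the new `trace_sys_exit(regs, regs_return_value(regs));` call cannot be checked from this hunk; please repost it with its `@@` header and the opening `if (...)` line. The placement ahead of the unchanged `if (test_thread_flag(TIF_SYSCALL_TRACE))` / `tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);` pair is the ordering a reviewer would expect, since the tracepoint then records the return value before the ptrace exit stop.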
--
1.7.9.5
This is a collection of patches to clean up some issues discovered while
implementing audit by exe path.
They compile and have been lightly tested.
I'd be interested in feedback about approaches or details or grossly
misunderstanding some fundamental concepts.
Thanks!
Richard Guy Briggs (7
When parent has just been created there is no need to search for the parent in
the list. Add a parameter to skip the search and consume the parent reference
no matter what happens.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_watch.c | 23 +++
1 files
Remove extra layer of audit_{get,put}_watch() calls.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_watch.c |5 +
kernel/auditfilter.c |7 ---
2 files changed, 1 insertions(+), 11 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index
Rename audit_log_remove_rule() to audit_tree_log_remove_rule() to avoid
confusion with watch and mark rule removal/changes.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_tree.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit_tree.c b
There appears to be an extra parent reference taken. Remove it.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_watch.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index c707afb..eb53bc7 100644
Re-factor audit_rule_change() to reduce the amount of code redundancy and
simplify the logic.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c | 20 +++-
1 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel
Use same rule existence check order as audit_make_tree(), audit_to_watch(),
update_lsm_rule() for legibility.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel
New tree rules copy the path twice and discard the intermediary copy.
This saves one pointer at the expense of one path string copy.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_tree.c |9 +
kernel/auditfilter.c |5 +++--
2 files changed, 8 insertions
Moody's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy
Make this interface consistent with watch and filter key, avoiding the extra
string copy and simply consume the new string pointer.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_exe.c |5 -
kernel/audit_fsnotify.c | 12 ++--
kernel/auditfilter.c
Added six new audit message types, AUDIT_NS_SET_* and function
audit_log_ns_set() to log a switch of namespace.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |4 +++
include/uapi/linux/audit.h |6 +
kernel/audit.c | 46
The audit subsystem should be initialized a bit earlier so that it is in place
in time for initial namespace serial number logging.
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index ff1630d..8ff7f28 100644
---
...@hallyn.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
fs/proc/namespaces.c | 33 +
1 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
index 310da74..29c3909 100644
--- a/fs/proc/namespaces.c
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/uapi/linux/audit.h |2 ++
kernel/audit.c |2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 7ec7209..beb23f7 100644
--- a/include/uapi
---
include/uapi/linux/sched.h |6 ++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
index 34f9d73..5aceba2 100644
--- a/include/uapi/linux/sched.h
+++ b/include/uapi/linux/sched.h
@@ -28,6 +28,12 @@
#define
problematic information leaks? Only CAP_AUDIT_CONTROL
(and now CAP_AUDIT_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit. *However*, the addition of the
proc/pid/ns/*_snum does make it available to other processes now.
Richard Guy Briggs (13
) to
uniquely identify it per kernel boot.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
fs/mount.h |1 +
fs/namespace.c |1 +
include/linux/ipc_namespace.h |1 +
include/linux/nsproxy.h| 10 ++
include/linux/pid_namespace.h
When clone(2) is called to fork a new process creating one or more namespaces,
audit the event to tie the new pid with the namespace IDs.
Signed-off-by: Richard Guy Briggs
---
kernel/fork.c|3 +++
kernel/nsproxy.c |1 +
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git
When a task with CAP_AUDIT_CONTROL sends a NETLINK_AUDIT message of type
AUDIT_NS_INFO with a PID of interest, dump the namespace IDs of that task to
the audit log.
---
kernel/audit.c | 14 ++
1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c
301 - 400 of 2206 matches